diff --git a/.buildkite/scripts/steps/checks.sh b/.buildkite/scripts/steps/checks.sh
index dd7c0c0e6d69c..50ee0363ad93f 100755
--- a/.buildkite/scripts/steps/checks.sh
+++ b/.buildkite/scripts/steps/checks.sh
@@ -15,3 +15,4 @@ fi
 .buildkite/scripts/steps/code_generation/security_solution_codegen.sh
 .buildkite/scripts/steps/openapi_bundling/security_solution_openapi_bundling.sh
 .buildkite/scripts/steps/code_generation/osquery_codegen.sh
+.buildkite/scripts/steps/openapi_bundling/final_merge.sh
diff --git a/.buildkite/scripts/steps/openapi_bundling/final_merge.sh b/.buildkite/scripts/steps/openapi_bundling/final_merge.sh
new file mode 100755
index 0000000000000..41ca47aef24ee
--- /dev/null
+++ b/.buildkite/scripts/steps/openapi_bundling/final_merge.sh
@@ -0,0 +1,9 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+
+source .buildkite/scripts/common/util.sh
+
+echo --- Merge Kibana OpenAPI specs
+
+(cd oas_docs && make api-docs && make api-docs-lint)
diff --git a/oas_docs/.spectral.yaml b/oas_docs/.spectral.yaml
index d01a1e93cc7c4..ec05decbc1fe4 100644
--- a/oas_docs/.spectral.yaml
+++ b/oas_docs/.spectral.yaml
@@ -1,6 +1,6 @@
-extends: ["spectral:oas"]
+extends: ['spectral:oas']
 rules:
-# Built-in rules
+ # Built-in rules
 # Descriptions
 oas3-parameter-description: warn
 oas2-parameter-description: warn
@@ -13,10 +13,10 @@ rules:
 oas3-valid-media-example: false
 oas3-valid-schema-example: false
 oas2-valid-media-example: false
- # Operations
- operation-operationId: warn
- operation-operationId-unique: warn
- operation-operationId-valid-in-url: warn
+ # Operations
+ operation-operationId: error
+ operation-operationId-unique: error
+ operation-operationId-valid-in-url: error
 operation-tag-defined: warn
 operation-tags: warn
 # Responses
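Review bot: The new step ends with `make api-docs-lint`, but the makefile hunk in this commit only defines `api-docs` and `api-docs-redocly`; if `api-docs-lint` is not defined in a part of `oas_docs/makefile` outside the diff, the step fails right after a successful merge, so it is worth confirming the target exists before this lands in checks.sh. The script also sources `.buildkite/scripts/common/util.sh` without using anything from it in the visible lines; a one-line comment stating what this step needs from util.sh would tell the next maintainer whether the source can be dropped. Both the `source` path and `cd oas_docs` are relative to the repository root, which is consistent with how checks.sh invokes the other steps.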
@@ -25,28 +25,30 @@ rules:
 oas3-schema: error
 oas2-schema: error
 array-items: false
+ # Bump.sh handles $ref siblings. Documentation wise it's convenient to have properties like descriptions next to $ref.
+ no-$ref-siblings: off
 # Tags
 openapi-tags: warn
 openapi-tags-alphabetical: info
 # Turn off some built-in rules
 operation-description: false
 operation-singular-tag: false
-# Custom rules
+ # Custom rules
 # Descriptions
 avoid-problematic-words:
 description: Ban certain words from descriptions
- message: "Use appropriate replacements for problematic terms"
+ message: 'Use appropriate replacements for problematic terms'
 severity: warn
- given: "$..*.description"
+ given: '$..*.description'
 then:
 function: pattern
 functionOptions:
 notMatch: /(blacklist|whitelist|execute|kill)/i
 # Examples
 operation-success-examples:
- formats: ["oas3_1"]
+ formats: ['oas3_1']
 description: Response code 200 should have at least one example.
- message: "Each response body should have a realistic example. It must not contain any sensitive or confidential data."
+ message: 'Each response body should have a realistic example. It must not contain any sensitive or confidential data.'
 severity: info
 given: $.paths[*][*].responses.[200].content.[application/json]
 then:
@@ -55,7 +57,7 @@ rules:
 # Extensions
 internal-extension:
 description: Operations should not have x-internal extension.
- message: "Do not publish x-internal operations"
+ message: 'Do not publish x-internal operations'
 severity: error
 given: $.paths[*][*]
 then:
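Review bot: `no-$ref-siblings: off` disables a rule with the `off` severity keyword, while every other disabled built-in rule in this file uses `false` (`array-items: false`, `operation-description: false`, `operation-singular-tag: false` in the same hunk); Spectral accepts both, but one form is easier to grep and reason about, so `no-$ref-siblings: false` would match the file. The comment above the new line explains why the rule is off, which is good; it could also state the trade-off that OpenAPI 3.0 consumers other than Bump.sh may ignore keywords placed next to `$ref`, so a description written there may not be visible everywhere the bundle is rendered. This is a documentation and consistency point only, not a behavioural defect.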
@@ -64,16 +66,16 @@ rules:
 # Operations
 operation-summary:
 description: Operations should have summaries.
- message: "Each operation should have a summary"
+ message: 'Each operation should have a summary'
 severity: error
 recommended: true
 given: $.paths[*][*]
 then:
 field: summary
- function: defined
+ function: defined
 operation-summary-length:
 description: Operation summary should be between 5 and 45 characters
- given: "$.paths[*][*]"
+ given: '$.paths[*][*]'
 then:
 field: summary
 function: length
@@ -83,14 +85,14 @@ rules:
 severity: warn
 simple-verbs-in-summary:
 given:
- - "$.paths[*][*].summary"
+ - '$.paths[*][*].summary'
 then:
 function: pattern
 functionOptions:
- notMatch: "Retrieve|Return|List *"
+ notMatch: 'Retrieve|Return|List *'
 severity: warn
 description: Summaries should use common verbs.
- message: "Summaries should use common verbs like Get, Update, Delete whenever possible"
+ message: 'Summaries should use common verbs like Get, Update, Delete whenever possible'
 # NOTE: This one hiccups on acronyms so perhaps too noisy
 # docs-operation-summary-sentence-case:
 # description: Operation summary should be sentence cased
@@ -101,4 +103,3 @@ rules:
 # functionOptions:
 # match: /^[A-Z]+[^A-Z]+$/
 # severity: warn
-
diff --git a/oas_docs/kibana.info.yaml b/oas_docs/kibana.info.yaml
index 0b6c2b2ea0fec..97766ed5f9b58 100644
--- a/oas_docs/kibana.info.yaml
+++ b/oas_docs/kibana.info.yaml
@@ -7,15 +7,15 @@ info: Each request that you make happens in isolation from other calls and must include all of the necessary information for Kibana to fulfill the request. API requests return JSON output, which is a format that is machine-readable and works well for automation. - + To interact with Kibana APIs, use the following operations: - + - GET: Fetches the information. - PATCH: Applies partial modifications to the existing information. - POST: Adds new information. - PUT: Updates the existing information. - DELETE: Removes the information. - + You can prepend any Kibana API endpoint with `kbn:` and run the request in **Dev Tools → Console**. For example: @@ -24,26 +24,26 @@ info: ``` For more information about the console, refer to [Run API requests](https://www.elastic.co/guide/en/kibana/current/console-kibana.html). - version: "1.0.2" + version: '1.0.2' license: name: Elastic License 2.0 url: https://www.elastic.co/licensing/elastic-license - contact: + contact: name: Kibana Team -# servers: -# - url: https://{kibana_url} -# variables: -# kibana_url: -# default: localhost:5601 -# security: -# - apiKeyAuth: [] -# components: -# securitySchemes: -# apiKeyAuth: -# type: apiKey -# in: header -# name: Authorization -# description: > -# These APIs use key-based authentication. -# You must create an API key and use the encoded value in the request header. -# For example: `Authorization: ApiKey base64AccessApiKey` \ No newline at end of file +servers: + - url: https://{kibana_url} + variables: + kibana_url: + default: localhost:5601 +security: + - apiKeyAuth: [] +components: + securitySchemes: + apiKeyAuth: + type: apiKey + in: header + name: Authorization + description: > + These APIs use key-based authentication. + You must create an API key and use the encoded value in the request header. + For example: `Authorization: ApiKey base64AccessApiKey` diff --git a/oas_docs/makefile b/oas_docs/makefile index 6943921b1c6fe..6e300734cdd17 100644 
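Review bot: The newly enabled `servers` entry fixes the scheme to `https://` while the `kibana_url` default is `localhost:5601`, so the documented default URL only works against a local instance that has TLS configured; a `description` on the variable would make that explicit for anyone using the bundle's try-it-out feature, e.g. `description: Kibana host and port, for example localhost:5601; the scheme is always https.`. The `apiKeyAuth` description tells readers to "use the encoded value" but not where that value comes from — presumably the `encoded` field returned when the key is created, as the APM agent key response in the bundled output of this commit shows for that endpoint; naming the source in the description would save readers a lookup. Uncommenting `security: - apiKeyAuth: []` makes the API key scheme the documented global requirement, which is the right default from a documentation standpoint, and the sample value `base64AccessApiKey` reads clearly as a placeholder.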
--- a/oas_docs/makefile +++ b/oas_docs/makefile @@ -14,7 +14,12 @@ # permission is obtained from Elasticsearch B.V. .PHONY: api-docs -api-docs: ## Generate kibana.serverless.yaml and kibana.yaml +api-docs: ## Generate Serverless and ESS Kibana OpenAPI bundles with kbn-openapi-bundler + @node scripts/merge_serverless_oas.js + @node scripts/merge_ess_oas.js + +.PHONY: api-docs-redocly +api-docs-redocly: ## Generate kibana.serverless.yaml and kibana.yaml with Redocly CLI @npx @redocly/cli join "kibana.info.serverless.yaml" "../x-pack/plugins/observability_solution/apm/docs/openapi/apm.yaml" "../x-pack/plugins/actions/docs/openapi/bundled_serverless.yaml" "../src/plugins/data_views/docs/openapi/bundled.yaml" "../x-pack/plugins/ml/common/openapi/ml_apis_serverless.yaml" "../packages/core/saved-objects/docs/openapi/bundled_serverless.yaml" "../x-pack/plugins/observability_solution/slo/docs/openapi/slo/bundled.yaml" "bundle.serverless.json" -o "output/kibana.serverless.yaml" --prefix-components-with-info-prop title @npx @redocly/cli join "kibana.info.yaml" "../x-pack/plugins/alerting/docs/openapi/bundled.yaml" "../x-pack/plugins/observability_solution/apm/docs/openapi/apm.yaml" "../x-pack/plugins/cases/docs/openapi/bundled.yaml" "../x-pack/plugins/actions/docs/openapi/bundled.yaml" "../src/plugins/data_views/docs/openapi/bundled.yaml" "../x-pack/plugins/ml/common/openapi/ml_apis.yaml" "../packages/core/saved-objects/docs/openapi/bundled.yaml" "bundle.json" -o "output/kibana.yaml" --prefix-components-with-info-prop title diff --git a/oas_docs/output/kibana.serverless.yaml b/oas_docs/output/kibana.serverless.yaml index 7629eb0319cbc..0626823f8739a 100644 --- a/oas_docs/output/kibana.serverless.yaml +++ b/oas_docs/output/kibana.serverless.yaml 
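Review bot: The new `api-docs` recipe runs `scripts/merge_serverless_oas.js` and `scripts/merge_ess_oas.js`, neither of which appears in this diff; the paths resolve relative to the directory make runs in, which matches the `cd oas_docs && make api-docs` invocation in final_merge.sh but would not work for `make -f oas_docs/makefile` from the repository root, so a comment on the target stating that it must run from `oas_docs` (or a `$(CURDIR)`-relative path) would prevent that mistake. The `##` help text no longer says which files the target writes, while the retained `api-docs-redocly` help still names `kibana.serverless.yaml` and `kibana.yaml`; if both targets write into `output/`, the help comments should say so, since running the second after the first would overwrite its output. The hunk header counts 7 old and 12 new lines, one more than is visible here, so a trailing line may have been lost in rendering.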
@@ -1,27 +1,20 @@ openapi: 3.0.3 info: - title: Kibana Serverless APIs + contact: + name: Kibana Team description: > - **Technical preview** - - This functionality is in technical preview and may be changed or removed in - a future release. - - Elastic will work to fix any issues, but features in technical preview are - not subject to the support SLA of official GA features. + The Kibana REST APIs enable you to manage resources such as connectors, data + views, and saved objects. + The API calls are stateless. - The Kibana REST APIs for Elastic serverless enable you to manage resources + Each request that you make happens in isolation from other calls and must + include all of the necessary information for Kibana to fulfill the - such as connectors, data views, and saved objects. The API calls are + request. - stateless. Each request that you make happens in isolation from other calls - - and must include all of the necessary information for Kibana to fulfill the - - request. API requests return JSON output, which is a format that is - - machine-readable and works well for automation. + API requests return JSON output, which is a format that is machine-readable + and works well for automation. To interact with Kibana APIs, use the following operations: @@ -29,6 +22,8 @@ info: - GET: Fetches the information. + - PATCH: Applies partial modifications to the existing information. + - POST: Adds new information. - PUT: Updates the existing information. @@ -37,8 +32,9 @@ info: You can prepend any Kibana API endpoint with `kbn:` and run the request in + **Dev Tools → Console**. - **Dev Tools → Console**. For example: + For example: ``` 
@@ -46,246 +42,30 @@ info: GET kbn:/api/data_views ``` - version: 1.0.2 + + + For more information about the console, refer to [Run API + requests](https://www.elastic.co/guide/en/kibana/current/console-kibana.html). license: name: Elastic License 2.0 - url: https://www.elastic.co/licensing/elastic-license - contact: - name: Kibana Team + url: 'https://www.elastic.co/licensing/elastic-license' + title: Kibana APIs + version: 1.0.2 servers: - - url: https://{kibanaUrl} - variables: - kibanaUrl: - default: localhost:5601 - - url: https://{kibana_url} + - url: 'https://{kibana_url}' variables: kibana_url: - default: localhost:5601 - - url: / - - url: http://localhost:5601 - description: local - - url: http://localhost:5622 -tags: - - name: APM agent keys - description: > - Configure APM agent keys to authorize requests from APM agents to the APM - Server. - x-displayName: APM agent keys - - name: APM annotations - description: > - Annotate visualizations in the APM app with significant events. - Annotations enable you to easily see how events are impacting the - performance of your applications. - x-displayName: APM annotations - - name: connectors - description: Connector APIs enable you to create and manage connectors. - x-displayName: connectors - - name: data views - description: >- - Data view APIs enable you to manage data views, formerly known as Kibana - index patterns. - x-displayName: data views - - name: ml - description: Machine learning - x-displayName: ml - - name: saved objects - description: >- - Manage Kibana saved objects, including dashboards, visualizations, and - more. - x-displayName: saved objects - - name: slo - description: SLO APIs enable you to define, manage and track service-level objectives - x-displayName: slo - - name: system - x-displayName: system + default: 'localhost:5601' paths: - /api/apm/agent_keys: - post: - summary: Create an APM agent key - description: Create a new agent key for APM. 
- operationId: createAgentKey - tags: - - APM agent keys - requestBody: - required: true - content: - application/json: - schema: - type: object - properties: - name: - type: string - privileges: - type: array - items: - type: string - enum: - - event:write - - config_agent:read - responses: - '200': - description: Agent key created successfully - content: - application/json: - schema: - type: object - properties: - api_key: - type: string - expiration: - type: integer - format: int64 - id: - type: string - name: - type: string - encoded: - type: string - /api/apm/services/{serviceName}/annotation/search: - get: - summary: Search for annotations - description: Search for annotations related to a specific service. - operationId: getAnnotation - tags: - - APM annotations - parameters: - - name: serviceName - in: path - required: true - description: The name of the service - schema: - type: string - - name: environment - in: query - required: false - description: The environment to filter annotations by - schema: - type: string - - name: start - in: query - required: false - description: The start date for the search - schema: - type: string - - name: end - in: query - required: false - description: The end date for the search - schema: - type: string - responses: - '200': - description: Successful response - content: - application/json: - schema: - type: object - properties: - annotations: - type: array - items: - type: object - properties: - type: - type: string - enum: - - version - id: - type: string - '@timestamp': - type: number - text: - type: string - /api/apm/services/{serviceName}/annotation: - post: - summary: Create a service annotation - description: Create a new annotation for a specific service. 
- operationId: createAnnotation - tags: - - APM annotations - parameters: - - name: serviceName - in: path - required: true - description: The name of the service - schema: - type: string - requestBody: - required: true - content: - application/json: - schema: - type: object - properties: - '@timestamp': - type: string - service: - type: object - properties: - version: - type: string - environment: - type: string - message: - type: string - tags: - type: array - items: - type: string - responses: - '200': - description: Annotation created successfully - content: - application/json: - schema: - type: object - properties: - _id: - type: string - _index: - type: string - _source: - type: object - properties: - annotation: - type: string - tags: - type: array - items: - type: string - message: - type: string - service: - type: object - properties: - name: - type: string - environment: - type: string - version: - type: string - event: - type: object - properties: - created: - type: string - '@timestamp': - type: string /api/actions/connector: post: - summary: Create a connector with a random ID - operationId: createConnector description: The connector identifier is randomly generated. - tags: - - connectors + operationId: createConnector parameters: - $ref: '#/components/parameters/Connectors_kbn_xsrf' requestBody: - required: true content: - application/json: - schema: - $ref: '#/components/schemas/Connectors_create_connector_request' + application/json; Elastic-Api-Version=2023-10-31: examples: createEmailConnectorRequest: $ref: >- 
@@ -299,13 +79,13 @@ paths: createXmattersConnectorRequest: $ref: >- #/components/examples/Connectors_create_xmatters_connector_request + schema: + $ref: '#/components/schemas/Connectors_create_connector_request' + required: true responses: '200': - description: Indicates a successful call. content: - application/json: - schema: - $ref: '#/components/schemas/Connectors_connector_response_properties' + application/json; Elastic-Api-Version=2023-10-31: examples: createEmailConnectorResponse: $ref: >- 
@@ -319,4130 +99,11255 @@ paths: createXmattersConnectorResponse: $ref: >- #/components/examples/Connectors_create_xmatters_connector_response - '401': - $ref: '#/components/responses/Connectors_401' - /api/actions/connector/{connectorId}: - get: - summary: Get a connector information - operationId: getConnector - tags: - - connectors - parameters: - - $ref: '#/components/parameters/Connectors_connector_id' - responses: - '200': - description: Indicates a successful call. - content: - application/json: schema: $ref: '#/components/schemas/Connectors_connector_response_properties' - examples: - getConnectorResponse: - $ref: '#/components/examples/Connectors_get_connector_response' - '401': - $ref: '#/components/responses/Connectors_401' - '404': - $ref: '#/components/responses/Connectors_404' - delete: - summary: Delete a connector - operationId: deleteConnector - tags: - - connectors - parameters: - - $ref: '#/components/parameters/Connectors_kbn_xsrf' - - $ref: '#/components/parameters/Connectors_connector_id' - responses: - '204': description: Indicates a successful call. '401': $ref: '#/components/responses/Connectors_401' - '404': - $ref: '#/components/responses/Connectors_404' - post: - summary: Create a connector - operationId: createConnectorId + summary: Create a connector with a random ID tags: - connectors + /api/actions/connector_types: + get: + operationId: getConnectorTypes parameters: - - $ref: '#/components/parameters/Connectors_kbn_xsrf' - - in: path - name: connectorId - description: > - A UUID v1 or v4 identifier for the connector. If you omit this - parameter, an identifier is randomly generated. - required: true + - description: >- + A filter to limit the retrieved connector types to those that + support a specific feature (such as alerting or cases). 
+ in: query + name: feature_id schema: - type: string - example: ac4e6b90-6be7-11eb-ba0d-9b1c1f912d74 - requestBody: - required: true - content: - application/json: - schema: - $ref: '#/components/schemas/Connectors_create_connector_request' - examples: - createIndexConnectorRequest: - $ref: >- - #/components/examples/Connectors_create_index_connector_request + $ref: '#/components/schemas/Connectors_features' responses: '200': - description: Indicates a successful call. content: - application/json: - schema: - $ref: '#/components/schemas/Connectors_connector_response_properties' + application/json; Elastic-Api-Version=2023-10-31: examples: - createIndexConnectorResponse: - $ref: >- - #/components/examples/Connectors_create_index_connector_response - '401': - $ref: '#/components/responses/Connectors_401' - put: - summary: Update a connector - operationId: updateConnector - tags: - - connectors - parameters: - - $ref: '#/components/parameters/Connectors_kbn_xsrf' - - $ref: '#/components/parameters/Connectors_connector_id' - requestBody: - required: true - content: - application/json: - schema: - $ref: '#/components/schemas/Connectors_update_connector_request' - examples: - updateIndexConnectorRequest: - $ref: >- - #/components/examples/Connectors_update_index_connector_request - responses: - '200': - description: Indicates a successful call. - content: - application/json: - schema: - $ref: '#/components/schemas/Connectors_connector_response_properties' - '400': - $ref: '#/components/responses/Connectors_401' - '401': - $ref: '#/components/responses/Connectors_401' - '404': - $ref: '#/components/responses/Connectors_404' - /api/actions/connectors: - get: - summary: Get all connectors - operationId: getConnectors - tags: - - connectors - responses: - '200': - description: Indicates a successful call. 
- content: - application/json: - schema: - type: array - items: + getConnectorTypesServerlessResponse: $ref: >- - #/components/schemas/Connectors_connector_response_properties - examples: - getConnectorsResponse: - $ref: '#/components/examples/Connectors_get_connectors_response' - '401': - $ref: '#/components/responses/Connectors_401' - /api/actions/connector_types: - get: - summary: Get all connector types - operationId: getConnectorTypes - tags: - - connectors - parameters: - - in: query - name: feature_id - description: >- - A filter to limit the retrieved connector types to those that - support a specific feature (such as alerting or cases). - schema: - $ref: '#/components/schemas/Connectors_features' - responses: - '200': - description: Indicates a successful call. - content: - application/json: + #/components/examples/Connectors_get_connector_types_generativeai_response schema: - title: Get connector types response body properties description: The properties vary for each connector type. - type: array items: type: object properties: enabled: - type: boolean description: >- Indicates whether the connector type is enabled in Kibana. example: true - enabled_in_config: type: boolean + enabled_in_config: description: >- Indicates whether the connector type is enabled in the Kibana configuration file. example: true - enabled_in_license: type: boolean + enabled_in_license: description: >- Indicates whether the connector is enabled in the license. example: true + type: boolean id: $ref: '#/components/schemas/Connectors_connector_types' is_system_action_type: - type: boolean example: false + type: boolean minimum_license_required: - type: string description: The license that is required to use the connector type. example: basic - name: type: string + name: description: The name of the connector type. example: Index + type: string supported_feature_ids: - type: array description: The features that are supported by the connector type. 
- items: - $ref: '#/components/schemas/Connectors_features' example: - alerting - cases - siem - examples: - getConnectorTypesServerlessResponse: - $ref: >- - #/components/examples/Connectors_get_connector_types_generativeai_response + items: + $ref: '#/components/schemas/Connectors_features' + type: array + title: Get connector types response body properties + type: array + description: Indicates a successful call. '401': $ref: '#/components/responses/Connectors_401' - /api/data_views: - get: - summary: Get all data views - operationId: getAllDataViewsDefault + summary: Get all connector types tags: - - data views + - connectors + '/api/actions/connector/{connectorId}': + delete: + operationId: deleteConnector + parameters: + - $ref: '#/components/parameters/Connectors_kbn_xsrf' + - $ref: '#/components/parameters/Connectors_connector_id' responses: - '200': + '204': description: Indicates a successful call. + '401': + $ref: '#/components/responses/Connectors_401' + '404': + $ref: '#/components/responses/Connectors_404' + summary: Delete a connector + tags: + - connectors + get: + operationId: getConnector + parameters: + - $ref: '#/components/parameters/Connectors_connector_id' + responses: + '200': content: - application/json: - schema: - type: object - properties: - data_view: - type: array - items: - type: object - properties: - id: - type: string - name: - type: string - namespaces: - type: array - items: - type: string - title: - type: string - typeMeta: - type: object + application/json; Elastic-Api-Version=2023-10-31: examples: - getAllDataViewsResponse: - $ref: '#/components/examples/Data_views_get_data_views_response' - '400': - description: Bad request - content: - application/json: + getConnectorResponse: + $ref: '#/components/examples/Connectors_get_connector_response' schema: - $ref: '#/components/schemas/Data_views_400_response' - /api/data_views/data_view: - post: - summary: Create a data view - operationId: createDataViewDefaultw + $ref: 
'#/components/schemas/Connectors_connector_response_properties' + description: Indicates a successful call. + '401': + $ref: '#/components/responses/Connectors_401' + '404': + $ref: '#/components/responses/Connectors_404' + summary: Get a connector information tags: - - data views + - connectors + post: + operationId: createConnectorId parameters: - - $ref: '#/components/parameters/Data_views_kbn_xsrf' + - $ref: '#/components/parameters/Connectors_kbn_xsrf' + - description: > + A UUID v1 or v4 identifier for the connector. If you omit this + parameter, an identifier is randomly generated. + in: path + name: connectorId + required: true + schema: + example: ac4e6b90-6be7-11eb-ba0d-9b1c1f912d74 + type: string requestBody: - required: true content: - application/json: - schema: - $ref: '#/components/schemas/Data_views_create_data_view_request_object' + application/json; Elastic-Api-Version=2023-10-31: examples: - createDataViewRequest: - $ref: '#/components/examples/Data_views_create_data_view_request' + createIndexConnectorRequest: + $ref: >- + #/components/examples/Connectors_create_index_connector_request + schema: + $ref: '#/components/schemas/Connectors_create_connector_request' + required: true responses: '200': - description: Indicates a successful call. - content: - application/json: - schema: - $ref: '#/components/schemas/Data_views_data_view_response_object' - '400': - description: Bad request content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: + examples: + createIndexConnectorResponse: + $ref: >- + #/components/examples/Connectors_create_index_connector_response schema: - $ref: '#/components/schemas/Data_views_400_response' - /api/data_views/data_view/{viewId}: - get: - summary: Get a data view - operationId: getDataViewDefault + $ref: '#/components/schemas/Connectors_connector_response_properties' + description: Indicates a successful call. 
+ '401': + $ref: '#/components/responses/Connectors_401' + summary: Create a connector tags: - - data views + - connectors + put: + operationId: updateConnector parameters: - - $ref: '#/components/parameters/Data_views_view_id' + - $ref: '#/components/parameters/Connectors_kbn_xsrf' + - $ref: '#/components/parameters/Connectors_connector_id' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + examples: + updateIndexConnectorRequest: + $ref: >- + #/components/examples/Connectors_update_index_connector_request + schema: + $ref: '#/components/schemas/Connectors_update_connector_request' + required: true responses: '200': - description: Indicates a successful call. content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Data_views_data_view_response_object' - examples: - getDataViewResponse: - $ref: '#/components/examples/Data_views_get_data_view_response' + $ref: '#/components/schemas/Connectors_connector_response_properties' + description: Indicates a successful call. + '400': + $ref: '#/components/responses/Connectors_401' + '401': + $ref: '#/components/responses/Connectors_401' '404': - description: Object is not found. - content: - application/json: - schema: - $ref: '#/components/schemas/Data_views_404_response' - delete: - summary: Delete a data view - operationId: deleteDataViewDefault - description: | - WARNING: When you delete a data view, it cannot be recovered. + $ref: '#/components/responses/Connectors_404' + summary: Update a connector tags: - - data views - parameters: - - $ref: '#/components/parameters/Data_views_kbn_xsrf' - - $ref: '#/components/parameters/Data_views_view_id' - responses: - '204': - description: Indicates a successful call. - '404': - description: Object is not found. 
- content: - application/json: - schema: - $ref: '#/components/schemas/Data_views_404_response' - post: - summary: Update a data view - operationId: updateDataViewDefault - tags: - - data views - parameters: - - $ref: '#/components/parameters/Data_views_kbn_xsrf' - - $ref: '#/components/parameters/Data_views_view_id' - requestBody: - required: true - content: - application/json: - schema: - $ref: '#/components/schemas/Data_views_update_data_view_request_object' - examples: - updateDataViewRequest: - $ref: '#/components/examples/Data_views_update_data_view_request' + - connectors + /api/actions/connectors: + get: + operationId: getConnectors responses: '200': - description: Indicates a successful call. content: - application/json: - schema: - $ref: '#/components/schemas/Data_views_data_view_response_object' - '400': - description: Bad request - content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: + examples: + getConnectorsResponse: + $ref: '#/components/examples/Connectors_get_connectors_response' schema: - $ref: '#/components/schemas/Data_views_400_response' - /api/data_views/data_view/{viewId}/fields: - post: - summary: Update data view fields metadata - operationId: updateFieldsMetadataDefault - description: > - Update fields presentation metadata such as count, customLabel, - customDescription, and format. - tags: - - data views - parameters: - - $ref: '#/components/parameters/Data_views_kbn_xsrf' - - $ref: '#/components/parameters/Data_views_view_id' - requestBody: - required: true - content: - application/json: - schema: - type: object - required: - - fields - properties: - fields: - description: The field object. - type: object - examples: - updateFieldsMetadataRequest: - $ref: '#/components/examples/Data_views_update_field_metadata_request' - responses: - '200': + items: + $ref: >- + #/components/schemas/Connectors_connector_response_properties + type: array description: Indicates a successful call. 
- content: - application/json: - schema: - type: object - properties: - acknowledged: - type: boolean - '400': - description: Bad request - content: - application/json: - schema: - $ref: '#/components/schemas/Data_views_400_response' - /api/data_views/data_view/{viewId}/runtime_field: - post: - summary: Create a runtime field - operationId: createRuntimeFieldDefault + '401': + $ref: '#/components/responses/Connectors_401' + summary: Get all connectors tags: - - data views - parameters: - - $ref: '#/components/parameters/Data_views_kbn_xsrf' - - $ref: '#/components/parameters/Data_views_view_id' + - connectors + /api/apm/agent_keys: + post: + description: Create a new agent key for APM. + operationId: createAgentKey requestBody: - required: true content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: type: object - required: - - name - - runtimeField properties: name: type: string - description: | - The name for a runtime field. - runtimeField: - type: object - description: | - The runtime field definition object. - examples: - createRuntimeFieldRequest: - $ref: '#/components/examples/Data_views_create_runtime_field_request' + privileges: + items: + enum: + - 'event:write' + - 'config_agent:read' + type: string + type: array + required: true responses: '200': - description: Indicates a successful call. content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: type: object - put: - summary: Create or update a runtime field - operationId: createUpdateRuntimeFieldDefault + properties: + api_key: + type: string + encoded: + type: string + expiration: + format: int64 + type: integer + id: + type: string + name: + type: string + description: Agent key created successfully + summary: Create an APM agent key tags: - - data views + - APM agent keys + '/api/apm/services/{serviceName}/annotation': + post: + description: Create a new annotation for a specific service. 
+ operationId: createAnnotation parameters: - - $ref: '#/components/parameters/Data_views_kbn_xsrf' - - name: viewId + - description: The name of the service in: path - description: | - The ID of the data view fields you want to update. + name: serviceName required: true schema: type: string requestBody: - required: true content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: type: object - required: - - name - - runtimeField properties: - name: + '@timestamp': type: string - description: | - The name for a runtime field. - runtimeField: + message: + type: string + service: type: object - description: | - The runtime field definition object. - examples: - updateRuntimeFieldRequest: - $ref: '#/components/examples/Data_views_create_runtime_field_request' + properties: + environment: + type: string + version: + type: string + tags: + items: + type: string + type: array + required: true responses: '200': - description: Indicates a successful call. content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: type: object properties: - data_view: + _id: + type: string + _index: + type: string + _source: type: object - fields: - type: array - items: - type: object - '400': - description: Bad request - content: - application/json: - schema: - $ref: '#/components/schemas/Data_views_400_response' - /api/data_views/data_view/{viewId}/runtime_field/{fieldName}: - get: - summary: Get a runtime field - operationId: getRuntimeFieldDefault + properties: + '@timestamp': + type: string + annotation: + type: string + event: + type: object + properties: + created: + type: string + message: + type: string + service: + type: object + properties: + environment: + type: string + name: + type: string + version: + type: string + tags: + items: + type: string + type: array + description: Annotation created successfully + summary: Create a service annotation tags: - - data views + - APM annotations + 
'/api/apm/services/{serviceName}/annotation/search': + get: + description: Search for annotations related to a specific service. + operationId: getAnnotation parameters: - - $ref: '#/components/parameters/Data_views_field_name' - - $ref: '#/components/parameters/Data_views_view_id' + - description: The name of the service + in: path + name: serviceName + required: true + schema: + type: string + - description: The environment to filter annotations by + in: query + name: environment + required: false + schema: + type: string + - description: The start date for the search + in: query + name: start + required: false + schema: + type: string + - description: The end date for the search + in: query + name: end + required: false + schema: + type: string responses: '200': - description: Indicates a successful call. content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: type: object properties: - data_view: - type: object - fields: - type: array + annotations: items: type: object - examples: - getRuntimeFieldResponse: - $ref: '#/components/examples/Data_views_get_runtime_field_response' - '404': - description: Object is not found. - content: - application/json: - schema: - $ref: '#/components/schemas/Data_views_404_response' - delete: - summary: Delete a runtime field from a data view - operationId: deleteRuntimeFieldDefault + properties: + '@timestamp': + type: number + id: + type: string + text: + type: string + type: + enum: + - version + type: string + type: array + description: Successful response + summary: Search for annotations tags: - - data views + - APM annotations + /api/asset_criticality: + delete: + operationId: DeleteAssetCriticalityRecord parameters: - - $ref: '#/components/parameters/Data_views_field_name' - - $ref: '#/components/parameters/Data_views_view_id' + - description: The ID value of the asset. + in: query + name: id_value + required: true + schema: + type: string + - description: The field representing the ID. 
+ example: host.name + in: query + name: id_field + required: true + schema: + $ref: >- + #/components/schemas/Security_Solution_Entity_Analytics_API_IdField + - description: If 'wait_for' the request will wait for the index refresh. + in: query + name: refresh + required: false + schema: + enum: + - wait_for + type: string responses: '200': - description: Indicates a successful call. - '404': - description: Object is not found. content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Data_views_404_response' - post: - summary: Update a runtime field - operationId: updateRuntimeFieldDefault + type: object + properties: + deleted: + description: >- + If the record was deleted. If false the record did not + exist. + type: boolean + record: + $ref: >- + #/components/schemas/Security_Solution_Entity_Analytics_API_AssetCriticalityRecord + required: + - deleted + description: Successful response + '400': + description: Invalid request + summary: Delete Criticality Record tags: - - data views + - Security Solution Entity Analytics API + get: + operationId: GetAssetCriticalityRecord parameters: - - $ref: '#/components/parameters/Data_views_field_name' - - $ref: '#/components/parameters/Data_views_view_id' + - description: The ID value of the asset. + in: query + name: id_value + required: true + schema: + type: string + - description: The field representing the ID. 
+ example: host.name + in: query + name: id_field + required: true + schema: + $ref: >- + #/components/schemas/Security_Solution_Entity_Analytics_API_IdField + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Entity_Analytics_API_AssetCriticalityRecord + description: Successful response + '400': + description: Invalid request + '404': + description: Criticality record not found + summary: Get Criticality Record + tags: + - Security Solution Entity Analytics API + post: + operationId: CreateAssetCriticalityRecord requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + allOf: + - $ref: >- + #/components/schemas/Security_Solution_Entity_Analytics_API_CreateAssetCriticalityRecord + - type: object + properties: + refresh: + description: >- + If 'wait_for' the request will wait for the index + refresh. + enum: + - wait_for + type: string required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Entity_Analytics_API_AssetCriticalityRecord + description: Successful response + '400': + description: Invalid request + summary: Create Criticality Record + tags: + - Security Solution Entity Analytics API + /api/asset_criticality/bulk: + post: + operationId: BulkUpsertAssetCriticalityRecords + requestBody: content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: + example: + records: + - criticality_level: low_impact + id_field: host.name + id_value: host-1 + - criticality_level: medium_impact + id_field: host.name + id_value: host-2 type: object - required: - - runtimeField properties: - runtimeField: - type: object - description: | - The runtime field definition object. 
- - You can update following fields: - - - `type` - - `script` - examples: - updateRuntimeFieldRequest: - $ref: '#/components/examples/Data_views_update_runtime_field_request' + records: + items: + $ref: >- + #/components/schemas/Security_Solution_Entity_Analytics_API_CreateAssetCriticalityRecord + maxItems: 1000 + minItems: 1 + type: array + required: + - records responses: '200': - description: Indicates a successful call. - '400': - description: Bad request content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Data_views_400_response' - /api/data_views/default: - get: - summary: Get the default data view - operationId: getDefaultDataViewDefault + example: + errors: + - index: 0 + message: Invalid ID field + stats: + failed: 1 + successful: 1 + total: 2 + type: object + properties: + errors: + items: + $ref: >- + #/components/schemas/Security_Solution_Entity_Analytics_API_AssetCriticalityBulkUploadErrorItem + type: array + stats: + $ref: >- + #/components/schemas/Security_Solution_Entity_Analytics_API_AssetCriticalityBulkUploadStats + required: + - errors + - stats + description: Bulk upload successful + '413': + description: File too large + summary: >- + Bulk upsert asset criticality data, creating or updating records as + needed tags: - - data views + - Security Solution Entity Analytics API + /api/asset_criticality/list: + post: + operationId: FindAssetCriticalityRecords + parameters: + - description: The field to sort by. + in: query + name: sort_field + required: false + schema: + enum: + - id_value + - id_field + - criticality_level + - \@timestamp + type: string + - description: The order to sort by. + in: query + name: sort_direction + required: false + schema: + enum: + - asc + - desc + type: string + - description: The page number to return. + in: query + name: page + required: false + schema: + minimum: 1 + type: integer + - description: The number of records to return per page. 
+ in: query + name: per_page + required: false + schema: + maximum: 1000 + minimum: 1 + type: integer + - description: The kuery to filter by. + in: query + name: kuery + required: false + schema: + type: string responses: '200': - description: Indicates a successful call. content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: type: object properties: - data_view_id: - type: string + page: + minimum: 1 + type: integer + per_page: + maximum: 1000 + minimum: 1 + type: integer + records: + items: + $ref: >- + #/components/schemas/Security_Solution_Entity_Analytics_API_AssetCriticalityRecord + type: array + total: + minimum: 0 + type: integer + required: + - records + - page + - per_page + - total + description: Bulk upload successful + summary: 'List asset criticality data, filtering and sorting as needed' + tags: + - Security Solution Entity Analytics API + /api/data_views: + get: + operationId: getAllDataViewsDefault + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: examples: - getDefaultDataViewResponse: - $ref: >- - #/components/examples/Data_views_get_default_data_view_response + getAllDataViewsResponse: + $ref: '#/components/examples/Data_views_get_data_views_response' + schema: + type: object + properties: + data_view: + items: + type: object + properties: + id: + type: string + name: + type: string + namespaces: + items: + type: string + type: array + title: + type: string + typeMeta: + type: object + type: array + description: Indicates a successful call. 
'400': - description: Bad request content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: $ref: '#/components/schemas/Data_views_400_response' - post: - summary: Set the default data view - operationId: setDefaultDatailViewDefault + description: Bad request + summary: Get all data views tags: - data views + /api/data_views/data_view: + post: + operationId: createDataViewDefaultw parameters: - $ref: '#/components/parameters/Data_views_kbn_xsrf' requestBody: - required: true content: - application/json: - schema: - type: object - required: - - data_view_id - properties: - data_view_id: - type: string - nullable: true - description: > - The data view identifier. NOTE: The API does not validate - whether it is a valid identifier. Use `null` to unset the - default data view. - force: - type: boolean - description: Update an existing default data view identifier. - default: false + application/json; Elastic-Api-Version=2023-10-31: examples: - setDefaultDataViewRequest: - $ref: '#/components/examples/Data_views_set_default_data_view_request' + createDataViewRequest: + $ref: '#/components/examples/Data_views_create_data_view_request' + schema: + $ref: '#/components/schemas/Data_views_create_data_view_request_object' + required: true responses: '200': - description: Indicates a successful call. content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - acknowledged: - type: boolean + $ref: '#/components/schemas/Data_views_data_view_response_object' + description: Indicates a successful call. '400': - description: Bad request content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: $ref: '#/components/schemas/Data_views_400_response' - /api/data_views/swap_references: - post: - summary: Swap saved object references - operationId: swapDataViewsDefault - description: > - Changes saved object references from one data view identifier to - another. 
WARNING: Misuse can break large numbers of saved objects! - Practicing with a backup is recommended. + description: Bad request + summary: Create a data view tags: - data views + '/api/data_views/data_view/{viewId}': + delete: + description: | + WARNING: When you delete a data view, it cannot be recovered. + operationId: deleteDataViewDefault parameters: - $ref: '#/components/parameters/Data_views_kbn_xsrf' - requestBody: - required: true - content: - application/json: - schema: - $ref: '#/components/schemas/Data_views_swap_data_view_request_object' - examples: - swapDataViewRequest: - $ref: '#/components/examples/Data_views_swap_data_view_request' + - $ref: '#/components/parameters/Data_views_view_id' responses: - '200': + '204': description: Indicates a successful call. + '404': content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - deleteStatus: - type: object - properties: - deletePerformed: - type: boolean - remainingRefs: - type: integer - result: - type: array - items: - type: object - properties: - id: - type: string - description: A saved object identifier. - type: - type: string - description: The saved object type. - /api/data_views/swap_references/_preview: - post: - summary: Preview a saved object reference swap - operationId: previewSwapDataViewsDefault - description: > - Preview the impact of swapping saved object references from one data - view identifier to another. + $ref: '#/components/schemas/Data_views_404_response' + description: Object is not found. 
+ summary: Delete a data view tags: - data views + get: + operationId: getDataViewDefault parameters: - - $ref: '#/components/parameters/Data_views_kbn_xsrf' - requestBody: - required: true - content: - application/json: - schema: - $ref: '#/components/schemas/Data_views_swap_data_view_request_object' - examples: - previewSwapDataViewRequest: - $ref: >- - #/components/examples/Data_views_preview_swap_data_view_request + - $ref: '#/components/parameters/Data_views_view_id' responses: '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + examples: + getDataViewResponse: + $ref: '#/components/examples/Data_views_get_data_view_response' + schema: + $ref: '#/components/schemas/Data_views_data_view_response_object' description: Indicates a successful call. + '404': content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - result: - type: array - items: - type: object - properties: - id: - type: string - description: A saved object identifier. - type: - type: string - description: The saved object type. - /api/ml/saved_objects/sync: - get: - summary: Sync machine learning saved objects - description: > - Synchronizes Kibana saved objects for machine learning jobs and trained - models. This API runs automatically when you start Kibana and - periodically thereafter. - operationId: mlSync + $ref: '#/components/schemas/Data_views_404_response' + description: Object is not found. 
+ summary: Get a data view tags: - - ml + - data views + post: + operationId: updateDataViewDefault parameters: - - $ref: '#/components/parameters/Machine_learning_APIs_simulateParam' + - $ref: '#/components/parameters/Data_views_kbn_xsrf' + - $ref: '#/components/parameters/Data_views_view_id' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + examples: + updateDataViewRequest: + $ref: '#/components/examples/Data_views_update_data_view_request' + schema: + $ref: '#/components/schemas/Data_views_update_data_view_request_object' + required: true responses: '200': - description: Indicates a successful call content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Machine_learning_APIs_mlSync200Response' - examples: - syncExample: - $ref: '#/components/examples/Machine_learning_APIs_mlSyncExample' - '401': - description: Authorization information is missing or invalid. + $ref: '#/components/schemas/Data_views_data_view_response_object' + description: Indicates a successful call. + '400': content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Machine_learning_APIs_mlSync4xxResponse' - /api/saved_objects/_export: + $ref: '#/components/schemas/Data_views_400_response' + description: Bad request + summary: Update a data view + tags: + - data views + '/api/data_views/data_view/{viewId}/fields': post: - summary: Export saved objects - operationId: exportSavedObjectsDefault description: > - Retrieve sets of saved objects that you want to import into Kibana. - - You must include `type` or `objects` in the request body. - - - Exported saved objects are not backwards compatible and cannot be - imported into an older version of Kibana. - - - NOTE: The `savedObjects.maxImportExportSize` configuration setting - limits the number of saved objects which may be exported. 
- - - This functionality is in technical preview and may be changed or removed - in a future release. Elastic will work to fix any issues, but features - in technical preview are not subject to the support SLA of official GA - features. - tags: - - saved objects + Update fields presentation metadata such as count, customLabel, + customDescription, and format. + operationId: updateFieldsMetadataDefault parameters: - - $ref: '#/components/parameters/Serverless_saved_objects_kbn_xsrf' + - $ref: '#/components/parameters/Data_views_kbn_xsrf' + - $ref: '#/components/parameters/Data_views_view_id' requestBody: - required: true content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: + examples: + updateFieldsMetadataRequest: + $ref: '#/components/examples/Data_views_update_field_metadata_request' schema: type: object properties: - excludeExportDetails: - description: Do not add export details entry at the end of the stream. - type: boolean - default: false - includeReferencesDeep: - description: >- - Includes all of the referenced objects in the exported - objects. - type: boolean - objects: - description: A list of objects to export. - type: array - items: - type: object - type: - description: >- - The saved object types to include in the export. Use `*` to - export all the types. - oneOf: - - type: string - - type: array - items: - type: string - examples: - exportSavedObjectsRequest: - $ref: >- - #/components/examples/Serverless_saved_objects_export_objects_request + fields: + description: The field object. + type: object + required: + - fields + required: true responses: '200': - description: Indicates a successful call. 
content: - application/x-ndjson: + application/json; Elastic-Api-Version=2023-10-31: schema: type: object - additionalProperties: true - examples: - exportSavedObjectsResponse: - $ref: >- - #/components/examples/Serverless_saved_objects_export_objects_response + properties: + acknowledged: + type: boolean + description: Indicates a successful call. '400': - description: Bad request. content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Serverless_saved_objects_400_response' - /api/saved_objects/_import: + $ref: '#/components/schemas/Data_views_400_response' + description: Bad request + summary: Update data view fields metadata + tags: + - data views + '/api/data_views/data_view/{viewId}/runtime_field': post: - summary: Import saved objects - operationId: importSavedObjectsDefault - description: > - Create sets of Kibana saved objects from a file created by the export - API. - - Saved objects can be imported only into the same version, a newer minor - on the same major, or the next major. Exported saved objects are not - backwards compatible and cannot be imported into an older version of - Kibana. - - - This functionality is in technical preview and may be changed or removed - in a future release. Elastic will work to fix any issues, but features - in technical preview are not subject to the support SLA of official GA - features. + operationId: createRuntimeFieldDefault + parameters: + - $ref: '#/components/parameters/Data_views_kbn_xsrf' + - $ref: '#/components/parameters/Data_views_view_id' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + examples: + createRuntimeFieldRequest: + $ref: '#/components/examples/Data_views_create_runtime_field_request' + schema: + type: object + properties: + name: + description: | + The name for a runtime field. + type: string + runtimeField: + description: | + The runtime field definition object. 
+ type: object + required: + - name + - runtimeField + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + description: Indicates a successful call. + summary: Create a runtime field tags: - - saved objects + - data views + put: + operationId: createUpdateRuntimeFieldDefault parameters: - - $ref: '#/components/parameters/Serverless_saved_objects_kbn_xsrf' - - in: query - name: createNewCopies - schema: - type: boolean - required: false - description: > - Creates copies of saved objects, regenerates each object ID, and - resets the origin. When used, potential conflict errors are avoided. - NOTE: This option cannot be used with the `overwrite` and - `compatibilityMode` options. - - in: query - name: overwrite - schema: - type: boolean - required: false - description: > - Overwrites saved objects when they already exist. When used, - potential conflict errors are automatically resolved by overwriting - the destination object. NOTE: This option cannot be used with the - `createNewCopies` option. - - in: query - name: compatibilityMode + - $ref: '#/components/parameters/Data_views_kbn_xsrf' + - description: | + The ID of the data view fields you want to update. + in: path + name: viewId + required: true schema: - type: boolean - required: false - description: > - Applies various adjustments to the saved objects that are being - imported to maintain compatibility between different Kibana - versions. Use this option only if you encounter issues with imported - saved objects. NOTE: This option cannot be used with the - `createNewCopies` option. + type: string requestBody: - required: true content: - multipart/form-data: + application/json; Elastic-Api-Version=2023-10-31: + examples: + updateRuntimeFieldRequest: + $ref: '#/components/examples/Data_views_create_runtime_field_request' schema: type: object properties: - file: - description: > - A file exported using the export API. 
NOTE: The - `savedObjects.maxImportExportSize` configuration setting - limits the number of saved objects which may be included in - this file. Similarly, the - `savedObjects.maxImportPayloadBytes` setting limits the - overall size of the file that can be imported. - examples: - importObjectsRequest: - $ref: >- - #/components/examples/Serverless_saved_objects_import_objects_request + name: + description: | + The name for a runtime field. + type: string + runtimeField: + description: | + The runtime field definition object. + type: object + required: + - name + - runtimeField + required: true responses: '200': - description: Indicates a successful call. content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: type: object properties: - success: - type: boolean - description: > - Indicates when the import was successfully completed. When - set to false, some objects may not have been created. For - additional information, refer to the `errors` and - `successResults` properties. - successCount: - type: integer - description: Indicates the number of successfully imported records. - errors: - type: array + data_view: + type: object + fields: items: type: object - description: > - Indicates the import was unsuccessful and specifies the - objects that failed to import. - - - NOTE: One object may result in multiple errors, which - requires separate steps to resolve. For instance, a - `missing_references` error and conflict error. - successResults: type: array + description: Indicates a successful call. 
+ '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Data_views_400_response' + description: Bad request + summary: Create or update a runtime field + tags: + - data views + '/api/data_views/data_view/{viewId}/runtime_field/{fieldName}': + delete: + operationId: deleteRuntimeFieldDefault + parameters: + - $ref: '#/components/parameters/Data_views_field_name' + - $ref: '#/components/parameters/Data_views_view_id' + responses: + '200': + description: Indicates a successful call. + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Data_views_404_response' + description: Object is not found. + summary: Delete a runtime field from a data view + tags: + - data views + get: + operationId: getRuntimeFieldDefault + parameters: + - $ref: '#/components/parameters/Data_views_field_name' + - $ref: '#/components/parameters/Data_views_view_id' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + examples: + getRuntimeFieldResponse: + $ref: '#/components/examples/Data_views_get_runtime_field_response' + schema: + type: object + properties: + data_view: + type: object + fields: items: type: object - description: > - Indicates the objects that are successfully imported, with - any metadata if applicable. + type: array + description: Indicates a successful call. + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Data_views_404_response' + description: Object is not found. 
+ summary: Get a runtime field + tags: + - data views + post: + operationId: updateRuntimeFieldDefault + parameters: + - $ref: '#/components/parameters/Data_views_field_name' + - $ref: '#/components/parameters/Data_views_view_id' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + examples: + updateRuntimeFieldRequest: + $ref: '#/components/examples/Data_views_update_runtime_field_request' + schema: + type: object + properties: + runtimeField: + description: | + The runtime field definition object. + You can update following fields: - NOTE: Objects are created only when all resolvable errors - are addressed, including conflicts and missing references. - If objects are created as new copies, each entry in the - `successResults` array includes a `destinationId` - attribute. + - `type` + - `script` + type: object + required: + - runtimeField + required: true + responses: + '200': + description: Indicates a successful call. + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Data_views_400_response' + description: Bad request + summary: Update a runtime field + tags: + - data views + /api/data_views/default: + get: + operationId: getDefaultDataViewDefault + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: examples: - importObjectsResponse: + getDefaultDataViewResponse: $ref: >- - #/components/examples/Serverless_saved_objects_import_objects_response + #/components/examples/Data_views_get_default_data_view_response + schema: + type: object + properties: + data_view_id: + type: string + description: Indicates a successful call. '400': - description: Bad request. 
content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Serverless_saved_objects_400_response' - /s/{spaceId}/api/observability/slos: - post: - summary: Create an SLO - operationId: createSloOp - description: > - You must have `all` privileges for the **SLOs** feature in the - **Observability** section of the Kibana feature privileges. + $ref: '#/components/schemas/Data_views_400_response' + description: Bad request + summary: Get the default data view tags: - - slo + - data views + post: + operationId: setDefaultDatailViewDefault parameters: - - $ref: '#/components/parameters/SLOs_kbn_xsrf' - - $ref: '#/components/parameters/SLOs_space_id' + - $ref: '#/components/parameters/Data_views_kbn_xsrf' requestBody: - required: true content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: + examples: + setDefaultDataViewRequest: + $ref: '#/components/examples/Data_views_set_default_data_view_request' schema: - $ref: '#/components/schemas/SLOs_create_slo_request' + type: object + properties: + data_view_id: + description: > + The data view identifier. NOTE: The API does not validate + whether it is a valid identifier. Use `null` to unset the + default data view. + nullable: true + type: string + force: + default: false + description: Update an existing default data view identifier. + type: boolean + required: + - data_view_id + required: true responses: '200': - description: Successful request content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/SLOs_create_slo_response' + type: object + properties: + acknowledged: + type: boolean + description: Indicates a successful call. 
'400': - description: Bad request content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/SLOs_400_response' - '401': - description: Unauthorized response - content: - application/json: - schema: - $ref: '#/components/schemas/SLOs_401_response' - '403': - description: Unauthorized response + $ref: '#/components/schemas/Data_views_400_response' + description: Bad request + summary: Set the default data view + tags: + - data views + /api/data_views/swap_references: + post: + description: > + Changes saved object references from one data view identifier to + another. WARNING: Misuse can break large numbers of saved objects! + Practicing with a backup is recommended. + operationId: swapDataViewsDefault + parameters: + - $ref: '#/components/parameters/Data_views_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + examples: + swapDataViewRequest: + $ref: '#/components/examples/Data_views_swap_data_view_request' + schema: + $ref: '#/components/schemas/Data_views_swap_data_view_request_object' + required: true + responses: + '200': content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/SLOs_403_response' - '409': - description: Conflict - The SLO id already exists + type: object + properties: + deleteStatus: + type: object + properties: + deletePerformed: + type: boolean + remainingRefs: + type: integer + result: + items: + type: object + properties: + id: + description: A saved object identifier. + type: string + type: + description: The saved object type. + type: string + type: array + description: Indicates a successful call. + summary: Swap saved object references + tags: + - data views + /api/data_views/swap_references/_preview: + post: + description: > + Preview the impact of swapping saved object references from one data + view identifier to another. 
+ operationId: previewSwapDataViewsDefault + parameters: + - $ref: '#/components/parameters/Data_views_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + examples: + previewSwapDataViewRequest: + $ref: >- + #/components/examples/Data_views_preview_swap_data_view_request + schema: + $ref: '#/components/schemas/Data_views_swap_data_view_request_object' + required: true + responses: + '200': content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/SLOs_409_response' - servers: - - url: https://localhost:5601 + type: object + properties: + result: + items: + type: object + properties: + id: + description: A saved object identifier. + type: string + type: + description: The saved object type. + type: string + type: array + description: Indicates a successful call. + summary: Preview a saved object reference swap + tags: + - data views + /api/detection_engine/privileges: get: - summary: Get a paginated list of SLOs - operationId: findSlosOp description: > - You must have the `read` privileges for the **SLOs** feature in the - **Observability** section of the Kibana feature privileges. + Retrieves whether or not the user is authenticated, and the user's + Kibana + + space and index privileges, which determine if the user can create an + + index for the Elastic Security alerts generated by + + detection engine rules. 
+ operationId: ReadPrivileges + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + has_encryption_key: + type: boolean + is_authenticated: + type: boolean + required: + - is_authenticated + - has_encryption_key + description: Successful response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_PlatformErrorResponse + description: Unsuccessful authentication response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SiemErrorResponse + description: Internal server error response + summary: Returns user privileges for the Kibana space tags: - - slo + - Security Solution Detections API + - Privileges API + /api/detection_engine/rules: + delete: + description: Delete a detection rule using the `rule_id` or `id` field. + operationId: DeleteRule parameters: - - $ref: '#/components/parameters/SLOs_kbn_xsrf' - - $ref: '#/components/parameters/SLOs_space_id' - - name: kqlQuery - in: query - description: A valid kql query to filter the SLO with - schema: - type: string - example: 'slo.name:latency* and slo.tags : "prod"' - - name: page - in: query - description: The page to use for pagination, must be greater or equal than 1 - schema: - type: integer - default: 1 - example: 1 - - name: perPage + - description: The rule's `id` value. in: query - description: Number of SLOs returned by page + name: id + required: false schema: - type: integer - default: 25 - maximum: 5000 - example: 25 - - name: sortBy + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleObjectId' + - description: The rule's `rule_id` value. 
in: query - description: Sort by field + name: rule_id + required: false schema: - type: string - enum: - - sli_value - - status - - error_budget_consumed - - error_budget_remaining - default: status - example: status - - name: sortDirection + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleResponse + description: Indicates a successful call. + summary: Delete a detection rule + tags: + - Security Solution Detections API + - Rules API + get: + description: Retrieve a detection rule using the `rule_id` or `id` field. + operationId: ReadRule + parameters: + - description: The rule's `id` value. in: query - description: Sort order + name: id + required: false schema: - type: string - enum: - - asc - - desc - default: asc - example: asc - - name: hideStale + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleObjectId' + - description: The rule's `rule_id` value. in: query - description: >- - Hide stale SLOs from the list as defined by stale SLO threshold in - SLO settings + name: rule_id + required: false schema: - type: boolean + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId responses: '200': - description: Successful request - content: - application/json: - schema: - $ref: '#/components/schemas/SLOs_find_slo_response' - '400': - description: Bad request content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/SLOs_400_response' - '401': - description: Unauthorized response + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleResponse + description: Indicates a successful call. 
+ summary: Retrieve a detection rule + tags: + - Security Solution Detections API + - Rules API + patch: + description: >- + Update specific fields of an existing detection rule using the `rule_id` + or `id` field. + operationId: PatchRule + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RulePatchProps + required: true + responses: + '200': content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/SLOs_401_response' - '403': - description: Unauthorized response + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleResponse + description: Indicates a successful call. + summary: Patch a detection rule + tags: + - Security Solution Detections API + - Rules API + post: + description: Create a new detection rule. + operationId: CreateRule + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleCreateProps + required: true + responses: + '200': content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/SLOs_403_response' - '404': - description: Not found response + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleResponse + description: Indicates a successful call. + summary: Create a detection rule + tags: + - Security Solution Detections API + - Rules API + put: + description: > + Update a detection rule using the `rule_id` or `id` field. The original + rule is replaced, and all unspecified fields are deleted. + + > info + + > You cannot modify the `id` or `rule_id` values. 
+ operationId: UpdateRule + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleUpdateProps + required: true + responses: + '200': content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/SLOs_404_response' - /s/{spaceId}/api/observability/slos/{sloId}: - get: - summary: Get an SLO - operationId: getSloOp - description: > - You must have the `read` privileges for the **SLOs** feature in the - **Observability** section of the Kibana feature privileges. + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleResponse + description: Indicates a successful call. + summary: Update a detection rule tags: - - slo + - Security Solution Detections API + - Rules API + /api/detection_engine/rules/_bulk_action: + post: + description: >- + Apply a bulk action, such as bulk edit, duplicate, or delete, to + multiple detection rules. The bulk action is applied to all rules that + match the query or to the rules listed by their IDs. + operationId: PerformRulesBulkAction parameters: - - $ref: '#/components/parameters/SLOs_kbn_xsrf' - - $ref: '#/components/parameters/SLOs_space_id' - - $ref: '#/components/parameters/SLOs_slo_id' - - name: instanceId + - description: Enables dry run mode for the request call. 
in: query - description: the specific instanceId used by the summary calculation + name: dry_run + required: false schema: - type: string - example: host-abcde + type: boolean + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_BulkDeleteRules + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_BulkDisableRules + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_BulkEnableRules + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_BulkExportRules + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_BulkDuplicateRules + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_BulkManualRuleRun + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_BulkEditRules responses: '200': - description: Successful request content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/SLOs_slo_with_summary_response' - '400': - description: Bad request - content: - application/json: - schema: - $ref: '#/components/schemas/SLOs_400_response' - '401': - description: Unauthorized response + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_BulkEditActionResponse + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_BulkExportActionResponse + description: OK + summary: Apply a bulk action to detection rules + tags: + - Security Solution Detections API + - Bulk API + /api/detection_engine/rules/_export: + post: + description: > + Export detection rules to an `.ndjson` file. The following configuration + items are also included in the `.ndjson` file: + + - Actions + + - Exception lists + + > info + + > You cannot export prebuilt rules. + operationId: ExportRules + parameters: + - description: Determines whether a summary of the exported rules is returned. 
+ in: query + name: exclude_export_details + required: false + schema: + default: false + type: boolean + - description: File name for saving the exported rules. + in: query + name: file_name + required: false + schema: + default: export.ndjson + type: string + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + nullable: true + type: object + properties: + objects: + description: >- + Array of `rule_id` fields. Exports all rules when + unspecified. + items: + type: object + properties: + rule_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + required: + - rule_id + type: array + required: + - objects + required: false + responses: + '200': content: - application/json: + application/ndjson; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/SLOs_401_response' - '403': - description: Unauthorized response + description: An `.ndjson` file containing the returned rules. + format: binary + type: string + description: Indicates a successful call. + summary: Export detection rules + tags: + - Security Solution Detections API + - Import/Export API + /api/detection_engine/rules/_find: + get: + description: >- + Retrieve a paginated list of detection rules. By default, the first page + is returned, with 20 results per page. 
+ operationId: FindRules + parameters: + - in: query + name: fields + required: false + schema: + items: + type: string + type: array + - description: Search query + in: query + name: filter + required: false + schema: + type: string + - description: Field to sort by + in: query + name: sort_field + required: false + schema: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_FindRulesSortField + - description: Sort order + in: query + name: sort_order + required: false + schema: + $ref: '#/components/schemas/Security_Solution_Detections_API_SortOrder' + - description: Page number + in: query + name: page + required: false + schema: + default: 1 + minimum: 1 + type: integer + - description: Rules per page + in: query + name: per_page + required: false + schema: + default: 20 + minimum: 0 + type: integer + responses: + '200': content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/SLOs_403_response' - '404': - description: Not found response + type: object + properties: + data: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleResponse + type: array + page: + type: integer + perPage: + type: integer + total: + type: integer + required: + - page + - perPage + - total + - data + description: Successful response + summary: List all detection rules + tags: + - Security Solution Detections API + - Rules API + /api/detection_engine/rules/_import: + post: + description: > + Import detection rules from an `.ndjson` file, including actions and + exception lists. The request must include: + + - The `Content-Type: multipart/form-data` HTTP header. + + - A link to the `.ndjson` file containing the rules. + operationId: ImportRules + parameters: + - description: >- + Determines whether existing rules with the same `rule_id` are + overwritten. 
+ in: query + name: overwrite + required: false + schema: + default: false + type: boolean + - description: >- + Determines whether existing exception lists with the same `list_id` + are overwritten. + in: query + name: overwrite_exceptions + required: false + schema: + default: false + type: boolean + - description: >- + Determines whether existing actions with the same + `kibana.alert.rule.actions.id` are overwritten. + in: query + name: overwrite_action_connectors + required: false + schema: + default: false + type: boolean + - description: Generates a new list ID for each imported exception list. + in: query + name: as_new_list + required: false + schema: + default: false + type: boolean + requestBody: + content: + multipart/form-data; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + file: + description: The `.ndjson` file containing the rules. + format: binary + type: string + required: true + responses: + '200': content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/SLOs_404_response' - put: - summary: Update an SLO - operationId: updateSloOp - description: > - You must have the `write` privileges for the **SLOs** feature in the - **Observability** section of the Kibana feature privileges. 
+ additionalProperties: false + type: object + properties: + action_connectors_errors: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ErrorSchema + type: array + action_connectors_success: + type: boolean + action_connectors_success_count: + minimum: 0 + type: integer + action_connectors_warnings: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_WarningSchema + type: array + errors: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ErrorSchema + type: array + exceptions_errors: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ErrorSchema + type: array + exceptions_success: + type: boolean + exceptions_success_count: + minimum: 0 + type: integer + rules_count: + minimum: 0 + type: integer + success: + type: boolean + success_count: + minimum: 0 + type: integer + required: + - exceptions_success + - exceptions_success_count + - exceptions_errors + - rules_count + - success + - success_count + - errors + - action_connectors_errors + - action_connectors_warnings + - action_connectors_success + - action_connectors_success_count + description: Indicates a successful call. 
+ summary: Import detection rules tags: - - slo + - Security Solution Detections API + - Import/Export API + '/api/detection_engine/rules/{id}/exceptions': + post: + operationId: CreateRuleExceptionListItems parameters: - - $ref: '#/components/parameters/SLOs_kbn_xsrf' - - $ref: '#/components/parameters/SLOs_space_id' - - $ref: '#/components/parameters/SLOs_slo_id' + - description: Detection rule's identifier + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Solution_Exceptions_API_RuleId' requestBody: - required: true content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/SLOs_update_slo_request' + type: object + properties: + items: + items: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_CreateRuleExceptionListItemProps + type: array + required: + - items + description: Rule exception list items + required: true responses: '200': - description: Successful request content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/SLOs_slo_definition_response' + items: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItem + type: array + description: Successful response '400': - description: Bad request content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/SLOs_400_response' + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Invalid input data response '401': - description: Unauthorized response content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/SLOs_401_response' + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Unsuccessful 
authentication response '403': - description: Unauthorized response content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/SLOs_403_response' - '404': - description: Not found response + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '500': content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/SLOs_404_response' - delete: - summary: Delete an SLO - operationId: deleteSloOp - description: > - You must have the `write` privileges for the **SLOs** feature in the - **Observability** section of the Kibana feature privileges. + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Internal server error response + summary: Creates rule exception list items tags: - - slo - parameters: - - $ref: '#/components/parameters/SLOs_kbn_xsrf' - - $ref: '#/components/parameters/SLOs_space_id' - - $ref: '#/components/parameters/SLOs_slo_id' + - Security Solution Exceptions API + /api/detection_engine/rules/preview: + post: + operationId: RulePreview + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + anyOf: + - allOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_EqlRuleCreateProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_RulePreviewParams + - allOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_QueryRuleCreateProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_RulePreviewParams + - allOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedQueryRuleCreateProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_RulePreviewParams + - allOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThresholdRuleCreateProps + - $ref: >- + 
#/components/schemas/Security_Solution_Detections_API_RulePreviewParams + - allOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatMatchRuleCreateProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_RulePreviewParams + - allOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_MachineLearningRuleCreateProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_RulePreviewParams + - allOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_NewTermsRuleCreateProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_RulePreviewParams + - allOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_EsqlRuleCreateProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_RulePreviewParams + discriminator: + propertyName: type + description: >- + An object containing tags to add or remove and alert ids the changes + will be applied + required: true responses: - '204': - description: Successful request - '400': - description: Bad request + '200': content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/SLOs_400_response' - '401': - description: Unauthorized response + type: object + properties: + isAborted: + type: boolean + logs: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RulePreviewLogs + type: array + previewId: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_NonEmptyString + required: + - logs + description: Successful response + '400': content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/SLOs_401_response' - '403': - description: Unauthorized response + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_SiemErrorResponse + 
description: Invalid input data response + '401': content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/SLOs_403_response' - '404': - description: Not found response + $ref: >- + #/components/schemas/Security_Solution_Detections_API_PlatformErrorResponse + description: Unsuccessful authentication response + '500': content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/SLOs_404_response' - /s/{spaceId}/api/observability/slos/{sloId}/enable: - post: - summary: Enable an SLO - operationId: enableSloOp - description: > - You must have the `write` privileges for the **SLOs** feature in the - **Observability** section of the Kibana feature privileges. + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SiemErrorResponse + description: Internal server error response + summary: Preview rule alerts generated on specified time range tags: - - slo - parameters: - - $ref: '#/components/parameters/SLOs_kbn_xsrf' - - $ref: '#/components/parameters/SLOs_space_id' - - $ref: '#/components/parameters/SLOs_slo_id' - responses: - '204': - description: Successful request - '400': - description: Bad request - content: - application/json: - schema: - $ref: '#/components/schemas/SLOs_400_response' - '401': - description: Unauthorized response + - Security Solution Detections API + - Rule preview API + /api/detection_engine/signals/assignees: + post: + description: | + Assign users to detection alerts, and unassign them from alerts. + > info + > You cannot add and remove the same assignee in the same request. + operationId: SetAlertAssignees + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + assignees: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertAssignees + description: Details about the assignees to assign and unassign. 
+ ids: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertIds + description: List of alerts ids to assign and unassign passed assignees. + required: + - assignees + - ids + required: true + responses: + '200': + description: Indicates a successful call. + '400': + description: Invalid request. + summary: Assign and unassign users from detection alerts + tags: + - Security Solution Detections API + /api/detection_engine/signals/search: + post: + description: Find and/or aggregate detection alerts that match the given query. + operationId: SearchAlerts + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + description: Elasticsearch query and aggregation request + type: object + properties: + _source: + oneOf: + - type: boolean + - type: string + - items: + type: string + type: array + aggs: + additionalProperties: true + type: object + fields: + items: + type: string + type: array + query: + additionalProperties: true + type: object + runtime_mappings: + additionalProperties: true + type: object + size: + minimum: 0 + type: integer + sort: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsSort + track_total_hits: + type: boolean + description: Search and/or aggregation query + required: true + responses: + '200': content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/SLOs_401_response' - '403': - description: Unauthorized response + additionalProperties: true + description: Elasticsearch search response + type: object + description: Successful response + '400': content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/SLOs_403_response' - '404': - description: Not found response + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_SiemErrorResponse + 
description: Invalid input data response + '401': content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/SLOs_404_response' - /s/{spaceId}/api/observability/slos/{sloId}/disable: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_PlatformErrorResponse + description: Unsuccessful authentication response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SiemErrorResponse + description: Internal server error response + summary: Find and/or aggregate detection alerts + tags: + - Security Solution Detections API + - Alerts API + /api/detection_engine/signals/status: post: - summary: Disable an SLO - operationId: disableSloOp - description: > - You must have the `write` privileges for the **SLOs** feature in the - **Observability** section of the Kibana feature privileges. + description: Set the status of one or more detection alerts. 
+ operationId: SetAlertsStatus + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_SetAlertsStatusByIds + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_SetAlertsStatusByQuery + description: >- + An object containing desired status and explicit alert ids or a query + to select alerts + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + additionalProperties: true + description: Elasticsearch update by query response + type: object + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_PlatformErrorResponse + description: Unsuccessful authentication response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SiemErrorResponse + description: Internal server error response + summary: Set a detection alert status tags: - - slo - parameters: - - $ref: '#/components/parameters/SLOs_kbn_xsrf' - - $ref: '#/components/parameters/SLOs_space_id' - - $ref: '#/components/parameters/SLOs_slo_id' + - Security Solution Detections API + - Alerts API + /api/detection_engine/signals/tags: + post: + description: | + And tags to detection alerts, and remove them from alerts. + > info + > You cannot add and remove the same alert tag in the same request. 
+ operationId: SetAlertTags + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + ids: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertIds + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SetAlertTags + required: + - ids + - tags + description: >- + An object containing tags to add or remove and alert ids the changes + will be applied + required: true responses: '200': - description: Successful request + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + additionalProperties: true + description: Elasticsearch update by query response + type: object + description: Successful response '400': - description: Bad request content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/SLOs_400_response' + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_SiemErrorResponse + description: Invalid input data response '401': - description: Unauthorized response content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/SLOs_401_response' - '403': - description: Unauthorized response + $ref: >- + #/components/schemas/Security_Solution_Detections_API_PlatformErrorResponse + description: Unsuccessful authentication response + '500': content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/SLOs_403_response' - '404': - description: Not found response + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SiemErrorResponse + description: Internal server error response + summary: Add and remove detection alert tags + tags: + - Security Solution Detections API + - Alerts API + /api/detection_engine/tags: + get: + description: List all unique tags 
from all detection rules. + operationId: ReadTags + responses: + '200': content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/SLOs_404_response' - /s/{spaceId}/api/observability/slos/{sloId}/_reset: - post: - summary: Reset an SLO - operationId: resetSloOp - description: > - You must have the `write` privileges for the **SLOs** feature in the - **Observability** section of the Kibana feature privileges. + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + description: Indicates a successful call + summary: List all detection rule tags tags: - - slo - parameters: - - $ref: '#/components/parameters/SLOs_kbn_xsrf' - - $ref: '#/components/parameters/SLOs_space_id' - - $ref: '#/components/parameters/SLOs_slo_id' + - Security Solution Detections API + - Tags API + /api/endpoint_list: + post: + description: Creates an endpoint list or does nothing if the list already exists + operationId: CreateEndpointList responses: - '204': - description: Successful request + '200': content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/SLOs_slo_definition_response' + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_EndpointList + description: Successful response '400': - description: Bad request content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/SLOs_400_response' + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_SiemErrorResponse + description: Invalid input data '401': - description: Unauthorized response content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/SLOs_401_response' + $ref: >- + 
#/components/schemas/Security_Solution_Endpoint_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication '403': - description: Unauthorized response content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/SLOs_403_response' - '404': - description: Not found response + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_PlatformErrorResponse + description: Insufficient privileges + '500': content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/SLOs_404_response' - /s/{spaceId}/api/observability/slos/_delete_instances: - post: - summary: Batch delete rollup and summary data - operationId: deleteSloInstancesOp - description: > - The deletion occurs for the specified list of `sloId` and `instanceId`. - You must have `all` privileges for the **SLOs** feature in the - **Observability** section of the Kibana feature privileges. 
- tags: - - slo + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_SiemErrorResponse + description: Internal server error + summary: Creates an endpoint list + /api/endpoint_list/items: + delete: + operationId: DeleteEndpointListItem parameters: - - $ref: '#/components/parameters/SLOs_kbn_xsrf' - - $ref: '#/components/parameters/SLOs_space_id' - requestBody: - required: true - content: - application/json: - schema: - $ref: '#/components/schemas/SLOs_delete_slo_instances_request' + - description: Either `id` or `item_id` must be specified + in: query + name: id + required: false + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemId + - description: Either `id` or `item_id` must be specified + in: query + name: item_id + required: false + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemHumanId responses: - '204': - description: Successful request + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_EndpointListItem + description: Successful response '400': - description: Bad request content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/SLOs_400_response' + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_SiemErrorResponse + description: Invalid input data '401': - description: Unauthorized response content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/SLOs_401_response' + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication '403': - description: Unauthorized response content: - 
application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/SLOs_403_response' - servers: - - url: https://localhost:5601 - /api/status: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_PlatformErrorResponse + description: Insufficient privileges + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_SiemErrorResponse + description: Endpoint list item not found + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_SiemErrorResponse + description: Internal server error + summary: Deletes an endpoint list item get: - operationId: /api/status#0 + operationId: ReadEndpointListItem parameters: - - description: The version of the API to use - in: header - name: elastic-api-version - schema: - default: '2023-10-31' - enum: - - '2023-10-31' - type: string - - description: Set to "true" to get the response in v7 format. + - description: Either `id` or `item_id` must be specified in: query - name: v7format + name: id required: false schema: - type: boolean - - description: Set to "true" to get the response in v8 format. 
+ $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemId + - description: Either `id` or `item_id` must be specified in: query - name: v8format + name: item_id required: false schema: - type: boolean + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemHumanId responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - anyOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_core_status_response' + items: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_EndpointListItem + type: array + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_core_status_redactedResponse - description: >- - Kibana's operational status. A minimal response is sent for - unauthorized users. - description: Overall status is OK and Kibana should be functioning normally. 
- '503': + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_SiemErrorResponse + description: Invalid input data + '401': content: application/json; Elastic-Api-Version=2023-10-31: schema: - anyOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_core_status_response' + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_PlatformErrorResponse + description: Insufficient privileges + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_SiemErrorResponse + description: Endpoint list item not found + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_SiemErrorResponse + description: Internal server error + summary: Reads an endpoint list item + post: + operationId: CreateEndpointListItem + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + comments: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemCommentArray + default: [] + description: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemDescription + entries: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntryArray + item_id: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemHumanId + meta: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemMeta + name: + $ref: >- + 
#/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemName + os_types: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray + default: [] + tags: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemTags + default: [] + type: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemType + required: + - type + - name + - description + - entries + description: Exception list item's properties + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_EndpointListItem + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_core_status_redactedResponse - description: >- - Kibana's operational status. A minimal response is sent for - unauthorized users. - description: >- - Kibana or some of it's essential services are unavailable. Kibana - may be degraded or unavailable. 
- summary: Get Kibana's current status + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_SiemErrorResponse + description: Invalid input data + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_PlatformErrorResponse + description: Insufficient privileges + '409': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_SiemErrorResponse + description: Endpoint list item already exists + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_SiemErrorResponse + description: Internal server error + summary: Creates an endpoint list item + put: + operationId: UpdateEndpointListItem + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + _version: + type: string + comments: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemCommentArray + default: [] + description: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemDescription + entries: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntryArray + id: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemId + description: Either `id` or `item_id` must be specified + item_id: + $ref: >- + 
#/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemHumanId + description: Either `id` or `item_id` must be specified + meta: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemMeta + name: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemName + os_types: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray + default: [] + tags: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemTags + type: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemType + required: + - type + - name + - description + - entries + description: Exception list item's properties + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_EndpointListItem + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_SiemErrorResponse + description: Invalid input data + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_PlatformErrorResponse + description: Insufficient privileges + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_SiemErrorResponse + 
description: Endpoint list item not found + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_SiemErrorResponse + description: Internal server error + summary: Updates an endpoint list item + /api/endpoint_list/items/_find: + get: + operationId: FindEndpointListItems + parameters: + - description: > + Filters the returned results according to the value of the specified + field, + + using the `:` syntax. + in: query + name: filter + required: false + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_FindEndpointListItemsFilter + - description: The page number to return + in: query + name: page + required: false + schema: + minimum: 0 + type: integer + - description: The number of exception list items to return per page + in: query + name: per_page + required: false + schema: + minimum: 0 + type: integer + - description: Determines which field is used to sort the results + in: query + name: sort_field + required: false + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_NonEmptyString + - description: 'Determines the sort order, which can be `desc` or `asc`' + in: query + name: sort_order + required: false + schema: + enum: + - desc + - asc + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + data: + items: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_EndpointListItem + type: array + page: + minimum: 0 + type: integer + per_page: + minimum: 0 + type: integer + pit: + type: string + total: + minimum: 0 + type: integer + required: + - data + - page + - per_page + - total + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + 
#/components/schemas/Security_Solution_Endpoint_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_SiemErrorResponse + description: Invalid input data + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_PlatformErrorResponse + description: Insufficient privileges + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_SiemErrorResponse + description: Endpoint list not found + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_SiemErrorResponse + description: Internal server error + summary: Finds endpoint list items + /api/endpoint/action: + get: + description: Get a list of action requests and their responses + operationId: EndpointGetActionsList + parameters: + - in: query + name: query + required: true + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_GetEndpointActionListRouteQuery + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_SuccessResponse + description: OK + summary: Get Actions List schema tags: - - system - security: - - Kibana_HTTP_APIs_basicAuth: [] -components: - parameters: - Connectors_kbn_xsrf: - schema: - type: string - in: header - name: kbn-xsrf - description: Cross-site request forgery protection - required: true - Connectors_connector_id: - in: path - name: connectorId - description: An identifier 
for the connector. - required: true - schema: - type: string - example: df770e30-8b8b-11ed-a780-3b746c987a81 - Data_views_kbn_xsrf: - schema: - type: string - in: header - name: kbn-xsrf - description: Cross-site request forgery protection - required: true - Data_views_view_id: - in: path - name: viewId - description: An identifier for the data view. - required: true - schema: - type: string - example: ff959d40-b880-11e8-a6d9-e546fe2bba5f - Data_views_field_name: - in: path - name: fieldName - description: The name of the runtime field. - required: true - schema: - type: string - example: hour_of_day - Machine_learning_APIs_simulateParam: - in: query - name: simulate - description: >- - When true, simulates the synchronization by returning only the list of - actions that would be performed. - required: false - schema: - type: boolean - example: 'true' - Serverless_saved_objects_kbn_xsrf: - schema: - type: string - in: header - name: kbn-xsrf - description: Cross-site request forgery protection - required: true - SLOs_kbn_xsrf: - schema: - type: string - in: header - name: kbn-xsrf - description: Cross-site request forgery protection - required: true - SLOs_space_id: - in: path - name: spaceId - description: >- - An identifier for the space. If `/s/` and the identifier are omitted - from the path, the default space is used. - required: true - schema: - type: string - example: default - SLOs_slo_id: - in: path - name: sloId - description: An identifier for the slo. - required: true - schema: - type: string - example: 9c235211-6834-11ea-a78c-6feb38a34414 - schemas: - Connectors_create_connector_request_bedrock: - title: Create Amazon Bedrock connector request - description: >- - The Amazon Bedrock connector uses axios to send a POST request to Amazon - Bedrock. 
- type: object - required: - - config - - connector_type_id - - name - - secrets - properties: - config: - $ref: '#/components/schemas/Connectors_config_properties_bedrock' - connector_type_id: - type: string - description: The type of connector. - enum: - - .bedrock - example: .bedrock - name: - type: string - description: The display name for the connector. - example: my-connector - secrets: - $ref: '#/components/schemas/Connectors_secrets_properties_bedrock' - Connectors_create_connector_request_gemini: - title: Create Google Gemini connector request - description: >- - The Google Gemini connector uses axios to send a POST request to Google - Gemini. - type: object - required: - - config - - connector_type_id - - name - - secrets - properties: - config: - $ref: '#/components/schemas/Connectors_config_properties_gemini' - connector_type_id: - type: string - description: The type of connector. - enum: - - .gemini - example: .gemini - name: - type: string - description: The display name for the connector. - example: my-connector - secrets: - $ref: '#/components/schemas/Connectors_secrets_properties_gemini' - Connectors_create_connector_request_cases_webhook: - title: Create Webhook - Case Managment connector request - description: > - The Webhook - Case Management connector uses axios to send POST, PUT, - and GET requests to a case management RESTful API web service. - type: object - required: - - config - - connector_type_id - - name - properties: - config: - $ref: '#/components/schemas/Connectors_config_properties_cases_webhook' - connector_type_id: - type: string - description: The type of connector. - enum: - - .cases-webhook - example: .cases-webhook - name: - type: string - description: The display name for the connector. 
- example: my-connector - secrets: - $ref: '#/components/schemas/Connectors_secrets_properties_cases_webhook' - Connectors_create_connector_request_d3security: - title: Create D3 Security connector request - description: > - The connector uses axios to send a POST request to a D3 Security - endpoint. - type: object - required: - - config - - connector_type_id - - name - - secrets - properties: - config: - $ref: '#/components/schemas/Connectors_config_properties_d3security' - connector_type_id: - type: string - description: The type of connector. - enum: - - .d3security - example: .d3security - name: - type: string - description: The display name for the connector. - example: my-connector - secrets: - $ref: '#/components/schemas/Connectors_secrets_properties_d3security' - Connectors_create_connector_request_email: - title: Create email connector request - description: > - The email connector uses the SMTP protocol to send mail messages, using - an integration of Nodemailer. An exception is Microsoft Exchange, which - uses HTTP protocol for sending emails, Send mail. Email message text is - sent as both plain text and html text. - type: object - required: - - config - - connector_type_id - - name - - secrets - properties: - config: - $ref: '#/components/schemas/Connectors_config_properties_email' - connector_type_id: - type: string - description: The type of connector. - enum: - - .email - example: .email - name: - type: string - description: The display name for the connector. - example: my-connector - secrets: - $ref: '#/components/schemas/Connectors_secrets_properties_email' - Connectors_create_connector_request_genai: - title: Create OpenAI connector request - description: > - The OpenAI connector uses axios to send a POST request to either OpenAI - or Azure OpenAPI. 
- type: object - required: - - config - - connector_type_id - - name - - secrets - properties: - config: - $ref: '#/components/schemas/Connectors_config_properties_genai' - connector_type_id: - type: string - description: The type of connector. - enum: - - .gen-ai - example: .gen-ai - name: - type: string - description: The display name for the connector. - example: my-connector - secrets: - $ref: '#/components/schemas/Connectors_secrets_properties_genai' - Connectors_create_connector_request_index: - title: Create index connector request - description: The index connector indexes a document into Elasticsearch. - type: object - required: - - config - - connector_type_id - - name - properties: - config: - $ref: '#/components/schemas/Connectors_config_properties_index' - connector_type_id: - type: string - description: The type of connector. - enum: - - .index - example: .index - name: - type: string - description: The display name for the connector. - example: my-connector - Connectors_create_connector_request_jira: - title: Create Jira connector request - description: The Jira connector uses the REST API v2 to create Jira issues. - type: object - required: - - config - - connector_type_id - - name - - secrets - properties: - config: - $ref: '#/components/schemas/Connectors_config_properties_jira' - connector_type_id: - type: string - description: The type of connector. - enum: - - .jira - example: .jira - name: - type: string - description: The display name for the connector. - example: my-connector - secrets: - $ref: '#/components/schemas/Connectors_secrets_properties_jira' - Connectors_create_connector_request_opsgenie: - title: Create Opsgenie connector request - description: The Opsgenie connector uses the Opsgenie alert API. 
- type: object - required: - - config - - connector_type_id - - name - - secrets - properties: - config: - $ref: '#/components/schemas/Connectors_config_properties_opsgenie' - connector_type_id: - type: string - description: The type of connector. - enum: - - .opsgenie - example: .opsgenie - name: - type: string - description: The display name for the connector. - example: my-connector - secrets: - $ref: '#/components/schemas/Connectors_secrets_properties_opsgenie' - Connectors_create_connector_request_pagerduty: - title: Create PagerDuty connector request - description: > - The PagerDuty connector uses the v2 Events API to trigger, acknowledge, - and resolve PagerDuty alerts. - type: object - required: - - config - - connector_type_id - - name - - secrets - properties: - config: - $ref: '#/components/schemas/Connectors_config_properties_pagerduty' - connector_type_id: - type: string - description: The type of connector. - enum: - - .pagerduty - example: .pagerduty - name: - type: string - description: The display name for the connector. - example: my-connector - secrets: - $ref: '#/components/schemas/Connectors_secrets_properties_pagerduty' - Connectors_create_connector_request_resilient: - title: Create IBM Resilient connector request - description: >- - The IBM Resilient connector uses the RESILIENT REST v2 to create IBM - Resilient incidents. - type: object - required: - - config - - connector_type_id - - name - - secrets - properties: - config: - $ref: '#/components/schemas/Connectors_config_properties_resilient' - connector_type_id: - description: The type of connector. - type: string - example: .resilient - enum: - - .resilient - name: - type: string - description: The display name for the connector. 
- example: my-connector - secrets: - $ref: '#/components/schemas/Connectors_secrets_properties_resilient' - Connectors_create_connector_request_sentinelone: - title: Create SentinelOne connector request - description: > - The SentinelOne connector communicates with SentinelOne Management - Console via REST API. This functionality is in technical preview and may - be changed or removed in a future release. Elastic will work to fix any - issues, but features in technical preview are not subject to the support - SLA of official GA features. - x-technical-preview: true - type: object - required: - - config - - connector_type_id - - name - - secrets - properties: - config: - $ref: '#/components/schemas/Connectors_config_properties_sentinelone' - connector_type_id: - type: string - description: The type of connector. - enum: - - .sentinelone - example: .sentinelone - name: - type: string - description: The display name for the connector. - example: my-connector - secrets: - $ref: '#/components/schemas/Connectors_secrets_properties_sentinelone' - Connectors_create_connector_request_serverlog: - title: Create server log connector request - description: This connector writes an entry to the Kibana server log. - type: object - required: - - connector_type_id - - name - properties: - connector_type_id: - type: string - description: The type of connector. - enum: - - .server-log - example: .server-log - name: - type: string - description: The display name for the connector. - example: my-connector - Connectors_create_connector_request_servicenow: - title: Create ServiceNow ITSM connector request - description: > - The ServiceNow ITSM connector uses the import set API to create - ServiceNow incidents. You can use the connector for rule actions and - cases. 
- type: object - required: - - config - - connector_type_id - - name - - secrets - properties: - config: - $ref: '#/components/schemas/Connectors_config_properties_servicenow' - connector_type_id: - type: string - description: The type of connector. - enum: - - .servicenow - example: .servicenow - name: - type: string - description: The display name for the connector. - example: my-connector - secrets: - $ref: '#/components/schemas/Connectors_secrets_properties_servicenow' - Connectors_create_connector_request_servicenow_itom: - title: Create ServiceNow ITOM connector request - description: > - The ServiceNow ITOM connector uses the event API to create ServiceNow - events. You can use the connector for rule actions. - type: object - required: - - config - - connector_type_id - - name - - secrets - properties: - config: - $ref: '#/components/schemas/Connectors_config_properties_servicenow_itom' - connector_type_id: - type: string - description: The type of connector. - enum: - - .servicenow-itom - example: .servicenow-itom - name: - type: string - description: The display name for the connector. - example: my-connector - secrets: - $ref: '#/components/schemas/Connectors_secrets_properties_servicenow' - Connectors_create_connector_request_servicenow_sir: - title: Create ServiceNow SecOps connector request - description: > - The ServiceNow SecOps connector uses the import set API to create - ServiceNow security incidents. You can use the connector for rule - actions and cases. - type: object - required: - - config - - connector_type_id - - name - - secrets - properties: - config: - $ref: '#/components/schemas/Connectors_config_properties_servicenow' - connector_type_id: - type: string - description: The type of connector. - enum: - - .servicenow-sir - example: .servicenow-sir - name: - type: string - description: The display name for the connector. 
- example: my-connector - secrets: - $ref: '#/components/schemas/Connectors_secrets_properties_servicenow' - Connectors_create_connector_request_slack_api: - title: Create Slack connector request - description: The Slack connector uses an API method to send Slack messages. - type: object - required: - - connector_type_id - - name - - secrets - properties: - config: - $ref: '#/components/schemas/Connectors_config_properties_slack_api' - connector_type_id: - type: string - description: The type of connector. - enum: - - .slack_api - example: .slack_api - name: - type: string - description: The display name for the connector. - example: my-connector - secrets: - $ref: '#/components/schemas/Connectors_secrets_properties_slack_api' - Connectors_create_connector_request_slack_webhook: - title: Create Slack connector request - description: The Slack connector uses Slack Incoming Webhooks. - type: object - required: - - connector_type_id - - name - - secrets - properties: - connector_type_id: - type: string - description: The type of connector. - enum: - - .slack - example: .slack - name: - type: string - description: The display name for the connector. - example: my-connector - secrets: - $ref: '#/components/schemas/Connectors_secrets_properties_slack_webhook' - Connectors_create_connector_request_swimlane: - title: Create Swimlane connector request - description: >- - The Swimlane connector uses the Swimlane REST API to create Swimlane - records. - type: object - required: - - config - - connector_type_id - - name - - secrets - properties: - config: - $ref: '#/components/schemas/Connectors_config_properties_swimlane' - connector_type_id: - type: string - description: The type of connector. - enum: - - .swimlane - example: .swimlane - name: - type: string - description: The display name for the connector. 
- example: my-connector - secrets: - $ref: '#/components/schemas/Connectors_secrets_properties_swimlane' - Connectors_create_connector_request_teams: - title: Create Microsoft Teams connector request - description: The Microsoft Teams connector uses Incoming Webhooks. - type: object - required: - - connector_type_id - - name - - secrets - properties: - connector_type_id: - type: string - description: The type of connector. - enum: - - .teams - example: .teams - name: - type: string - description: The display name for the connector. - example: my-connector - secrets: - $ref: '#/components/schemas/Connectors_secrets_properties_teams' - Connectors_create_connector_request_tines: - title: Create Tines connector request - description: > - The Tines connector uses Tines Webhook actions to send events via POST - request. - type: object - required: - - config - - connector_type_id - - name - - secrets - properties: - config: - $ref: '#/components/schemas/Connectors_config_properties_tines' - connector_type_id: - type: string - description: The type of connector. - enum: - - .tines - example: .tines - name: - type: string - description: The display name for the connector. - example: my-connector - secrets: - $ref: '#/components/schemas/Connectors_secrets_properties_tines' - Connectors_create_connector_request_torq: - title: Create Torq connector request - description: > - The Torq connector uses a Torq webhook to trigger workflows with Kibana - actions. - type: object - required: - - config - - connector_type_id - - name - - secrets - properties: - config: - $ref: '#/components/schemas/Connectors_config_properties_torq' - connector_type_id: - type: string - description: The type of connector. - enum: - - .torq - example: .torq - name: - type: string - description: The display name for the connector. 
- example: my-connector - secrets: - $ref: '#/components/schemas/Connectors_secrets_properties_torq' - Connectors_create_connector_request_webhook: - title: Create Webhook connector request - description: > - The Webhook connector uses axios to send a POST or PUT request to a web - service. - type: object - required: - - config - - connector_type_id - - name - - secrets - properties: - config: - $ref: '#/components/schemas/Connectors_config_properties_webhook' - connector_type_id: - type: string - description: The type of connector. - enum: - - .webhook - example: .webhook - name: - type: string - description: The display name for the connector. - example: my-connector - secrets: - $ref: '#/components/schemas/Connectors_secrets_properties_webhook' - Connectors_create_connector_request_xmatters: - title: Create xMatters connector request - description: > - The xMatters connector uses the xMatters Workflow for Elastic to send - actionable alerts to on-call xMatters resources. - type: object - required: - - config - - connector_type_id - - name - - secrets - properties: - config: - $ref: '#/components/schemas/Connectors_config_properties_xmatters' - connector_type_id: - type: string - description: The type of connector. - enum: - - .xmatters - example: .xmatters - name: - type: string - description: The display name for the connector. - example: my-connector - secrets: - $ref: '#/components/schemas/Connectors_secrets_properties_xmatters' - Connectors_config_properties_bedrock: - title: Connector request properties for an Amazon Bedrock connector - description: Defines properties for connectors when type is `.bedrock`. - type: object - required: - - apiUrl - properties: - apiUrl: - type: string - description: The Amazon Bedrock request URL. - defaultModel: - type: string - description: > - The generative artificial intelligence model for Amazon Bedrock to - use. Current support is for the Anthropic Claude models. 
- default: anthropic.claude-3-5-sonnet-20240620-v1:0 - Connectors_secrets_properties_bedrock: - title: Connector secrets properties for an Amazon Bedrock connector - description: Defines secrets for connectors when type is `.bedrock`. - type: object - required: - - accessKey - - secret - properties: - accessKey: - type: string - description: The AWS access key for authentication. - secret: - type: string - description: The AWS secret for authentication. - Connectors_config_properties_gemini: - title: Connector request properties for an Google Gemini connector - description: Defines properties for connectors when type is `.gemini`. - type: object - required: - - apiUrl - - gcpRegion - - gcpProjectID - properties: - apiUrl: - type: string - description: The Google Gemini request URL. - defaultModel: - type: string - description: >- - The generative artificial intelligence model for Google Gemini to - use. - default: gemini-1.5-pro-001 - gcpRegion: - type: string - description: The GCP region where the Vertex AI endpoint enabled. - gcpProjectID: - type: string - description: The Google ProjectID that has Vertex AI endpoint enabled. - Connectors_secrets_properties_gemini: - title: Connector secrets properties for a Google Gemini connector - description: Defines secrets for connectors when type is `.gemini`. - type: object - required: - - credentialsJSON - properties: - credentialsJSON: - type: string - description: >- - The service account credentials JSON file. The service account - should have Vertex AI user IAM role assigned to it. - Connectors_config_properties_cases_webhook: - title: Connector request properties for Webhook - Case Management connector - required: - - createIncidentJson - - createIncidentResponseKey - - createIncidentUrl - - getIncidentResponseExternalTitleKey - - getIncidentUrl - - updateIncidentJson - - updateIncidentUrl - - viewIncidentUrl - description: Defines properties for connectors when type is `.cases-webhook`. 
- type: object - properties: - createCommentJson: - type: string - description: > - A JSON payload sent to the create comment URL to create a case - comment. You can use variables to add Kibana Cases data to the - payload. The required variable is `case.comment`. Due to Mustache - template variables (the text enclosed in triple braces, for example, - `{{{case.title}}}`), the JSON is not validated when you create the - connector. The JSON is validated once the Mustache variables have - been placed when the REST method runs. Manually ensure that the JSON - is valid, disregarding the Mustache variables, so the later - validation will pass. - example: '{"body": {{{case.comment}}}}' - createCommentMethod: - type: string - description: > - The REST API HTTP request method to create a case comment in the - third-party system. Valid values are `patch`, `post`, and `put`. - default: put - enum: - - patch - - post - - put - createCommentUrl: - type: string - description: > - The REST API URL to create a case comment by ID in the third-party - system. You can use a variable to add the external system ID to the - URL. If you are using the `xpack.actions.allowedHosts setting`, add - the hostname to the allowed hosts. - example: https://example.com/issue/{{{external.system.id}}}/comment - createIncidentJson: - type: string - description: > - A JSON payload sent to the create case URL to create a case. You can - use variables to add case data to the payload. Required variables - are `case.title` and `case.description`. Due to Mustache template - variables (which is the text enclosed in triple braces, for example, - `{{{case.title}}}`), the JSON is not validated when you create the - connector. The JSON is validated after the Mustache variables have - been placed when REST method runs. Manually ensure that the JSON is - valid to avoid future validation errors; disregard Mustache - variables during your review. 
- example: >- - {"fields": {"summary": {{{case.title}}},"description": - {{{case.description}}},"labels": {{{case.tags}}}}} - createIncidentMethod: - type: string - description: > - The REST API HTTP request method to create a case in the third-party - system. Valid values are `patch`, `post`, and `put`. - enum: - - patch - - post - - put - default: post - createIncidentResponseKey: - type: string - description: >- - The JSON key in the create external case response that contains the - case ID. - createIncidentUrl: - type: string - description: > - The REST API URL to create a case in the third-party system. If you - are using the `xpack.actions.allowedHosts` setting, add the hostname - to the allowed hosts. - getIncidentResponseExternalTitleKey: - type: string - description: >- - The JSON key in get external case response that contains the case - title. - getIncidentUrl: - type: string - description: > - The REST API URL to get the case by ID from the third-party system. - If you are using the `xpack.actions.allowedHosts` setting, add the - hostname to the allowed hosts. You can use a variable to add the - external system ID to the URL. Due to Mustache template variables - (the text enclosed in triple braces, for example, - `{{{case.title}}}`), the JSON is not validated when you create the - connector. The JSON is validated after the Mustache variables have - been placed when REST method runs. Manually ensure that the JSON is - valid, disregarding the Mustache variables, so the later validation - will pass. - example: https://example.com/issue/{{{external.system.id}}} - hasAuth: - type: boolean - description: >- - If true, a username and password for login type authentication must - be provided. - default: true - headers: - type: string - description: > - A set of key-value pairs sent as headers with the request URLs for - the create case, update case, get case, and create comment methods. 
- updateIncidentJson: - type: string - description: > - The JSON payload sent to the update case URL to update the case. You - can use variables to add Kibana Cases data to the payload. Required - variables are `case.title` and `case.description`. Due to Mustache - template variables (which is the text enclosed in triple braces, for - example, `{{{case.title}}}`), the JSON is not validated when you - create the connector. The JSON is validated after the Mustache - variables have been placed when REST method runs. Manually ensure - that the JSON is valid to avoid future validation errors; disregard - Mustache variables during your review. - example: >- - {"fields": {"summary": {{{case.title}}},"description": - {{{case.description}}},"labels": {{{case.tags}}}}} - updateIncidentMethod: - type: string - description: > - The REST API HTTP request method to update the case in the - third-party system. Valid values are `patch`, `post`, and `put`. - default: put - enum: - - patch - - post - - put - updateIncidentUrl: - type: string - description: > - The REST API URL to update the case by ID in the third-party system. - You can use a variable to add the external system ID to the URL. If - you are using the `xpack.actions.allowedHosts` setting, add the - hostname to the allowed hosts. - example: https://example.com/issue/{{{external.system.ID}}} - viewIncidentUrl: - type: string - description: > - The URL to view the case in the external system. You can use - variables to add the external system ID or external system title to - the URL. - example: >- - https://testing-jira.atlassian.net/browse/{{{external.system.title}}} - Connectors_secrets_properties_cases_webhook: - title: Connector secrets properties for Webhook - Case Management connector - type: object - properties: - password: - type: string - description: >- - The password for HTTP basic authentication. If `hasAuth` is set to - `true`, this property is required. 
- user: - type: string - description: >- - The username for HTTP basic authentication. If `hasAuth` is set to - `true`, this property is required. - Connectors_config_properties_d3security: - title: Connector request properties for a D3 Security connector - description: Defines properties for connectors when type is `.d3security`. - type: object - required: - - url - properties: - url: - type: string - description: > - The D3 Security API request URL. If you are using the - `xpack.actions.allowedHosts` setting, add the hostname to the - allowed hosts. - Connectors_secrets_properties_d3security: - title: Connector secrets properties for a D3 Security connector - description: Defines secrets for connectors when type is `.d3security`. - required: - - token - type: object - properties: - token: - type: string - description: The D3 Security token. - Connectors_config_properties_email: - title: Connector request properties for an email connector - description: Defines properties for connectors when type is `.email`. - required: - - from - type: object - properties: - clientId: - description: > - The client identifier, which is a part of OAuth 2.0 client - credentials authentication, in GUID format. If `service` is - `exchange_server`, this property is required. - type: string - nullable: true - from: - description: > - The from address for all emails sent by the connector. It must be - specified in `user@host-name` format. - type: string - hasAuth: - description: > - Specifies whether a user and password are required inside the - secrets configuration. - default: true - type: boolean - host: - description: > - The host name of the service provider. If the `service` is - `elastic_cloud` (for Elastic Cloud notifications) or one of - Nodemailer's well-known email service providers, this property is - ignored. If `service` is `other`, this property must be defined. 
- type: string - oauthTokenUrl: - type: string - nullable: true - port: - description: > - The port to connect to on the service provider. If the `service` is - `elastic_cloud` (for Elastic Cloud notifications) or one of - Nodemailer's well-known email service providers, this property is - ignored. If `service` is `other`, this property must be defined. - type: integer - secure: - description: > - Specifies whether the connection to the service provider will use - TLS. If the `service` is `elastic_cloud` (for Elastic Cloud - notifications) or one of Nodemailer's well-known email service - providers, this property is ignored. - type: boolean - service: - description: | - The name of the email service. - type: string - enum: - - elastic_cloud - - exchange_server - - gmail - - other - - outlook365 - - ses - tenantId: - description: > - The tenant identifier, which is part of OAuth 2.0 client credentials - authentication, in GUID format. If `service` is `exchange_server`, - this property is required. - type: string - nullable: true - Connectors_secrets_properties_email: - title: Connector secrets properties for an email connector - description: Defines secrets for connectors when type is `.email`. - type: object - properties: - clientSecret: - type: string - description: > - The Microsoft Exchange Client secret for OAuth 2.0 client - credentials authentication. It must be URL-encoded. If `service` is - `exchange_server`, this property is required. - password: - type: string - description: > - The password for HTTP basic authentication. If `hasAuth` is set to - `true`, this property is required. - user: - type: string - description: > - The username for HTTP basic authentication. If `hasAuth` is set to - `true`, this property is required. 
- Connectors_config_properties_genai_azure: - title: >- - Connector request properties for an OpenAI connector that uses Azure - OpenAI - description: > - Defines properties for connectors when type is `.gen-ai` and the API - provider is `Azure OpenAI'. - type: object - required: - - apiProvider - - apiUrl - properties: - apiProvider: - type: string - description: The OpenAI API provider. - enum: - - Azure OpenAI - apiUrl: - type: string - description: The OpenAI API endpoint. - Connectors_config_properties_genai_openai: - title: Connector request properties for an OpenAI connector - description: > - Defines properties for connectors when type is `.gen-ai` and the API - provider is `OpenAI'. - type: object - required: - - apiProvider - - apiUrl - properties: - apiProvider: - type: string - description: The OpenAI API provider. - enum: - - OpenAI - apiUrl: - type: string - description: The OpenAI API endpoint. - defaultModel: - type: string - description: The default model to use for requests. - Connectors_config_properties_genai: - title: Connector request properties for an OpenAI connector - description: Defines properties for connectors when type is `.gen-ai`. - oneOf: - - $ref: '#/components/schemas/Connectors_config_properties_genai_azure' - - $ref: '#/components/schemas/Connectors_config_properties_genai_openai' - discriminator: - propertyName: apiProvider - mapping: - Azure OpenAI: '#/components/schemas/Connectors_config_properties_genai_azure' - OpenAI: '#/components/schemas/Connectors_config_properties_genai_openai' - Connectors_secrets_properties_genai: - title: Connector secrets properties for an OpenAI connector - description: Defines secrets for connectors when type is `.gen-ai`. - type: object - properties: - apiKey: - type: string - description: The OpenAI API key. 
- Connectors_config_properties_index: - title: Connector request properties for an index connector - required: - - index - description: Defines properties for connectors when type is `.index`. - type: object - properties: - executionTimeField: - description: A field that indicates when the document was indexed. - default: null - type: string - nullable: true - index: - description: The Elasticsearch index to be written to. - type: string - refresh: - description: > - The refresh policy for the write request, which affects when changes - are made visible to search. Refer to the refresh setting for - Elasticsearch document APIs. - default: false - type: boolean - Connectors_config_properties_jira: - title: Connector request properties for a Jira connector - required: - - apiUrl - - projectKey - description: Defines properties for connectors when type is `.jira`. - type: object - properties: - apiUrl: - description: The Jira instance URL. - type: string - projectKey: - description: The Jira project key. - type: string - Connectors_secrets_properties_jira: - title: Connector secrets properties for a Jira connector - required: - - apiToken - - email - description: Defines secrets for connectors when type is `.jira`. - type: object - properties: - apiToken: - description: The Jira API authentication token for HTTP basic authentication. - type: string - email: - description: The account email for HTTP Basic authentication. - type: string - Connectors_config_properties_opsgenie: - title: Connector request properties for an Opsgenie connector - required: - - apiUrl - description: Defines properties for connectors when type is `.opsgenie`. - type: object - properties: - apiUrl: - description: > - The Opsgenie URL. For example, `https://api.opsgenie.com` or - `https://api.eu.opsgenie.com`. If you are using the - `xpack.actions.allowedHosts` setting, add the hostname to the - allowed hosts. 
- type: string - Connectors_secrets_properties_opsgenie: - title: Connector secrets properties for an Opsgenie connector - required: - - apiKey - description: Defines secrets for connectors when type is `.opsgenie`. - type: object - properties: - apiKey: - description: The Opsgenie API authentication key for HTTP Basic authentication. - type: string - Connectors_config_properties_pagerduty: - title: Connector request properties for a PagerDuty connector - description: Defines properties for connectors when type is `.pagerduty`. - type: object - properties: - apiUrl: - description: The PagerDuty event URL. - type: string - nullable: true - example: https://events.pagerduty.com/v2/enqueue - Connectors_secrets_properties_pagerduty: - title: Connector secrets properties for a PagerDuty connector - description: Defines secrets for connectors when type is `.pagerduty`. - type: object - required: - - routingKey - properties: - routingKey: - description: > - A 32 character PagerDuty Integration Key for an integration on a - service. - type: string - Connectors_config_properties_resilient: - title: Connector request properties for a IBM Resilient connector - required: - - apiUrl - - orgId - description: Defines properties for connectors when type is `.resilient`. - type: object - properties: - apiUrl: - description: The IBM Resilient instance URL. - type: string - orgId: - description: The IBM Resilient organization ID. - type: string - Connectors_secrets_properties_resilient: - title: Connector secrets properties for IBM Resilient connector - required: - - apiKeyId - - apiKeySecret - description: Defines secrets for connectors when type is `.resilient`. - type: object - properties: - apiKeyId: - type: string - description: The authentication key ID for HTTP Basic authentication. - apiKeySecret: - type: string - description: The authentication key secret for HTTP Basic authentication. 
- Connectors_config_properties_sentinelone: - title: Connector request properties for a SentinelOne connector - required: - - url - description: Defines properties for connectors when type is `.sentinelone`. - type: object - properties: - url: - description: > - The SentinelOne tenant URL. If you are using the - `xpack.actions.allowedHosts` setting, add the hostname to the - allowed hosts. - type: string - Connectors_secrets_properties_sentinelone: - title: Connector secrets properties for a SentinelOne connector - description: Defines secrets for connectors when type is `.sentinelone`. - type: object - required: - - token - properties: - token: - description: The A SentinelOne API token. - type: string - Connectors_config_properties_servicenow: - title: Connector request properties for a ServiceNow ITSM connector - required: - - apiUrl - description: Defines properties for connectors when type is `.servicenow`. - type: object - properties: - apiUrl: - type: string - description: The ServiceNow instance URL. - clientId: - description: > - The client ID assigned to your OAuth application. This property is - required when `isOAuth` is `true`. - type: string - isOAuth: - description: > - The type of authentication to use. The default value is false, which - means basic authentication is used instead of open authorization - (OAuth). - default: false - type: boolean - jwtKeyId: - description: > - The key identifier assigned to the JWT verifier map of your OAuth - application. This property is required when `isOAuth` is `true`. - type: string - userIdentifierValue: - description: > - The identifier to use for OAuth authentication. This identifier - should be the user field you selected when you created an OAuth JWT - API endpoint for external clients in your ServiceNow instance. For - example, if the selected user field is `Email`, the user identifier - should be the user's email address. This property is required when - `isOAuth` is `true`. 
- type: string - usesTableApi: - description: > - Determines whether the connector uses the Table API or the Import - Set API. This property is supported only for ServiceNow ITSM and - ServiceNow SecOps connectors. NOTE: If this property is set to - `false`, the Elastic application should be installed in ServiceNow. - default: true - type: boolean - Connectors_secrets_properties_servicenow: - title: >- - Connector secrets properties for ServiceNow ITOM, ServiceNow ITSM, and - ServiceNow SecOps connectors - description: >- - Defines secrets for connectors when type is `.servicenow`, - `.servicenow-sir`, or `.servicenow-itom`. - type: object - properties: - clientSecret: - type: string - description: >- - The client secret assigned to your OAuth application. This property - is required when `isOAuth` is `true`. - password: - type: string - description: >- - The password for HTTP basic authentication. This property is - required when `isOAuth` is `false`. - privateKey: - type: string - description: >- - The RSA private key that you created for use in ServiceNow. This - property is required when `isOAuth` is `true`. - privateKeyPassword: - type: string - description: >- - The password for the RSA private key. This property is required when - `isOAuth` is `true` and you set a password on your private key. - username: - type: string - description: >- - The username for HTTP basic authentication. This property is - required when `isOAuth` is `false`. - Connectors_config_properties_servicenow_itom: - title: Connector request properties for a ServiceNow ITSM connector - required: - - apiUrl - description: Defines properties for connectors when type is `.servicenow`. - type: object - properties: - apiUrl: - type: string - description: The ServiceNow instance URL. - clientId: - description: > - The client ID assigned to your OAuth application. This property is - required when `isOAuth` is `true`. - type: string - isOAuth: - description: > - The type of authentication to use. 
The default value is false, which - means basic authentication is used instead of open authorization - (OAuth). - default: false - type: boolean - jwtKeyId: - description: > - The key identifier assigned to the JWT verifier map of your OAuth - application. This property is required when `isOAuth` is `true`. - type: string - userIdentifierValue: - description: > - The identifier to use for OAuth authentication. This identifier - should be the user field you selected when you created an OAuth JWT - API endpoint for external clients in your ServiceNow instance. For - example, if the selected user field is `Email`, the user identifier - should be the user's email address. This property is required when - `isOAuth` is `true`. - type: string - Connectors_config_properties_slack_api: - title: Connector request properties for a Slack connector - description: Defines properties for connectors when type is `.slack_api`. - type: object - properties: - allowedChannels: - type: array - description: A list of valid Slack channels. 
- items: + - Security Solution Endpoint Management API + '/api/endpoint/action_log/{agent_id}': + get: + deprecated: true + description: Get action requests log + operationId: EndpointGetActionLog + parameters: + - in: path + name: agent_id + required: true + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_AgentId + - in: query + name: query + required: true + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_ActionLogRequestQuery + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_SuccessResponse + description: OK + summary: Get action requests log schema + tags: + - Security Solution Endpoint Management API + /api/endpoint/action_status: + get: + description: Get action status + operationId: EndpointGetActionsStatus + parameters: + - in: query + name: query + required: true + schema: + type: object + properties: + agent_ids: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_AgentIds + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_ActionStatusSuccessResponse + description: OK + summary: Get Actions status schema + tags: + - Security Solution Endpoint Management API + '/api/endpoint/action/{action_id}': + get: + description: Get action details + operationId: EndpointGetActionsDetails + parameters: + - in: path + name: action_id + required: true + schema: + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_SuccessResponse + description: OK + summary: Get Action details schema + tags: + - Security Solution Endpoint Management API + '/api/endpoint/action/{action_id}/file/{file_id}/download`': + get: + 
description: Download a file from an endpoint + operationId: EndpointFileDownload + parameters: + - in: path + name: action_id + required: true + schema: + type: string + - in: path + name: file_id + required: true + schema: + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_SuccessResponse + description: OK + summary: File Download schema + tags: + - Security Solution Endpoint Management API + '/api/endpoint/action/{action_id}/file/{file_id}`': + get: + description: Get file info + operationId: EndpointFileInfo + parameters: + - in: path + name: action_id + required: true + schema: + type: string + - in: path + name: file_id + required: true + schema: + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_SuccessResponse + description: OK + summary: File Info schema + tags: + - Security Solution Endpoint Management API + /api/endpoint/action/execute: + post: + description: Execute a given command on an endpoint + operationId: EndpointExecuteAction + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_ExecuteRouteRequestBody + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_SuccessResponse + description: OK + summary: Execute Action + tags: + - Security Solution Endpoint Management API + /api/endpoint/action/get_file: + post: + description: Get a file from an endpoint + operationId: EndpointGetFileAction + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + 
#/components/schemas/Security_Solution_Endpoint_Management_API_GetFileRouteRequestBody + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_SuccessResponse + description: OK + summary: Get File Action + tags: + - Security Solution Endpoint Management API + /api/endpoint/action/isolate: + post: + description: Isolate an endpoint + operationId: EndpointIsolateAction + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_IsolateRouteRequestBody + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_SuccessResponse + description: OK + summary: Isolate Action + tags: + - Security Solution Endpoint Management API + /api/endpoint/action/kill_process: + post: + description: Kill a running process on an endpoint + operationId: EndpointKillProcessAction + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_KillOrSuspendActionSchema + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_SuccessResponse + description: OK + summary: Kill process Action + tags: + - Security Solution Endpoint Management API + /api/endpoint/action/running_procs: + post: + description: Get list of running processes on an endpoint + operationId: EndpointGetProcessesAction + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_GetProcessesRouteRequestBody + required: true + responses: 
+ '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_SuccessResponse + description: OK + summary: Get Running Processes Action + tags: + - Security Solution Endpoint Management API + /api/endpoint/action/scan: + post: + description: Scan a file or directory + operationId: EndpointScanAction + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_ScanRouteRequestBody + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_SuccessResponse + description: OK + summary: Scan Action + tags: + - Security Solution Endpoint Management API + /api/endpoint/action/state: + get: + operationId: EndpointGetActionsState + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_ActionStateSuccessResponse + description: OK + summary: Get Action State schema + tags: + - Security Solution Endpoint Management API + /api/endpoint/action/suspend_process: + post: + description: Suspend a running process on an endpoint + operationId: EndpointSuspendProcessAction + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_KillOrSuspendActionSchema + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_SuccessResponse + description: OK + summary: Suspend process Action + tags: + - Security Solution Endpoint Management API + /api/endpoint/action/unisolate: + post: + description: Release an endpoint + 
operationId: EndpointUnisolateAction + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_UnisolateRouteRequestBody + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_SuccessResponse + description: OK + summary: Unisolate Action + tags: + - Security Solution Endpoint Management API + /api/endpoint/action/upload: + post: + description: Upload a file to an endpoint + operationId: EndpointUploadAction + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_UploadRouteRequestBody + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_SuccessResponse + description: OK + summary: Upload Action + tags: + - Security Solution Endpoint Management API + /api/endpoint/metadata: + get: + operationId: GetEndpointMetadataList + parameters: + - in: query + name: query + required: true + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_ListRequestQuery + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_SuccessResponse + description: OK + summary: Get Metadata List schema + tags: + - Security Solution Endpoint Management API + '/api/endpoint/metadata/{id}': + get: + operationId: GetEndpointMetadata + parameters: + - in: path + name: id + required: true + schema: + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + 
#/components/schemas/Security_Solution_Endpoint_Management_API_SuccessResponse + description: OK + summary: Get Metadata schema + tags: + - Security Solution Endpoint Management API + /api/endpoint/metadata/transforms: + get: + operationId: GetEndpointMetadataTransform + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_SuccessResponse + description: OK + summary: Get Metadata Transform schema + tags: + - Security Solution Endpoint Management API + /api/endpoint/policy_response: + get: + operationId: GetPolicyResponse + parameters: + - in: query + name: query + required: true + schema: + type: object + properties: + agentId: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_AgentId + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_SuccessResponse + description: OK + summary: Get Policy Response schema + tags: + - Security Solution Endpoint Management API + /api/endpoint/policy/summaries: + get: + deprecated: true + operationId: GetAgentPolicySummary + parameters: + - in: query + name: query + required: true + schema: + type: object + properties: + package_name: + type: string + policy_id: + nullable: true + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_SuccessResponse + description: OK + summary: Get Agent Policy Summary schema + tags: + - Security Solution Endpoint Management API + '/api/endpoint/protection_updates_note/{package_policy_id}': + get: + operationId: GetProtectionUpdatesNote + parameters: + - in: path + name: package_policy_id + required: true + schema: + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + 
schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_ProtectionUpdatesNoteResponse + description: OK + summary: Get Protection Updates Note schema + tags: + - Security Solution Endpoint Management API + post: + operationId: CreateUpdateProtectionUpdatesNote + parameters: + - in: path + name: package_policy_id + required: true + schema: + type: string + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + note: + type: string + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_ProtectionUpdatesNoteResponse + description: OK + summary: Create Update Protection Updates Note schema + tags: + - Security Solution Endpoint Management API + '/api/endpoint/suggestions/{suggestion_type}': + post: + operationId: GetEndpointSuggestions + parameters: + - in: path + name: suggestion_type + required: true + schema: + enum: + - eventFilters + type: string + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + field: + type: string + fieldMeta: {} + filters: {} + query: + type: string + required: + - parameters + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_SuccessResponse + description: OK + summary: Get suggestions + tags: + - Security Solution Endpoint Management API + /api/exception_lists: + delete: + operationId: DeleteExceptionList + parameters: + - description: Either `id` or `list_id` must be specified + in: query + name: id + required: false + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListId + - description: Either `id` or `list_id` must be specified + in: query + name: list_id + required: false + 
schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListHumanId + - in: query + name: namespace_type + required: false + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionNamespaceType + default: single + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionList + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Exception list not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Internal server error response + summary: Deletes an exception list + tags: + - Security Solution Exceptions API + get: + operationId: ReadExceptionList + parameters: + - description: Either `id` or `list_id` must be specified + in: query + name: id + required: false + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListId + - 
description: Either `id` or `list_id` must be specified + in: query + name: list_id + required: false + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListHumanId + - in: query + name: namespace_type + required: false + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionNamespaceType + default: single + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionList + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Exception list item not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Internal server error response + summary: Retrieves an exception list using its `id` or `list_id` field + tags: + - Security Solution Exceptions API + post: + operationId: CreateExceptionList + requestBody: + content: + application/json; 
Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + description: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListDescription + list_id: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListHumanId + meta: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListMeta + name: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListName + namespace_type: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionNamespaceType + default: single + os_types: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListOsTypeArray + tags: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListTags + default: [] + type: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListType + version: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListVersion + default: 1 + required: + - name + - description + - type + description: Exception list's properties + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionList + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + 
#/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '409': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Exception list already exists response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Internal server error response + summary: Creates an exception list + tags: + - Security Solution Exceptions API + put: + operationId: UpdateExceptionList + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + _version: + type: string + description: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListDescription + id: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListId + list_id: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListHumanId + meta: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListMeta + name: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListName + namespace_type: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionNamespaceType + default: single + os_types: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListOsTypeArray + default: [] + tags: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListTags + type: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListType + version: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListVersion + required: + - name + - description + - type + description: Exception list's properties + required: true + responses: + '200': + content: + application/json; 
Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionList + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Exception list not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Internal server error response + summary: Updates an exception list + tags: + - Security Solution Exceptions API + /api/exception_lists/_duplicate: + post: + operationId: DuplicateExceptionList + parameters: + - description: Exception list's human identifier + in: query + name: list_id + required: true + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListHumanId + - in: query + name: namespace_type + required: true + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionNamespaceType + - description: >- + Determines whether to include expired exceptions in the exported + list + in: query + name: 
include_expired_exceptions + required: true + schema: + default: 'true' + enum: + - 'true' + - 'false' + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionList + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '405': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Exception list to duplicate not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Internal server error response + summary: Duplicates an exception list + tags: + - Security Solution Exceptions API + /api/exception_lists/_export: + post: + description: Exports an exception list and its associated items to an .ndjson file + operationId: ExportExceptionList + parameters: + - description: Exception list's identifier + in: query + name: id + required: true + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListId + - description: Exception list's human 
identifier + in: query + name: list_id + required: true + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListHumanId + - in: query + name: namespace_type + required: true + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionNamespaceType + - description: >- + Determines whether to include expired exceptions in the exported + list + in: query + name: include_expired_exceptions + required: true + schema: + default: 'true' + enum: + - 'true' + - 'false' + type: string + responses: + '200': + content: + application/ndjson; Elastic-Api-Version=2023-10-31: + schema: + description: >- + A `.ndjson` file containing specified exception list and its + items + format: binary + type: string + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Exception list not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Internal server error response + summary: Exports an 
exception list + tags: + - Security Solution Exceptions API + /api/exception_lists/_find: + get: + operationId: FindExceptionLists + parameters: + - description: > + Filters the returned results according to the value of the specified + field. + + + Uses the `so type.field name:field` value syntax, where `so type` + can be: + + + - `exception-list`: Specify a space-aware exception list. + + - `exception-list-agnostic`: Specify an exception list that is + shared across spaces. + in: query + name: filter + required: false + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_FindExceptionListsFilter + - description: > + Determines whether the returned containers are Kibana associated + with a Kibana space + + or available in all spaces (`agnostic` or `single`) + in: query + name: namespace_type + required: false + schema: + default: + - single + items: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionNamespaceType + type: array + - description: The page number to return + in: query + name: page + required: false + schema: + minimum: 1 + type: integer + - description: The number of exception lists to return per page + in: query + name: per_page + required: false + schema: + minimum: 1 + type: integer + - description: Determines which field is used to sort the results + in: query + name: sort_field + required: false + schema: + type: string + - description: 'Determines the sort order, which can be `desc` or `asc`' + in: query + name: sort_order + required: false + schema: + enum: + - desc + - asc + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + data: + items: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionList + type: array + page: + minimum: 1 + type: integer + per_page: + minimum: 1 + type: integer + total: + minimum: 0 + type: integer + required: + - data + - page + - per_page + - total + 
description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Internal server error response + summary: Finds exception lists + tags: + - Security Solution Exceptions API + /api/exception_lists/_import: + post: + description: Imports an exception list and associated items + operationId: ImportExceptionList + parameters: + - description: > + Determines whether existing exception lists with the same `list_id` + are overwritten. + + If any exception items have the same `item_id`, those are also + overwritten. + in: query + name: overwrite + required: false + schema: + default: false + type: boolean + - in: query + name: overwrite_exceptions + required: false + schema: + default: false + type: boolean + - in: query + name: overwrite_action_connectors + required: false + schema: + default: false + type: boolean + - description: > + Determines whether the list being imported will have a new `list_id` + generated. + + Additional `item_id`'s are generated for each exception item. Both + the exception + + list and its items are overwritten. 
+ in: query + name: as_new_list + required: false + schema: + default: false + type: boolean + requestBody: + content: + multipart/form-data; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + file: + description: A `.ndjson` file containing the exception list + format: binary + type: string + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + errors: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListsImportBulkErrorArray + success: + type: boolean + success_count: + minimum: 0 + type: integer + success_count_exception_list_items: + minimum: 0 + type: integer + success_count_exception_lists: + minimum: 0 + type: integer + success_exception_list_items: + type: boolean + success_exception_lists: + type: boolean + required: + - errors + - success + - success_count + - success_exception_lists + - success_count_exception_lists + - success_exception_list_items + - success_count_exception_list_items + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + 
#/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Internal server error response + summary: Imports an exception list + tags: + - Security Solution Exceptions API + /api/exception_lists/items: + delete: + operationId: DeleteExceptionListItem + parameters: + - description: Either `id` or `item_id` must be specified + in: query + name: id + required: false + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemId + - description: Either `id` or `item_id` must be specified + in: query + name: item_id + required: false + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemHumanId + - in: query + name: namespace_type + required: false + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionNamespaceType + default: single + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItem + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + 
#/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Exception list item not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Internal server error response + summary: Deletes an exception list item + tags: + - Security Solution Exceptions API + get: + operationId: ReadExceptionListItem + parameters: + - description: Either `id` or `item_id` must be specified + in: query + name: id + required: false + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemId + - description: Either `id` or `item_id` must be specified + in: query + name: item_id + required: false + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemHumanId + - in: query + name: namespace_type + required: false + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionNamespaceType + default: single + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItem + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: 
Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Exception list item not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Internal server error response + summary: Gets an exception list item + tags: + - Security Solution Exceptions API + post: + operationId: CreateExceptionListItem + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + comments: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_CreateExceptionListItemCommentArray + default: [] + description: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemDescription + entries: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemEntryArray + expire_time: + format: date-time + type: string + item_id: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemHumanId + list_id: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListHumanId + meta: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemMeta + name: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemName + namespace_type: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionNamespaceType + default: single + os_types: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemOsTypeArray + default: [] + tags: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemTags + default: [] + type: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemType + required: + - list_id + - type + - 
name + - description + - entries + description: Exception list item's properties + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItem + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '409': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Exception list item already exists response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Internal server error response + summary: Creates an exception list item + tags: + - Security Solution Exceptions API + put: + operationId: UpdateExceptionListItem + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + _version: + type: string + comments: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_UpdateExceptionListItemCommentArray + default: [] + description: + $ref: >- + 
#/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemDescription + entries: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemEntryArray + expire_time: + format: date-time + type: string + id: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemId + description: Either `id` or `item_id` must be specified + item_id: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemHumanId + description: Either `id` or `item_id` must be specified + list_id: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListHumanId + meta: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemMeta + name: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemName + namespace_type: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionNamespaceType + default: single + os_types: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemOsTypeArray + default: [] + tags: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemTags + type: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemType + required: + - type + - name + - description + - entries + description: Exception list item's properties + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItem + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; 
Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Exception list item not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Internal server error response + summary: Updates an exception list item + tags: + - Security Solution Exceptions API + /api/exception_lists/items/_find: + get: + operationId: FindExceptionListItems + parameters: + - description: List's id + in: query + name: list_id + required: true + schema: + items: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListHumanId + type: array + - description: > + Filters the returned results according to the value of the specified + field, + + using the `:` syntax. 
+ in: query + name: filter + required: false + schema: + default: [] + items: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_FindExceptionListItemsFilter + type: array + - description: > + Determines whether the returned containers are Kibana associated + with a Kibana space + + or available in all spaces (`agnostic` or `single`) + in: query + name: namespace_type + required: false + schema: + default: + - single + items: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionNamespaceType + type: array + - in: query + name: search + required: false + schema: + type: string + - description: The page number to return + in: query + name: page + required: false + schema: + minimum: 0 + type: integer + - description: The number of exception list items to return per page + in: query + name: per_page + required: false + schema: + minimum: 0 + type: integer + - description: Determines which field is used to sort the results + in: query + name: sort_field + required: false + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_NonEmptyString + - description: 'Determines the sort order, which can be `desc` or `asc`' + in: query + name: sort_order + required: false + schema: + enum: + - desc + - asc + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + data: + items: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItem + type: array + page: + minimum: 1 + type: integer + per_page: + minimum: 1 + type: integer + pit: + type: string + total: + minimum: 0 + type: integer + required: + - data + - page + - per_page + - total + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + - $ref: >- + 
#/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Exception list not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Internal server error response + summary: Finds exception list items + tags: + - Security Solution Exceptions API + /api/exception_lists/summary: + get: + operationId: ReadExceptionListSummary + parameters: + - description: Exception list's identifier generated upon creation + in: query + name: id + required: false + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListId + - description: Exception list's human readable identifier + in: query + name: list_id + required: false + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListHumanId + - in: query + name: namespace_type + required: false + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionNamespaceType + default: single + - description: Search filter clause + in: query + name: filter + required: false + schema: + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + linux: + minimum: 0 + 
type: integer + macos: + minimum: 0 + type: integer + total: + minimum: 0 + type: integer + windows: + minimum: 0 + type: integer + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Exception list not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Internal server error response + summary: Retrieves an exception list summary + tags: + - Security Solution Exceptions API + /api/exceptions/shared: + post: + operationId: CreateSharedExceptionList + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + description: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListDescription + name: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListName + required: + - name + - description + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + 
#/components/schemas/Security_Solution_Exceptions_API_ExceptionList + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '409': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Exception list already exists response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Internal server error response + summary: Creates a shared exception list + tags: + - Security Solution Exceptions API + /api/lists: + delete: + operationId: DeleteList + parameters: + - description: List's `id` value + in: query + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListId' + - in: query + name: deleteReferences + required: false + schema: + default: false + type: boolean + - in: query + name: ignoreReferences + required: false + schema: + default: false + type: boolean + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Solution_Lists_API_List' + description: Successful response + '400': + 
content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: List not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Internal server error response + summary: Deletes a list + tags: + - Security Solution Lists API + get: + operationId: ReadList + parameters: + - description: List's `id` value + in: query + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListId' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Solution_Lists_API_List' + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + 
#/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: List not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Internal server error response + summary: Retrieves a list using its id field + tags: + - Security Solution Lists API + patch: + operationId: PatchList + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + _version: + type: string + description: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_ListDescription + id: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListId' + meta: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_ListMetadata + name: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListName' + version: + minimum: 1 + type: integer + required: + - id + description: List's properties + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Solution_Lists_API_List' + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; 
Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: List not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Internal server error response + summary: Patches a list + tags: + - Security Solution Lists API + post: + operationId: CreateList + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + description: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_ListDescription + deserializer: + type: string + id: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListId' + meta: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_ListMetadata + name: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListName' + serializer: + type: string + type: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListType' + version: + default: 1 + minimum: 1 + type: integer + required: + - name + - description + - type + description: List's properties + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Solution_Lists_API_List' + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + - 
$ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Not enough privileges response + '409': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: List already exists response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Internal server error response + summary: Creates a list + tags: + - Security Solution Lists API + put: + operationId: UpdateList + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + _version: + type: string + description: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_ListDescription + id: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListId' + meta: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_ListMetadata + name: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListName' + version: + minimum: 1 + type: integer + required: + - id + - name + - description + description: List's properties + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Solution_Lists_API_List' + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + 
#/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: List not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Internal server error response + summary: Updates a list + tags: + - Security Solution Lists API + /api/lists/_find: + get: + operationId: FindLists + parameters: + - description: The page number to return + in: query + name: page + required: false + schema: + type: integer + - description: The number of lists to return per page + in: query + name: per_page + required: false + schema: + type: integer + - description: Determines which field is used to sort the results + in: query + name: sort_field + required: false + schema: + $ref: '#/components/schemas/Security_Solution_Lists_API_NonEmptyString' + - description: 'Determines the sort order, which can be `desc` or `asc`' + in: query + name: sort_order + required: false + schema: + enum: + - desc + - asc + type: string + - description: > + Returns the list that come after the last list returned in the + previous call + + (use the cursor value returned in the previous call). 
This parameter + uses + + the `tie_breaker_id` field to ensure all lists are sorted and + returned correctly. + in: query + name: cursor + required: false + schema: + $ref: '#/components/schemas/Security_Solution_Lists_API_FindListsCursor' + - description: > + Filters the returned results according to the value of the specified + field, + + using the : syntax. + in: query + name: filter + required: false + schema: + $ref: '#/components/schemas/Security_Solution_Lists_API_FindListsFilter' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + cursor: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_FindListsCursor + data: + items: + $ref: '#/components/schemas/Security_Solution_Lists_API_List' + type: array + page: + minimum: 0 + type: integer + per_page: + minimum: 0 + type: integer + total: + minimum: 0 + type: integer + required: + - data + - page + - per_page + - total + - cursor + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Not enough privileges response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Internal server error response + summary: Finds lists + tags: + - Security 
Solution Lists API + /api/lists/index: + delete: + operationId: DeleteListIndex + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + acknowledged: + type: boolean + required: + - acknowledged + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: List data stream not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Internal server error response + summary: Deletes list data streams + tags: + - Security Solution Lists API + get: + operationId: ReadListIndex + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + list_index: + type: boolean + list_item_index: + type: boolean + required: + - list_index + - list_item_index + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + 
#/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: List data stream(s) not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Internal server error response + summary: Get list data stream existence status + tags: + - Security Solution Lists API + post: + operationId: CreateListIndex + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + acknowledged: + type: boolean + required: + - acknowledged + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: 
+ $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Not enough privileges response + '409': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: List data stream exists response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Internal server error response + summary: Creates necessary list data streams + tags: + - Security Solution Lists API + /api/lists/items: + delete: + operationId: DeleteListItem + parameters: + - description: Required if `list_id` and `value` are not specified + in: query + name: id + required: false + schema: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListId' + - description: Required if `id` is not specified + in: query + name: list_id + required: false + schema: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListId' + - description: Required if `id` is not specified + in: query + name: value + required: false + schema: + type: string + - description: >- + Determines when changes made by the request are made visible to + search + in: query + name: refresh + required: false + schema: + default: 'false' + enum: + - 'true' + - 'false' + - wait_for + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: '#/components/schemas/Security_Solution_Lists_API_ListItem' + - items: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_ListItem + type: array + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: 
Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: List item not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Internal server error response + summary: Deletes a list item + tags: + - Security Solution Lists API + get: + operationId: ReadListItem + parameters: + - description: Required if `list_id` and `value` are not specified + in: query + name: id + required: false + schema: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListId' + - description: Required if `id` is not specified + in: query + name: list_id + required: false + schema: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListId' + - description: Required if `id` is not specified + in: query + name: value + required: false + schema: + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: '#/components/schemas/Security_Solution_Lists_API_ListItem' + - items: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_ListItem + type: array + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + - $ref: >- + 
#/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: List item not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Internal server error response + summary: Gets a list item + tags: + - Security Solution Lists API + patch: + operationId: PatchListItem + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + _version: + type: string + id: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListItemId' + meta: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_ListItemMetadata + refresh: + description: >- + Determines when changes made by the request are made visible + to search + enum: + - 'true' + - 'false' + - wait_for + type: string + value: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_ListItemValue + required: + - id + description: List item's properties + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListItem' + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + 
#/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: List item not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Internal server error response + summary: Patches a list item + tags: + - Security Solution Lists API + post: + operationId: CreateListItem + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + id: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListItemId' + list_id: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListId' + meta: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_ListItemMetadata + refresh: + description: >- + Determines when changes made by the request are made visible + to search + enum: + - 'true' + - 'false' + - wait_for + type: string + value: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_ListItemValue + required: + - list_id + - value + description: List item's properties + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: 
'#/components/schemas/Security_Solution_Lists_API_ListItem' + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Not enough privileges response + '409': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: List item already exists response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Internal server error response + summary: Creates a list item + tags: + - Security Solution Lists API + put: + operationId: UpdateListItem + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + _version: + type: string + id: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListItemId' + meta: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_ListItemMetadata + value: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_ListItemValue + required: + - id + - value + description: List item's properties + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListItem' + 
description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: List item not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Internal server error response + summary: Updates a list item + tags: + - Security Solution Lists API + /api/lists/items/_export: + post: + description: Exports list item values from the specified list + operationId: ExportListItems + parameters: + - description: List's id to export + in: query + name: list_id + required: true + schema: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListId' + responses: + '200': + content: + application/ndjson; Elastic-Api-Version=2023-10-31: + schema: + description: A `.txt` file containing list items from the specified list + format: binary + type: string + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + - $ref: >- + 
#/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: List not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Internal server error response + summary: Exports list items + tags: + - Security Solution Lists API + /api/lists/items/_find: + get: + operationId: FindListItems + parameters: + - description: List's id + in: query + name: list_id + required: true + schema: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListId' + - description: The page number to return + in: query + name: page + required: false + schema: + type: integer + - description: The number of list items to return per page + in: query + name: per_page + required: false + schema: + type: integer + - description: Determines which field is used to sort the results + in: query + name: sort_field + required: false + schema: + $ref: '#/components/schemas/Security_Solution_Lists_API_NonEmptyString' + - description: 'Determines the sort order, which can be `desc` or `asc`' + in: query + name: sort_order + required: false + schema: + enum: + - desc + - asc + type: string + - description: > + Returns the list that come after the last list returned in the + previous call + + (use the cursor value returned 
in the previous call). This parameter + uses + + the `tie_breaker_id` field to ensure all lists are sorted and + returned correctly. + in: query + name: cursor + required: false + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_FindListItemsCursor + - description: > + Filters the returned results according to the value of the specified + field, + + using the : syntax. + in: query + name: filter + required: false + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_FindListItemsFilter + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + cursor: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_FindListItemsCursor + data: + items: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_ListItem + type: array + page: + minimum: 0 + type: integer + per_page: + minimum: 0 + type: integer + total: + minimum: 0 + type: integer + required: + - data + - page + - per_page + - total + - cursor + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Not enough privileges response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Internal server error 
response + summary: Finds list items + tags: + - Security Solution Lists API + /api/lists/items/_import: + post: + description: > + Imports a list of items from a `.txt` or `.csv` file. The maximum file + size is 9 million bytes. + + + You can import items to a new or existing list. + operationId: ImportListItems + parameters: + - description: | + List's id. + + Required when importing to an existing list. + in: query + name: list_id + required: false + schema: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListId' + - description: > + Type of the importing list. + + + Required when importing a new list that is `list_id` is not + specified. + in: query + name: type + required: false + schema: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListType' + - in: query + name: serializer + required: false + schema: + type: string + - in: query + name: deserializer + required: false + schema: + type: string + - description: >- + Determines when changes made by the request are made visible to + search + in: query + name: refresh + required: false + schema: + enum: + - 'true' + - 'false' + - wait_for + type: string + requestBody: + content: + multipart/form-data; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + file: + description: >- + A `.txt` or `.csv` file containing newline separated list + items + format: binary + type: string + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Solution_Lists_API_List' + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + 
#/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Not enough privileges response + '409': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: List with specified list_id does not exist response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Internal server error response + summary: Imports list items + tags: + - Security Solution Lists API + /api/lists/privileges: + get: + operationId: ReadListPrivileges + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + is_authenticated: + type: boolean + listItems: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_ListItemPrivileges + lists: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_ListPrivileges + required: + - lists + - listItems + - is_authenticated + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + 
#/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Not enough privileges response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Internal server error response + summary: Gets list privileges + tags: + - Security Solution Lists API + /api/ml/saved_objects/sync: + get: + description: > + Synchronizes Kibana saved objects for machine learning jobs and trained + models. This API runs automatically when you start Kibana and + periodically thereafter. + operationId: mlSync + parameters: + - $ref: '#/components/parameters/Machine_learning_APIs_simulateParam' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + examples: + syncExample: + $ref: '#/components/examples/Machine_learning_APIs_mlSyncExample' + schema: + $ref: '#/components/schemas/Machine_learning_APIs_mlSync200Response' + description: Indicates a successful call + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Machine_learning_APIs_mlSync4xxResponse' + description: Authorization information is missing or invalid. + summary: Sync machine learning saved objects + tags: + - ml + /api/note: + delete: + operationId: DeleteNote + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - nullable: true + type: object + properties: + noteId: + type: string + required: + - noteId + - type: object + properties: + noteIds: + items: + type: string + nullable: true + type: array + required: + - noteIds + description: The id of the note to delete. + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + data: + type: object + description: Indicates the note was successfully deleted. + summary: Deletes a note from a timeline. 
+ tags: + - Security Solution Timeline API + - 'access:securitySolution' + get: + description: Gets notes + operationId: GetNotes + parameters: + - in: query + name: documentIds + required: true + schema: + $ref: '#/components/schemas/Security_Solution_Timeline_API_DocumentIds' + - in: query + name: page + schema: + nullable: true + type: number + - in: query + name: perPage + schema: + nullable: true + type: number + - in: query + name: search + schema: + nullable: true + type: string + - in: query + name: sortField + schema: + nullable: true + type: string + - in: query + name: sortOrder + schema: + nullable: true + type: string + - in: query + name: filter + schema: + nullable: true + type: string + responses: + '200': + description: Indicates the requested notes were returned. + summary: Get all notes for a given document. + tags: + - Security Solution Timeline API + - 'access:securitySolution' + patch: + operationId: PersistNoteRoute + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + eventDataView: + nullable: true + type: string + eventIngested: + nullable: true + type: string + eventTimestamp: + nullable: true + type: string + note: + $ref: '#/components/schemas/Security_Solution_Timeline_API_BareNote' + noteId: + nullable: true + type: string + overrideOwner: + nullable: true + type: boolean + version: + nullable: true + type: string + required: + - note + description: The note to persist or update along with additional metadata. 
+ required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + data: + type: object + properties: + persistNote: + type: object + properties: + code: + type: number + message: + type: string + note: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_Note + required: + - code + - message + - note + required: + - persistNote + required: + - data + description: Indicates the note was successfully created. + summary: Persists a note to a timeline. + tags: + - Security Solution Timeline API + - 'access:securitySolution' + /api/osquery/live_queries: + get: + operationId: OsqueryFindLiveQueries + parameters: + - in: query + name: query + required: true + schema: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_FindLiveQueryRequestQuery + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_DefaultSuccessResponse + description: OK + summary: Find live queries + tags: + - Security Solution Osquery API + post: + operationId: OsqueryCreateLiveQuery + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_CreateLiveQueryRequestBody + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_DefaultSuccessResponse + description: OK + summary: Create a live query + tags: + - Security Solution Osquery API + '/api/osquery/live_queries/{id}': + get: + operationId: OsqueryGetLiveQueryDetails + parameters: + - in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Solution_Osquery_API_Id' + - in: query + name: query + schema: + additionalProperties: true type: object - required: - - id - - name - maxItems: 25 - properties: - id: - type: 
string - description: The Slack channel ID. - example: C123ABC456 - minLength: 1 - name: + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_DefaultSuccessResponse + description: OK + summary: Get live query details + tags: + - Security Solution Osquery API + '/api/osquery/live_queries/{id}/results/{actionId}': + get: + operationId: OsqueryGetLiveQueryResults + parameters: + - in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Solution_Osquery_API_Id' + - in: path + name: actionId + required: true + schema: + $ref: '#/components/schemas/Security_Solution_Osquery_API_Id' + - in: query + name: query + required: true + schema: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_GetLiveQueryResultsRequestQuery + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_DefaultSuccessResponse + description: OK + summary: Get live query results + tags: + - Security Solution Osquery API + /api/osquery/packs: + get: + operationId: OsqueryFindPacks + parameters: + - in: query + name: query + required: true + schema: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_FindPacksRequestQuery + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_DefaultSuccessResponse + description: OK + summary: Find packs + tags: + - Security Solution Osquery API + post: + operationId: OsqueryCreatePacks + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_CreatePacksRequestBody + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + 
#/components/schemas/Security_Solution_Osquery_API_DefaultSuccessResponse + description: OK + summary: Create a packs + tags: + - Security Solution Osquery API + '/api/osquery/packs/{id}': + delete: + operationId: OsqueryDeletePacks + parameters: + - in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Solution_Osquery_API_PackId' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_DefaultSuccessResponse + description: OK + summary: Delete packs + tags: + - Security Solution Osquery API + get: + operationId: OsqueryGetPacksDetails + parameters: + - in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Solution_Osquery_API_PackId' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_DefaultSuccessResponse + description: OK + summary: Get packs details + tags: + - Security Solution Osquery API + put: + operationId: OsqueryUpdatePacks + parameters: + - in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Solution_Osquery_API_PackId' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_UpdatePacksRequestBody + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_DefaultSuccessResponse + description: OK + summary: Update packs + tags: + - Security Solution Osquery API + /api/osquery/saved_queries: + get: + operationId: OsqueryFindSavedQueries + parameters: + - in: query + name: query + required: true + schema: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_FindSavedQueryRequestQuery + responses: + '200': + content: + 
application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_DefaultSuccessResponse + description: OK + summary: Find saved queries + tags: + - Security Solution Osquery API + post: + operationId: OsqueryCreateSavedQuery + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_CreateSavedQueryRequestBody + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_DefaultSuccessResponse + description: OK + summary: Create a saved query + tags: + - Security Solution Osquery API + '/api/osquery/saved_queries/{id}': + delete: + operationId: OsqueryDeleteSavedQuery + parameters: + - in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Solution_Osquery_API_SavedQueryId' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_DefaultSuccessResponse + description: OK + summary: Delete saved query + tags: + - Security Solution Osquery API + get: + operationId: OsqueryGetSavedQueryDetails + parameters: + - in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Solution_Osquery_API_SavedQueryId' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_DefaultSuccessResponse + description: OK + summary: Get saved query details + tags: + - Security Solution Osquery API + put: + operationId: OsqueryUpdateSavedQuery + parameters: + - in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Solution_Osquery_API_SavedQueryId' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: 
>- + #/components/schemas/Security_Solution_Osquery_API_UpdateSavedQueryRequestBody + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_DefaultSuccessResponse + description: OK + summary: Update saved query + tags: + - Security Solution Osquery API + /api/pinned_event: + patch: + operationId: PersistPinnedEventRoute + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + eventId: + type: string + pinnedEventId: + nullable: true + type: string + timelineId: + type: string + required: + - eventId + - timelineId + description: The pinned event to persist or update along with additional metadata. + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + data: + type: object + properties: + persistPinnedEventOnTimeline: + allOf: + - $ref: >- + #/components/schemas/Security_Solution_Timeline_API_PinnedEvent + - type: object + properties: + code: + type: number + message: + type: string + required: + - persistPinnedEventOnTimeline + required: + - data + description: Indicate the event was successfully pinned in the timeline. + summary: Persists a pinned event to a timeline. + tags: + - Security Solution Timeline API + - 'access:securitySolution' + /api/saved_objects/_export: + post: + description: > + Retrieve sets of saved objects that you want to import into Kibana. + + You must include `type` or `objects` in the request body. + + + Exported saved objects are not backwards compatible and cannot be + imported into an older version of Kibana. + + + NOTE: The `savedObjects.maxImportExportSize` configuration setting + limits the number of saved objects which may be exported. + + + This functionality is in technical preview and may be changed or removed + in a future release. 
Elastic will work to fix any issues, but features + in technical preview are not subject to the support SLA of official GA + features. + operationId: exportSavedObjectsDefault + parameters: + - $ref: '#/components/parameters/Serverless_saved_objects_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + examples: + exportSavedObjectsRequest: + $ref: >- + #/components/examples/Serverless_saved_objects_export_objects_request + schema: + type: object + properties: + excludeExportDetails: + default: false + description: Do not add export details entry at the end of the stream. + type: boolean + includeReferencesDeep: + description: >- + Includes all of the referenced objects in the exported + objects. + type: boolean + objects: + description: A list of objects to export. + items: + type: object + type: array + type: + description: >- + The saved object types to include in the export. Use `*` to + export all the types. + oneOf: + - type: string + - items: + type: string + type: array + required: true + responses: + '200': + content: + application/x-ndjson; Elastic-Api-Version=2023-10-31: + examples: + exportSavedObjectsResponse: + $ref: >- + #/components/examples/Serverless_saved_objects_export_objects_response + schema: + additionalProperties: true + type: object + description: Indicates a successful call. + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Serverless_saved_objects_400_response' + description: Bad request. + summary: Export saved objects + tags: + - saved objects + /api/saved_objects/_import: + post: + description: > + Create sets of Kibana saved objects from a file created by the export + API. + + Saved objects can be imported only into the same version, a newer minor + on the same major, or the next major. Exported saved objects are not + backwards compatible and cannot be imported into an older version of + Kibana. 
+ + + This functionality is in technical preview and may be changed or removed + in a future release. Elastic will work to fix any issues, but features + in technical preview are not subject to the support SLA of official GA + features. + operationId: importSavedObjectsDefault + parameters: + - $ref: '#/components/parameters/Serverless_saved_objects_kbn_xsrf' + - description: > + Creates copies of saved objects, regenerates each object ID, and + resets the origin. When used, potential conflict errors are avoided. + NOTE: This option cannot be used with the `overwrite` and + `compatibilityMode` options. + in: query + name: createNewCopies + required: false + schema: + type: boolean + - description: > + Overwrites saved objects when they already exist. When used, + potential conflict errors are automatically resolved by overwriting + the destination object. NOTE: This option cannot be used with the + `createNewCopies` option. + in: query + name: overwrite + required: false + schema: + type: boolean + - description: > + Applies various adjustments to the saved objects that are being + imported to maintain compatibility between different Kibana + versions. Use this option only if you encounter issues with imported + saved objects. NOTE: This option cannot be used with the + `createNewCopies` option. + in: query + name: compatibilityMode + required: false + schema: + type: boolean + requestBody: + content: + multipart/form-data; Elastic-Api-Version=2023-10-31: + examples: + importObjectsRequest: + $ref: >- + #/components/examples/Serverless_saved_objects_import_objects_request + schema: + type: object + properties: + file: + description: > + A file exported using the export API. NOTE: The + `savedObjects.maxImportExportSize` configuration setting + limits the number of saved objects which may be included in + this file. Similarly, the + `savedObjects.maxImportPayloadBytes` setting limits the + overall size of the file that can be imported. 
+ required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + examples: + importObjectsResponse: + $ref: >- + #/components/examples/Serverless_saved_objects_import_objects_response + schema: + type: object + properties: + errors: + description: > + Indicates the import was unsuccessful and specifies the + objects that failed to import. + + + NOTE: One object may result in multiple errors, which + requires separate steps to resolve. For instance, a + `missing_references` error and conflict error. + items: + type: object + type: array + success: + description: > + Indicates when the import was successfully completed. When + set to false, some objects may not have been created. For + additional information, refer to the `errors` and + `successResults` properties. + type: boolean + successCount: + description: Indicates the number of successfully imported records. + type: integer + successResults: + description: > + Indicates the objects that are successfully imported, with + any metadata if applicable. + + + NOTE: Objects are created only when all resolvable errors + are addressed, including conflicts and missing references. + If objects are created as new copies, each entry in the + `successResults` array includes a `destinationId` + attribute. + items: + type: object + type: array + description: Indicates a successful call. + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Serverless_saved_objects_400_response' + description: Bad request. + summary: Import saved objects + tags: + - saved objects + /api/security_ai_assistant/anonymization_fields/_bulk_action: + post: + description: >- + The bulk action is applied to all anonymization fields that match the + filter or to the list of anonymization fields by their IDs. 
+ operationId: PerformAnonymizationFieldsBulkAction + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + create: + items: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldCreateProps + type: array + delete: + type: object + properties: + ids: + description: Array of anonymization fields IDs + items: + type: string + minItems: 1 + type: array + query: + description: Query to filter anonymization fields + type: string + update: + items: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldUpdateProps + type: array + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkCrudActionResponse + description: Indicates a successful call. + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + error: + type: string + message: + type: string + statusCode: + type: number + description: Generic Error + summary: Applies a bulk action to multiple anonymization fields + tags: + - Security AI Assistant API + - Bulk API + /api/security_ai_assistant/anonymization_fields/_find: + get: + description: Finds anonymization fields that match the given query. 
+ operationId: FindAnonymizationFields + parameters: + - in: query + name: fields + required: false + schema: + items: + type: string + type: array + - description: Search query + in: query + name: filter + required: false + schema: + type: string + - description: Field to sort by + in: query + name: sort_field + required: false + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_FindAnonymizationFieldsSortField + - description: Sort order + in: query + name: sort_order + required: false + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_SortOrder' + - description: Page number + in: query + name: page + required: false + schema: + default: 1 + minimum: 1 + type: integer + - description: AnonymizationFields per page + in: query + name: per_page + required: false + schema: + default: 20 + minimum: 0 + type: integer + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + data: + items: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse + type: array + page: + type: integer + perPage: + type: integer + total: + type: integer + required: + - page + - perPage + - total + - data + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + error: + type: string + message: + type: string + statusCode: + type: number + description: Generic Error + summary: Finds anonymization fields that match the given query. + tags: + - Security AI Assistant API + - AnonymizationFields API + /api/security_ai_assistant/chat/complete: + post: + description: Creates a model response for the given chat conversation. 
+ operationId: ChatComplete + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_ChatCompleteProps' + required: true + responses: + '200': + content: + application/octet-stream; Elastic-Api-Version=2023-10-31: + schema: + format: binary type: string - description: The Slack channel name. - minLength: 1 - Connectors_secrets_properties_slack_api: - title: Connector secrets properties for a Web API Slack connector - description: Defines secrets for connectors when type is `.slack`. - required: - - token - type: object - properties: - token: - type: string - description: Slack bot user OAuth token. - Connectors_secrets_properties_slack_webhook: - title: Connector secrets properties for a Webhook Slack connector - description: Defines secrets for connectors when type is `.slack`. - required: - - webhookUrl - type: object - properties: - webhookUrl: - type: string - description: Slack webhook url. - Connectors_config_properties_swimlane: - title: Connector request properties for a Swimlane connector - required: - - apiUrl - - appId - - connectorType - description: Defines properties for connectors when type is `.swimlane`. - type: object - properties: - apiUrl: - description: The Swimlane instance URL. - type: string - appId: - description: The Swimlane application ID. - type: string - connectorType: + description: Indicates a successful call. + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + error: + type: string + message: + type: string + statusCode: + type: number + description: Generic Error + summary: Creates a model response for the given chat conversation. 
+ tags: + - Security AI Assistant API + - Chat Complete API + /api/security_ai_assistant/current_user/conversations: + post: + description: Create a conversation + operationId: CreateConversation + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_ConversationCreateProps + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_ConversationResponse + description: Indicates a successful call. + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + error: + type: string + message: + type: string + statusCode: + type: number + description: Generic Error + summary: Create a conversation + tags: + - Security AI Assistant API + - Conversation API + /api/security_ai_assistant/current_user/conversations/_find: + get: + description: Finds conversations that match the given query. 
+ operationId: FindConversations + parameters: + - in: query + name: fields + required: false + schema: + items: + type: string + type: array + - description: Search query + in: query + name: filter + required: false + schema: + type: string + - description: Field to sort by + in: query + name: sort_field + required: false + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_FindConversationsSortField + - description: Sort order + in: query + name: sort_order + required: false + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_SortOrder' + - description: Page number + in: query + name: page + required: false + schema: + default: 1 + minimum: 1 + type: integer + - description: Conversations per page + in: query + name: per_page + required: false + schema: + default: 20 + minimum: 0 + type: integer + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + data: + items: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_ConversationResponse + type: array + page: + type: integer + perPage: + type: integer + total: + type: integer + required: + - page + - perPage + - total + - data + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + error: + type: string + message: + type: string + statusCode: + type: number + description: Generic Error + summary: Finds conversations that match the given query. + tags: + - Security AI Assistant API + - Conversations API + '/api/security_ai_assistant/current_user/conversations/{id}': + delete: + description: Deletes a single conversation using the `id` field. + operationId: DeleteConversation + parameters: + - description: The conversation's `id` value. 
+ in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_ConversationResponse + description: Indicates a successful call. + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + error: + type: string + message: + type: string + statusCode: + type: number + description: Generic Error + summary: Deletes a single conversation using the `id` field. + tags: + - Security AI Assistant API + - Conversation API + get: + description: Read a single conversation + operationId: ReadConversation + parameters: + - description: The conversation's `id` value. + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_ConversationResponse + description: Indicates a successful call. + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + error: + type: string + message: + type: string + statusCode: + type: number + description: Generic Error + summary: Read a single conversation + tags: + - Security AI Assistant API + - Conversations API + put: + description: Update a single conversation + operationId: UpdateConversation + parameters: + - description: The conversation's `id` value. 
+ in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_ConversationUpdateProps + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_ConversationResponse + description: Indicates a successful call. + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + error: + type: string + message: + type: string + statusCode: + type: number + description: Generic Error + summary: Update a conversation + tags: + - Security AI Assistant API + - Conversation API + /api/security_ai_assistant/prompts/_bulk_action: + post: + description: >- + The bulk action is applied to all prompts that match the filter or to + the list of prompts by their IDs. + operationId: PerformPromptsBulkAction + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + create: + items: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_PromptCreateProps + type: array + delete: + type: object + properties: + ids: + description: Array of prompts IDs + items: + type: string + minItems: 1 + type: array + query: + description: Query to filter promps + type: string + update: + items: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_PromptUpdateProps + type: array + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_PromptsBulkCrudActionResponse + description: Indicates a successful call. 
+ '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + error: + type: string + message: + type: string + statusCode: + type: number + description: Generic Error + summary: Applies a bulk action to multiple prompts + tags: + - Security AI Assistant API + - Bulk API + /api/security_ai_assistant/prompts/_find: + get: + description: Finds prompts that match the given query. + operationId: FindPrompts + parameters: + - in: query + name: fields + required: false + schema: + items: + type: string + type: array + - description: Search query + in: query + name: filter + required: false + schema: + type: string + - description: Field to sort by + in: query + name: sort_field + required: false + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_FindPromptsSortField + - description: Sort order + in: query + name: sort_order + required: false + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_SortOrder' + - description: Page number + in: query + name: page + required: false + schema: + default: 1 + minimum: 1 + type: integer + - description: Prompts per page + in: query + name: per_page + required: false + schema: + default: 20 + minimum: 0 + type: integer + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + data: + items: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_PromptResponse + type: array + page: + type: integer + perPage: + type: integer + total: + type: integer + required: + - page + - perPage + - total + - data + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + error: + type: string + message: + type: string + statusCode: + type: number + description: Generic Error + summary: Finds prompts that match the given query. 
+ tags: + - Security AI Assistant API + - Prompts API + /api/status: + get: + operationId: /api/status#0 + parameters: + - description: The version of the API to use + in: header + name: elastic-api-version + schema: + default: '2023-10-31' + enum: + - '2023-10-31' + type: string + - description: Set to "true" to get the response in v7 format. + in: query + name: v7format + required: false + schema: + type: boolean + - description: Set to "true" to get the response in v8 format. + in: query + name: v8format + required: false + schema: + type: boolean + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_core_status_response' + - $ref: >- + #/components/schemas/Kibana_HTTP_APIs_core_status_redactedResponse + description: >- + Kibana's operational status. A minimal response is sent for + unauthorized users. + description: Overall status is OK and Kibana should be functioning normally. + '503': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_core_status_response' + - $ref: >- + #/components/schemas/Kibana_HTTP_APIs_core_status_redactedResponse + description: >- + Kibana's operational status. A minimal response is sent for + unauthorized users. description: >- - The type of connector. Valid values are `all`, `alerts`, and - `cases`. - type: string - enum: - - all - - alerts - - cases - mappings: - title: Connector mappings properties for a Swimlane connector - description: The field mapping. - type: object - properties: - alertIdConfig: - title: Alert identifier mapping - description: Mapping for the alert ID. + Kibana or some of it's essential services are unavailable. Kibana + may be degraded or unavailable. 
+ summary: Get Kibana's current status + tags: + - system + /api/timeline: + delete: + operationId: DeleteTimelines + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + savedObjectIds: + items: + type: string + type: array + searchIds: + description: >- + Saved search ids that should be deleted alongside the + timelines + items: + type: string + type: array + required: + - savedObjectIds + description: The ids of the timelines or timeline templates to delete. + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + data: + type: object + properties: + deleteTimeline: + type: boolean + required: + - deleteTimeline + required: + - data + description: Indicates the timeline was successfully deleted. + summary: Deletes one or more timelines or timeline templates. + tags: + - Security Solution Timeline API + - 'access:securitySolution' + get: + operationId: GetTimeline + parameters: + - description: The ID of the template timeline to retrieve + in: query + name: template_timeline_id + schema: + type: string + - description: The ID of the timeline to retrieve + in: query + name: id + schema: + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + data: + type: object + properties: + getOneTimeline: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_TimelineResponse + nullable: true + required: + - getOneTimeline + required: + - data + description: Indicates that the (template) timeline was found and returned. + summary: >- + Get an existing saved timeline or timeline template. This API is used to + retrieve an existing saved timeline or timeline template. + tags: + - Security Solution Timeline API + - 'access:securitySolution' + patch: + description: >- + Updates an existing timeline. 
This API is used to update the title, + description, date range, pinned events, pinned queries, and/or pinned + saved queries of an existing timeline. + operationId: PatchTimeline + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: type: object - required: - - fieldType - - id - - key - - name properties: - fieldType: - type: string - description: The type of field in Swimlane. - id: - type: string - description: The identifier for the field in Swimlane. - key: + timeline: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_SavedTimeline + timelineId: + nullable: true type: string - description: The key for the field in Swimlane. - name: + version: + nullable: true type: string - description: The name of the field in Swimlane. - caseIdConfig: - title: Case identifier mapping - description: Mapping for the case ID. - type: object required: - - fieldType - - id - - key - - name - properties: - fieldType: - type: string - description: The type of field in Swimlane. - id: - type: string - description: The identifier for the field in Swimlane. - key: - type: string - description: The key for the field in Swimlane. - name: - type: string - description: The name of the field in Swimlane. - caseNameConfig: - title: Case name mapping - description: Mapping for the case name. + - timelineId + - version + - timeline + description: The timeline updates along with the timeline ID and version. + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + data: + type: object + properties: + persistTimeline: + type: object + properties: + timeline: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_TimelineResponse + required: + - timeline + required: + - persistTimeline + required: + - data + description: >- + Indicates that the draft timeline was successfully created. 
In the + event the user already has a draft timeline, the existing draft + timeline is cleared and returned. + '405': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + body: + type: string + statusCode: + type: number + description: >- + Indicates that the user does not have the required access to create + a draft timeline. + summary: Updates an existing timeline. + tags: + - Security Solution Timeline API + - 'access:securitySolution' + post: + operationId: CreateTimelines + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: type: object - required: - - fieldType - - id - - key - - name properties: - fieldType: - type: string - description: The type of field in Swimlane. - id: + status: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_TimelineStatus + nullable: true + templateTimelineId: + nullable: true type: string - description: The identifier for the field in Swimlane. - key: + templateTimelineVersion: + nullable: true + type: number + timeline: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_SavedTimeline + timelineId: + nullable: true type: string - description: The key for the field in Swimlane. - name: + timelineType: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_TimelineType + nullable: true + version: + nullable: true type: string - description: The name of the field in Swimlane. - commentsConfig: - title: Case comment mapping - description: Mapping for the case comments. - type: object required: - - fieldType - - id - - key - - name - properties: - fieldType: - type: string - description: The type of field in Swimlane. - id: - type: string - description: The identifier for the field in Swimlane. - key: - type: string - description: The key for the field in Swimlane. - name: - type: string - description: The name of the field in Swimlane. 
- descriptionConfig: - title: Case description mapping - description: Mapping for the case description. + - timeline + description: >- + The required timeline fields used to create a new timeline along with + optional fields that will be created if not provided. + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + data: + type: object + properties: + persistTimeline: + type: object + properties: + timeline: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_TimelineResponse + required: + - persistTimeline + required: + - data + description: Indicates the timeline was successfully created. + '405': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + body: + type: string + statusCode: + type: number + description: Indicates that there was an error in the timeline creation. + summary: Creates a new timeline. + tags: + - Security Solution Timeline API + - 'access:securitySolution' + /api/timeline/_draft: + get: + operationId: GetDraftTimelines + parameters: + - in: query + name: timelineType + required: true + schema: + $ref: '#/components/schemas/Security_Solution_Timeline_API_TimelineType' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + data: + type: object + properties: + persistTimeline: + type: object + properties: + timeline: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_TimelineResponse + required: + - timeline + required: + - persistTimeline + required: + - data + description: Indicates that the draft timeline was successfully retrieved. 
+ '403': + content: + 'application:json; Elastic-Api-Version=2023-10-31': + schema: + type: object + properties: + message: + type: string + status_code: + type: number + description: >- + If a draft timeline was not found and we attempted to create one, it + indicates that the user does not have the required permissions to + create a draft timeline. + '409': + content: + 'application:json; Elastic-Api-Version=2023-10-31': + schema: + type: object + properties: + message: + type: string + status_code: + type: number + description: >- + This should never happen, but if a draft timeline was not found and + we attempted to create one, it indicates that there is already a + draft timeline with the given timelineId. + summary: >- + Retrieves the draft timeline for the current user. If the user does not + have a draft timeline, an empty timeline is returned. + tags: + - Security Solution Timeline API + - 'access:securitySolution' + post: + description: > + Retrieves a clean draft timeline. If a draft timeline does not exist, it + is created and returned. + operationId: CleanDraftTimelines + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: type: object - required: - - fieldType - - id - - key - - name properties: - fieldType: - type: string - description: The type of field in Swimlane. - id: - type: string - description: The identifier for the field in Swimlane. - key: - type: string - description: The key for the field in Swimlane. - name: - type: string - description: The name of the field in Swimlane. - ruleNameConfig: - title: Rule name mapping - description: Mapping for the name of the alert's rule. + timelineType: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_TimelineType + required: + - timelineType + description: >- + The type of timeline to create. Valid values are `default` and + `template`. 
+ required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + data: + type: object + properties: + persistTimeline: + type: object + properties: + timeline: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_TimelineResponse + required: + - timeline + required: + - persistTimeline + required: + - data + description: >- + Indicates that the draft timeline was successfully created. In the + event the user already has a draft timeline, the existing draft + timeline is cleared and returned. + '403': + content: + 'application:json; Elastic-Api-Version=2023-10-31': + schema: + type: object + properties: + message: + type: string + status_code: + type: number + description: >- + Indicates that the user does not have the required permissions to + create a draft timeline. + '409': + content: + 'application:json; Elastic-Api-Version=2023-10-31': + schema: + type: object + properties: + message: + type: string + status_code: + type: number + description: >- + Indicates that there is already a draft timeline with the given + timelineId. + summary: Retrieves a draft timeline or timeline template. + tags: + - Security Solution Timeline API + - 'access:securitySolution' + /api/timeline/_export: + post: + operationId: ExportTimelines + parameters: + - description: The name of the file to export + in: query + name: file_name + required: true + schema: + type: string + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: type: object - required: - - fieldType - - id - - key - - name properties: - fieldType: - type: string - description: The type of field in Swimlane. - id: - type: string - description: The identifier for the field in Swimlane. - key: - type: string - description: The key for the field in Swimlane. - name: - type: string - description: The name of the field in Swimlane. 
- severityConfig: - title: Severity mapping - description: Mapping for the severity. + ids: + items: + type: string + nullable: true + type: array + description: The ids of the timelines to export + required: true + responses: + '200': + content: + application/ndjson; Elastic-Api-Version=2023-10-31: + schema: + description: NDJSON of the exported timelines + type: string + description: Indicates the timelines were successfully exported + '400': + content: + application/ndjson; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + body: + type: string + statusCode: + type: number + description: Indicates that the export size limit was exceeded + summary: Exports timelines as an NDJSON file + tags: + - Security Solution Timeline API + - 'access:securitySolution' + /api/timeline/_favorite: + patch: + operationId: PersistFavoriteRoute + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: type: object - required: - - fieldType - - id - - key - - name properties: - fieldType: - type: string - description: The type of field in Swimlane. - id: - type: string - description: The identifier for the field in Swimlane. - key: + templateTimelineId: + nullable: true type: string - description: The key for the field in Swimlane. - name: + templateTimelineVersion: + nullable: true + type: number + timelineId: + nullable: true type: string - description: The name of the field in Swimlane. - Connectors_secrets_properties_swimlane: - title: Connector secrets properties for a Swimlane connector - description: Defines secrets for connectors when type is `.swimlane`. - type: object - properties: - apiToken: - description: Swimlane API authentication token. - type: string - Connectors_secrets_properties_teams: - title: Connector secrets properties for a Microsoft Teams connector - description: Defines secrets for connectors when type is `.teams`. 
- type: object - required: - - webhookUrl - properties: - webhookUrl: - type: string - description: > - The URL of the incoming webhook. If you are using the - `xpack.actions.allowedHosts` setting, add the hostname to the - allowed hosts. - Connectors_config_properties_tines: - title: Connector request properties for a Tines connector - description: Defines properties for connectors when type is `.tines`. - type: object - required: - - url - properties: - url: - description: > - The Tines tenant URL. If you are using the - `xpack.actions.allowedHosts` setting, make sure this hostname is - added to the allowed hosts. - type: string - Connectors_secrets_properties_tines: - title: Connector secrets properties for a Tines connector - description: Defines secrets for connectors when type is `.tines`. - type: object - required: - - email - - token - properties: - email: - description: The email used to sign in to Tines. - type: string - token: - description: The Tines API token. - type: string - Connectors_config_properties_torq: - title: Connector request properties for a Torq connector - description: Defines properties for connectors when type is `.torq`. - type: object - required: - - webhookIntegrationUrl - properties: - webhookIntegrationUrl: - description: The endpoint URL of the Elastic Security integration in Torq. - type: string - Connectors_secrets_properties_torq: - title: Connector secrets properties for a Torq connector - description: Defines secrets for connectors when type is `.torq`. - type: object - required: - - token - properties: - token: - description: The secret of the webhook authentication header. - type: string - Connectors_config_properties_webhook: - title: Connector request properties for a Webhook connector - description: Defines properties for connectors when type is `.webhook`. 
- type: object - properties: - authType: - type: string - nullable: true - enum: - - webhook-authentication-basic - - webhook-authentication-ssl - description: | - The type of authentication to use: basic, SSL, or none. - ca: - type: string - description: > - A base64 encoded version of the certificate authority file that the - connector can trust to sign and validate certificates. This option - is available for all authentication types. - certType: - type: string - description: > - If the `authType` is `webhook-authentication-ssl`, specifies whether - the certificate authentication data is in a CRT and key file format - or a PFX file format. - enum: - - ssl-crt-key - - ssl-pfx - hasAuth: - type: boolean - description: > - If `true`, a user name and password must be provided for login type - authentication. - headers: - type: object - nullable: true - description: A set of key-value pairs sent as headers with the request. - method: - type: string - default: post - enum: - - post - - put - description: | - The HTTP request method, either `post` or `put`. - url: - type: string - description: > - The request URL. If you are using the `xpack.actions.allowedHosts` - setting, add the hostname to the allowed hosts. - verificationMode: - type: string - enum: - - certificate - - full - - none - default: full - description: > - Controls the verification of certificates. Use `full` to validate - that the certificate has an issue date within the `not_before` and - `not_after` dates, chains to a trusted certificate authority (CA), - and has a hostname or IP address that matches the names within the - certificate. Use `certificate` to validate the certificate and - verify that it is signed by a trusted authority; this option does - not check the certificate hostname. Use `none` to skip certificate - validation. 
- Connectors_secrets_properties_webhook: - title: Connector secrets properties for a Webhook connector - description: Defines secrets for connectors when type is `.webhook`. - type: object - properties: - crt: - type: string + timelineType: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_TimelineType + nullable: true + required: + - timelineId + - templateTimelineId + - templateTimelineVersion + - timelineType + description: The required fields used to favorite a (template) timeline. + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + data: + type: object + properties: + persistFavorite: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_FavoriteTimelineResponse + required: + - persistFavorite + required: + - data + description: Indicates the favorite status was successfully updated. + '403': + content: + 'application:json; Elastic-Api-Version=2023-10-31': + schema: + type: object + properties: + body: + type: string + statusCode: + type: number description: >- - If `authType` is `webhook-authentication-ssl` and `certType` is - `ssl-crt-key`, it is a base64 encoded version of the CRT or CERT - file. - key: - type: string + Indicates the user does not have the required permissions to persist + the favorite status. + summary: Persists a given users favorite status of a timeline. 
+ tags: + - Security Solution Timeline API + - 'access:securitySolution' + /api/timeline/_import: + post: + operationId: ImportTimelines + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + file: + allOf: + - $ref: >- + #/components/schemas/Security_Solution_Timeline_API_Readable + - type: object + properties: + hapi: + type: object + properties: + filename: + type: string + headers: + type: object + isImmutable: + enum: + - 'true' + - 'false' + type: string + required: + - filename + - headers + required: + - hapi + description: The timelines to import as a readable stream. + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + data: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_ImportTimelineResult + required: + - data + description: Indicates the import of timelines was successful. + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + body: + type: string + id: + type: string + statusCode: + type: number description: >- - If `authType` is `webhook-authentication-ssl` and `certType` is - `ssl-crt-key`, it is a base64 encoded version of the KEY file. - pfx: - type: string + Indicates the import of timelines was unsuccessful because of an + invalid file extension. + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + id: + type: string + statusCode: + type: number description: >- - If `authType` is `webhook-authentication-ssl` and `certType` is - `ssl-pfx`, it is a base64 encoded version of the PFX or P12 file. - password: - type: string - description: > - The password for HTTP basic authentication or the passphrase for the - SSL certificate files. If `hasAuth` is set to `true` and `authType` - is `webhook-authentication-basic`, this property is required. 
- user: - type: string - description: > - The username for HTTP basic authentication. If `hasAuth` is set to - `true` and `authType` is `webhook-authentication-basic`, this - property is required. - Connectors_config_properties_xmatters: - title: Connector request properties for an xMatters connector - description: Defines properties for connectors when type is `.xmatters`. - type: object - properties: - configUrl: - description: > - The request URL for the Elastic Alerts trigger in xMatters. It is - applicable only when `usesBasic` is `true`. - type: string - nullable: true - usesBasic: + Indicates that we were unable to locate the saved object client + necessary to handle the import. + '409': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + body: + type: string + id: + type: string + statusCode: + type: number + description: Indicates the import of timelines was unsuccessful. + summary: Imports timelines. + tags: + - Security Solution Timeline API + - 'access:securitySolution' + /api/timeline/_prepackaged: + post: + operationId: InstallPrepackedTimelines + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + prepackagedTimelines: + items: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_SavedTimeline + type: array + timelinesToInstall: + items: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_ImportTimelines + nullable: true + type: array + timelinesToUpdate: + items: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_ImportTimelines + nullable: true + type: array + required: + - timelinesToInstall + - timelinesToUpdate + - prepackagedTimelines + description: The timelines to install or update. 
+ required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + data: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_ImportTimelineResult + required: + - data + description: Indicates the installation of prepackaged timelines was successful. + '500': + content: + 'application:json; Elastic-Api-Version=2023-10-31': + schema: + type: object + properties: + body: + type: string + statusCode: + type: number description: >- - Specifies whether the connector uses HTTP basic authentication - (`true`) or URL authentication (`false`). - type: boolean - default: true - Connectors_secrets_properties_xmatters: - title: Connector secrets properties for an xMatters connector - description: Defines secrets for connectors when type is `.xmatters`. - type: object + Indicates the installation of prepackaged timelines was + unsuccessful. + summary: Installs prepackaged timelines. + tags: + - Security Solution Timeline API + - 'access:securitySolution' + /api/timeline/resolve: + get: + operationId: ResolveTimeline + parameters: + - description: The ID of the template timeline to resolve + in: query + name: template_timeline_id + schema: + type: string + - description: The ID of the timeline to resolve + in: query + name: id + schema: + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + data: + type: object + properties: + getOneTimeline: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_TimelineResponse + nullable: true + required: + - getOneTimeline + required: + - data + description: The (template) timeline has been found + '400': + description: The request is missing parameters + '404': + description: The (template) timeline was not found + summary: Get an existing saved timeline or timeline template. 
+ tags: + - Security Solution Timeline API + - 'access:securitySolution' + /api/timelines: + get: + operationId: GetTimelines + parameters: + - description: >- + If true, only timelines that are marked as favorites by the user are + returned. + in: query + name: only_user_favorite + schema: + enum: + - 'true' + - 'false' + nullable: true + type: string + - in: query + name: timeline_type + schema: + $ref: '#/components/schemas/Security_Solution_Timeline_API_TimelineType' + nullable: true + - in: query + name: sort_field + schema: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_SortFieldTimeline + - in: query + name: sort_order + schema: + enum: + - asc + - desc + type: string + - in: query + name: page_size + schema: + nullable: true + type: string + - in: query + name: page_index + schema: + nullable: true + type: string + - in: query + name: search + schema: + nullable: true + type: string + - in: query + name: status + schema: + $ref: '#/components/schemas/Security_Solution_Timeline_API_TimelineStatus' + nullable: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + data: + type: object + properties: + customTemplateTimelineCount: + type: number + defaultTimelineCount: + type: number + elasticTemplateTimelineCount: + type: number + favoriteCount: + type: number + templateTimelineCount: + type: number + timelines: + items: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_TimelineResponse + type: array + totalCount: + type: number + required: + - timelines + - totalCount + - defaultTimelineCount + - templateTimelineCount + - favoriteCount + - elasticTemplateTimelineCount + - customTemplateTimelineCount + required: + - data + description: Indicates that the (template) timelines were found and returned. 
+ '400': + content: + 'application:json; Elastic-Api-Version=2023-10-31': + schema: + type: object + properties: + body: + type: string + statusCode: + type: number + description: Bad request. The user supplied invalid data. + summary: >- + This API is used to retrieve a list of existing saved timelines or + timeline templates. + tags: + - Security Solution Timeline API + - 'access:securitySolution' + '/s/{spaceId}/api/observability/slos': + get: + description: > + You must have the `read` privileges for the **SLOs** feature in the + **Observability** section of the Kibana feature privileges. + operationId: findSlosOp + parameters: + - $ref: '#/components/parameters/SLOs_kbn_xsrf' + - $ref: '#/components/parameters/SLOs_space_id' + - description: A valid kql query to filter the SLO with + example: 'slo.name:latency* and slo.tags : "prod"' + in: query + name: kqlQuery + schema: + type: string + - description: 'The page to use for pagination, must be greater or equal than 1' + example: 1 + in: query + name: page + schema: + default: 1 + type: integer + - description: Number of SLOs returned by page + example: 25 + in: query + name: perPage + schema: + default: 25 + maximum: 5000 + type: integer + - description: Sort by field + example: status + in: query + name: sortBy + schema: + default: status + enum: + - sli_value + - status + - error_budget_consumed + - error_budget_remaining + type: string + - description: Sort order + example: asc + in: query + name: sortDirection + schema: + default: asc + enum: + - asc + - desc + type: string + - description: >- + Hide stale SLOs from the list as defined by stale SLO threshold in + SLO settings + in: query + name: hideStale + schema: + type: boolean + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_find_slo_response' + description: Successful request + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: 
'#/components/schemas/SLOs_400_response' + description: Bad request + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_401_response' + description: Unauthorized response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_403_response' + description: Unauthorized response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_404_response' + description: Not found response + summary: Get a paginated list of SLOs + tags: + - slo + post: + description: > + You must have `all` privileges for the **SLOs** feature in the + **Observability** section of the Kibana feature privileges. + operationId: createSloOp + parameters: + - $ref: '#/components/parameters/SLOs_kbn_xsrf' + - $ref: '#/components/parameters/SLOs_space_id' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_create_slo_request' + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_create_slo_response' + description: Successful request + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_400_response' + description: Bad request + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_401_response' + description: Unauthorized response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_403_response' + description: Unauthorized response + '409': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_409_response' + description: Conflict - The SLO id already exists + summary: Create an SLO + tags: + - slo + 
'/s/{spaceId}/api/observability/slos/_delete_instances':
+ post:
+ description: >
+ The deletion occurs for the specified list of `sloId` and `instanceId`.
+ You must have `all` privileges for the **SLOs** feature in the
+ **Observability** section of the Kibana feature privileges.
+ operationId: deleteSloInstancesOp
+ parameters:
+ - $ref: '#/components/parameters/SLOs_kbn_xsrf'
+ - $ref: '#/components/parameters/SLOs_space_id'
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/SLOs_delete_slo_instances_request'
+ required: true
+ responses:
+ '204':
+ description: Successful request
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/SLOs_400_response'
+ description: Bad request
+ '401':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/SLOs_401_response'
+ description: Unauthorized response
+ '403':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/SLOs_403_response'
+ description: Unauthorized response
+ summary: Batch delete rollup and summary data
+ tags:
+ - slo
+ '/s/{spaceId}/api/observability/slos/{sloId}':
+ delete:
+ description: >
+ You must have the `write` privileges for the **SLOs** feature in the
+ **Observability** section of the Kibana feature privileges.
+ operationId: deleteSloOp
+ parameters:
+ - $ref: '#/components/parameters/SLOs_kbn_xsrf'
+ - $ref: '#/components/parameters/SLOs_space_id'
+ - $ref: '#/components/parameters/SLOs_slo_id'
+ responses:
+ '204':
+ description: Successful request
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/SLOs_400_response'
+ description: Bad request
+ '401':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/SLOs_401_response'
+ description: Unauthorized response
+ '403':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/SLOs_403_response'
+ description: Unauthorized response
+ '404':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/SLOs_404_response'
+ description: Not found response
+ summary: Delete an SLO
+ tags:
+ - slo
+ get:
+ description: >
+ You must have the `read` privileges for the **SLOs** feature in the
+ **Observability** section of the Kibana feature privileges.
+ operationId: getSloOp
+ parameters:
+ - $ref: '#/components/parameters/SLOs_kbn_xsrf'
+ - $ref: '#/components/parameters/SLOs_space_id'
+ - $ref: '#/components/parameters/SLOs_slo_id'
+ - description: the specific instanceId used by the summary calculation
+ example: host-abcde
+ in: query
+ name: instanceId
+ schema:
+ type: string
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/SLOs_slo_with_summary_response'
+ description: Successful request
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/SLOs_400_response'
+ description: Bad request
+ '401':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/SLOs_401_response'
+ description: Unauthorized response
+ '403':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/SLOs_403_response'
+ description: Unauthorized response
+ '404':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/SLOs_404_response'
+ description: Not found response
+ summary: Get an SLO
+ tags:
+ - slo
+ put:
+ description: >
+ You must have the `write` privileges for the **SLOs** feature in the
+ **Observability** section of the Kibana feature privileges.
+ operationId: updateSloOp
+ parameters:
+ - $ref: '#/components/parameters/SLOs_kbn_xsrf'
+ - $ref: '#/components/parameters/SLOs_space_id'
+ - $ref: '#/components/parameters/SLOs_slo_id'
+ requestBody:
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/SLOs_update_slo_request'
+ required: true
+ responses:
+ '200':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/SLOs_slo_definition_response'
+ description: Successful request
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/SLOs_400_response'
+ description: Bad request
+ '401':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/SLOs_401_response'
+ description: Unauthorized response
+ '403':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/SLOs_403_response'
+ description: Unauthorized response
+ '404':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/SLOs_404_response'
+ description: Not found response
+ summary: Update an SLO
+ tags:
+ - slo
+ '/s/{spaceId}/api/observability/slos/{sloId}/_reset':
+ post:
+ description: >
+ You must have the `write` privileges for the **SLOs** feature in the
+ **Observability** section of the Kibana feature privileges.
+ operationId: resetSloOp
+ parameters:
+ - $ref: '#/components/parameters/SLOs_kbn_xsrf'
+ - $ref: '#/components/parameters/SLOs_space_id'
+ - $ref: '#/components/parameters/SLOs_slo_id'
+ responses:
+ '204':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/SLOs_slo_definition_response'
+ description: Successful request
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/SLOs_400_response'
+ description: Bad request
+ '401':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/SLOs_401_response'
+ description: Unauthorized response
+ '403':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/SLOs_403_response'
+ description: Unauthorized response
+ '404':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/SLOs_404_response'
+ description: Not found response
+ summary: Reset an SLO
+ tags:
+ - slo
+ '/s/{spaceId}/api/observability/slos/{sloId}/disable':
+ post:
+ description: >
+ You must have the `write` privileges for the **SLOs** feature in the
+ **Observability** section of the Kibana feature privileges.
+ operationId: disableSloOp
+ parameters:
+ - $ref: '#/components/parameters/SLOs_kbn_xsrf'
+ - $ref: '#/components/parameters/SLOs_space_id'
+ - $ref: '#/components/parameters/SLOs_slo_id'
+ responses:
+ '200':
+ description: Successful request
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/SLOs_400_response'
+ description: Bad request
+ '401':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/SLOs_401_response'
+ description: Unauthorized response
+ '403':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/SLOs_403_response'
+ description: Unauthorized response
+ '404':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/SLOs_404_response'
+ description: Not found response
+ summary: Disable an SLO
+ tags:
+ - slo
+ '/s/{spaceId}/api/observability/slos/{sloId}/enable':
+ post:
+ description: >
+ You must have the `write` privileges for the **SLOs** feature in the
+ **Observability** section of the Kibana feature privileges.
+ operationId: enableSloOp
+ parameters:
+ - $ref: '#/components/parameters/SLOs_kbn_xsrf'
+ - $ref: '#/components/parameters/SLOs_space_id'
+ - $ref: '#/components/parameters/SLOs_slo_id'
+ responses:
+ '204':
+ description: Successful request
+ '400':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/SLOs_400_response'
+ description: Bad request
+ '401':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/SLOs_401_response'
+ description: Unauthorized response
+ '403':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/SLOs_403_response'
+ description: Unauthorized response
+ '404':
+ content:
+ application/json; Elastic-Api-Version=2023-10-31:
+ schema:
+ $ref: '#/components/schemas/SLOs_404_response'
+ description: Not found response
+ summary: Enable an SLO
+ tags:
+ - slo
+components:
+ examples:
+ Connectors_create_email_connector_request:
+ summary: Create an email connector.
+ value:
+ config:
+ from: tester@example.com
+ hasAuth: true
+ host: 'https://example.com'
+ port: 1025
+ secure: false
+ service: other
+ connector_type_id: .email
+ name: email-connector-1
+ secrets:
+ password: password
+ user: username
+ Connectors_create_email_connector_response:
+ summary: A new email connector.
+ value:
+ config:
+ clientId: null
+ from: tester@example.com
+ hasAuth: true
+ host: 'https://example.com'
+ oauthTokenUrl: null
+ port: 1025
+ secure: false
+ service: other
+ tenantId: null
+ connector_type_id: .email
+ id: 90a82c60-478f-11ee-a343-f98a117c727f
+ is_deprecated: false
+ is_missing_secrets: false
+ is_preconfigured: false
+ is_system_action: false
+ name: email-connector-1
+ Connectors_create_index_connector_request:
+ summary: Create an index connector.
+ value:
+ config:
+ index: test-index
+ connector_type_id: .index
+ name: my-connector
+ Connectors_create_index_connector_response:
+ summary: A new index connector.
+ value:
+ config:
+ executionTimeField: null
+ index: test-index
+ refresh: false
+ connector_type_id: .index
+ id: c55b6eb0-6bad-11eb-9f3b-611eebc6c3ad
+ is_deprecated: false
+ is_missing_secrets: false
+ is_preconfigured: false
+ is_system_action: false
+ name: my-connector
+ Connectors_create_webhook_connector_request:
+ summary: Create a webhook connector with SSL authentication.
+ value:
+ config:
+ authType: webhook-authentication-ssl
+ certType: ssl-crt-key
+ method: post
+ url: 'https://example.com'
+ connector_type_id: .webhook
+ name: my-webhook-connector
+ secrets:
+ crt: QmFnIEF0dH...
+ key: LS0tLS1CRUdJ...
+ password: my-passphrase
+ Connectors_create_webhook_connector_response:
+ summary: A new webhook connector.
+ value:
+ config:
+ authType: webhook-authentication-ssl
+ certType: ssl-crt-key
+ hasAuth: true
+ headers: null
+ method: post
+ url: 'https://example.com'
+ verificationMode: full
+ connector_type_id: .webhook
+ id: 900eb010-3b9d-11ee-a642-8ffbb94e38bd
+ is_deprecated: false
+ is_missing_secrets: false
+ is_preconfigured: false
+ is_system_action: false
+ name: my-webhook-connector
+ Connectors_create_xmatters_connector_request:
+ summary: Create an xMatters connector with URL authentication.
+ value:
+ config:
+ usesBasic: false
+ connector_type_id: .xmatters
+ name: my-xmatters-connector
+ secrets:
+ secretsUrl: 'https://example.com?apiKey=xxxxx'
+ Connectors_create_xmatters_connector_response:
+ summary: A new xMatters connector.
+ value:
+ config:
+ configUrl: null
+ usesBasic: false
+ connector_type_id: .xmatters
+ id: 4d2d8da0-4d1f-11ee-9367-577408be4681
+ is_deprecated: false
+ is_missing_secrets: false
+ is_preconfigured: false
+ is_system_action: false
+ name: my-xmatters-connector
+ Connectors_get_connector_response:
+ summary: Get connector details.
+ value:
+ config: {}
+ connector_type_id: .server-log
+ id: df770e30-8b8b-11ed-a780-3b746c987a81
+ is_deprecated: false
+ is_missing_secrets: false
+ is_preconfigured: false
+ is_system_action: false
+ name: my_server_log_connector
+ Connectors_get_connector_types_generativeai_response:
+ summary: A list of connector types for the `generativeAI` feature.
+ value:
+ - enabled: true
+ enabled_in_config: true
+ enabled_in_license: true
+ id: .gen-ai
+ is_system_action_type: false
+ minimum_license_required: enterprise
+ name: OpenAI
+ supported_feature_ids:
+ - generativeAIForSecurity
+ - generativeAIForObservability
+ - generativeAIForSearchPlayground
+ - enabled: true
+ enabled_in_config: true
+ enabled_in_license: true
+ id: .bedrock
+ is_system_action_type: false
+ minimum_license_required: enterprise
+ name: AWS Bedrock
+ supported_feature_ids:
+ - generativeAIForSecurity
+ - generativeAIForObservability
+ - generativeAIForSearchPlayground
+ - enabled: true
+ enabled_in_config: true
+ enabled_in_license: true
+ id: .gemini
+ is_system_action_type: false
+ minimum_license_required: enterprise
+ name: Google Gemini
+ supported_feature_ids:
+ - generativeAIForSecurity
+ Connectors_get_connectors_response:
+ summary: A list of connectors
+ value:
+ - connector_type_id: .email
+ id: preconfigured-email-connector
+ is_deprecated: false
+ is_preconfigured: true
+ is_system_action: false
+ name: my-preconfigured-email-notification
+ referenced_by_count: 0
+ - config:
+ executionTimeField: null
+ index: test-index
+ refresh: false
+ connector_type_id: .index
+ id: e07d0c80-8b8b-11ed-a780-3b746c987a81
+ is_deprecated: false
+ is_missing_secrets: false
+ is_preconfigured: false
+ is_system_action: false
+ name: my-index-connector
+ referenced_by_count: 2
+ Connectors_update_index_connector_request:
+ summary: Update an index connector.
+ value: + config: + index: updated-index + name: updated-connector + Data_views_create_data_view_request: + summary: Create a data view with runtime fields. + value: + data_view: + name: My Logstash data view + runtimeFieldMap: + runtime_shape_name: + script: + source: 'emit(doc[''shape_name''].value)' + type: keyword + title: logstash-* + Data_views_create_runtime_field_request: + summary: Create a runtime field. + value: + name: runtimeFoo + runtimeField: + script: + source: 'emit(doc["foo"].value)' + type: long + Data_views_get_data_view_response: + summary: >- + The get data view API returns a JSON object that contains information + about the data view. + value: + data_view: + allowNoIndex: false + fieldAttrs: + products.manufacturer: + count: 1 + products.price: + count: 1 + products.product_name: + count: 1 + total_quantity: + count: 1 + fieldFormats: + products.base_price: + id: number + params: + pattern: '$0,0.00' + products.base_unit_price: + id: number + params: + pattern: '$0,0.00' + products.min_price: + id: number + params: + pattern: '$0,0.00' + products.price: + id: number + params: + pattern: '$0,0.00' + products.taxful_price: + id: number + params: + pattern: '$0,0.00' + products.taxless_price: + id: number + params: + pattern: '$0,0.00' + taxful_total_price: + id: number + params: + pattern: '$0,0.[00]' + taxless_total_price: + id: number + params: + pattern: '$0,0.00' + fields: + _id: + aggregatable: false + count: 0 + esTypes: + - _id + format: + id: string + isMapped: true + name: _id + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + _index: + aggregatable: true + count: 0 + esTypes: + - _index + format: + id: string + isMapped: true + name: _index + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + _score: + aggregatable: false + count: 0 + format: + id: number + isMapped: true + name: _score + readFromDocValues: false + scripted: 
false + searchable: false + shortDotsEnable: false + type: number + _source: + aggregatable: false + count: 0 + esTypes: + - _source + format: + id: _source + isMapped: true + name: _source + readFromDocValues: false + scripted: false + searchable: false + shortDotsEnable: false + type: _source + category: + aggregatable: false + count: 0 + esTypes: + - text + format: + id: string + isMapped: true + name: category + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + category.keyword: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: category.keyword + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + subType: + multi: + parent: category + type: string + currency: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: currency + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + customer_birth_date: + aggregatable: true + count: 0 + esTypes: + - date + format: + id: date + isMapped: true + name: customer_birth_date + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: date + customer_first_name: + aggregatable: false + count: 0 + esTypes: + - text + format: + id: string + isMapped: true + name: customer_first_name + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + customer_first_name.keyword: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: customer_first_name.keyword + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + subType: + multi: + parent: customer_first_name + type: string + customer_full_name: + aggregatable: false + count: 0 + esTypes: + - text + format: + id: string + isMapped: true + name: customer_full_name + readFromDocValues: 
false + scripted: false + searchable: true + shortDotsEnable: false + type: string + customer_full_name.keyword: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: customer_full_name.keyword + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + subType: + multi: + parent: customer_full_name + type: string + customer_gender: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: customer_gender + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + customer_id: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: customer_id + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + customer_last_name: + aggregatable: false + count: 0 + esTypes: + - text + format: + id: string + isMapped: true + name: customer_last_name + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + customer_last_name.keyword: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: customer_last_name.keyword + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + subType: + multi: + parent: customer_last_name + type: string + customer_phone: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: customer_phone + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + day_of_week: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: day_of_week + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + day_of_week_i: + aggregatable: true + count: 0 + esTypes: + - integer + format: + id: number + 
isMapped: true + name: day_of_week_i + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + email: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: email + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + event.dataset: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: event.dataset + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + geoip.city_name: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: geoip.city_name + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + geoip.continent_name: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: geoip.continent_name + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + geoip.country_iso_code: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: geoip.country_iso_code + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + geoip.location: + aggregatable: true + count: 0 + esTypes: + - geo_point + format: + id: geo_point + params: + transform: wkt + isMapped: true + name: geoip.location + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: geo_point + geoip.region_name: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: geoip.region_name + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + manufacturer: + aggregatable: false + count: 0 + esTypes: + - text + format: + id: string + isMapped: true + name: manufacturer + 
readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + manufacturer.keyword: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: manufacturer.keyword + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + subType: + multi: + parent: manufacturer + type: string + order_date: + aggregatable: true + count: 0 + esTypes: + - date + format: + id: date + isMapped: true + name: order_date + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: date + order_id: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: order_id + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + products._id: + aggregatable: false + count: 0 + esTypes: + - text + format: + id: string + isMapped: true + name: products._id + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + products._id.keyword: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: products._id.keyword + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + subType: + multi: + parent: products._id + type: string + products.base_price: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + params: + pattern: '$0,0.00' + isMapped: true + name: products.base_price + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + products.base_unit_price: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + params: + pattern: '$0,0.00' + isMapped: true + name: products.base_unit_price + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + products.category: + aggregatable: false + 
count: 0 + esTypes: + - text + format: + id: string + isMapped: true + name: products.category + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + products.category.keyword: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: products.category.keyword + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + subType: + multi: + parent: products.category + type: string + products.created_on: + aggregatable: true + count: 0 + esTypes: + - date + format: + id: date + isMapped: true + name: products.created_on + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: date + products.discount_amount: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + isMapped: true + name: products.discount_amount + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + products.discount_percentage: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + isMapped: true + name: products.discount_percentage + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + products.manufacturer: + aggregatable: false + count: 1 + esTypes: + - text + format: + id: string + isMapped: true + name: products.manufacturer + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + products.manufacturer.keyword: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: products.manufacturer.keyword + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + subType: + multi: + parent: products.manufacturer + type: string + products.min_price: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + params: + pattern: '$0,0.00' + 
isMapped: true + name: products.min_price + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + products.price: + aggregatable: true + count: 1 + esTypes: + - half_float + format: + id: number + params: + pattern: '$0,0.00' + isMapped: true + name: products.price + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + products.product_id: + aggregatable: true + count: 0 + esTypes: + - long + format: + id: number + isMapped: true + name: products.product_id + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + products.product_name: + aggregatable: false + count: 1 + esTypes: + - text + format: + id: string + isMapped: true + name: products.product_name + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + products.product_name.keyword: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: products.product_name.keyword + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + subType: + multi: + parent: products.product_name + type: string + products.quantity: + aggregatable: true + count: 0 + esTypes: + - integer + format: + id: number + isMapped: true + name: products.quantity + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + products.sku: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: products.sku + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + products.tax_amount: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + isMapped: true + name: products.tax_amount + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + products.taxful_price: + 
aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + params: + pattern: '$0,0.00' + isMapped: true + name: products.taxful_price + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + products.taxless_price: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + params: + pattern: '$0,0.00' + isMapped: true + name: products.taxless_price + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + products.unit_discount_amount: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + isMapped: true + name: products.unit_discount_amount + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + sku: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: sku + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + taxful_total_price: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + params: + pattern: '$0,0.[00]' + isMapped: true + name: taxful_total_price + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + taxless_total_price: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + params: + pattern: '$0,0.00' + isMapped: true + name: taxless_total_price + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + total_quantity: + aggregatable: true + count: 1 + esTypes: + - integer + format: + id: number + isMapped: true + name: total_quantity + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + total_unique_products: + aggregatable: true + count: 0 + esTypes: + - integer + format: + id: number + isMapped: true + name: total_unique_products + 
readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + type: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: type + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + user: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: user + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + id: ff959d40-b880-11e8-a6d9-e546fe2bba5f + name: Kibana Sample Data eCommerce + namespaces: + - default + runtimeFieldMap: {} + sourceFilters: [] + timeFieldName: order_date + title: kibana_sample_data_ecommerce + typeMeta: {} + version: WzUsMV0= + Data_views_get_data_views_response: + summary: The get all data views API returns a list of data views. + value: + data_view: + - id: ff959d40-b880-11e8-a6d9-e546fe2bba5f + name: Kibana Sample Data eCommerce + namespaces: + - default + title: kibana_sample_data_ecommerce + typeMeta: {} + - id: d3d7af60-4c81-11e8-b3d7-01146121b73d + name: Kibana Sample Data Flights + namespaces: + - default + title: kibana_sample_data_flights + - id: 90943e30-9a47-11e8-b64d-95841ca0b247 + name: Kibana Sample Data Logs + namespaces: + - default + title: kibana_sample_data_logs + Data_views_get_default_data_view_response: + summary: The get default data view API returns the default data view identifier. + value: + data_view_id: ff959d40-b880-11e8-a6d9-e546fe2bba5f + Data_views_get_runtime_field_response: + summary: >- + The get runtime field API returns a JSON object that contains + information about the runtime field (`hour_of_day`) and the data view + (`d3d7af60-4c81-11e8-b3d7-01146121b73d`). 
+ value: + data_view: + allowNoIndex: false + fieldAttrs: {} + fieldFormats: + AvgTicketPrice: + id: number + params: + pattern: '$0,0.[00]' + hour_of_day: + id: number + params: + pattern: '00' + fields: + _id: + aggregatable: false + count: 0 + esTypes: + - _id + format: + id: string + isMapped: true + name: _id + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + _index: + aggregatable: true + count: 0 + esTypes: + - _index + format: + id: string + isMapped: true + name: _index + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + _score: + aggregatable: false + count: 0 + format: + id: number + isMapped: true + name: _score + readFromDocValues: false + scripted: false + searchable: false + shortDotsEnable: false + type: number + _source: + aggregatable: false + count: 0 + esTypes: + - _source + format: + id: _source + isMapped: true + name: _source + readFromDocValues: false + scripted: false + searchable: false + shortDotsEnable: false + type: _source + AvgTicketPrice: + aggregatable: true + count: 0 + esTypes: + - float + format: + id: number + params: + pattern: '$0,0.[00]' + isMapped: true + name: AvgTicketPrice + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + Cancelled: + aggregatable: true + count: 0 + esTypes: + - boolean + format: + id: boolean + isMapped: true + name: Cancelled + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: boolean + Carrier: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: Carrier + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + dayOfWeek: + aggregatable: true + count: 0 + esTypes: + - integer + format: + id: number + isMapped: true + name: dayOfWeek + readFromDocValues: true + scripted: false + searchable: true + 
shortDotsEnable: false + type: number + Dest: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: Dest + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + DestAirportID: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: DestAirportID + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + DestCityName: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: DestCityName + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + DestCountry: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: DestCountry + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + DestLocation: + aggregatable: true + count: 0 + esTypes: + - geo_point + format: + id: geo_point + params: + transform: wkt + isMapped: true + name: DestLocation + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: geo_point + DestRegion: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: DestRegion + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + DestWeather: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: DestWeather + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + DistanceKilometers: + aggregatable: true + count: 0 + esTypes: + - float + format: + id: number + isMapped: true + name: DistanceKilometers + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + DistanceMiles: + aggregatable: true + count: 0 + 
esTypes: + - float + format: + id: number + isMapped: true + name: DistanceMiles + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + FlightDelay: + aggregatable: true + count: 0 + esTypes: + - boolean + format: + id: boolean + isMapped: true + name: FlightDelay + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: boolean + FlightDelayMin: + aggregatable: true + count: 0 + esTypes: + - integer + format: + id: number + isMapped: true + name: FlightDelayMin + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + FlightDelayType: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: FlightDelayType + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + FlightNum: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: FlightNum + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + FlightTimeHour: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: FlightTimeHour + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + FlightTimeMin: + aggregatable: true + count: 0 + esTypes: + - float + format: + id: number + isMapped: true + name: FlightTimeMin + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + hour_of_day: + aggregatable: true + count: 0 + esTypes: + - long + format: + id: number + params: + pattern: '00' + name: hour_of_day + readFromDocValues: false + runtimeField: + script: + source: 'emit(doc[''timestamp''].value.getHour());' + type: long + scripted: false + searchable: true + shortDotsEnable: false + type: number + Origin: + aggregatable: true + count: 0 + esTypes: + - keyword 
+ format: + id: string + isMapped: true + name: Origin + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + OriginAirportID: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: OriginAirportID + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + OriginCityName: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: OriginCityName + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + OriginCountry: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: OriginCountry + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + OriginLocation: + aggregatable: true + count: 0 + esTypes: + - geo_point + format: + id: geo_point + params: + transform: wkt + isMapped: true + name: OriginLocation + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: geo_point + OriginRegion: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: OriginRegion + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + OriginWeather: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: OriginWeather + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + timestamp: + aggregatable: true + count: 0 + esTypes: + - date + format: + id: date + isMapped: true + name: timestamp + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: date + id: d3d7af60-4c81-11e8-b3d7-01146121b73d + name: Kibana Sample Data Flights + runtimeFieldMap: + hour_of_day: + script: + source: 
'emit(doc[''timestamp''].value.getHour());' + type: long + sourceFilters: [] + timeFieldName: timestamp + title: kibana_sample_data_flights + version: WzM2LDJd + fields: + - aggregatable: true + count: 0 + esTypes: + - long + name: hour_of_day + readFromDocValues: false + runtimeField: + script: + source: 'emit(doc[''timestamp''].value.getHour());' + type: long + scripted: false + searchable: true + shortDotsEnable: false + type: number + Data_views_preview_swap_data_view_request: + summary: Preview swapping references from data view ID "abcd-efg" to "xyz-123". + value: + fromId: abcd-efg + toId: xyz-123 + Data_views_set_default_data_view_request: + summary: Set the default data view identifier. + value: + data_view_id: ff959d40-b880-11e8-a6d9-e546fe2bba5f + force: true + Data_views_swap_data_view_request: + summary: >- + Swap references from data view ID "abcd-efg" to "xyz-123" and remove the + data view that is no longer referenced. + value: + delete: true + fromId: abcd-efg + toId: xyz-123 + Data_views_update_data_view_request: + summary: Update some properties for a data view. + value: + data_view: + allowNoIndex: false + name: Kibana Sample Data eCommerce + timeFieldName: order_date + title: kibana_sample_data_ecommerce + refresh_fields: true + Data_views_update_field_metadata_request: + summary: Update metadata for multiple fields. + value: + fields: + field1: + count: 123 + customLabel: Field 1 label + field2: + customDescription: Field 2 description + customLabel: Field 2 label + Data_views_update_runtime_field_request: + summary: Update an existing runtime field on a data view. + value: + runtimeField: + script: + source: 'emit(doc["bar"].value)' + Machine_learning_APIs_mlSyncExample: + summary: Two anomaly detection jobs required synchronization in this example. 
+ value: + datafeedsAdded: {} + datafeedsRemoved: {} + savedObjectsCreated: + anomaly-detector: + myjob1: + success: true + myjob2: + success: true + savedObjectsDeleted: {} + Serverless_saved_objects_export_objects_request: + summary: Export a specific saved object. + value: + excludeExportDetails: true + includeReferencesDeep: false + objects: + - id: de71f4f0-1902-11e9-919b-ffe5949a18d2 + type: map + Serverless_saved_objects_export_objects_response: + summary: >- + The export objects API response contains a JSON record for each exported + object. + value: + attributes: + description: '' + layerListJSON: >- + [{"id":"0hmz5","alpha":1,"sourceDescriptor":{"type":"EMS_TMS","isAutoSelect":true,"lightModeDefault":"road_map_desaturated"},"visible":true,"style":{},"type":"EMS_VECTOR_TILE","minZoom":0,"maxZoom":24},{"id":"edh66","label":"Total + Requests by + Destination","minZoom":0,"maxZoom":24,"alpha":0.5,"sourceDescriptor":{"type":"EMS_FILE","id":"world_countries","tooltipProperties":["name","iso2"]},"visible":true,"style":{"type":"VECTOR","properties":{"fillColor":{"type":"DYNAMIC","options":{"field":{"name":"__kbnjoin__count__673ff994-fc75-4c67-909b-69fcb0e1060e","origin":"join"},"color":"Greys","fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"lineColor":{"type":"STATIC","options":{"color":"#FFFFFF"}},"lineWidth":{"type":"STATIC","options":{"size":1}},"iconSize":{"type":"STATIC","options":{"size":10}},"symbolizeAs":{"options":{"value":"circle"}},"icon":{"type":"STATIC","options":{"value":"marker"}}}},"type":"GEOJSON_VECTOR","joins":[{"leftField":"iso2","right":{"type":"ES_TERM_SOURCE","id":"673ff994-fc75-4c67-909b-69fcb0e1060e","indexPatternTitle":"kibana_sample_data_logs","term":"geo.dest","indexPatternRefName":"layer_1_join_0_index_pattern","metrics":[{"type":"count","label":"web + logs + count"}],"applyGlobalQuery":true}}]},{"id":"gaxya","label":"Actual + 
Requests","minZoom":9,"maxZoom":24,"alpha":1,"sourceDescriptor":{"id":"b7486535-171b-4d3b-bb2e-33c1a0a2854c","type":"ES_SEARCH","geoField":"geo.coordinates","limit":2048,"filterByMapBounds":true,"tooltipProperties":["clientip","timestamp","host","request","response","machine.os","agent","bytes"],"indexPatternRefName":"layer_2_source_index_pattern","applyGlobalQuery":true,"scalingType":"LIMIT"},"visible":true,"style":{"type":"VECTOR","properties":{"fillColor":{"type":"STATIC","options":{"color":"#2200ff"}},"lineColor":{"type":"STATIC","options":{"color":"#FFFFFF"}},"lineWidth":{"type":"STATIC","options":{"size":2}},"iconSize":{"type":"DYNAMIC","options":{"field":{"name":"bytes","origin":"source"},"minSize":1,"maxSize":23,"fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"symbolizeAs":{"options":{"value":"circle"}},"icon":{"type":"STATIC","options":{"value":"marker"}}}},"type":"GEOJSON_VECTOR"},{"id":"tfi3f","label":"Total + Requests and + Bytes","minZoom":0,"maxZoom":9,"alpha":1,"sourceDescriptor":{"type":"ES_GEO_GRID","resolution":"COARSE","id":"8aaa65b5-a4e9-448b-9560-c98cb1c5ac5b","geoField":"geo.coordinates","requestType":"point","metrics":[{"type":"count","label":"web + logs + 
count"},{"type":"sum","field":"bytes"}],"indexPatternRefName":"layer_3_source_index_pattern","applyGlobalQuery":true},"visible":true,"style":{"type":"VECTOR","properties":{"fillColor":{"type":"DYNAMIC","options":{"field":{"name":"doc_count","origin":"source"},"color":"Blues","fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"lineColor":{"type":"STATIC","options":{"color":"#cccccc"}},"lineWidth":{"type":"STATIC","options":{"size":1}},"iconSize":{"type":"DYNAMIC","options":{"field":{"name":"sum_of_bytes","origin":"source"},"minSize":7,"maxSize":25,"fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"labelText":{"type":"DYNAMIC","options":{"field":{"name":"doc_count","origin":"source"},"fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"labelSize":{"type":"DYNAMIC","options":{"field":{"name":"doc_count","origin":"source"},"minSize":12,"maxSize":24,"fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"symbolizeAs":{"options":{"value":"circle"}},"icon":{"type":"STATIC","options":{"value":"marker"}}}},"type":"GEOJSON_VECTOR"}] + mapStateJSON: >- + {"zoom":3.64,"center":{"lon":-88.92107,"lat":42.16337},"timeFilters":{"from":"now-7d","to":"now"},"refreshConfig":{"isPaused":true,"interval":0},"query":{"language":"kuery","query":""},"settings":{"autoFitToDataBounds":false}} + title: '[Logs] Total Requests and Bytes' + uiStateJSON: '{"isDarkMode":false}' + coreMigrationVersion: 8.8.0 + created_at: '2023-08-23T20:03:32.204Z' + id: de71f4f0-1902-11e9-919b-ffe5949a18d2 + managed: false + references: + - id: 90943e30-9a47-11e8-b64d-95841ca0b247 + name: layer_1_join_0_index_pattern + type: index-pattern + - id: 90943e30-9a47-11e8-b64d-95841ca0b247 + name: layer_2_source_index_pattern + type: index-pattern + - id: 90943e30-9a47-11e8-b64d-95841ca0b247 + name: layer_3_source_index_pattern + type: index-pattern + type: map + typeMigrationVersion: 8.4.0 + updated_at: '2023-08-23T20:03:32.204Z' + version: WzEzLDFd + Serverless_saved_objects_import_objects_request: + value: + file: 
file.ndjson + Serverless_saved_objects_import_objects_response: + summary: >- + The import objects API response indicates a successful import and the + objects are created. Since these objects are created as new copies, each + entry in the successResults array includes a destinationId attribute. + value: + success: true + successCount: 1 + successResults: + - destinationId: 82d2760c-468f-49cf-83aa-b9a35b6a8943 + id: 90943e30-9a47-11e8-b64d-95841ca0b247 + managed: false + meta: + icon: indexPatternApp + title: Kibana Sample Data Logs + type: index-pattern + parameters: + Connectors_connector_id: + description: An identifier for the connector. + in: path + name: connectorId + required: true + schema: + example: df770e30-8b8b-11ed-a780-3b746c987a81 + type: string + Connectors_kbn_xsrf: + description: Cross-site request forgery protection + in: header + name: kbn-xsrf + required: true + schema: + type: string + Data_views_field_name: + description: The name of the runtime field. + in: path + name: fieldName + required: true + schema: + example: hour_of_day + type: string + Data_views_kbn_xsrf: + description: Cross-site request forgery protection + in: header + name: kbn-xsrf + required: true + schema: + type: string + Data_views_view_id: + description: An identifier for the data view. + in: path + name: viewId + required: true + schema: + example: ff959d40-b880-11e8-a6d9-e546fe2bba5f + type: string + Machine_learning_APIs_simulateParam: + description: >- + When true, simulates the synchronization by returning only the list of + actions that would be performed. 
+ example: 'true' + in: query + name: simulate + required: false + schema: + type: boolean + Serverless_saved_objects_kbn_xsrf: + description: Cross-site request forgery protection + in: header + name: kbn-xsrf + required: true + schema: + type: string + SLOs_kbn_xsrf: + description: Cross-site request forgery protection + in: header + name: kbn-xsrf + required: true + schema: + type: string + SLOs_slo_id: + description: An identifier for the slo. + in: path + name: sloId + required: true + schema: + example: 9c235211-6834-11ea-a78c-6feb38a34414 + type: string + SLOs_space_id: + description: >- + An identifier for the space. If `/s/` and the identifier are omitted + from the path, the default space is used. + in: path + name: spaceId + required: true + schema: + example: default + type: string + responses: + Connectors_401: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + properties: + error: + enum: + - Unauthorized + example: Unauthorized + type: string + message: + type: string + statusCode: + enum: + - 401 + example: 401 + type: integer + title: Unauthorized response + type: object + description: Authorization information is missing or invalid. + Connectors_404: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + properties: + error: + enum: + - Not Found + example: Not Found + type: string + message: + example: >- + Saved object [action/baf33fc0-920c-11ed-b36a-874bd1548a00] not + found + type: string + statusCode: + enum: + - 404 + example: 404 + type: integer + title: Not found response + type: object + description: Object is not found. + schemas: + Connectors_config_properties_bedrock: + description: Defines properties for connectors when type is `.bedrock`. properties: - password: - description: > - A user name for HTTP basic authentication. It is applicable only - when `usesBasic` is `true`. 
- type: string - secretsUrl: - description: > - The request URL for the Elastic Alerts trigger in xMatters with the - API key included in the URL. It is applicable only when `usesBasic` - is `false`. + apiUrl: + description: The Amazon Bedrock request URL. type: string - user: + defaultModel: + default: 'anthropic.claude-3-5-sonnet-20240620-v1:0' description: > - A password for HTTP basic authentication. It is applicable only when - `usesBasic` is `true`. + The generative artificial intelligence model for Amazon Bedrock to + use. Current support is for the Anthropic Claude models. type: string - Connectors_create_connector_request: - title: Create connector request body properties - description: The properties vary depending on the connector type. - oneOf: - - $ref: '#/components/schemas/Connectors_create_connector_request_bedrock' - - $ref: '#/components/schemas/Connectors_create_connector_request_gemini' - - $ref: >- - #/components/schemas/Connectors_create_connector_request_cases_webhook - - $ref: '#/components/schemas/Connectors_create_connector_request_d3security' - - $ref: '#/components/schemas/Connectors_create_connector_request_email' - - $ref: '#/components/schemas/Connectors_create_connector_request_genai' - - $ref: '#/components/schemas/Connectors_create_connector_request_index' - - $ref: '#/components/schemas/Connectors_create_connector_request_jira' - - $ref: '#/components/schemas/Connectors_create_connector_request_opsgenie' - - $ref: '#/components/schemas/Connectors_create_connector_request_pagerduty' - - $ref: '#/components/schemas/Connectors_create_connector_request_resilient' - - $ref: '#/components/schemas/Connectors_create_connector_request_sentinelone' - - $ref: '#/components/schemas/Connectors_create_connector_request_serverlog' - - $ref: '#/components/schemas/Connectors_create_connector_request_servicenow' - - $ref: >- - #/components/schemas/Connectors_create_connector_request_servicenow_itom - - $ref: >- - 
#/components/schemas/Connectors_create_connector_request_servicenow_sir - - $ref: '#/components/schemas/Connectors_create_connector_request_slack_api' - - $ref: >- - #/components/schemas/Connectors_create_connector_request_slack_webhook - - $ref: '#/components/schemas/Connectors_create_connector_request_swimlane' - - $ref: '#/components/schemas/Connectors_create_connector_request_teams' - - $ref: '#/components/schemas/Connectors_create_connector_request_tines' - - $ref: '#/components/schemas/Connectors_create_connector_request_torq' - - $ref: '#/components/schemas/Connectors_create_connector_request_webhook' - - $ref: '#/components/schemas/Connectors_create_connector_request_xmatters' - discriminator: - propertyName: connector_type_id - mapping: - .bedrock: '#/components/schemas/Connectors_create_connector_request_bedrock' - .gemini: '#/components/schemas/Connectors_create_connector_request_gemini' - .cases-webhook: >- - #/components/schemas/Connectors_create_connector_request_cases_webhook - .d3security: '#/components/schemas/Connectors_create_connector_request_d3security' - .email: '#/components/schemas/Connectors_create_connector_request_email' - .gen-ai: '#/components/schemas/Connectors_create_connector_request_genai' - .index: '#/components/schemas/Connectors_create_connector_request_index' - .jira: '#/components/schemas/Connectors_create_connector_request_jira' - .opsgenie: '#/components/schemas/Connectors_create_connector_request_opsgenie' - .pagerduty: '#/components/schemas/Connectors_create_connector_request_pagerduty' - .resilient: '#/components/schemas/Connectors_create_connector_request_resilient' - .sentinelone: '#/components/schemas/Connectors_create_connector_request_sentinelone' - .server-log: '#/components/schemas/Connectors_create_connector_request_serverlog' - .servicenow: '#/components/schemas/Connectors_create_connector_request_servicenow' - .servicenow-itom: >- - #/components/schemas/Connectors_create_connector_request_servicenow_itom - 
.servicenow-sir: >- - #/components/schemas/Connectors_create_connector_request_servicenow_sir - .slack_api: '#/components/schemas/Connectors_create_connector_request_slack_api' - .slack: >- - #/components/schemas/Connectors_create_connector_request_slack_webhook - .swimlane: '#/components/schemas/Connectors_create_connector_request_swimlane' - .teams: '#/components/schemas/Connectors_create_connector_request_teams' - .tines: '#/components/schemas/Connectors_create_connector_request_tines' - .torq: '#/components/schemas/Connectors_create_connector_request_torq' - .webhook: '#/components/schemas/Connectors_create_connector_request_webhook' - .xmatters: '#/components/schemas/Connectors_create_connector_request_xmatters' - Connectors_connector_response_properties_bedrock: - title: Connector response properties for an Amazon Bedrock connector - type: object required: - - config - - connector_type_id - - id - - is_deprecated - - is_preconfigured - - name - properties: - config: - $ref: '#/components/schemas/Connectors_config_properties_bedrock' - connector_type_id: - type: string - description: The type of connector. - enum: - - .bedrock - id: - type: string - description: The identifier for the connector. - is_deprecated: - $ref: '#/components/schemas/Connectors_is_deprecated' - is_missing_secrets: - $ref: '#/components/schemas/Connectors_is_missing_secrets' - is_preconfigured: - $ref: '#/components/schemas/Connectors_is_preconfigured' - is_system_action: - $ref: '#/components/schemas/Connectors_is_system_action' - name: - type: string - description: The display name for the connector. - Connectors_connector_response_properties_gemini: - title: Connector response properties for a Google Gemini connector + - apiUrl + title: Connector request properties for an Amazon Bedrock connector + type: object + Connectors_config_properties_cases_webhook: + description: Defines properties for connectors when type is `.cases-webhook`. 
type: object - required: - - connector_type_id - - id - - is_deprecated - - is_preconfigured - - name properties: - config: - $ref: '#/components/schemas/Connectors_config_properties_gemini' - connector_type_id: + createCommentJson: + description: > + A JSON payload sent to the create comment URL to create a case + comment. You can use variables to add Kibana Cases data to the + payload. The required variable is `case.comment`. Due to Mustache + template variables (the text enclosed in triple braces, for example, + `{{{case.title}}}`), the JSON is not validated when you create the + connector. The JSON is validated once the Mustache variables have + been placed when the REST method runs. Manually ensure that the JSON + is valid, disregarding the Mustache variables, so the later + validation will pass. + example: '{"body": {{{case.comment}}}}' type: string - description: The type of connector. + createCommentMethod: + default: put + description: > + The REST API HTTP request method to create a case comment in the + third-party system. Valid values are `patch`, `post`, and `put`. enum: - - .gemini - id: + - patch + - post + - put type: string - description: The identifier for the connector. - is_deprecated: - $ref: '#/components/schemas/Connectors_is_deprecated' - is_missing_secrets: - $ref: '#/components/schemas/Connectors_is_missing_secrets' - is_preconfigured: - $ref: '#/components/schemas/Connectors_is_preconfigured' - is_system_action: - $ref: '#/components/schemas/Connectors_is_system_action' - name: + createCommentUrl: + description: > + The REST API URL to create a case comment by ID in the third-party + system. You can use a variable to add the external system ID to the + URL. If you are using the `xpack.actions.allowedHosts setting`, add + the hostname to the allowed hosts. + example: 'https://example.com/issue/{{{external.system.id}}}/comment' type: string - description: The display name for the connector. 
- referenced_by_count: - $ref: '#/components/schemas/Connectors_referenced_by_count' - Connectors_connector_response_properties_cases_webhook: - title: Connector request properties for a Webhook - Case Management connector - type: object - required: - - connector_type_id - - id - - is_deprecated - - is_preconfigured - - name - properties: - config: - $ref: '#/components/schemas/Connectors_config_properties_cases_webhook' - connector_type_id: - description: The type of connector. + createIncidentJson: + description: > + A JSON payload sent to the create case URL to create a case. You can + use variables to add case data to the payload. Required variables + are `case.title` and `case.description`. Due to Mustache template + variables (which is the text enclosed in triple braces, for example, + `{{{case.title}}}`), the JSON is not validated when you create the + connector. The JSON is validated after the Mustache variables have + been placed when REST method runs. Manually ensure that the JSON is + valid to avoid future validation errors; disregard Mustache + variables during your review. + example: >- + {"fields": {"summary": {{{case.title}}},"description": + {{{case.description}}},"labels": {{{case.tags}}}}} type: string + createIncidentMethod: + default: post + description: > + The REST API HTTP request method to create a case in the third-party + system. Valid values are `patch`, `post`, and `put`. enum: - - .cases-webhook - id: + - patch + - post + - put type: string - description: The identifier for the connector. - is_deprecated: - $ref: '#/components/schemas/Connectors_is_deprecated' - is_missing_secrets: - $ref: '#/components/schemas/Connectors_is_missing_secrets' - is_preconfigured: - $ref: '#/components/schemas/Connectors_is_preconfigured' - is_system_action: - $ref: '#/components/schemas/Connectors_is_system_action' - name: + createIncidentResponseKey: + description: >- + The JSON key in the create external case response that contains the + case ID. 
type: string - description: The display name for the connector. - referenced_by_count: - $ref: '#/components/schemas/Connectors_referenced_by_count' - Connectors_connector_response_properties_d3security: - title: Connector response properties for a D3 Security connector - type: object - required: - - connector_type_id - - id - - is_deprecated - - is_preconfigured - - name - properties: - config: - $ref: '#/components/schemas/Connectors_config_properties_d3security' - connector_type_id: + createIncidentUrl: + description: > + The REST API URL to create a case in the third-party system. If you + are using the `xpack.actions.allowedHosts` setting, add the hostname + to the allowed hosts. type: string - description: The type of connector. - enum: - - .d3security - id: + getIncidentResponseExternalTitleKey: + description: >- + The JSON key in get external case response that contains the case + title. type: string - description: The identifier for the connector. - is_deprecated: - $ref: '#/components/schemas/Connectors_is_deprecated' - is_missing_secrets: - $ref: '#/components/schemas/Connectors_is_missing_secrets' - is_preconfigured: - $ref: '#/components/schemas/Connectors_is_preconfigured' - is_system_action: - $ref: '#/components/schemas/Connectors_is_system_action' - name: + getIncidentUrl: + description: > + The REST API URL to get the case by ID from the third-party system. + If you are using the `xpack.actions.allowedHosts` setting, add the + hostname to the allowed hosts. You can use a variable to add the + external system ID to the URL. Due to Mustache template variables + (the text enclosed in triple braces, for example, + `{{{case.title}}}`), the JSON is not validated when you create the + connector. The JSON is validated after the Mustache variables have + been placed when REST method runs. Manually ensure that the JSON is + valid, disregarding the Mustache variables, so the later validation + will pass. 
+ example: 'https://example.com/issue/{{{external.system.id}}}' type: string - description: The display name for the connector. - referenced_by_count: - $ref: '#/components/schemas/Connectors_referenced_by_count' - Connectors_connector_response_properties_email: - title: Connector response properties for an email connector - type: object - required: - - connector_type_id - - id - - is_deprecated - - is_preconfigured - - name - properties: - config: - $ref: '#/components/schemas/Connectors_config_properties_email' - connector_type_id: + hasAuth: + default: true + description: >- + If true, a username and password for login type authentication must + be provided. + type: boolean + headers: + description: > + A set of key-value pairs sent as headers with the request URLs for + the create case, update case, get case, and create comment methods. type: string - description: The type of connector. + updateIncidentJson: + description: > + The JSON payload sent to the update case URL to update the case. You + can use variables to add Kibana Cases data to the payload. Required + variables are `case.title` and `case.description`. Due to Mustache + template variables (which is the text enclosed in triple braces, for + example, `{{{case.title}}}`), the JSON is not validated when you + create the connector. The JSON is validated after the Mustache + variables have been placed when REST method runs. Manually ensure + that the JSON is valid to avoid future validation errors; disregard + Mustache variables during your review. + example: >- + {"fields": {"summary": {{{case.title}}},"description": + {{{case.description}}},"labels": {{{case.tags}}}}} + type: string + updateIncidentMethod: + default: put + description: > + The REST API HTTP request method to update the case in the + third-party system. Valid values are `patch`, `post`, and `put`. enum: - - .email - id: + - patch + - post + - put type: string - description: The identifier for the connector. 
- is_deprecated: - $ref: '#/components/schemas/Connectors_is_deprecated' - is_missing_secrets: - $ref: '#/components/schemas/Connectors_is_missing_secrets' - is_preconfigured: - $ref: '#/components/schemas/Connectors_is_preconfigured' - is_system_action: - $ref: '#/components/schemas/Connectors_is_system_action' - name: + updateIncidentUrl: + description: > + The REST API URL to update the case by ID in the third-party system. + You can use a variable to add the external system ID to the URL. If + you are using the `xpack.actions.allowedHosts` setting, add the + hostname to the allowed hosts. + example: 'https://example.com/issue/{{{external.system.ID}}}' + type: string + viewIncidentUrl: + description: > + The URL to view the case in the external system. You can use + variables to add the external system ID or external system title to + the URL. + example: >- + https://testing-jira.atlassian.net/browse/{{{external.system.title}}} + type: string + required: + - createIncidentJson + - createIncidentResponseKey + - createIncidentUrl + - getIncidentResponseExternalTitleKey + - getIncidentUrl + - updateIncidentJson + - updateIncidentUrl + - viewIncidentUrl + title: Connector request properties for Webhook - Case Management connector + Connectors_config_properties_d3security: + description: Defines properties for connectors when type is `.d3security`. + properties: + url: + description: > + The D3 Security API request URL. If you are using the + `xpack.actions.allowedHosts` setting, add the hostname to the + allowed hosts. type: string - description: The display name for the connector. 
- referenced_by_count: - $ref: '#/components/schemas/Connectors_referenced_by_count' - Connectors_connector_response_properties_genai: - title: Connector response properties for an OpenAI connector - type: object required: - - connector_type_id - - id - - is_deprecated - - is_preconfigured - - name + - url + title: Connector request properties for a D3 Security connector + type: object + Connectors_config_properties_email: + description: Defines properties for connectors when type is `.email`. + type: object properties: - config: - $ref: '#/components/schemas/Connectors_config_properties_genai' - connector_type_id: + clientId: + description: > + The client identifier, which is a part of OAuth 2.0 client + credentials authentication, in GUID format. If `service` is + `exchange_server`, this property is required. + nullable: true type: string - description: The type of connector. + from: + description: > + The from address for all emails sent by the connector. It must be + specified in `user@host-name` format. + type: string + hasAuth: + default: true + description: > + Specifies whether a user and password are required inside the + secrets configuration. + type: boolean + host: + description: > + The host name of the service provider. If the `service` is + `elastic_cloud` (for Elastic Cloud notifications) or one of + Nodemailer's well-known email service providers, this property is + ignored. If `service` is `other`, this property must be defined. + type: string + oauthTokenUrl: + nullable: true + type: string + port: + description: > + The port to connect to on the service provider. If the `service` is + `elastic_cloud` (for Elastic Cloud notifications) or one of + Nodemailer's well-known email service providers, this property is + ignored. If `service` is `other`, this property must be defined. + type: integer + secure: + description: > + Specifies whether the connection to the service provider will use + TLS. 
If the `service` is `elastic_cloud` (for Elastic Cloud + notifications) or one of Nodemailer's well-known email service + providers, this property is ignored. + type: boolean + service: + description: | + The name of the email service. enum: - - .gen-ai - id: + - elastic_cloud + - exchange_server + - gmail + - other + - outlook365 + - ses type: string - description: The identifier for the connector. - is_deprecated: - $ref: '#/components/schemas/Connectors_is_deprecated' - is_missing_secrets: - $ref: '#/components/schemas/Connectors_is_missing_secrets' - is_preconfigured: - $ref: '#/components/schemas/Connectors_is_preconfigured' - is_system_action: - $ref: '#/components/schemas/Connectors_is_system_action' - name: + tenantId: + description: > + The tenant identifier, which is part of OAuth 2.0 client credentials + authentication, in GUID format. If `service` is `exchange_server`, + this property is required. + nullable: true type: string - description: The display name for the connector. - referenced_by_count: - $ref: '#/components/schemas/Connectors_referenced_by_count' - Connectors_connector_response_properties_index: - title: Connector response properties for an index connector - type: object required: - - connector_type_id - - id - - is_deprecated - - is_preconfigured - - name + - from + title: Connector request properties for an email connector + Connectors_config_properties_gemini: + description: Defines properties for connectors when type is `.gemini`. properties: - config: - $ref: '#/components/schemas/Connectors_config_properties_index' - connector_type_id: + apiUrl: + description: The Google Gemini request URL. type: string - description: The type of connector. - enum: - - .index - id: + defaultModel: + default: gemini-1.5-pro-001 + description: >- + The generative artificial intelligence model for Google Gemini to + use. type: string - description: The identifier for the connector. 
- is_deprecated: - $ref: '#/components/schemas/Connectors_is_deprecated' - is_missing_secrets: - $ref: '#/components/schemas/Connectors_is_missing_secrets' - is_preconfigured: - $ref: '#/components/schemas/Connectors_is_preconfigured' - is_system_action: - $ref: '#/components/schemas/Connectors_is_system_action' - name: + gcpProjectID: + description: The Google ProjectID that has Vertex AI endpoint enabled. + type: string + gcpRegion: + description: The GCP region where the Vertex AI endpoint enabled. type: string - description: The display name for the connector. - referenced_by_count: - $ref: '#/components/schemas/Connectors_referenced_by_count' - Connectors_connector_response_properties_jira: - title: Connector response properties for a Jira connector - type: object required: - - connector_type_id - - id - - is_deprecated - - is_preconfigured - - name + - apiUrl + - gcpRegion + - gcpProjectID + title: Connector request properties for an Google Gemini connector + type: object + Connectors_config_properties_genai: + description: Defines properties for connectors when type is `.gen-ai`. + discriminator: + mapping: + Azure OpenAI: '#/components/schemas/Connectors_config_properties_genai_azure' + OpenAI: '#/components/schemas/Connectors_config_properties_genai_openai' + propertyName: apiProvider + oneOf: + - $ref: '#/components/schemas/Connectors_config_properties_genai_azure' + - $ref: '#/components/schemas/Connectors_config_properties_genai_openai' + title: Connector request properties for an OpenAI connector + Connectors_config_properties_genai_azure: + description: > + Defines properties for connectors when type is `.gen-ai` and the API + provider is `Azure OpenAI'. properties: - config: - $ref: '#/components/schemas/Connectors_config_properties_jira' - connector_type_id: - type: string - description: The type of connector. + apiProvider: + description: The OpenAI API provider. 
enum: - - .jira - id: + - Azure OpenAI type: string - description: The identifier for the connector. - is_deprecated: - $ref: '#/components/schemas/Connectors_is_deprecated' - is_missing_secrets: - $ref: '#/components/schemas/Connectors_is_missing_secrets' - is_preconfigured: - $ref: '#/components/schemas/Connectors_is_preconfigured' - is_system_action: - $ref: '#/components/schemas/Connectors_is_system_action' - name: + apiUrl: + description: The OpenAI API endpoint. type: string - description: The display name for the connector. - referenced_by_count: - $ref: '#/components/schemas/Connectors_referenced_by_count' - Connectors_connector_response_properties_opsgenie: - title: Connector response properties for an Opsgenie connector - type: object required: - - connector_type_id - - id - - is_deprecated - - is_preconfigured - - name + - apiProvider + - apiUrl + title: >- + Connector request properties for an OpenAI connector that uses Azure + OpenAI + type: object + Connectors_config_properties_genai_openai: + description: > + Defines properties for connectors when type is `.gen-ai` and the API + provider is `OpenAI'. properties: - config: - $ref: '#/components/schemas/Connectors_config_properties_opsgenie' - connector_type_id: - type: string - description: The type of connector. + apiProvider: + description: The OpenAI API provider. enum: - - .opsgenie - id: + - OpenAI type: string - description: The identifier for the connector. - is_deprecated: - $ref: '#/components/schemas/Connectors_is_deprecated' - is_missing_secrets: - $ref: '#/components/schemas/Connectors_is_missing_secrets' - is_preconfigured: - $ref: '#/components/schemas/Connectors_is_preconfigured' - is_system_action: - $ref: '#/components/schemas/Connectors_is_system_action' - name: + apiUrl: + description: The OpenAI API endpoint. + type: string + defaultModel: + description: The default model to use for requests. type: string - description: The display name for the connector. 
- referenced_by_count: - $ref: '#/components/schemas/Connectors_referenced_by_count' - Connectors_connector_response_properties_pagerduty: - title: Connector response properties for a PagerDuty connector - type: object required: - - connector_type_id - - id - - is_deprecated - - is_preconfigured - - name + - apiProvider + - apiUrl + title: Connector request properties for an OpenAI connector + type: object + Connectors_config_properties_index: + description: Defines properties for connectors when type is `.index`. + type: object properties: - config: - $ref: '#/components/schemas/Connectors_config_properties_pagerduty' - connector_type_id: - type: string - description: The type of connector. - enum: - - .pagerduty - id: + executionTimeField: + default: null + description: A field that indicates when the document was indexed. + nullable: true type: string - description: The identifier for the connector. - is_deprecated: - $ref: '#/components/schemas/Connectors_is_deprecated' - is_missing_secrets: - $ref: '#/components/schemas/Connectors_is_missing_secrets' - is_preconfigured: - $ref: '#/components/schemas/Connectors_is_preconfigured' - is_system_action: - $ref: '#/components/schemas/Connectors_is_system_action' - name: + index: + description: The Elasticsearch index to be written to. type: string - description: The display name for the connector. - referenced_by_count: - $ref: '#/components/schemas/Connectors_referenced_by_count' - Connectors_connector_response_properties_resilient: - title: Connector response properties for a IBM Resilient connector - type: object + refresh: + default: false + description: > + The refresh policy for the write request, which affects when changes + are made visible to search. Refer to the refresh setting for + Elasticsearch document APIs. 
+ type: boolean required: - - connector_type_id - - id - - is_deprecated - - is_preconfigured - - name + - index + title: Connector request properties for an index connector + Connectors_config_properties_jira: + description: Defines properties for connectors when type is `.jira`. + type: object properties: - config: - $ref: '#/components/schemas/Connectors_config_properties_resilient' - connector_type_id: - type: string - description: The type of connector. - enum: - - .resilient - id: + apiUrl: + description: The Jira instance URL. type: string - description: The identifier for the connector. - is_deprecated: - $ref: '#/components/schemas/Connectors_is_deprecated' - is_missing_secrets: - $ref: '#/components/schemas/Connectors_is_missing_secrets' - is_preconfigured: - $ref: '#/components/schemas/Connectors_is_preconfigured' - is_system_action: - $ref: '#/components/schemas/Connectors_is_system_action' - name: + projectKey: + description: The Jira project key. type: string - description: The display name for the connector. - referenced_by_count: - $ref: '#/components/schemas/Connectors_referenced_by_count' - Connectors_connector_response_properties_sentinelone: - title: Connector response properties for a SentinelOne connector + required: + - apiUrl + - projectKey + title: Connector request properties for a Jira connector + Connectors_config_properties_opsgenie: + description: Defines properties for connectors when type is `.opsgenie`. type: object + properties: + apiUrl: + description: > + The Opsgenie URL. For example, `https://api.opsgenie.com` or + `https://api.eu.opsgenie.com`. If you are using the + `xpack.actions.allowedHosts` setting, add the hostname to the + allowed hosts. 
+ type: string required: - - connector_type_id - - id - - is_deprecated - - is_preconfigured - - name + - apiUrl + title: Connector request properties for an Opsgenie connector + Connectors_config_properties_pagerduty: + description: Defines properties for connectors when type is `.pagerduty`. properties: - config: - $ref: '#/components/schemas/Connectors_config_properties_sentinelone' - connector_type_id: + apiUrl: + description: The PagerDuty event URL. + example: 'https://events.pagerduty.com/v2/enqueue' + nullable: true type: string - description: The type of connector. - enum: - - .sentinelone - id: + title: Connector request properties for a PagerDuty connector + type: object + Connectors_config_properties_resilient: + description: Defines properties for connectors when type is `.resilient`. + type: object + properties: + apiUrl: + description: The IBM Resilient instance URL. type: string - description: The identifier for the connector. - is_deprecated: - $ref: '#/components/schemas/Connectors_is_deprecated' - is_missing_secrets: - $ref: '#/components/schemas/Connectors_is_missing_secrets' - is_preconfigured: - $ref: '#/components/schemas/Connectors_is_preconfigured' - is_system_action: - $ref: '#/components/schemas/Connectors_is_system_action' - name: + orgId: + description: The IBM Resilient organization ID. type: string - description: The display name for the connector. - referenced_by_count: - $ref: '#/components/schemas/Connectors_referenced_by_count' - Connectors_connector_response_properties_serverlog: - title: Connector response properties for a server log connector + required: + - apiUrl + - orgId + title: Connector request properties for a IBM Resilient connector + Connectors_config_properties_sentinelone: + description: Defines properties for connectors when type is `.sentinelone`. type: object + properties: + url: + description: > + The SentinelOne tenant URL. 
If you are using the + `xpack.actions.allowedHosts` setting, add the hostname to the + allowed hosts. + type: string required: - - connector_type_id - - id - - is_deprecated - - is_preconfigured - - name + - url + title: Connector request properties for a SentinelOne connector + Connectors_config_properties_servicenow: + description: Defines properties for connectors when type is `.servicenow`. + type: object properties: - config: - type: object - nullable: true - connector_type_id: + apiUrl: + description: The ServiceNow instance URL. type: string - description: The type of connector. - enum: - - .server-log - id: + clientId: + description: > + The client ID assigned to your OAuth application. This property is + required when `isOAuth` is `true`. type: string - description: The identifier for the connector. - is_deprecated: - $ref: '#/components/schemas/Connectors_is_deprecated' - is_missing_secrets: - $ref: '#/components/schemas/Connectors_is_missing_secrets' - is_preconfigured: - $ref: '#/components/schemas/Connectors_is_preconfigured' - is_system_action: - $ref: '#/components/schemas/Connectors_is_system_action' - name: + isOAuth: + default: false + description: > + The type of authentication to use. The default value is false, which + means basic authentication is used instead of open authorization + (OAuth). + type: boolean + jwtKeyId: + description: > + The key identifier assigned to the JWT verifier map of your OAuth + application. This property is required when `isOAuth` is `true`. type: string - description: The display name for the connector. - referenced_by_count: - $ref: '#/components/schemas/Connectors_referenced_by_count' - Connectors_connector_response_properties_servicenow: - title: Connector response properties for a ServiceNow ITSM connector - type: object + userIdentifierValue: + description: > + The identifier to use for OAuth authentication. 
This identifier + should be the user field you selected when you created an OAuth JWT + API endpoint for external clients in your ServiceNow instance. For + example, if the selected user field is `Email`, the user identifier + should be the user's email address. This property is required when + `isOAuth` is `true`. + type: string + usesTableApi: + default: true + description: > + Determines whether the connector uses the Table API or the Import + Set API. This property is supported only for ServiceNow ITSM and + ServiceNow SecOps connectors. NOTE: If this property is set to + `false`, the Elastic application should be installed in ServiceNow. + type: boolean required: - - connector_type_id - - id - - is_deprecated - - is_preconfigured - - name + - apiUrl + title: Connector request properties for a ServiceNow ITSM connector + Connectors_config_properties_servicenow_itom: + description: Defines properties for connectors when type is `.servicenow`. + type: object properties: - config: - $ref: '#/components/schemas/Connectors_config_properties_servicenow' - connector_type_id: + apiUrl: + description: The ServiceNow instance URL. type: string - description: The type of connector. - enum: - - .servicenow - id: + clientId: + description: > + The client ID assigned to your OAuth application. This property is + required when `isOAuth` is `true`. type: string - description: The identifier for the connector. - is_deprecated: - $ref: '#/components/schemas/Connectors_is_deprecated' - is_missing_secrets: - $ref: '#/components/schemas/Connectors_is_missing_secrets' - is_preconfigured: - $ref: '#/components/schemas/Connectors_is_preconfigured' - is_system_action: - $ref: '#/components/schemas/Connectors_is_system_action' - name: + isOAuth: + default: false + description: > + The type of authentication to use. The default value is false, which + means basic authentication is used instead of open authorization + (OAuth). 
+ type: boolean + jwtKeyId: + description: > + The key identifier assigned to the JWT verifier map of your OAuth + application. This property is required when `isOAuth` is `true`. + type: string + userIdentifierValue: + description: > + The identifier to use for OAuth authentication. This identifier + should be the user field you selected when you created an OAuth JWT + API endpoint for external clients in your ServiceNow instance. For + example, if the selected user field is `Email`, the user identifier + should be the user's email address. This property is required when + `isOAuth` is `true`. type: string - description: The display name for the connector. - referenced_by_count: - $ref: '#/components/schemas/Connectors_referenced_by_count' - Connectors_connector_response_properties_servicenow_itom: - title: Connector response properties for a ServiceNow ITOM connector - type: object required: - - connector_type_id - - id - - is_deprecated - - is_preconfigured - - name + - apiUrl + title: Connector request properties for a ServiceNow ITSM connector + Connectors_config_properties_slack_api: + description: Defines properties for connectors when type is `.slack_api`. properties: - config: - $ref: '#/components/schemas/Connectors_config_properties_servicenow_itom' - connector_type_id: - type: string - description: The type of connector. - enum: - - .servicenow-itom - id: - type: string - description: The identifier for the connector. - is_deprecated: - $ref: '#/components/schemas/Connectors_is_deprecated' - is_missing_secrets: - $ref: '#/components/schemas/Connectors_is_missing_secrets' - is_preconfigured: - $ref: '#/components/schemas/Connectors_is_preconfigured' - is_system_action: - $ref: '#/components/schemas/Connectors_is_system_action' - name: - type: string - description: The display name for the connector. 
- referenced_by_count: - $ref: '#/components/schemas/Connectors_referenced_by_count' - Connectors_connector_response_properties_servicenow_sir: - title: Connector response properties for a ServiceNow SecOps connector + allowedChannels: + description: A list of valid Slack channels. + items: + maxItems: 25 + type: object + properties: + id: + description: The Slack channel ID. + example: C123ABC456 + minLength: 1 + type: string + name: + description: The Slack channel name. + minLength: 1 + type: string + required: + - id + - name + type: array + title: Connector request properties for a Slack connector + type: object + Connectors_config_properties_swimlane: + description: Defines properties for connectors when type is `.swimlane`. type: object - required: - - connector_type_id - - id - - is_deprecated - - is_preconfigured - - name properties: - config: - $ref: '#/components/schemas/Connectors_config_properties_servicenow' - connector_type_id: + apiUrl: + description: The Swimlane instance URL. type: string - description: The type of connector. - enum: - - .servicenow-sir - id: + appId: + description: The Swimlane application ID. type: string - description: The identifier for the connector. - is_deprecated: - $ref: '#/components/schemas/Connectors_is_deprecated' - is_missing_secrets: - $ref: '#/components/schemas/Connectors_is_missing_secrets' - is_preconfigured: - $ref: '#/components/schemas/Connectors_is_preconfigured' - is_system_action: - $ref: '#/components/schemas/Connectors_is_system_action' - name: + connectorType: + description: >- + The type of connector. Valid values are `all`, `alerts`, and + `cases`. + enum: + - all + - alerts + - cases type: string - description: The display name for the connector. 
- referenced_by_count: - $ref: '#/components/schemas/Connectors_referenced_by_count' - Connectors_connector_response_properties_slack_api: - title: Connector response properties for a Slack connector - type: object + mappings: + description: The field mapping. + properties: + alertIdConfig: + description: Mapping for the alert ID. + properties: + fieldType: + description: The type of field in Swimlane. + type: string + id: + description: The identifier for the field in Swimlane. + type: string + key: + description: The key for the field in Swimlane. + type: string + name: + description: The name of the field in Swimlane. + type: string + required: + - fieldType + - id + - key + - name + title: Alert identifier mapping + type: object + caseIdConfig: + description: Mapping for the case ID. + properties: + fieldType: + description: The type of field in Swimlane. + type: string + id: + description: The identifier for the field in Swimlane. + type: string + key: + description: The key for the field in Swimlane. + type: string + name: + description: The name of the field in Swimlane. + type: string + required: + - fieldType + - id + - key + - name + title: Case identifier mapping + type: object + caseNameConfig: + description: Mapping for the case name. + properties: + fieldType: + description: The type of field in Swimlane. + type: string + id: + description: The identifier for the field in Swimlane. + type: string + key: + description: The key for the field in Swimlane. + type: string + name: + description: The name of the field in Swimlane. + type: string + required: + - fieldType + - id + - key + - name + title: Case name mapping + type: object + commentsConfig: + description: Mapping for the case comments. + properties: + fieldType: + description: The type of field in Swimlane. + type: string + id: + description: The identifier for the field in Swimlane. + type: string + key: + description: The key for the field in Swimlane. 
+ type: string + name: + description: The name of the field in Swimlane. + type: string + required: + - fieldType + - id + - key + - name + title: Case comment mapping + type: object + descriptionConfig: + description: Mapping for the case description. + properties: + fieldType: + description: The type of field in Swimlane. + type: string + id: + description: The identifier for the field in Swimlane. + type: string + key: + description: The key for the field in Swimlane. + type: string + name: + description: The name of the field in Swimlane. + type: string + required: + - fieldType + - id + - key + - name + title: Case description mapping + type: object + ruleNameConfig: + description: Mapping for the name of the alert's rule. + properties: + fieldType: + description: The type of field in Swimlane. + type: string + id: + description: The identifier for the field in Swimlane. + type: string + key: + description: The key for the field in Swimlane. + type: string + name: + description: The name of the field in Swimlane. + type: string + required: + - fieldType + - id + - key + - name + title: Rule name mapping + type: object + severityConfig: + description: Mapping for the severity. + properties: + fieldType: + description: The type of field in Swimlane. + type: string + id: + description: The identifier for the field in Swimlane. + type: string + key: + description: The key for the field in Swimlane. + type: string + name: + description: The name of the field in Swimlane. + type: string + required: + - fieldType + - id + - key + - name + title: Severity mapping + type: object + title: Connector mappings properties for a Swimlane connector + type: object required: - - connector_type_id - - id - - is_deprecated - - is_preconfigured - - name + - apiUrl + - appId + - connectorType + title: Connector request properties for a Swimlane connector + Connectors_config_properties_tines: + description: Defines properties for connectors when type is `.tines`. 
properties: - config: - $ref: '#/components/schemas/Connectors_config_properties_slack_api' - connector_type_id: - type: string - description: The type of connector. - enum: - - .slack_api - id: - type: string - description: The identifier for the connector. - is_deprecated: - $ref: '#/components/schemas/Connectors_is_deprecated' - is_missing_secrets: - $ref: '#/components/schemas/Connectors_is_missing_secrets' - is_preconfigured: - $ref: '#/components/schemas/Connectors_is_preconfigured' - is_system_action: - $ref: '#/components/schemas/Connectors_is_system_action' - name: + url: + description: > + The Tines tenant URL. If you are using the + `xpack.actions.allowedHosts` setting, make sure this hostname is + added to the allowed hosts. type: string - description: The display name for the connector. - referenced_by_count: - $ref: '#/components/schemas/Connectors_referenced_by_count' - Connectors_connector_response_properties_slack_webhook: - title: Connector response properties for a Slack connector - type: object required: - - connector_type_id - - id - - is_deprecated - - is_preconfigured - - name - properties: - connector_type_id: - type: string - description: The type of connector. - enum: - - .slack - id: - type: string - description: The identifier for the connector. - is_deprecated: - $ref: '#/components/schemas/Connectors_is_deprecated' - is_missing_secrets: - $ref: '#/components/schemas/Connectors_is_missing_secrets' - is_preconfigured: - $ref: '#/components/schemas/Connectors_is_preconfigured' - is_system_action: - $ref: '#/components/schemas/Connectors_is_system_action' - name: - type: string - description: The display name for the connector. 
- referenced_by_count: - $ref: '#/components/schemas/Connectors_referenced_by_count' - Connectors_connector_response_properties_swimlane: - title: Connector response properties for a Swimlane connector + - url + title: Connector request properties for a Tines connector type: object - required: - - connector_type_id - - id - - is_deprecated - - is_preconfigured - - name + Connectors_config_properties_torq: + description: Defines properties for connectors when type is `.torq`. properties: - config: - $ref: '#/components/schemas/Connectors_config_properties_swimlane' - connector_type_id: - type: string - description: The type of connector. - enum: - - .swimlane - id: - type: string - description: The identifier for the connector. - is_deprecated: - $ref: '#/components/schemas/Connectors_is_deprecated' - is_missing_secrets: - $ref: '#/components/schemas/Connectors_is_missing_secrets' - is_preconfigured: - $ref: '#/components/schemas/Connectors_is_preconfigured' - is_system_action: - $ref: '#/components/schemas/Connectors_is_system_action' - name: + webhookIntegrationUrl: + description: The endpoint URL of the Elastic Security integration in Torq. type: string - description: The display name for the connector. - referenced_by_count: - $ref: '#/components/schemas/Connectors_referenced_by_count' - Connectors_connector_response_properties_teams: - title: Connector response properties for a Microsoft Teams connector - type: object required: - - connector_type_id - - id - - is_deprecated - - is_preconfigured - - name - properties: - config: - type: object - connector_type_id: - type: string - description: The type of connector. - enum: - - .teams - id: - type: string - description: The identifier for the connector. 
- is_deprecated: - $ref: '#/components/schemas/Connectors_is_deprecated' - is_missing_secrets: - $ref: '#/components/schemas/Connectors_is_missing_secrets' - is_preconfigured: - $ref: '#/components/schemas/Connectors_is_preconfigured' - is_system_action: - $ref: '#/components/schemas/Connectors_is_system_action' - name: - type: string - description: The display name for the connector. - referenced_by_count: - $ref: '#/components/schemas/Connectors_referenced_by_count' - Connectors_connector_response_properties_tines: - title: Connector response properties for a Tines connector + - webhookIntegrationUrl + title: Connector request properties for a Torq connector type: object - required: - - connector_type_id - - id - - is_deprecated - - is_preconfigured - - name + Connectors_config_properties_webhook: + description: Defines properties for connectors when type is `.webhook`. properties: - config: - $ref: '#/components/schemas/Connectors_config_properties_tines' - connector_type_id: - type: string - description: The type of connector. + authType: + description: | + The type of authentication to use: basic, SSL, or none. enum: - - .tines - id: - type: string - description: The identifier for the connector. - is_deprecated: - $ref: '#/components/schemas/Connectors_is_deprecated' - is_missing_secrets: - $ref: '#/components/schemas/Connectors_is_missing_secrets' - is_preconfigured: - $ref: '#/components/schemas/Connectors_is_preconfigured' - is_system_action: - $ref: '#/components/schemas/Connectors_is_system_action' - name: + - webhook-authentication-basic + - webhook-authentication-ssl + nullable: true type: string - description: The display name for the connector. 
- referenced_by_count: - $ref: '#/components/schemas/Connectors_referenced_by_count' - Connectors_connector_response_properties_torq: - title: Connector response properties for a Torq connector - type: object - required: - - connector_type_id - - id - - is_deprecated - - is_preconfigured - - name - properties: - config: - $ref: '#/components/schemas/Connectors_config_properties_torq' - connector_type_id: + ca: + description: > + A base64 encoded version of the certificate authority file that the + connector can trust to sign and validate certificates. This option + is available for all authentication types. type: string - description: The type of connector. + certType: + description: > + If the `authType` is `webhook-authentication-ssl`, specifies whether + the certificate authentication data is in a CRT and key file format + or a PFX file format. enum: - - .torq - id: + - ssl-crt-key + - ssl-pfx type: string - description: The identifier for the connector. - is_deprecated: - $ref: '#/components/schemas/Connectors_is_deprecated' - is_missing_secrets: - $ref: '#/components/schemas/Connectors_is_missing_secrets' - is_preconfigured: - $ref: '#/components/schemas/Connectors_is_preconfigured' - is_system_action: - $ref: '#/components/schemas/Connectors_is_system_action' - name: + hasAuth: + description: > + If `true`, a user name and password must be provided for login type + authentication. + type: boolean + headers: + description: A set of key-value pairs sent as headers with the request. + nullable: true + type: object + method: + default: post + description: | + The HTTP request method, either `post` or `put`. + enum: + - post + - put type: string - description: The display name for the connector. 
- referenced_by_count: - $ref: '#/components/schemas/Connectors_referenced_by_count' - Connectors_connector_response_properties_webhook: - title: Connector response properties for a Webhook connector - type: object - required: - - connector_type_id - - id - - is_deprecated - - is_preconfigured - - name - properties: - config: - $ref: '#/components/schemas/Connectors_config_properties_webhook' - connector_type_id: + url: + description: > + The request URL. If you are using the `xpack.actions.allowedHosts` + setting, add the hostname to the allowed hosts. type: string - description: The type of connector. + verificationMode: + default: full + description: > + Controls the verification of certificates. Use `full` to validate + that the certificate has an issue date within the `not_before` and + `not_after` dates, chains to a trusted certificate authority (CA), + and has a hostname or IP address that matches the names within the + certificate. Use `certificate` to validate the certificate and + verify that it is signed by a trusted authority; this option does + not check the certificate hostname. Use `none` to skip certificate + validation. enum: - - .webhook - id: - type: string - description: The identifier for the connector. - is_deprecated: - $ref: '#/components/schemas/Connectors_is_deprecated' - is_missing_secrets: - $ref: '#/components/schemas/Connectors_is_missing_secrets' - is_preconfigured: - $ref: '#/components/schemas/Connectors_is_preconfigured' - is_system_action: - $ref: '#/components/schemas/Connectors_is_system_action' - name: + - certificate + - full + - none type: string - description: The display name for the connector. 
- referenced_by_count: - $ref: '#/components/schemas/Connectors_referenced_by_count' - Connectors_connector_response_properties_xmatters: - title: Connector response properties for an xMatters connector + title: Connector request properties for a Webhook connector type: object - required: - - connector_type_id - - id - - is_deprecated - - is_preconfigured - - name + Connectors_config_properties_xmatters: + description: Defines properties for connectors when type is `.xmatters`. properties: - config: - $ref: '#/components/schemas/Connectors_config_properties_xmatters' - connector_type_id: - type: string - description: The type of connector. - enum: - - .xmatters - id: - type: string - description: The identifier for the connector. - is_deprecated: - $ref: '#/components/schemas/Connectors_is_deprecated' - is_missing_secrets: - $ref: '#/components/schemas/Connectors_is_missing_secrets' - is_preconfigured: - $ref: '#/components/schemas/Connectors_is_preconfigured' - is_system_action: - $ref: '#/components/schemas/Connectors_is_system_action' - name: + configUrl: + description: > + The request URL for the Elastic Alerts trigger in xMatters. It is + applicable only when `usesBasic` is `true`. + nullable: true type: string - description: The display name for the connector. - referenced_by_count: - $ref: '#/components/schemas/Connectors_referenced_by_count' - Connectors_is_deprecated: - type: boolean - description: Indicates whether the connector type is deprecated. - example: false - Connectors_is_missing_secrets: - type: boolean - description: >- - Indicates whether secrets are missing for the connector. Secrets - configuration properties vary depending on the connector type. - example: false - Connectors_is_preconfigured: - type: boolean - description: > - Indicates whether it is a preconfigured connector. If true, the `config` - and `is_missing_secrets` properties are omitted from the response. 
- example: false - Connectors_is_system_action: - type: boolean - description: Indicates whether the connector is used for system actions. - example: false - Connectors_referenced_by_count: - type: integer - description: > - Indicates the number of saved objects that reference the connector. If - `is_preconfigured` is true, this value is not calculated. This property - is returned only by the get all connectors API. - example: 2 + usesBasic: + default: true + description: >- + Specifies whether the connector uses HTTP basic authentication + (`true`) or URL authentication (`false`). + type: boolean + title: Connector request properties for an xMatters connector + type: object Connectors_connector_response_properties: - title: Connector response properties description: The properties vary depending on the connector type. + discriminator: + mapping: + .bedrock: >- + #/components/schemas/Connectors_connector_response_properties_bedrock + .cases-webhook: >- + #/components/schemas/Connectors_connector_response_properties_cases_webhook + .d3security: >- + #/components/schemas/Connectors_connector_response_properties_d3security + .email: '#/components/schemas/Connectors_connector_response_properties_email' + .gemini: '#/components/schemas/Connectors_connector_response_properties_gemini' + .gen-ai: '#/components/schemas/Connectors_connector_response_properties_genai' + .index: '#/components/schemas/Connectors_connector_response_properties_index' + .jira: '#/components/schemas/Connectors_connector_response_properties_jira' + .opsgenie: >- + #/components/schemas/Connectors_connector_response_properties_opsgenie + .pagerduty: >- + #/components/schemas/Connectors_connector_response_properties_pagerduty + .resilient: >- + #/components/schemas/Connectors_connector_response_properties_resilient + .sentinelone: >- + #/components/schemas/Connectors_connector_response_properties_sentinelone + .server-log: >- + #/components/schemas/Connectors_connector_response_properties_serverlog + 
.servicenow: >- + #/components/schemas/Connectors_connector_response_properties_servicenow + .servicenow-itom: >- + #/components/schemas/Connectors_connector_response_properties_servicenow_itom + .servicenow-sir: >- + #/components/schemas/Connectors_connector_response_properties_servicenow_sir + .slack: >- + #/components/schemas/Connectors_connector_response_properties_slack_webhook + .slack_api: >- + #/components/schemas/Connectors_connector_response_properties_slack_api + .swimlane: >- + #/components/schemas/Connectors_connector_response_properties_swimlane + .teams: '#/components/schemas/Connectors_connector_response_properties_teams' + .tines: '#/components/schemas/Connectors_connector_response_properties_tines' + .torq: '#/components/schemas/Connectors_connector_response_properties_torq' + .webhook: >- + #/components/schemas/Connectors_connector_response_properties_webhook + .xmatters: >- + #/components/schemas/Connectors_connector_response_properties_xmatters + propertyName: connector_type_id oneOf: - $ref: >- #/components/schemas/Connectors_connector_response_properties_bedrock 
@@ -4484,406 +11389,798 @@ components: #/components/schemas/Connectors_connector_response_properties_webhook - $ref: >- #/components/schemas/Connectors_connector_response_properties_xmatters - discriminator: - propertyName: connector_type_id - mapping: - .bedrock: >- - #/components/schemas/Connectors_connector_response_properties_bedrock - .gemini: '#/components/schemas/Connectors_connector_response_properties_gemini' - .cases-webhook: >- - #/components/schemas/Connectors_connector_response_properties_cases_webhook - .d3security: >- - #/components/schemas/Connectors_connector_response_properties_d3security - .email: '#/components/schemas/Connectors_connector_response_properties_email' - .gen-ai: '#/components/schemas/Connectors_connector_response_properties_genai' - .index: '#/components/schemas/Connectors_connector_response_properties_index' - .jira: '#/components/schemas/Connectors_connector_response_properties_jira' - .opsgenie: >- - #/components/schemas/Connectors_connector_response_properties_opsgenie - .pagerduty: >- - #/components/schemas/Connectors_connector_response_properties_pagerduty - .resilient: >- - #/components/schemas/Connectors_connector_response_properties_resilient - .sentinelone: >- - #/components/schemas/Connectors_connector_response_properties_sentinelone - .server-log: >- - #/components/schemas/Connectors_connector_response_properties_serverlog - .servicenow: >- - #/components/schemas/Connectors_connector_response_properties_servicenow - .servicenow-itom: >- - #/components/schemas/Connectors_connector_response_properties_servicenow_itom - .servicenow-sir: >- - #/components/schemas/Connectors_connector_response_properties_servicenow_sir - .slack_api: >- - #/components/schemas/Connectors_connector_response_properties_slack_api - .slack: >- - #/components/schemas/Connectors_connector_response_properties_slack_webhook - .swimlane: >- - #/components/schemas/Connectors_connector_response_properties_swimlane - .teams: 
'#/components/schemas/Connectors_connector_response_properties_teams' - .tines: '#/components/schemas/Connectors_connector_response_properties_tines' - .torq: '#/components/schemas/Connectors_connector_response_properties_torq' - .webhook: >- - #/components/schemas/Connectors_connector_response_properties_webhook - .xmatters: >- - #/components/schemas/Connectors_connector_response_properties_xmatters - Connectors_update_connector_request_bedrock: - title: Update Amazon Bedrock connector request + title: Connector response properties + Connectors_connector_response_properties_bedrock: + title: Connector response properties for an Amazon Bedrock connector type: object + properties: + config: + $ref: '#/components/schemas/Connectors_config_properties_bedrock' + connector_type_id: + description: The type of connector. + enum: + - .bedrock + type: string + id: + description: The identifier for the connector. + type: string + is_deprecated: + $ref: '#/components/schemas/Connectors_is_deprecated' + is_missing_secrets: + $ref: '#/components/schemas/Connectors_is_missing_secrets' + is_preconfigured: + $ref: '#/components/schemas/Connectors_is_preconfigured' + is_system_action: + $ref: '#/components/schemas/Connectors_is_system_action' + name: + description: The display name for the connector. + type: string required: - config + - connector_type_id + - id + - is_deprecated + - is_preconfigured - name + Connectors_connector_response_properties_cases_webhook: + title: Connector request properties for a Webhook - Case Management connector + type: object properties: config: - $ref: '#/components/schemas/Connectors_config_properties_bedrock' - name: + $ref: '#/components/schemas/Connectors_config_properties_cases_webhook' + connector_type_id: + description: The type of connector. + enum: + - .cases-webhook type: string + id: + description: The identifier for the connector. 
+ type: string + is_deprecated: + $ref: '#/components/schemas/Connectors_is_deprecated' + is_missing_secrets: + $ref: '#/components/schemas/Connectors_is_missing_secrets' + is_preconfigured: + $ref: '#/components/schemas/Connectors_is_preconfigured' + is_system_action: + $ref: '#/components/schemas/Connectors_is_system_action' + name: description: The display name for the connector. - secrets: - $ref: '#/components/schemas/Connectors_secrets_properties_bedrock' - Connectors_update_connector_request_gemini: - title: Update Google Gemini connector request - type: object + type: string + referenced_by_count: + $ref: '#/components/schemas/Connectors_referenced_by_count' required: - - config + - connector_type_id + - id + - is_deprecated + - is_preconfigured - name + Connectors_connector_response_properties_d3security: + title: Connector response properties for a D3 Security connector + type: object properties: config: - $ref: '#/components/schemas/Connectors_config_properties_gemini' - name: + $ref: '#/components/schemas/Connectors_config_properties_d3security' + connector_type_id: + description: The type of connector. + enum: + - .d3security + type: string + id: + description: The identifier for the connector. type: string + is_deprecated: + $ref: '#/components/schemas/Connectors_is_deprecated' + is_missing_secrets: + $ref: '#/components/schemas/Connectors_is_missing_secrets' + is_preconfigured: + $ref: '#/components/schemas/Connectors_is_preconfigured' + is_system_action: + $ref: '#/components/schemas/Connectors_is_system_action' + name: description: The display name for the connector. 
- secrets: - $ref: '#/components/schemas/Connectors_secrets_properties_gemini' - Connectors_update_connector_request_cases_webhook: - title: Update Webhook - Case Managment connector request - type: object + type: string + referenced_by_count: + $ref: '#/components/schemas/Connectors_referenced_by_count' required: - - config + - connector_type_id + - id + - is_deprecated + - is_preconfigured - name + Connectors_connector_response_properties_email: + title: Connector response properties for an email connector + type: object properties: config: - $ref: '#/components/schemas/Connectors_config_properties_cases_webhook' - name: + $ref: '#/components/schemas/Connectors_config_properties_email' + connector_type_id: + description: The type of connector. + enum: + - .email + type: string + id: + description: The identifier for the connector. type: string + is_deprecated: + $ref: '#/components/schemas/Connectors_is_deprecated' + is_missing_secrets: + $ref: '#/components/schemas/Connectors_is_missing_secrets' + is_preconfigured: + $ref: '#/components/schemas/Connectors_is_preconfigured' + is_system_action: + $ref: '#/components/schemas/Connectors_is_system_action' + name: description: The display name for the connector. 
- example: my-connector - secrets: - $ref: '#/components/schemas/Connectors_secrets_properties_cases_webhook' - Connectors_update_connector_request_d3security: - title: Update D3 Security connector request - type: object + type: string + referenced_by_count: + $ref: '#/components/schemas/Connectors_referenced_by_count' required: - - config + - connector_type_id + - id + - is_deprecated + - is_preconfigured - name - - secrets + Connectors_connector_response_properties_gemini: + title: Connector response properties for a Google Gemini connector + type: object properties: config: - $ref: '#/components/schemas/Connectors_config_properties_d3security' - name: + $ref: '#/components/schemas/Connectors_config_properties_gemini' + connector_type_id: + description: The type of connector. + enum: + - .gemini + type: string + id: + description: The identifier for the connector. type: string + is_deprecated: + $ref: '#/components/schemas/Connectors_is_deprecated' + is_missing_secrets: + $ref: '#/components/schemas/Connectors_is_missing_secrets' + is_preconfigured: + $ref: '#/components/schemas/Connectors_is_preconfigured' + is_system_action: + $ref: '#/components/schemas/Connectors_is_system_action' + name: description: The display name for the connector. - secrets: - $ref: '#/components/schemas/Connectors_secrets_properties_d3security' - Connectors_update_connector_request_email: - title: Update email connector request - type: object + type: string + referenced_by_count: + $ref: '#/components/schemas/Connectors_referenced_by_count' required: - - config + - connector_type_id + - id + - is_deprecated + - is_preconfigured - name + Connectors_connector_response_properties_genai: + title: Connector response properties for an OpenAI connector + type: object properties: config: - $ref: '#/components/schemas/Connectors_config_properties_email' - name: + $ref: '#/components/schemas/Connectors_config_properties_genai' + connector_type_id: + description: The type of connector. 
+ enum: + - .gen-ai + type: string + id: + description: The identifier for the connector. type: string + is_deprecated: + $ref: '#/components/schemas/Connectors_is_deprecated' + is_missing_secrets: + $ref: '#/components/schemas/Connectors_is_missing_secrets' + is_preconfigured: + $ref: '#/components/schemas/Connectors_is_preconfigured' + is_system_action: + $ref: '#/components/schemas/Connectors_is_system_action' + name: description: The display name for the connector. - secrets: - $ref: '#/components/schemas/Connectors_secrets_properties_email' - Connectors_update_connector_request_index: - title: Update index connector request - type: object + type: string + referenced_by_count: + $ref: '#/components/schemas/Connectors_referenced_by_count' required: - - config + - connector_type_id + - id + - is_deprecated + - is_preconfigured - name + Connectors_connector_response_properties_index: + title: Connector response properties for an index connector + type: object properties: config: $ref: '#/components/schemas/Connectors_config_properties_index' - name: + connector_type_id: + description: The type of connector. + enum: + - .index + type: string + id: + description: The identifier for the connector. type: string + is_deprecated: + $ref: '#/components/schemas/Connectors_is_deprecated' + is_missing_secrets: + $ref: '#/components/schemas/Connectors_is_missing_secrets' + is_preconfigured: + $ref: '#/components/schemas/Connectors_is_preconfigured' + is_system_action: + $ref: '#/components/schemas/Connectors_is_system_action' + name: description: The display name for the connector. 
- Connectors_update_connector_request_jira: - title: Update Jira connector request - type: object + type: string + referenced_by_count: + $ref: '#/components/schemas/Connectors_referenced_by_count' required: - - config + - connector_type_id + - id + - is_deprecated + - is_preconfigured - name - - secrets + Connectors_connector_response_properties_jira: + title: Connector response properties for a Jira connector + type: object properties: config: $ref: '#/components/schemas/Connectors_config_properties_jira' - name: + connector_type_id: + description: The type of connector. + enum: + - .jira + type: string + id: + description: The identifier for the connector. type: string + is_deprecated: + $ref: '#/components/schemas/Connectors_is_deprecated' + is_missing_secrets: + $ref: '#/components/schemas/Connectors_is_missing_secrets' + is_preconfigured: + $ref: '#/components/schemas/Connectors_is_preconfigured' + is_system_action: + $ref: '#/components/schemas/Connectors_is_system_action' + name: description: The display name for the connector. - secrets: - $ref: '#/components/schemas/Connectors_secrets_properties_jira' - Connectors_update_connector_request_opsgenie: - title: Update Opsgenie connector request - type: object + type: string + referenced_by_count: + $ref: '#/components/schemas/Connectors_referenced_by_count' required: - - config + - connector_type_id + - id + - is_deprecated + - is_preconfigured - name - - secrets + Connectors_connector_response_properties_opsgenie: + title: Connector response properties for an Opsgenie connector + type: object properties: config: $ref: '#/components/schemas/Connectors_config_properties_opsgenie' - name: + connector_type_id: + description: The type of connector. + enum: + - .opsgenie + type: string + id: + description: The identifier for the connector. 
type: string + is_deprecated: + $ref: '#/components/schemas/Connectors_is_deprecated' + is_missing_secrets: + $ref: '#/components/schemas/Connectors_is_missing_secrets' + is_preconfigured: + $ref: '#/components/schemas/Connectors_is_preconfigured' + is_system_action: + $ref: '#/components/schemas/Connectors_is_system_action' + name: description: The display name for the connector. - secrets: - $ref: '#/components/schemas/Connectors_secrets_properties_opsgenie' - Connectors_update_connector_request_pagerduty: - title: Update PagerDuty connector request - type: object + type: string + referenced_by_count: + $ref: '#/components/schemas/Connectors_referenced_by_count' required: - - config + - connector_type_id + - id + - is_deprecated + - is_preconfigured - name - - secrets + Connectors_connector_response_properties_pagerduty: + title: Connector response properties for a PagerDuty connector + type: object properties: config: $ref: '#/components/schemas/Connectors_config_properties_pagerduty' + connector_type_id: + description: The type of connector. + enum: + - .pagerduty + type: string + id: + description: The identifier for the connector. + type: string + is_deprecated: + $ref: '#/components/schemas/Connectors_is_deprecated' + is_missing_secrets: + $ref: '#/components/schemas/Connectors_is_missing_secrets' + is_preconfigured: + $ref: '#/components/schemas/Connectors_is_preconfigured' + is_system_action: + $ref: '#/components/schemas/Connectors_is_system_action' name: - type: string description: The display name for the connector. 
- secrets: - $ref: '#/components/schemas/Connectors_secrets_properties_pagerduty' - Connectors_update_connector_request_resilient: - title: Update IBM Resilient connector request - type: object + type: string + referenced_by_count: + $ref: '#/components/schemas/Connectors_referenced_by_count' required: - - config + - connector_type_id + - id + - is_deprecated + - is_preconfigured - name - - secrets + Connectors_connector_response_properties_resilient: + title: Connector response properties for a IBM Resilient connector + type: object properties: config: $ref: '#/components/schemas/Connectors_config_properties_resilient' - name: + connector_type_id: + description: The type of connector. + enum: + - .resilient + type: string + id: + description: The identifier for the connector. type: string + is_deprecated: + $ref: '#/components/schemas/Connectors_is_deprecated' + is_missing_secrets: + $ref: '#/components/schemas/Connectors_is_missing_secrets' + is_preconfigured: + $ref: '#/components/schemas/Connectors_is_preconfigured' + is_system_action: + $ref: '#/components/schemas/Connectors_is_system_action' + name: description: The display name for the connector. - secrets: - $ref: '#/components/schemas/Connectors_secrets_properties_resilient' - Connectors_update_connector_request_sentinelone: - title: Update SentinelOne connector request - type: object + type: string + referenced_by_count: + $ref: '#/components/schemas/Connectors_referenced_by_count' required: - - config + - connector_type_id + - id + - is_deprecated + - is_preconfigured - name - - secrets + Connectors_connector_response_properties_sentinelone: + title: Connector response properties for a SentinelOne connector + type: object properties: config: $ref: '#/components/schemas/Connectors_config_properties_sentinelone' - name: + connector_type_id: + description: The type of connector. + enum: + - .sentinelone + type: string + id: + description: The identifier for the connector. 
type: string + is_deprecated: + $ref: '#/components/schemas/Connectors_is_deprecated' + is_missing_secrets: + $ref: '#/components/schemas/Connectors_is_missing_secrets' + is_preconfigured: + $ref: '#/components/schemas/Connectors_is_preconfigured' + is_system_action: + $ref: '#/components/schemas/Connectors_is_system_action' + name: description: The display name for the connector. - secrets: - $ref: '#/components/schemas/Connectors_secrets_properties_sentinelone' - Connectors_update_connector_request_serverlog: - title: Update server log connector request - type: object + type: string + referenced_by_count: + $ref: '#/components/schemas/Connectors_referenced_by_count' required: + - connector_type_id + - id + - is_deprecated + - is_preconfigured - name + Connectors_connector_response_properties_serverlog: + title: Connector response properties for a server log connector + type: object properties: - name: + config: + nullable: true + type: object + connector_type_id: + description: The type of connector. + enum: + - .server-log + type: string + id: + description: The identifier for the connector. type: string + is_deprecated: + $ref: '#/components/schemas/Connectors_is_deprecated' + is_missing_secrets: + $ref: '#/components/schemas/Connectors_is_missing_secrets' + is_preconfigured: + $ref: '#/components/schemas/Connectors_is_preconfigured' + is_system_action: + $ref: '#/components/schemas/Connectors_is_system_action' + name: description: The display name for the connector. 
- Connectors_update_connector_request_servicenow: - title: Update ServiceNow ITSM connector or ServiceNow SecOps request - type: object + type: string + referenced_by_count: + $ref: '#/components/schemas/Connectors_referenced_by_count' required: - - config + - connector_type_id + - id + - is_deprecated + - is_preconfigured - name - - secrets + Connectors_connector_response_properties_servicenow: + title: Connector response properties for a ServiceNow ITSM connector + type: object properties: config: $ref: '#/components/schemas/Connectors_config_properties_servicenow' - name: + connector_type_id: + description: The type of connector. + enum: + - .servicenow + type: string + id: + description: The identifier for the connector. type: string + is_deprecated: + $ref: '#/components/schemas/Connectors_is_deprecated' + is_missing_secrets: + $ref: '#/components/schemas/Connectors_is_missing_secrets' + is_preconfigured: + $ref: '#/components/schemas/Connectors_is_preconfigured' + is_system_action: + $ref: '#/components/schemas/Connectors_is_system_action' + name: description: The display name for the connector. - secrets: - $ref: '#/components/schemas/Connectors_secrets_properties_servicenow' - Connectors_update_connector_request_servicenow_itom: - title: Create ServiceNow ITOM connector request - type: object + type: string + referenced_by_count: + $ref: '#/components/schemas/Connectors_referenced_by_count' required: - - config + - connector_type_id + - id + - is_deprecated + - is_preconfigured - name - - secrets + Connectors_connector_response_properties_servicenow_itom: + title: Connector response properties for a ServiceNow ITOM connector + type: object properties: config: $ref: '#/components/schemas/Connectors_config_properties_servicenow_itom' - name: + connector_type_id: + description: The type of connector. + enum: + - .servicenow-itom type: string + id: + description: The identifier for the connector. 
+ type: string + is_deprecated: + $ref: '#/components/schemas/Connectors_is_deprecated' + is_missing_secrets: + $ref: '#/components/schemas/Connectors_is_missing_secrets' + is_preconfigured: + $ref: '#/components/schemas/Connectors_is_preconfigured' + is_system_action: + $ref: '#/components/schemas/Connectors_is_system_action' + name: description: The display name for the connector. - secrets: - $ref: '#/components/schemas/Connectors_secrets_properties_servicenow' - Connectors_update_connector_request_slack_api: - title: Update Slack connector request + type: string + referenced_by_count: + $ref: '#/components/schemas/Connectors_referenced_by_count' + required: + - connector_type_id + - id + - is_deprecated + - is_preconfigured + - name + Connectors_connector_response_properties_servicenow_sir: + title: Connector response properties for a ServiceNow SecOps connector type: object + properties: + config: + $ref: '#/components/schemas/Connectors_config_properties_servicenow' + connector_type_id: + description: The type of connector. + enum: + - .servicenow-sir + type: string + id: + description: The identifier for the connector. + type: string + is_deprecated: + $ref: '#/components/schemas/Connectors_is_deprecated' + is_missing_secrets: + $ref: '#/components/schemas/Connectors_is_missing_secrets' + is_preconfigured: + $ref: '#/components/schemas/Connectors_is_preconfigured' + is_system_action: + $ref: '#/components/schemas/Connectors_is_system_action' + name: + description: The display name for the connector. 
+ type: string + referenced_by_count: + $ref: '#/components/schemas/Connectors_referenced_by_count' required: + - connector_type_id + - id + - is_deprecated + - is_preconfigured - name - - secrets + Connectors_connector_response_properties_slack_api: + title: Connector response properties for a Slack connector + type: object properties: config: $ref: '#/components/schemas/Connectors_config_properties_slack_api' - name: + connector_type_id: + description: The type of connector. + enum: + - .slack_api type: string + id: + description: The identifier for the connector. + type: string + is_deprecated: + $ref: '#/components/schemas/Connectors_is_deprecated' + is_missing_secrets: + $ref: '#/components/schemas/Connectors_is_missing_secrets' + is_preconfigured: + $ref: '#/components/schemas/Connectors_is_preconfigured' + is_system_action: + $ref: '#/components/schemas/Connectors_is_system_action' + name: description: The display name for the connector. - secrets: - $ref: '#/components/schemas/Connectors_secrets_properties_slack_api' - Connectors_update_connector_request_slack_webhook: - title: Update Slack connector request - type: object + type: string + referenced_by_count: + $ref: '#/components/schemas/Connectors_referenced_by_count' required: + - connector_type_id + - id + - is_deprecated + - is_preconfigured - name - - secrets + Connectors_connector_response_properties_slack_webhook: + title: Connector response properties for a Slack connector + type: object properties: - name: + connector_type_id: + description: The type of connector. + enum: + - .slack + type: string + id: + description: The identifier for the connector. 
type: string + is_deprecated: + $ref: '#/components/schemas/Connectors_is_deprecated' + is_missing_secrets: + $ref: '#/components/schemas/Connectors_is_missing_secrets' + is_preconfigured: + $ref: '#/components/schemas/Connectors_is_preconfigured' + is_system_action: + $ref: '#/components/schemas/Connectors_is_system_action' + name: description: The display name for the connector. - secrets: - $ref: '#/components/schemas/Connectors_secrets_properties_slack_webhook' - Connectors_update_connector_request_swimlane: - title: Update Swimlane connector request - type: object + type: string + referenced_by_count: + $ref: '#/components/schemas/Connectors_referenced_by_count' required: - - config + - connector_type_id + - id + - is_deprecated + - is_preconfigured - name - - secrets + Connectors_connector_response_properties_swimlane: + title: Connector response properties for a Swimlane connector + type: object properties: config: $ref: '#/components/schemas/Connectors_config_properties_swimlane' - name: + connector_type_id: + description: The type of connector. + enum: + - .swimlane + type: string + id: + description: The identifier for the connector. type: string + is_deprecated: + $ref: '#/components/schemas/Connectors_is_deprecated' + is_missing_secrets: + $ref: '#/components/schemas/Connectors_is_missing_secrets' + is_preconfigured: + $ref: '#/components/schemas/Connectors_is_preconfigured' + is_system_action: + $ref: '#/components/schemas/Connectors_is_system_action' + name: description: The display name for the connector. 
- example: my-connector - secrets: - $ref: '#/components/schemas/Connectors_secrets_properties_swimlane' - Connectors_update_connector_request_teams: - title: Update Microsoft Teams connector request - type: object + type: string + referenced_by_count: + $ref: '#/components/schemas/Connectors_referenced_by_count' required: + - connector_type_id + - id + - is_deprecated + - is_preconfigured - name - - secrets + Connectors_connector_response_properties_teams: + title: Connector response properties for a Microsoft Teams connector + type: object properties: - name: + config: + type: object + connector_type_id: + description: The type of connector. + enum: + - .teams + type: string + id: + description: The identifier for the connector. type: string + is_deprecated: + $ref: '#/components/schemas/Connectors_is_deprecated' + is_missing_secrets: + $ref: '#/components/schemas/Connectors_is_missing_secrets' + is_preconfigured: + $ref: '#/components/schemas/Connectors_is_preconfigured' + is_system_action: + $ref: '#/components/schemas/Connectors_is_system_action' + name: description: The display name for the connector. - secrets: - $ref: '#/components/schemas/Connectors_secrets_properties_teams' - Connectors_update_connector_request_tines: - title: Update Tines connector request - type: object + type: string + referenced_by_count: + $ref: '#/components/schemas/Connectors_referenced_by_count' required: - - config + - connector_type_id + - id + - is_deprecated + - is_preconfigured - name - - secrets + Connectors_connector_response_properties_tines: + title: Connector response properties for a Tines connector + type: object properties: config: $ref: '#/components/schemas/Connectors_config_properties_tines' - name: + connector_type_id: + description: The type of connector. + enum: + - .tines + type: string + id: + description: The identifier for the connector. 
type: string + is_deprecated: + $ref: '#/components/schemas/Connectors_is_deprecated' + is_missing_secrets: + $ref: '#/components/schemas/Connectors_is_missing_secrets' + is_preconfigured: + $ref: '#/components/schemas/Connectors_is_preconfigured' + is_system_action: + $ref: '#/components/schemas/Connectors_is_system_action' + name: description: The display name for the connector. - secrets: - $ref: '#/components/schemas/Connectors_secrets_properties_tines' - Connectors_update_connector_request_torq: - title: Update Torq connector request - type: object + type: string + referenced_by_count: + $ref: '#/components/schemas/Connectors_referenced_by_count' required: - - config + - connector_type_id + - id + - is_deprecated + - is_preconfigured - name - - secrets + Connectors_connector_response_properties_torq: + title: Connector response properties for a Torq connector + type: object properties: config: $ref: '#/components/schemas/Connectors_config_properties_torq' - name: + connector_type_id: + description: The type of connector. + enum: + - .torq + type: string + id: + description: The identifier for the connector. type: string + is_deprecated: + $ref: '#/components/schemas/Connectors_is_deprecated' + is_missing_secrets: + $ref: '#/components/schemas/Connectors_is_missing_secrets' + is_preconfigured: + $ref: '#/components/schemas/Connectors_is_preconfigured' + is_system_action: + $ref: '#/components/schemas/Connectors_is_system_action' + name: description: The display name for the connector. 
- secrets: - $ref: '#/components/schemas/Connectors_secrets_properties_torq' - Connectors_update_connector_request_webhook: - title: Update Webhook connector request - type: object + type: string + referenced_by_count: + $ref: '#/components/schemas/Connectors_referenced_by_count' required: - - config + - connector_type_id + - id + - is_deprecated + - is_preconfigured - name - - secrets + Connectors_connector_response_properties_webhook: + title: Connector response properties for a Webhook connector + type: object properties: config: $ref: '#/components/schemas/Connectors_config_properties_webhook' - name: + connector_type_id: + description: The type of connector. + enum: + - .webhook + type: string + id: + description: The identifier for the connector. type: string + is_deprecated: + $ref: '#/components/schemas/Connectors_is_deprecated' + is_missing_secrets: + $ref: '#/components/schemas/Connectors_is_missing_secrets' + is_preconfigured: + $ref: '#/components/schemas/Connectors_is_preconfigured' + is_system_action: + $ref: '#/components/schemas/Connectors_is_system_action' + name: description: The display name for the connector. - secrets: - $ref: '#/components/schemas/Connectors_secrets_properties_webhook' - Connectors_update_connector_request_xmatters: - title: Update xMatters connector request - type: object + type: string + referenced_by_count: + $ref: '#/components/schemas/Connectors_referenced_by_count' required: - - config + - connector_type_id + - id + - is_deprecated + - is_preconfigured + - name + Connectors_connector_response_properties_xmatters: + title: Connector response properties for an xMatters connector + type: object + properties: + config: + $ref: '#/components/schemas/Connectors_config_properties_xmatters' + connector_type_id: + description: The type of connector. + enum: + - .xmatters + type: string + id: + description: The identifier for the connector. 
+ type: string + is_deprecated: + $ref: '#/components/schemas/Connectors_is_deprecated' + is_missing_secrets: + $ref: '#/components/schemas/Connectors_is_missing_secrets' + is_preconfigured: + $ref: '#/components/schemas/Connectors_is_preconfigured' + is_system_action: + $ref: '#/components/schemas/Connectors_is_system_action' + name: + description: The display name for the connector. + type: string + referenced_by_count: + $ref: '#/components/schemas/Connectors_referenced_by_count' + required: + - connector_type_id + - id + - is_deprecated + - is_preconfigured - name - - secrets - properties: - config: - $ref: '#/components/schemas/Connectors_config_properties_xmatters' - name: - type: string - description: The display name for the connector. - secrets: - $ref: '#/components/schemas/Connectors_secrets_properties_xmatters' - Connectors_update_connector_request: - title: Update connector request body properties - description: The properties vary depending on the connector type. - oneOf: - - $ref: '#/components/schemas/Connectors_update_connector_request_bedrock' - - $ref: '#/components/schemas/Connectors_update_connector_request_gemini' - - $ref: >- - #/components/schemas/Connectors_update_connector_request_cases_webhook - - $ref: '#/components/schemas/Connectors_update_connector_request_d3security' - - $ref: '#/components/schemas/Connectors_update_connector_request_email' - - $ref: '#/components/schemas/Connectors_create_connector_request_genai' - - $ref: '#/components/schemas/Connectors_update_connector_request_index' - - $ref: '#/components/schemas/Connectors_update_connector_request_jira' - - $ref: '#/components/schemas/Connectors_update_connector_request_opsgenie' - - $ref: '#/components/schemas/Connectors_update_connector_request_pagerduty' - - $ref: '#/components/schemas/Connectors_update_connector_request_resilient' - - $ref: '#/components/schemas/Connectors_update_connector_request_sentinelone' - - $ref: 
'#/components/schemas/Connectors_update_connector_request_serverlog' - - $ref: '#/components/schemas/Connectors_update_connector_request_servicenow' - - $ref: >- - #/components/schemas/Connectors_update_connector_request_servicenow_itom - - $ref: '#/components/schemas/Connectors_update_connector_request_slack_api' - - $ref: >- - #/components/schemas/Connectors_update_connector_request_slack_webhook - - $ref: '#/components/schemas/Connectors_update_connector_request_swimlane' - - $ref: '#/components/schemas/Connectors_update_connector_request_teams' - - $ref: '#/components/schemas/Connectors_update_connector_request_tines' - - $ref: '#/components/schemas/Connectors_update_connector_request_torq' - - $ref: '#/components/schemas/Connectors_update_connector_request_webhook' - - $ref: '#/components/schemas/Connectors_update_connector_request_xmatters' - Connectors_features: - type: string - description: | - The feature that uses the connector. - enum: - - alerting - - cases - - generativeAIForSecurity - - generativeAIForObservability - - generativeAIForSearchPlayground - - siem - - uptime Connectors_connector_types: - title: Connector types - type: string description: >- The type of connector. For example, `.email`, `.index`, `.jira`, `.opsgenie`, or `.server-log`. 
@@ -4913,3766 +12210,13439 @@ components: - .webhook - .xmatters example: .server-log - Data_views_400_response: - title: Bad request - type: object - required: - - statusCode - - error - - message - properties: - statusCode: - type: number - example: 400 - error: - type: string - example: Bad Request - message: - type: string - Data_views_allownoindex: - type: boolean - description: Allows the data view saved object to exist before the data is available. - Data_views_fieldattrs: - type: object - description: A map of field attributes by field name. - properties: - count: - type: integer - description: Popularity count for the field. - customDescription: - type: string - description: Custom description for the field. - maxLength: 300 - customLabel: - type: string - description: Custom label for the field. - Data_views_fieldformats: - type: object - description: A map of field formats by field name. - Data_views_namespaces: - type: array - description: >- - An array of space identifiers for sharing the data view between multiple - spaces. - items: - type: string - default: default - Data_views_runtimefieldmap: - type: object - description: A map of runtime field definitions by field name. - required: - - script - - type - properties: - script: - type: object - properties: - source: - type: string - description: Script for the runtime field. - type: - type: string - description: Mapping type of the runtime field. - Data_views_sourcefilters: - type: array - description: The array of field names you want to filter out in Discover. - items: - type: object - required: - - value - properties: - value: - type: string - Data_views_timefieldname: - type: string - description: The timestamp field name, which you use for time-based data views. - Data_views_title: - type: string - description: >- - Comma-separated list of data streams, indices, and aliases that you want - to search. Supports wildcards (`*`). 
- Data_views_type: + title: Connector types type: string - description: When set to `rollup`, identifies the rollup data views. - Data_views_typemeta: - type: object - description: >- - When you use rollup indices, contains the field list for the rollup data - view API endpoints. - required: - - aggs - - params - properties: - aggs: - type: object - description: A map of rollup restrictions by aggregation type and field name. - params: - type: object - description: Properties for retrieving rollup fields. - Data_views_create_data_view_request_object: - title: Create data view request - type: object - required: - - data_view - properties: - data_view: - type: object - required: - - title - description: The data view object. - properties: - allowNoIndex: - $ref: '#/components/schemas/Data_views_allownoindex' - fieldAttrs: - type: object - additionalProperties: - $ref: '#/components/schemas/Data_views_fieldattrs' - fieldFormats: - $ref: '#/components/schemas/Data_views_fieldformats' - fields: - type: object - id: - type: string - name: - type: string - description: The data view name. - namespaces: - $ref: '#/components/schemas/Data_views_namespaces' - runtimeFieldMap: - type: object - additionalProperties: - $ref: '#/components/schemas/Data_views_runtimefieldmap' - sourceFilters: - $ref: '#/components/schemas/Data_views_sourcefilters' - timeFieldName: - $ref: '#/components/schemas/Data_views_timefieldname' - title: - $ref: '#/components/schemas/Data_views_title' - type: - $ref: '#/components/schemas/Data_views_type' - typeMeta: - $ref: '#/components/schemas/Data_views_typemeta' - version: - type: string - override: - type: boolean - description: >- - Override an existing data view if a data view with the provided - title already exists. - default: false - Data_views_typemeta_response: - type: object + Connectors_create_connector_request: + description: The properties vary depending on the connector type. 
+ discriminator: + mapping: + .bedrock: '#/components/schemas/Connectors_create_connector_request_bedrock' + .cases-webhook: >- + #/components/schemas/Connectors_create_connector_request_cases_webhook + .d3security: '#/components/schemas/Connectors_create_connector_request_d3security' + .email: '#/components/schemas/Connectors_create_connector_request_email' + .gemini: '#/components/schemas/Connectors_create_connector_request_gemini' + .gen-ai: '#/components/schemas/Connectors_create_connector_request_genai' + .index: '#/components/schemas/Connectors_create_connector_request_index' + .jira: '#/components/schemas/Connectors_create_connector_request_jira' + .opsgenie: '#/components/schemas/Connectors_create_connector_request_opsgenie' + .pagerduty: '#/components/schemas/Connectors_create_connector_request_pagerduty' + .resilient: '#/components/schemas/Connectors_create_connector_request_resilient' + .sentinelone: '#/components/schemas/Connectors_create_connector_request_sentinelone' + .server-log: '#/components/schemas/Connectors_create_connector_request_serverlog' + .servicenow: '#/components/schemas/Connectors_create_connector_request_servicenow' + .servicenow-itom: >- + #/components/schemas/Connectors_create_connector_request_servicenow_itom + .servicenow-sir: >- + #/components/schemas/Connectors_create_connector_request_servicenow_sir + .slack: >- + #/components/schemas/Connectors_create_connector_request_slack_webhook + .slack_api: '#/components/schemas/Connectors_create_connector_request_slack_api' + .swimlane: '#/components/schemas/Connectors_create_connector_request_swimlane' + .teams: '#/components/schemas/Connectors_create_connector_request_teams' + .tines: '#/components/schemas/Connectors_create_connector_request_tines' + .torq: '#/components/schemas/Connectors_create_connector_request_torq' + .webhook: '#/components/schemas/Connectors_create_connector_request_webhook' + .xmatters: '#/components/schemas/Connectors_create_connector_request_xmatters' + 
propertyName: connector_type_id + oneOf: + - $ref: '#/components/schemas/Connectors_create_connector_request_bedrock' + - $ref: '#/components/schemas/Connectors_create_connector_request_gemini' + - $ref: >- + #/components/schemas/Connectors_create_connector_request_cases_webhook + - $ref: '#/components/schemas/Connectors_create_connector_request_d3security' + - $ref: '#/components/schemas/Connectors_create_connector_request_email' + - $ref: '#/components/schemas/Connectors_create_connector_request_genai' + - $ref: '#/components/schemas/Connectors_create_connector_request_index' + - $ref: '#/components/schemas/Connectors_create_connector_request_jira' + - $ref: '#/components/schemas/Connectors_create_connector_request_opsgenie' + - $ref: '#/components/schemas/Connectors_create_connector_request_pagerduty' + - $ref: '#/components/schemas/Connectors_create_connector_request_resilient' + - $ref: '#/components/schemas/Connectors_create_connector_request_sentinelone' + - $ref: '#/components/schemas/Connectors_create_connector_request_serverlog' + - $ref: '#/components/schemas/Connectors_create_connector_request_servicenow' + - $ref: >- + #/components/schemas/Connectors_create_connector_request_servicenow_itom + - $ref: >- + #/components/schemas/Connectors_create_connector_request_servicenow_sir + - $ref: '#/components/schemas/Connectors_create_connector_request_slack_api' + - $ref: >- + #/components/schemas/Connectors_create_connector_request_slack_webhook + - $ref: '#/components/schemas/Connectors_create_connector_request_swimlane' + - $ref: '#/components/schemas/Connectors_create_connector_request_teams' + - $ref: '#/components/schemas/Connectors_create_connector_request_tines' + - $ref: '#/components/schemas/Connectors_create_connector_request_torq' + - $ref: '#/components/schemas/Connectors_create_connector_request_webhook' + - $ref: '#/components/schemas/Connectors_create_connector_request_xmatters' + title: Create connector request body properties + 
Connectors_create_connector_request_bedrock: description: >- - When you use rollup indices, contains the field list for the rollup data - view API endpoints. - nullable: true - properties: - aggs: - type: object - description: A map of rollup restrictions by aggregation type and field name. - params: - type: object - description: Properties for retrieving rollup fields. - Data_views_data_view_response_object: - title: Data view response properties - type: object + The Amazon Bedrock connector uses axios to send a POST request to Amazon + Bedrock. properties: - data_view: - type: object - properties: - allowNoIndex: - $ref: '#/components/schemas/Data_views_allownoindex' - fieldAttrs: - type: object - additionalProperties: - $ref: '#/components/schemas/Data_views_fieldattrs' - fieldFormats: - $ref: '#/components/schemas/Data_views_fieldformats' - fields: - type: object - id: - type: string - example: ff959d40-b880-11e8-a6d9-e546fe2bba5f - name: - type: string - description: The data view name. - namespaces: - $ref: '#/components/schemas/Data_views_namespaces' - runtimeFieldMap: - type: object - additionalProperties: - $ref: '#/components/schemas/Data_views_runtimefieldmap' - sourceFilters: - $ref: '#/components/schemas/Data_views_sourcefilters' - timeFieldName: - $ref: '#/components/schemas/Data_views_timefieldname' - title: - $ref: '#/components/schemas/Data_views_title' - typeMeta: - $ref: '#/components/schemas/Data_views_typemeta_response' - version: - type: string - example: WzQ2LDJd - Data_views_404_response: + config: + $ref: '#/components/schemas/Connectors_config_properties_bedrock' + connector_type_id: + description: The type of connector. + enum: + - .bedrock + example: .bedrock + type: string + name: + description: The display name for the connector. 
+ example: my-connector + type: string + secrets: + $ref: '#/components/schemas/Connectors_secrets_properties_bedrock' + required: + - config + - connector_type_id + - name + - secrets + title: Create Amazon Bedrock connector request type: object + Connectors_create_connector_request_cases_webhook: + description: > + The Webhook - Case Management connector uses axios to send POST, PUT, + and GET requests to a case management RESTful API web service. properties: - error: - type: string - example: Not Found + config: + $ref: '#/components/schemas/Connectors_config_properties_cases_webhook' + connector_type_id: + description: The type of connector. enum: - - Not Found - message: + - .cases-webhook + example: .cases-webhook type: string - example: >- - Saved object [index-pattern/caaad6d0-920c-11ed-b36a-874bd1548a00] - not found - statusCode: - type: integer - example: 404 - enum: - - 404 - Data_views_update_data_view_request_object: - title: Update data view request - type: object + name: + description: The display name for the connector. + example: my-connector + type: string + secrets: + $ref: '#/components/schemas/Connectors_secrets_properties_cases_webhook' required: - - data_view - properties: - data_view: - type: object - description: > - The data view properties you want to update. Only the specified - properties are updated in the data view. Unspecified fields stay as - they are persisted. 
- properties: - allowNoIndex: - $ref: '#/components/schemas/Data_views_allownoindex' - fieldFormats: - $ref: '#/components/schemas/Data_views_fieldformats' - fields: - type: object - name: - type: string - runtimeFieldMap: - type: object - additionalProperties: - $ref: '#/components/schemas/Data_views_runtimefieldmap' - sourceFilters: - $ref: '#/components/schemas/Data_views_sourcefilters' - timeFieldName: - $ref: '#/components/schemas/Data_views_timefieldname' - title: - $ref: '#/components/schemas/Data_views_title' - type: - $ref: '#/components/schemas/Data_views_type' - typeMeta: - $ref: '#/components/schemas/Data_views_typemeta' - refresh_fields: - type: boolean - description: Reloads the data view fields after the data view is updated. - default: false - Data_views_swap_data_view_request_object: - title: Data view reference swap request + - config + - connector_type_id + - name + title: Create Webhook - Case Managment connector request type: object - required: - - fromId - - toId + Connectors_create_connector_request_d3security: + description: > + The connector uses axios to send a POST request to a D3 Security + endpoint. properties: - delete: - type: boolean - description: Deletes referenced saved object if all references are removed. - forId: - oneOf: - - type: string - - type: array - items: - type: string - description: Limit the affected saved objects to one or more by identifier. - forType: + config: + $ref: '#/components/schemas/Connectors_config_properties_d3security' + connector_type_id: + description: The type of connector. + enum: + - .d3security + example: .d3security type: string - description: Limit the affected saved objects by type. - fromId: + name: + description: The display name for the connector. + example: my-connector type: string - description: The saved object reference to change. 
- fromType: + secrets: + $ref: '#/components/schemas/Connectors_secrets_properties_d3security' + required: + - config + - connector_type_id + - name + - secrets + title: Create D3 Security connector request + type: object + Connectors_create_connector_request_email: + description: > + The email connector uses the SMTP protocol to send mail messages, using + an integration of Nodemailer. An exception is Microsoft Exchange, which + uses HTTP protocol for sending emails, Send mail. Email message text is + sent as both plain text and html text. + properties: + config: + $ref: '#/components/schemas/Connectors_config_properties_email' + connector_type_id: + description: The type of connector. + enum: + - .email + example: .email type: string - description: > - Specify the type of the saved object reference to alter. The default - value is `index-pattern` for data views. - toId: + name: + description: The display name for the connector. + example: my-connector type: string - description: New saved object reference value to replace the old value. - Machine_learning_APIs_mlSyncResponseSuccess: - type: boolean - description: The success or failure of the synchronization. - Machine_learning_APIs_mlSyncResponseAnomalyDetectors: + secrets: + $ref: '#/components/schemas/Connectors_secrets_properties_email' + required: + - config + - connector_type_id + - name + - secrets + title: Create email connector request type: object - title: Sync API response for anomaly detection jobs + Connectors_create_connector_request_gemini: description: >- - The sync machine learning saved objects API response contains this - object when there are anomaly detection jobs affected by the - synchronization. There is an object for each relevant job, which - contains the synchronization status. + The Google Gemini connector uses axios to send a POST request to Google + Gemini. 
properties: - success: - $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess' - Machine_learning_APIs_mlSyncResponseDatafeeds: + config: + $ref: '#/components/schemas/Connectors_config_properties_gemini' + connector_type_id: + description: The type of connector. + enum: + - .gemini + example: .gemini + type: string + name: + description: The display name for the connector. + example: my-connector + type: string + secrets: + $ref: '#/components/schemas/Connectors_secrets_properties_gemini' + required: + - config + - connector_type_id + - name + - secrets + title: Create Google Gemini connector request + type: object + Connectors_create_connector_request_genai: + description: > + The OpenAI connector uses axios to send a POST request to either OpenAI + or Azure OpenAPI. + properties: + config: + $ref: '#/components/schemas/Connectors_config_properties_genai' + connector_type_id: + description: The type of connector. + enum: + - .gen-ai + example: .gen-ai + type: string + name: + description: The display name for the connector. + example: my-connector + type: string + secrets: + $ref: '#/components/schemas/Connectors_secrets_properties_genai' + required: + - config + - connector_type_id + - name + - secrets + title: Create OpenAI connector request type: object - title: Sync API response for datafeeds - description: >- - The sync machine learning saved objects API response contains this - object when there are datafeeds affected by the synchronization. There - is an object for each relevant datafeed, which contains the - synchronization status. + Connectors_create_connector_request_index: + description: The index connector indexes a document into Elasticsearch. properties: - success: - $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess' - Machine_learning_APIs_mlSyncResponseDataFrameAnalytics: + config: + $ref: '#/components/schemas/Connectors_config_properties_index' + connector_type_id: + description: The type of connector. 
+ enum: + - .index + example: .index + type: string + name: + description: The display name for the connector. + example: my-connector + type: string + required: + - config + - connector_type_id + - name + title: Create index connector request type: object - title: Sync API response for data frame analytics jobs - description: >- - The sync machine learning saved objects API response contains this - object when there are data frame analytics jobs affected by the - synchronization. There is an object for each relevant job, which - contains the synchronization status. + Connectors_create_connector_request_jira: + description: The Jira connector uses the REST API v2 to create Jira issues. properties: - success: - $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess' - Machine_learning_APIs_mlSyncResponseSavedObjectsCreated: + config: + $ref: '#/components/schemas/Connectors_config_properties_jira' + connector_type_id: + description: The type of connector. + enum: + - .jira + example: .jira + type: string + name: + description: The display name for the connector. + example: my-connector + type: string + secrets: + $ref: '#/components/schemas/Connectors_secrets_properties_jira' + required: + - config + - connector_type_id + - name + - secrets + title: Create Jira connector request type: object - title: Sync API response for created saved objects - description: >- - If saved objects are missing for machine learning jobs or trained - models, they are created when you run the sync machine learning saved - objects API. + Connectors_create_connector_request_opsgenie: + description: The Opsgenie connector uses the Opsgenie alert API. properties: - anomaly-detector: - type: object - description: >- - If saved objects are missing for anomaly detection jobs, they are - created. 
- additionalProperties: - $ref: >- - #/components/schemas/Machine_learning_APIs_mlSyncResponseAnomalyDetectors - data-frame-analytics: - type: object - description: >- - If saved objects are missing for data frame analytics jobs, they are - created. - additionalProperties: - $ref: >- - #/components/schemas/Machine_learning_APIs_mlSyncResponseDataFrameAnalytics - trained-model: - type: object - description: If saved objects are missing for trained models, they are created. - additionalProperties: - $ref: >- - #/components/schemas/Machine_learning_APIs_mlSyncResponseTrainedModels - Machine_learning_APIs_mlSyncResponseSavedObjectsDeleted: + config: + $ref: '#/components/schemas/Connectors_config_properties_opsgenie' + connector_type_id: + description: The type of connector. + enum: + - .opsgenie + example: .opsgenie + type: string + name: + description: The display name for the connector. + example: my-connector + type: string + secrets: + $ref: '#/components/schemas/Connectors_secrets_properties_opsgenie' + required: + - config + - connector_type_id + - name + - secrets + title: Create Opsgenie connector request type: object - title: Sync API response for deleted saved objects - description: >- - If saved objects exist for machine learning jobs or trained models that - no longer exist, they are deleted when you run the sync machine learning - saved objects API. + Connectors_create_connector_request_pagerduty: + description: > + The PagerDuty connector uses the v2 Events API to trigger, acknowledge, + and resolve PagerDuty alerts. properties: - anomaly-detector: - type: object - description: >- - If there are saved objects exist for nonexistent anomaly detection - jobs, they are deleted. - additionalProperties: - $ref: >- - #/components/schemas/Machine_learning_APIs_mlSyncResponseAnomalyDetectors - data-frame-analytics: - type: object - description: >- - If there are saved objects exist for nonexistent data frame - analytics jobs, they are deleted. 
- additionalProperties: - $ref: >- - #/components/schemas/Machine_learning_APIs_mlSyncResponseDataFrameAnalytics - trained-model: - type: object - description: >- - If there are saved objects exist for nonexistent trained models, - they are deleted. - additionalProperties: - $ref: >- - #/components/schemas/Machine_learning_APIs_mlSyncResponseTrainedModels - Machine_learning_APIs_mlSyncResponseTrainedModels: + config: + $ref: '#/components/schemas/Connectors_config_properties_pagerduty' + connector_type_id: + description: The type of connector. + enum: + - .pagerduty + example: .pagerduty + type: string + name: + description: The display name for the connector. + example: my-connector + type: string + secrets: + $ref: '#/components/schemas/Connectors_secrets_properties_pagerduty' + required: + - config + - connector_type_id + - name + - secrets + title: Create PagerDuty connector request type: object - title: Sync API response for trained models + Connectors_create_connector_request_resilient: description: >- - The sync machine learning saved objects API response contains this - object when there are trained models affected by the synchronization. - There is an object for each relevant trained model, which contains the - synchronization status. + The IBM Resilient connector uses the RESILIENT REST v2 to create IBM + Resilient incidents. properties: - success: - $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess' - Machine_learning_APIs_mlSync200Response: + config: + $ref: '#/components/schemas/Connectors_config_properties_resilient' + connector_type_id: + description: The type of connector. + enum: + - .resilient + example: .resilient + type: string + name: + description: The display name for the connector. 
+ example: my-connector + type: string + secrets: + $ref: '#/components/schemas/Connectors_secrets_properties_resilient' + required: + - config + - connector_type_id + - name + - secrets + title: Create IBM Resilient connector request type: object - title: Successful sync API response - properties: - datafeedsAdded: - type: object - description: >- - If a saved object for an anomaly detection job is missing a datafeed - identifier, it is added when you run the sync machine learning saved - objects API. - additionalProperties: - $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseDatafeeds' - datafeedsRemoved: - type: object - description: >- - If a saved object for an anomaly detection job references a datafeed - that no longer exists, it is deleted when you run the sync machine - learning saved objects API. - additionalProperties: - $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseDatafeeds' - savedObjectsCreated: - $ref: >- - #/components/schemas/Machine_learning_APIs_mlSyncResponseSavedObjectsCreated - savedObjectsDeleted: - $ref: >- - #/components/schemas/Machine_learning_APIs_mlSyncResponseSavedObjectsDeleted - Machine_learning_APIs_mlSync4xxResponse: + Connectors_create_connector_request_sentinelone: + description: > + The SentinelOne connector communicates with SentinelOne Management + Console via REST API. This functionality is in technical preview and may + be changed or removed in a future release. Elastic will work to fix any + issues, but features in technical preview are not subject to the support + SLA of official GA features. + title: Create SentinelOne connector request type: object - title: Unsuccessful sync API response properties: - error: + config: + $ref: '#/components/schemas/Connectors_config_properties_sentinelone' + connector_type_id: + description: The type of connector. + enum: + - .sentinelone + example: .sentinelone + type: string + name: + description: The display name for the connector. 
+ example: my-connector + type: string + secrets: + $ref: '#/components/schemas/Connectors_secrets_properties_sentinelone' + required: + - config + - connector_type_id + - name + - secrets + x-technical-preview: true + Connectors_create_connector_request_serverlog: + description: This connector writes an entry to the Kibana server log. + properties: + connector_type_id: + description: The type of connector. + enum: + - .server-log + example: .server-log type: string - example: Unauthorized - message: + name: + description: The display name for the connector. + example: my-connector type: string - statusCode: - type: integer - example: 401 - Serverless_saved_objects_400_response: - title: Bad request - type: object required: - - error - - message - - statusCode + - connector_type_id + - name + title: Create server log connector request + type: object + Connectors_create_connector_request_servicenow: + description: > + The ServiceNow ITSM connector uses the import set API to create + ServiceNow incidents. You can use the connector for rule actions and + cases. properties: - error: - type: string + config: + $ref: '#/components/schemas/Connectors_config_properties_servicenow' + connector_type_id: + description: The type of connector. enum: - - Bad Request - message: + - .servicenow + example: .servicenow type: string - statusCode: - type: integer - enum: - - 400 - SLOs_indicator_properties_apm_availability: - title: APM availability + name: + description: The display name for the connector. 
+ example: my-connector + type: string + secrets: + $ref: '#/components/schemas/Connectors_secrets_properties_servicenow' required: - - type - - params - description: Defines properties for the APM availability indicator type + - config + - connector_type_id + - name + - secrets + title: Create ServiceNow ITSM connector request type: object + Connectors_create_connector_request_servicenow_itom: + description: > + The ServiceNow ITOM connector uses the event API to create ServiceNow + events. You can use the connector for rule actions. properties: - params: - description: An object containing the indicator parameters. - type: object - nullable: false - required: - - service - - environment - - transactionType - - transactionName - - index - properties: - service: - description: The APM service name - type: string - example: o11y-app - environment: - description: The APM service environment or "*" - type: string - example: production - transactionType: - description: The APM transaction type or "*" - type: string - example: request - transactionName: - description: The APM transaction name or "*" - type: string - example: GET /my/api - filter: - description: KQL query used for filtering the data - type: string - example: 'service.foo : "bar"' - index: - description: The index used by APM metrics - type: string - example: metrics-apm*,apm* - type: - description: The type of indicator. + config: + $ref: '#/components/schemas/Connectors_config_properties_servicenow_itom' + connector_type_id: + description: The type of connector. + enum: + - .servicenow-itom + example: .servicenow-itom type: string - example: sli.apm.transactionDuration - SLOs_filter_meta: - title: FilterMeta - description: Defines properties for a filter + name: + description: The display name for the connector. 
+ example: my-connector + type: string + secrets: + $ref: '#/components/schemas/Connectors_secrets_properties_servicenow' + required: + - config + - connector_type_id + - name + - secrets + title: Create ServiceNow ITOM connector request type: object + Connectors_create_connector_request_servicenow_sir: + description: > + The ServiceNow SecOps connector uses the import set API to create + ServiceNow security incidents. You can use the connector for rule + actions and cases. properties: - alias: - type: string - nullable: true - disabled: - type: boolean - negate: - type: boolean - controlledBy: - type: string - group: - type: string - index: - type: string - isMultiIndex: - type: boolean - type: + config: + $ref: '#/components/schemas/Connectors_config_properties_servicenow' + connector_type_id: + description: The type of connector. + enum: + - .servicenow-sir + example: .servicenow-sir type: string - key: + name: + description: The display name for the connector. + example: my-connector type: string - params: - type: object - value: + secrets: + $ref: '#/components/schemas/Connectors_secrets_properties_servicenow' + required: + - config + - connector_type_id + - name + - secrets + title: Create ServiceNow SecOps connector request + type: object + Connectors_create_connector_request_slack_api: + description: The Slack connector uses an API method to send Slack messages. + properties: + config: + $ref: '#/components/schemas/Connectors_config_properties_slack_api' + connector_type_id: + description: The type of connector. + enum: + - .slack_api + example: .slack_api type: string - field: + name: + description: The display name for the connector. 
+ example: my-connector type: string - SLOs_filter: - title: Filter - description: Defines properties for a filter + secrets: + $ref: '#/components/schemas/Connectors_secrets_properties_slack_api' + required: + - connector_type_id + - name + - secrets + title: Create Slack connector request type: object + Connectors_create_connector_request_slack_webhook: + description: The Slack connector uses Slack Incoming Webhooks. properties: - query: - type: object - meta: - $ref: '#/components/schemas/SLOs_filter_meta' - SLOs_kql_with_filters: - title: KQL with filters - description: Defines properties for a filter - oneOf: - - description: the KQL query to filter the documents with. - type: string - example: 'field.environment : "production" and service.name : "my-service"' - - type: object - properties: - kqlQuery: - type: string - filters: - type: array - items: - $ref: '#/components/schemas/SLOs_filter' - SLOs_kql_with_filters_good: - title: KQL query for good events - description: The KQL query used to define the good events. - oneOf: - - description: the KQL query to filter the documents with. + connector_type_id: + description: The type of connector. + enum: + - .slack + example: .slack type: string - example: 'request.latency <= 150 and request.status_code : "2xx"' - - type: object - properties: - kqlQuery: - type: string - filters: - type: array - items: - $ref: '#/components/schemas/SLOs_filter' - SLOs_kql_with_filters_total: - title: KQL query for all events - description: The KQL query used to define all events. - oneOf: - - description: the KQL query to filter the documents with. + name: + description: The display name for the connector. 
+ example: my-connector type: string - example: 'field.environment : "production" and service.name : "my-service"' - - type: object - properties: - kqlQuery: - type: string - filters: - type: array - items: - $ref: '#/components/schemas/SLOs_filter' - SLOs_indicator_properties_custom_kql: - title: Custom Query - required: - - type - - params - description: Defines properties for a custom query indicator type + secrets: + $ref: '#/components/schemas/Connectors_secrets_properties_slack_webhook' + required: + - connector_type_id + - name + - secrets + title: Create Slack connector request type: object + Connectors_create_connector_request_swimlane: + description: >- + The Swimlane connector uses the Swimlane REST API to create Swimlane + records. properties: - params: - description: An object containing the indicator parameters. - type: object - nullable: false - required: - - index - - timestampField - - good - - total - properties: - index: - description: The index or index pattern to use - type: string - example: my-service-* - dataViewId: - description: >- - The kibana data view id to use, primarily used to include data - view runtime mappings. Make sure to save SLO again if you - add/update run time fields to the data view and if those fields - are being used in slo queries. - type: string - example: 03b80ab3-003d-498b-881c-3beedbaf1162 - filter: - $ref: '#/components/schemas/SLOs_kql_with_filters' - good: - $ref: '#/components/schemas/SLOs_kql_with_filters_good' - total: - $ref: '#/components/schemas/SLOs_kql_with_filters_total' - timestampField: - description: | - The timestamp field used in the source indice. - type: string - example: timestamp - type: - description: The type of indicator. + config: + $ref: '#/components/schemas/Connectors_config_properties_swimlane' + connector_type_id: + description: The type of connector. 
+ enum: + - .swimlane + example: .swimlane type: string - example: sli.kql.custom - SLOs_indicator_properties_apm_latency: - title: APM latency + name: + description: The display name for the connector. + example: my-connector + type: string + secrets: + $ref: '#/components/schemas/Connectors_secrets_properties_swimlane' required: - - type - - params - description: Defines properties for the APM latency indicator type + - config + - connector_type_id + - name + - secrets + title: Create Swimlane connector request type: object + Connectors_create_connector_request_teams: + description: The Microsoft Teams connector uses Incoming Webhooks. properties: - params: - description: An object containing the indicator parameters. - type: object - nullable: false - required: - - service - - environment - - transactionType - - transactionName - - index - - threshold - properties: - service: - description: The APM service name - type: string - example: o11y-app - environment: - description: The APM service environment or "*" - type: string - example: production - transactionType: - description: The APM transaction type or "*" - type: string - example: request - transactionName: - description: The APM transaction name or "*" - type: string - example: GET /my/api - filter: - description: KQL query used for filtering the data - type: string - example: 'service.foo : "bar"' - index: - description: The index used by APM metrics - type: string - example: metrics-apm*,apm* - threshold: - description: The latency threshold in milliseconds - type: number - example: 250 - type: - description: The type of indicator. + connector_type_id: + description: The type of connector. + enum: + - .teams + example: .teams type: string - example: sli.apm.transactionDuration - SLOs_indicator_properties_custom_metric: - title: Custom metric + name: + description: The display name for the connector. 
+ example: my-connector + type: string + secrets: + $ref: '#/components/schemas/Connectors_secrets_properties_teams' required: - - type - - params - description: Defines properties for a custom metric indicator type + - connector_type_id + - name + - secrets + title: Create Microsoft Teams connector request type: object - properties: - params: - description: An object containing the indicator parameters. - type: object - nullable: false - required: - - index - - timestampField - - good - - total - properties: - index: - description: The index or index pattern to use - type: string - example: my-service-* - dataViewId: - description: >- - The kibana data view id to use, primarily used to include data - view runtime mappings. Make sure to save SLO again if you - add/update run time fields to the data view and if those fields - are being used in slo queries. - type: string - example: 03b80ab3-003d-498b-881c-3beedbaf1162 - filter: - description: the KQL query to filter the documents with. - type: string - example: 'field.environment : "production" and service.name : "my-service"' - timestampField: - description: | - The timestamp field used in the source indice. - type: string - example: timestamp - good: - description: | - An object defining the "good" metrics and equation - type: object - required: - - metrics - - equation - properties: - metrics: - description: >- - List of metrics with their name, aggregation type, and - field. - type: array - items: - type: object - required: - - name - - aggregation - - field - properties: - name: - description: The name of the metric. Only valid options are A-Z - type: string - example: A - pattern: ^[A-Z]$ - aggregation: - description: >- - The aggregation type of the metric. Only valid option - is "sum" - type: string - example: sum - enum: - - sum - field: - description: The field of the metric. - type: string - example: processor.processed - filter: - description: The filter to apply to the metric. 
- type: string - example: 'processor.outcome: "success"' - equation: - description: The equation to calculate the "good" metric. - type: string - example: A - total: - description: | - An object defining the "total" metrics and equation - type: object - required: - - metrics - - equation - properties: - metrics: - description: >- - List of metrics with their name, aggregation type, and - field. - type: array - items: - type: object - required: - - name - - aggregation - - field - properties: - name: - description: The name of the metric. Only valid options are A-Z - type: string - example: A - pattern: ^[A-Z]$ - aggregation: - description: >- - The aggregation type of the metric. Only valid option - is "sum" - type: string - example: sum - enum: - - sum - field: - description: The field of the metric. - type: string - example: processor.processed - filter: - description: The filter to apply to the metric. - type: string - example: 'processor.outcome: *' - equation: - description: The equation to calculate the "total" metric. - type: string - example: A - type: - description: The type of indicator. + Connectors_create_connector_request_tines: + description: > + The Tines connector uses Tines Webhook actions to send events via POST + request. + properties: + config: + $ref: '#/components/schemas/Connectors_config_properties_tines' + connector_type_id: + description: The type of connector. + enum: + - .tines + example: .tines type: string - example: sli.metric.custom - SLOs_indicator_properties_histogram: - title: Histogram indicator + name: + description: The display name for the connector. 
+ example: my-connector + type: string + secrets: + $ref: '#/components/schemas/Connectors_secrets_properties_tines' required: - - type - - params - description: Defines properties for a histogram indicator type + - config + - connector_type_id + - name + - secrets + title: Create Tines connector request type: object + Connectors_create_connector_request_torq: + description: > + The Torq connector uses a Torq webhook to trigger workflows with Kibana + actions. properties: - params: - description: An object containing the indicator parameters. - type: object - nullable: false - required: - - index - - timestampField - - good - - total - properties: - index: - description: The index or index pattern to use - type: string - example: my-service-* - dataViewId: - description: >- - The kibana data view id to use, primarily used to include data - view runtime mappings. Make sure to save SLO again if you - add/update run time fields to the data view and if those fields - are being used in slo queries. - type: string - example: 03b80ab3-003d-498b-881c-3beedbaf1162 - filter: - description: the KQL query to filter the documents with. - type: string - example: 'field.environment : "production" and service.name : "my-service"' - timestampField: - description: | - The timestamp field used in the source indice. - type: string - example: timestamp - good: - description: | - An object defining the "good" events - type: object - required: - - aggregation - - field - properties: - field: - description: The field use to aggregate the good events. - type: string - example: processor.latency - aggregation: - description: The type of aggregation to use. - type: string - example: value_count - enum: - - value_count - - range - filter: - description: The filter for good events. - type: string - example: 'processor.outcome: "success"' - from: - description: >- - The starting value of the range. Only required for "range" - aggregations. 
- type: number - example: 0 - to: - description: >- - The ending value of the range. Only required for "range" - aggregations. - type: number - example: 100 - total: - description: | - An object defining the "total" events - type: object - required: - - aggregation - - field - properties: - field: - description: The field use to aggregate the good events. - type: string - example: processor.latency - aggregation: - description: The type of aggregation to use. - type: string - example: value_count - enum: - - value_count - - range - filter: - description: The filter for total events. - type: string - example: 'processor.outcome : *' - from: - description: >- - The starting value of the range. Only required for "range" - aggregations. - type: number - example: 0 - to: - description: >- - The ending value of the range. Only required for "range" - aggregations. - type: number - example: 100 - type: - description: The type of indicator. + config: + $ref: '#/components/schemas/Connectors_config_properties_torq' + connector_type_id: + description: The type of connector. + enum: + - .torq + example: .torq type: string - example: sli.histogram.custom - SLOs_timeslice_metric_basic_metric_with_field: - title: Timeslice Metric Basic Metric with Field + name: + description: The display name for the connector. + example: my-connector + type: string + secrets: + $ref: '#/components/schemas/Connectors_secrets_properties_torq' required: + - config + - connector_type_id - name - - aggregation - - field + - secrets + title: Create Torq connector request type: object + Connectors_create_connector_request_webhook: + description: > + The Webhook connector uses axios to send a POST or PUT request to a web + service. properties: - name: - description: The name of the metric. Only valid options are A-Z + config: + $ref: '#/components/schemas/Connectors_config_properties_webhook' + connector_type_id: + description: The type of connector. 
+ enum: + - .webhook + example: .webhook type: string - example: A - pattern: ^[A-Z]$ - aggregation: - description: The aggregation type of the metric. + name: + description: The display name for the connector. + example: my-connector type: string - example: sum + secrets: + $ref: '#/components/schemas/Connectors_secrets_properties_webhook' + required: + - config + - connector_type_id + - name + - secrets + title: Create Webhook connector request + type: object + Connectors_create_connector_request_xmatters: + description: > + The xMatters connector uses the xMatters Workflow for Elastic to send + actionable alerts to on-call xMatters resources. + properties: + config: + $ref: '#/components/schemas/Connectors_config_properties_xmatters' + connector_type_id: + description: The type of connector. enum: - - sum - - avg - - min - - max - - std_deviation - - last_value - - cardinality - field: - description: The field of the metric. + - .xmatters + example: .xmatters + type: string + name: + description: The display name for the connector. + example: my-connector + type: string + secrets: + $ref: '#/components/schemas/Connectors_secrets_properties_xmatters' + required: + - config + - connector_type_id + - name + - secrets + title: Create xMatters connector request + type: object + Connectors_features: + description: | + The feature that uses the connector. + enum: + - alerting + - cases + - generativeAIForSecurity + - generativeAIForObservability + - generativeAIForSearchPlayground + - siem + - uptime + type: string + Connectors_is_deprecated: + description: Indicates whether the connector type is deprecated. + example: false + type: boolean + Connectors_is_missing_secrets: + description: >- + Indicates whether secrets are missing for the connector. Secrets + configuration properties vary depending on the connector type. + example: false + type: boolean + Connectors_is_preconfigured: + description: > + Indicates whether it is a preconfigured connector. 
If true, the `config` + and `is_missing_secrets` properties are omitted from the response. + example: false + type: boolean + Connectors_is_system_action: + description: Indicates whether the connector is used for system actions. + example: false + type: boolean + Connectors_referenced_by_count: + description: > + Indicates the number of saved objects that reference the connector. If + `is_preconfigured` is true, this value is not calculated. This property + is returned only by the get all connectors API. + example: 2 + type: integer + Connectors_secrets_properties_bedrock: + description: Defines secrets for connectors when type is `.bedrock`. + properties: + accessKey: + description: The AWS access key for authentication. type: string - example: processor.processed - filter: - description: The filter to apply to the metric. + secret: + description: The AWS secret for authentication. type: string - example: 'processor.outcome: "success"' - SLOs_timeslice_metric_percentile_metric: - title: Timeslice Metric Percentile Metric required: - - name - - aggregation - - field - - percentile + - accessKey + - secret + title: Connector secrets properties for an Amazon Bedrock connector + type: object + Connectors_secrets_properties_cases_webhook: + title: Connector secrets properties for Webhook - Case Management connector type: object properties: - name: - description: The name of the metric. Only valid options are A-Z - type: string - example: A - pattern: ^[A-Z]$ - aggregation: + password: description: >- - The aggregation type of the metric. Only valid option is - "percentile" + The password for HTTP basic authentication. If `hasAuth` is set to + `true`, this property is required. type: string - example: percentile - enum: - - percentile - field: - description: The field of the metric. + user: + description: >- + The username for HTTP basic authentication. If `hasAuth` is set to + `true`, this property is required. 
type: string - example: processor.processed - percentile: - description: The percentile value. - type: number - example: 95 - filter: - description: The filter to apply to the metric. + Connectors_secrets_properties_d3security: + description: Defines secrets for connectors when type is `.d3security`. + type: object + properties: + token: + description: The D3 Security token. type: string - example: 'processor.outcome: "success"' - SLOs_timeslice_metric_doc_count_metric: - title: Timeslice Metric Doc Count Metric required: - - name - - aggregation - type: object + - token + title: Connector secrets properties for a D3 Security connector + Connectors_secrets_properties_email: + description: Defines secrets for connectors when type is `.email`. properties: - name: - description: The name of the metric. Only valid options are A-Z + clientSecret: + description: > + The Microsoft Exchange Client secret for OAuth 2.0 client + credentials authentication. It must be URL-encoded. If `service` is + `exchange_server`, this property is required. type: string - example: A - pattern: ^[A-Z]$ - aggregation: - description: The aggregation type of the metric. Only valid option is "doc_count" + password: + description: > + The password for HTTP basic authentication. If `hasAuth` is set to + `true`, this property is required. type: string - example: doc_count - enum: - - doc_count - filter: - description: The filter to apply to the metric. + user: + description: > + The username for HTTP basic authentication. If `hasAuth` is set to + `true`, this property is required. type: string - example: 'processor.outcome: "success"' - SLOs_indicator_properties_timeslice_metric: - title: Timeslice metric - required: - - type - - params - description: Defines properties for a timeslice metric indicator type + title: Connector secrets properties for an email connector type: object + Connectors_secrets_properties_gemini: + description: Defines secrets for connectors when type is `.gemini`. 
properties: - params: - description: An object containing the indicator parameters. - type: object - nullable: false - required: - - index - - timestampField - - metric - properties: - index: - description: The index or index pattern to use - type: string - example: my-service-* - dataViewId: - description: >- - The kibana data view id to use, primarily used to include data - view runtime mappings. Make sure to save SLO again if you - add/update run time fields to the data view and if those fields - are being used in slo queries. - type: string - example: 03b80ab3-003d-498b-881c-3beedbaf1162 - filter: - description: the KQL query to filter the documents with. - type: string - example: 'field.environment : "production" and service.name : "my-service"' - timestampField: - description: | - The timestamp field used in the source indice. - type: string - example: timestamp - metric: - description: > - An object defining the metrics, equation, and threshold to - determine if it's a good slice or not - type: object - required: - - metrics - - equation - - comparator - - threshold - properties: - metrics: - description: >- - List of metrics with their name, aggregation type, and - field. - type: array - items: - anyOf: - - $ref: >- - #/components/schemas/SLOs_timeslice_metric_basic_metric_with_field - - $ref: >- - #/components/schemas/SLOs_timeslice_metric_percentile_metric - - $ref: >- - #/components/schemas/SLOs_timeslice_metric_doc_count_metric - equation: - description: The equation to calculate the metric. - type: string - example: A - comparator: - description: >- - The comparator to use to compare the equation to the - threshold. - type: string - example: GT - enum: - - GT - - GTE - - LT - - LTE - threshold: - description: >- - The threshold used to determine if the metric is a good - slice or not. - type: number - example: 100 - type: - description: The type of indicator. + credentialsJSON: + description: >- + The service account credentials JSON file. 
The service account + should have Vertex AI user IAM role assigned to it. type: string - example: sli.metric.timeslice - SLOs_time_window: - title: Time window required: - - duration - - type - description: Defines properties for the SLO time window + - credentialsJSON + title: Connector secrets properties for a Google Gemini connector type: object + Connectors_secrets_properties_genai: + description: Defines secrets for connectors when type is `.gen-ai`. properties: - duration: - description: >- - the duration formatted as {duration}{unit}. Accepted values for - rolling: 7d, 30d, 90d. Accepted values for calendar aligned: 1w - (weekly) or 1M (monthly) - type: string - example: 30d - type: - description: >- - Indicates weither the time window is a rolling or a calendar aligned - time window. + apiKey: + description: The OpenAI API key. type: string - example: rolling - enum: - - rolling - - calendarAligned - SLOs_budgeting_method: - title: Budgeting method - type: string - description: The budgeting method to use when computing the rollup data. - enum: - - occurrences - - timeslices - example: occurrences - SLOs_objective: - title: Objective - required: - - target - description: Defines properties for the SLO objective + title: Connector secrets properties for an OpenAI connector + type: object + Connectors_secrets_properties_jira: + description: Defines secrets for connectors when type is `.jira`. 
type: object properties: - target: - description: the target objective between 0 and 1 excluded - type: number - minimum: 0 - maximum: 100 - exclusiveMinimum: true - exclusiveMaximum: true - example: 0.99 - timesliceTarget: - description: >- - the target objective for each slice when using a timeslices - budgeting method - type: number - minimum: 0 - maximum: 100 - example: 0.995 - timesliceWindow: - description: >- - the duration of each slice when using a timeslices budgeting method, - as {duraton}{unit} + apiToken: + description: The Jira API authentication token for HTTP basic authentication. type: string - example: 5m - SLOs_settings: - title: Settings - description: Defines properties for SLO settings. + email: + description: The account email for HTTP Basic authentication. + type: string + required: + - apiToken + - email + title: Connector secrets properties for a Jira connector + Connectors_secrets_properties_opsgenie: + description: Defines secrets for connectors when type is `.opsgenie`. type: object properties: - syncDelay: - description: The synch delay to apply to the transform. Default 1m - type: string - default: 1m - example: 5m - frequency: - description: Configure how often the transform runs, default 1m + apiKey: + description: The Opsgenie API authentication key for HTTP Basic authentication. type: string - default: 1m - example: 5m - preventInitialBackfill: - description: Prevents the transform from backfilling data when it starts. - type: boolean - default: false - example: true - SLOs_summary_status: - title: summary status - type: string - enum: - - NO_DATA - - HEALTHY - - DEGRADING - - VIOLATED - example: HEALTHY - SLOs_error_budget: - title: Error budget - type: object required: - - initial - - consumed - - remaining - - isEstimated + - apiKey + title: Connector secrets properties for an Opsgenie connector + Connectors_secrets_properties_pagerduty: + description: Defines secrets for connectors when type is `.pagerduty`. 
properties: - initial: - type: number - description: The initial error budget, as 1 - objective - example: 0.02 - consumed: - type: number - description: The error budget consummed, as a percentage of the initial value. - example: 0.8 - remaining: - type: number - description: The error budget remaining, as a percentage of the initial value. - example: 0.2 - isEstimated: - type: boolean - description: >- - Only for SLO defined with occurrences budgeting method and calendar - aligned time window. - example: true - SLOs_summary: - title: Summary - type: object - description: The SLO computed data + routingKey: + description: > + A 32 character PagerDuty Integration Key for an integration on a + service. + type: string required: - - status - - sliValue - - errorBudget - properties: - status: - $ref: '#/components/schemas/SLOs_summary_status' - sliValue: - type: number - example: 0.9836 - errorBudget: - $ref: '#/components/schemas/SLOs_error_budget' - SLOs_slo_with_summary_response: - title: SLO response + - routingKey + title: Connector secrets properties for a PagerDuty connector + type: object + Connectors_secrets_properties_resilient: + description: Defines secrets for connectors when type is `.resilient`. type: object - required: - - id - - name - - description - - indicator - - timeWindow - - budgetingMethod - - objective - - settings - - revision - - summary - - enabled - - groupBy - - instanceId - - tags - - createdAt - - updatedAt - - version properties: - id: - description: The identifier of the SLO. + apiKeyId: + description: The authentication key ID for HTTP Basic authentication. type: string - example: 8853df00-ae2e-11ed-90af-09bb6422b258 - name: - description: The name of the SLO. + apiKeySecret: + description: The authentication key secret for HTTP Basic authentication. type: string - example: My Service SLO - description: - description: The description of the SLO. 
+ required: + - apiKeyId + - apiKeySecret + title: Connector secrets properties for IBM Resilient connector + Connectors_secrets_properties_sentinelone: + description: Defines secrets for connectors when type is `.sentinelone`. + properties: + token: + description: The A SentinelOne API token. type: string - example: My SLO description - indicator: - discriminator: - propertyName: type - mapping: - sli.apm.transactionErrorRate: '#/components/schemas/SLOs_indicator_properties_apm_availability' - sli.kql.custom: '#/components/schemas/SLOs_indicator_properties_custom_kql' - sli.apm.transactionDuration: '#/components/schemas/SLOs_indicator_properties_apm_latency' - sli.metric.custom: '#/components/schemas/SLOs_indicator_properties_custom_metric' - sli.histogram.custom: '#/components/schemas/SLOs_indicator_properties_histogram' - sli.metric.timeslice: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' - oneOf: - - $ref: '#/components/schemas/SLOs_indicator_properties_custom_kql' - - $ref: '#/components/schemas/SLOs_indicator_properties_apm_availability' - - $ref: '#/components/schemas/SLOs_indicator_properties_apm_latency' - - $ref: '#/components/schemas/SLOs_indicator_properties_custom_metric' - - $ref: '#/components/schemas/SLOs_indicator_properties_histogram' - - $ref: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' - timeWindow: - $ref: '#/components/schemas/SLOs_time_window' - budgetingMethod: - $ref: '#/components/schemas/SLOs_budgeting_method' - objective: - $ref: '#/components/schemas/SLOs_objective' - settings: - $ref: '#/components/schemas/SLOs_settings' - revision: - description: The SLO revision - type: number - example: 2 - summary: - $ref: '#/components/schemas/SLOs_summary' - enabled: - description: Indicate if the SLO is enabled - type: boolean - example: true - groupBy: - description: optional group by field to use to generate an SLO per distinct value + required: + - token + title: Connector secrets properties for a 
SentinelOne connector + type: object + Connectors_secrets_properties_servicenow: + description: >- + Defines secrets for connectors when type is `.servicenow`, + `.servicenow-sir`, or `.servicenow-itom`. + properties: + clientSecret: + description: >- + The client secret assigned to your OAuth application. This property + is required when `isOAuth` is `true`. type: string - example: some.field - instanceId: - description: the value derived from the groupBy field, if present, otherwise '*' + password: + description: >- + The password for HTTP basic authentication. This property is + required when `isOAuth` is `false`. type: string - example: host-abcde - tags: - description: List of tags - type: array - items: - type: string - createdAt: - description: The creation date + privateKey: + description: >- + The RSA private key that you created for use in ServiceNow. This + property is required when `isOAuth` is `true`. type: string - example: '2023-01-12T10:03:19.000Z' - updatedAt: - description: The last update date + privateKeyPassword: + description: >- + The password for the RSA private key. This property is required when + `isOAuth` is `true` and you set a password on your private key. type: string - example: '2023-01-12T10:03:19.000Z' - version: - description: The internal SLO version - type: number - example: 2 - SLOs_find_slo_response: - title: Find SLO response - description: | - A paginated response of SLOs matching the query. + username: + description: >- + The username for HTTP basic authentication. This property is + required when `isOAuth` is `false`. 
+ type: string + title: >- + Connector secrets properties for ServiceNow ITOM, ServiceNow ITSM, and + ServiceNow SecOps connectors type: object - properties: - page: - type: number - example: 1 - perPage: - type: number - example: 25 - total: - type: number - example: 34 - results: - type: array - items: - $ref: '#/components/schemas/SLOs_slo_with_summary_response' - SLOs_400_response: - title: Bad request + Connectors_secrets_properties_slack_api: + description: Defines secrets for connectors when type is `.slack`. type: object + properties: + token: + description: Slack bot user OAuth token. + type: string required: - - statusCode - - error - - message + - token + title: Connector secrets properties for a Web API Slack connector + Connectors_secrets_properties_slack_webhook: + description: Defines secrets for connectors when type is `.slack`. + type: object properties: - statusCode: - type: number - example: 400 - error: + webhookUrl: + description: Slack webhook url. type: string - example: Bad Request - message: + required: + - webhookUrl + title: Connector secrets properties for a Webhook Slack connector + Connectors_secrets_properties_swimlane: + description: Defines secrets for connectors when type is `.swimlane`. + properties: + apiToken: + description: Swimlane API authentication token. type: string - example: 'Invalid value ''foo'' supplied to: [...]' - SLOs_401_response: - title: Unauthorized + title: Connector secrets properties for a Swimlane connector type: object + Connectors_secrets_properties_teams: + description: Defines secrets for connectors when type is `.teams`. + properties: + webhookUrl: + description: > + The URL of the incoming webhook. If you are using the + `xpack.actions.allowedHosts` setting, add the hostname to the + allowed hosts. 
+ type: string required: - - statusCode - - error - - message + - webhookUrl + title: Connector secrets properties for a Microsoft Teams connector + type: object + Connectors_secrets_properties_tines: + description: Defines secrets for connectors when type is `.tines`. properties: - statusCode: - type: number - example: 401 - error: + email: + description: The email used to sign in to Tines. type: string - example: Unauthorized - message: + token: + description: The Tines API token. type: string - example: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastics] for REST request [/_security/_authenticate]]: unable to authenticate user [elastics] for REST request [/_security/_authenticate]" - SLOs_403_response: - title: Unauthorized + required: + - email + - token + title: Connector secrets properties for a Tines connector type: object + Connectors_secrets_properties_torq: + description: Defines secrets for connectors when type is `.torq`. + properties: + token: + description: The secret of the webhook authentication header. + type: string required: - - statusCode - - error - - message + - token + title: Connector secrets properties for a Torq connector + type: object + Connectors_secrets_properties_webhook: + description: Defines secrets for connectors when type is `.webhook`. properties: - statusCode: - type: number - example: 403 - error: + crt: + description: >- + If `authType` is `webhook-authentication-ssl` and `certType` is + `ssl-crt-key`, it is a base64 encoded version of the CRT or CERT + file. type: string - example: Unauthorized - message: + key: + description: >- + If `authType` is `webhook-authentication-ssl` and `certType` is + `ssl-crt-key`, it is a base64 encoded version of the KEY file. 
type: string - example: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastics] for REST request [/_security/_authenticate]]: unable to authenticate user [elastics] for REST request [/_security/_authenticate]" - SLOs_404_response: - title: Not found + password: + description: > + The password for HTTP basic authentication or the passphrase for the + SSL certificate files. If `hasAuth` is set to `true` and `authType` + is `webhook-authentication-basic`, this property is required. + type: string + pfx: + description: >- + If `authType` is `webhook-authentication-ssl` and `certType` is + `ssl-pfx`, it is a base64 encoded version of the PFX or P12 file. + type: string + user: + description: > + The username for HTTP basic authentication. If `hasAuth` is set to + `true` and `authType` is `webhook-authentication-basic`, this + property is required. + type: string + title: Connector secrets properties for a Webhook connector type: object - required: - - statusCode - - error - - message + Connectors_secrets_properties_xmatters: + description: Defines secrets for connectors when type is `.xmatters`. properties: - statusCode: - type: number - example: 404 - error: + password: + description: > + A user name for HTTP basic authentication. It is applicable only + when `usesBasic` is `true`. type: string - example: Not Found - message: + secretsUrl: + description: > + The request URL for the Elastic Alerts trigger in xMatters with the + API key included in the URL. It is applicable only when `usesBasic` + is `false`. type: string - example: SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found - SLOs_create_slo_request: - title: Create SLO request - description: > - The create SLO API request body varies depending on the type of - indicator, time window and budgeting method. + user: + description: > + A password for HTTP basic authentication. It is applicable only when + `usesBasic` is `true`. 
+ type: string + title: Connector secrets properties for an xMatters connector + type: object + Connectors_update_connector_request: + description: The properties vary depending on the connector type. + oneOf: + - $ref: '#/components/schemas/Connectors_update_connector_request_bedrock' + - $ref: '#/components/schemas/Connectors_update_connector_request_gemini' + - $ref: >- + #/components/schemas/Connectors_update_connector_request_cases_webhook + - $ref: '#/components/schemas/Connectors_update_connector_request_d3security' + - $ref: '#/components/schemas/Connectors_update_connector_request_email' + - $ref: '#/components/schemas/Connectors_create_connector_request_genai' + - $ref: '#/components/schemas/Connectors_update_connector_request_index' + - $ref: '#/components/schemas/Connectors_update_connector_request_jira' + - $ref: '#/components/schemas/Connectors_update_connector_request_opsgenie' + - $ref: '#/components/schemas/Connectors_update_connector_request_pagerduty' + - $ref: '#/components/schemas/Connectors_update_connector_request_resilient' + - $ref: '#/components/schemas/Connectors_update_connector_request_sentinelone' + - $ref: '#/components/schemas/Connectors_update_connector_request_serverlog' + - $ref: '#/components/schemas/Connectors_update_connector_request_servicenow' + - $ref: >- + #/components/schemas/Connectors_update_connector_request_servicenow_itom + - $ref: '#/components/schemas/Connectors_update_connector_request_slack_api' + - $ref: >- + #/components/schemas/Connectors_update_connector_request_slack_webhook + - $ref: '#/components/schemas/Connectors_update_connector_request_swimlane' + - $ref: '#/components/schemas/Connectors_update_connector_request_teams' + - $ref: '#/components/schemas/Connectors_update_connector_request_tines' + - $ref: '#/components/schemas/Connectors_update_connector_request_torq' + - $ref: '#/components/schemas/Connectors_update_connector_request_webhook' + - $ref: 
'#/components/schemas/Connectors_update_connector_request_xmatters' + title: Update connector request body properties + Connectors_update_connector_request_bedrock: + title: Update Amazon Bedrock connector request type: object + properties: + config: + $ref: '#/components/schemas/Connectors_config_properties_bedrock' + name: + description: The display name for the connector. + type: string + secrets: + $ref: '#/components/schemas/Connectors_secrets_properties_bedrock' required: + - config - name - - description - - indicator - - timeWindow - - budgetingMethod - - objective + Connectors_update_connector_request_cases_webhook: + title: Update Webhook - Case Managment connector request + type: object properties: - id: - description: >- - A optional and unique identifier for the SLO. Must be between 8 and - 36 chars + config: + $ref: '#/components/schemas/Connectors_config_properties_cases_webhook' + name: + description: The display name for the connector. + example: my-connector type: string - example: my-super-slo-id + secrets: + $ref: '#/components/schemas/Connectors_secrets_properties_cases_webhook' + required: + - config + - name + Connectors_update_connector_request_d3security: + title: Update D3 Security connector request + type: object + properties: + config: + $ref: '#/components/schemas/Connectors_config_properties_d3security' name: - description: A name for the SLO. + description: The display name for the connector. type: string - description: - description: A description for the SLO. + secrets: + $ref: '#/components/schemas/Connectors_secrets_properties_d3security' + required: + - config + - name + - secrets + Connectors_update_connector_request_email: + title: Update email connector request + type: object + properties: + config: + $ref: '#/components/schemas/Connectors_config_properties_email' + name: + description: The display name for the connector. 
type: string - indicator: - oneOf: - - $ref: '#/components/schemas/SLOs_indicator_properties_custom_kql' - - $ref: '#/components/schemas/SLOs_indicator_properties_apm_availability' - - $ref: '#/components/schemas/SLOs_indicator_properties_apm_latency' - - $ref: '#/components/schemas/SLOs_indicator_properties_custom_metric' - - $ref: '#/components/schemas/SLOs_indicator_properties_histogram' - - $ref: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' - timeWindow: - $ref: '#/components/schemas/SLOs_time_window' - budgetingMethod: - $ref: '#/components/schemas/SLOs_budgeting_method' - objective: - $ref: '#/components/schemas/SLOs_objective' - settings: - $ref: '#/components/schemas/SLOs_settings' - groupBy: - description: optional group by field to use to generate an SLO per distinct value + secrets: + $ref: '#/components/schemas/Connectors_secrets_properties_email' + required: + - config + - name + Connectors_update_connector_request_gemini: + title: Update Google Gemini connector request + type: object + properties: + config: + $ref: '#/components/schemas/Connectors_config_properties_gemini' + name: + description: The display name for the connector. type: string - example: some.field - tags: - description: List of tags - type: array - items: - type: string - SLOs_create_slo_response: - title: Create SLO response + secrets: + $ref: '#/components/schemas/Connectors_secrets_properties_gemini' + required: + - config + - name + Connectors_update_connector_request_index: + title: Update index connector request type: object - required: - - id properties: - id: + config: + $ref: '#/components/schemas/Connectors_config_properties_index' + name: + description: The display name for the connector. 
type: string - example: 8853df00-ae2e-11ed-90af-09bb6422b258 - SLOs_409_response: - title: Conflict - type: object required: - - statusCode - - error - - message + - config + - name + Connectors_update_connector_request_jira: + title: Update Jira connector request + type: object properties: - statusCode: - type: number - example: 409 - error: - type: string - example: Conflict - message: + config: + $ref: '#/components/schemas/Connectors_config_properties_jira' + name: + description: The display name for the connector. type: string - example: SLO [d077e940-1515-11ee-9c50-9d096392f520] already exists - SLOs_update_slo_request: - title: Update SLO request - description: > - The update SLO API request body varies depending on the type of - indicator, time window and budgeting method. Partial update is handled. + secrets: + $ref: '#/components/schemas/Connectors_secrets_properties_jira' + required: + - config + - name + - secrets + Connectors_update_connector_request_opsgenie: + title: Update Opsgenie connector request type: object properties: + config: + $ref: '#/components/schemas/Connectors_config_properties_opsgenie' name: - description: A name for the SLO. - type: string - description: - description: A description for the SLO. + description: The display name for the connector. 
type: string - indicator: - oneOf: - - $ref: '#/components/schemas/SLOs_indicator_properties_custom_kql' - - $ref: '#/components/schemas/SLOs_indicator_properties_apm_availability' - - $ref: '#/components/schemas/SLOs_indicator_properties_apm_latency' - - $ref: '#/components/schemas/SLOs_indicator_properties_custom_metric' - - $ref: '#/components/schemas/SLOs_indicator_properties_histogram' - - $ref: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' - timeWindow: - $ref: '#/components/schemas/SLOs_time_window' - budgetingMethod: - $ref: '#/components/schemas/SLOs_budgeting_method' - objective: - $ref: '#/components/schemas/SLOs_objective' - settings: - $ref: '#/components/schemas/SLOs_settings' - tags: - description: List of tags - type: array - items: - type: string - SLOs_slo_definition_response: - title: SLO definition response - type: object + secrets: + $ref: '#/components/schemas/Connectors_secrets_properties_opsgenie' required: - - id + - config - name - - description - - indicator - - timeWindow - - budgetingMethod - - objective - - settings - - revision - - enabled - - groupBy - - tags - - createdAt - - updatedAt - - version + - secrets + Connectors_update_connector_request_pagerduty: + title: Update PagerDuty connector request + type: object properties: - id: - description: The identifier of the SLO. - type: string - example: 8853df00-ae2e-11ed-90af-09bb6422b258 + config: + $ref: '#/components/schemas/Connectors_config_properties_pagerduty' name: - description: The name of the SLO. - type: string - example: My Service SLO - description: - description: The description of the SLO. 
- type: string - example: My SLO description - indicator: - discriminator: - propertyName: type - mapping: - sli.apm.transactionErrorRate: '#/components/schemas/SLOs_indicator_properties_apm_availability' - sli.kql.custom: '#/components/schemas/SLOs_indicator_properties_custom_kql' - sli.apm.transactionDuration: '#/components/schemas/SLOs_indicator_properties_apm_latency' - sli.metric.custom: '#/components/schemas/SLOs_indicator_properties_custom_metric' - sli.histogram.custom: '#/components/schemas/SLOs_indicator_properties_histogram' - sli.metric.timeslice: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' - oneOf: - - $ref: '#/components/schemas/SLOs_indicator_properties_custom_kql' - - $ref: '#/components/schemas/SLOs_indicator_properties_apm_availability' - - $ref: '#/components/schemas/SLOs_indicator_properties_apm_latency' - - $ref: '#/components/schemas/SLOs_indicator_properties_custom_metric' - - $ref: '#/components/schemas/SLOs_indicator_properties_histogram' - - $ref: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' - timeWindow: - $ref: '#/components/schemas/SLOs_time_window' - budgetingMethod: - $ref: '#/components/schemas/SLOs_budgeting_method' - objective: - $ref: '#/components/schemas/SLOs_objective' - settings: - $ref: '#/components/schemas/SLOs_settings' - revision: - description: The SLO revision - type: number - example: 2 - enabled: - description: Indicate if the SLO is enabled - type: boolean - example: true - groupBy: - description: optional group by field to use to generate an SLO per distinct value - type: string - example: some.field - tags: - description: List of tags - type: array - items: - type: string - createdAt: - description: The creation date + description: The display name for the connector. 
type: string - example: '2023-01-12T10:03:19.000Z' - updatedAt: - description: The last update date + secrets: + $ref: '#/components/schemas/Connectors_secrets_properties_pagerduty' + required: + - config + - name + - secrets + Connectors_update_connector_request_resilient: + title: Update IBM Resilient connector request + type: object + properties: + config: + $ref: '#/components/schemas/Connectors_config_properties_resilient' + name: + description: The display name for the connector. type: string - example: '2023-01-12T10:03:19.000Z' - version: - description: The internal SLO version - type: number - example: 2 - SLOs_delete_slo_instances_request: - title: Delete SLO instances request - description: > - The delete SLO instances request takes a list of SLO id and instance id, - then delete the rollup and summary data. This API can be used to remove - the staled data of an instance SLO that no longer get updated. + secrets: + $ref: '#/components/schemas/Connectors_secrets_properties_resilient' + required: + - config + - name + - secrets + Connectors_update_connector_request_sentinelone: + title: Update SentinelOne connector request type: object + properties: + config: + $ref: '#/components/schemas/Connectors_config_properties_sentinelone' + name: + description: The display name for the connector. 
+ type: string + secrets: + $ref: '#/components/schemas/Connectors_secrets_properties_sentinelone' required: - - list + - config + - name + - secrets + Connectors_update_connector_request_serverlog: + title: Update server log connector request + type: object properties: - list: - description: An array of slo id and instance id - type: array - items: - type: object - required: - - sloId - - instanceId - properties: - sloId: - description: The SLO unique identifier - type: string - example: 8853df00-ae2e-11ed-90af-09bb6422b258 - instanceId: - description: The SLO instance identifier - type: string - example: 8853df00-ae2e-11ed-90af-09bb6422b258 - Kibana_HTTP_APIs_core_status_redactedResponse: - additionalProperties: false - description: A minimal representation of Kibana's operational status. + name: + description: The display name for the connector. + type: string + required: + - name + Connectors_update_connector_request_servicenow: + title: Update ServiceNow ITSM connector or ServiceNow SecOps request + type: object properties: - status: - additionalProperties: false - properties: - overall: - additionalProperties: false - properties: - level: - description: Service status levels as human and machine readable values. - enum: - - available - - degraded - - unavailable - - critical - type: string - required: - - level - type: object - required: - - overall - type: object + config: + $ref: '#/components/schemas/Connectors_config_properties_servicenow' + name: + description: The display name for the connector. 
+ type: string + secrets: + $ref: '#/components/schemas/Connectors_secrets_properties_servicenow' required: - - status + - config + - name + - secrets + Connectors_update_connector_request_servicenow_itom: + title: Create ServiceNow ITOM connector request type: object - Kibana_HTTP_APIs_core_status_response: - additionalProperties: false - description: >- - Kibana's operational status as well as a detailed breakdown of plugin - statuses indication of various loads (like event loop utilization and - network traffic) at time of request. properties: - metrics: - additionalProperties: false - description: Metric groups collected by Kibana. - properties: - collection_interval_in_millis: - description: The interval at which metrics should be collected. - type: number - elasticsearch_client: - additionalProperties: false - description: Current network metrics of Kibana's Elasticsearch client. - properties: - totalActiveSockets: - description: Count of network sockets currently in use. - type: number - totalIdleSockets: - description: Count of network sockets currently idle. - type: number - totalQueuedRequests: - description: Count of requests not yet assigned to sockets. - type: number - required: - - totalActiveSockets - - totalIdleSockets - - totalQueuedRequests - type: object - last_updated: - description: The time metrics were collected. - type: string - required: - - elasticsearch_client - - last_updated - - collection_interval_in_millis - type: object + config: + $ref: '#/components/schemas/Connectors_config_properties_servicenow_itom' name: - description: Kibana instance name. - type: string - status: - additionalProperties: false - properties: - core: - additionalProperties: false - description: Statuses of core Kibana services. - properties: - elasticsearch: - additionalProperties: false - properties: - detail: - description: Human readable detail of the service status. 
- type: string - documentationUrl: - description: A URL to further documentation regarding this service. - type: string - level: - description: >- - Service status levels as human and machine readable - values. - enum: - - available - - degraded - - unavailable - - critical - type: string - meta: - additionalProperties: {} - description: >- - An unstructured set of extra metadata about this - service. - type: object - summary: - description: A human readable summary of the service status. - type: string - required: - - level - - summary - - meta - type: object - savedObjects: - additionalProperties: false - properties: - detail: - description: Human readable detail of the service status. - type: string - documentationUrl: - description: A URL to further documentation regarding this service. - type: string - level: - description: >- - Service status levels as human and machine readable - values. - enum: - - available - - degraded - - unavailable - - critical - type: string - meta: - additionalProperties: {} - description: >- - An unstructured set of extra metadata about this - service. - type: object - summary: - description: A human readable summary of the service status. - type: string - required: - - level - - summary - - meta - type: object - required: - - elasticsearch - - savedObjects - type: object - overall: - additionalProperties: false - properties: - detail: - description: Human readable detail of the service status. - type: string - documentationUrl: - description: A URL to further documentation regarding this service. - type: string - level: - description: Service status levels as human and machine readable values. - enum: - - available - - degraded - - unavailable - - critical - type: string - meta: - additionalProperties: {} - description: An unstructured set of extra metadata about this service. - type: object - summary: - description: A human readable summary of the service status. 
- type: string - required: - - level - - summary - - meta - type: object - plugins: - additionalProperties: - additionalProperties: false - properties: - detail: - description: Human readable detail of the service status. - type: string - documentationUrl: - description: A URL to further documentation regarding this service. - type: string - level: - description: >- - Service status levels as human and machine readable - values. - enum: - - available - - degraded - - unavailable - - critical - type: string - meta: - additionalProperties: {} - description: An unstructured set of extra metadata about this service. - type: object - summary: - description: A human readable summary of the service status. - type: string - required: - - level - - summary - - meta - type: object - description: A dynamic mapping of plugin ID to plugin status. - type: object - required: - - overall - - core - - plugins - type: object - uuid: - description: >- - Unique, generated Kibana instance UUID. This UUID should persist - even if the Kibana process restarts. + description: The display name for the connector. type: string - version: - additionalProperties: false - properties: - build_date: - description: The date and time of this build. - type: string - build_flavor: - description: >- - The build flavour determines configuration and behavior of - Kibana. On premise users will almost always run the - "traditional" flavour, while other flavours are reserved for - Elastic-specific use cases. - enum: - - serverless - - traditional - type: string - build_hash: - description: >- - A unique hash value representing the git commit of this Kibana - build. - type: string - build_number: - description: >- - A monotonically increasing number, each subsequent build will - have a higher number. - type: number - build_snapshot: - description: Whether this build is a snapshot build. - type: boolean - number: - description: A semantic version number. 
- type: string - required: - - number - - build_hash - - build_number - - build_snapshot - - build_flavor - - build_date - type: object + secrets: + $ref: '#/components/schemas/Connectors_secrets_properties_servicenow' + required: + - config + - name + - secrets + Connectors_update_connector_request_slack_api: + title: Update Slack connector request + type: object + properties: + config: + $ref: '#/components/schemas/Connectors_config_properties_slack_api' + name: + description: The display name for the connector. + type: string + secrets: + $ref: '#/components/schemas/Connectors_secrets_properties_slack_api' required: - name - - uuid - - version - - status - - metrics + - secrets + Connectors_update_connector_request_slack_webhook: + title: Update Slack connector request type: object - examples: - Connectors_create_email_connector_request: - summary: Create an email connector. - value: - name: email-connector-1 - connector_type_id: .email - config: - from: tester@example.com - hasAuth: true - host: https://example.com - port: 1025 - secure: false - service: other + properties: + name: + description: The display name for the connector. + type: string secrets: - user: username - password: password - Connectors_create_index_connector_request: - summary: Create an index connector. - value: - name: my-connector - connector_type_id: .index - config: - index: test-index - Connectors_create_webhook_connector_request: - summary: Create a webhook connector with SSL authentication. 
- value: - name: my-webhook-connector - connector_type_id: .webhook + $ref: '#/components/schemas/Connectors_secrets_properties_slack_webhook' + required: + - name + - secrets + Connectors_update_connector_request_swimlane: + title: Update Swimlane connector request + type: object + properties: config: - method: post - url: https://example.com - authType: webhook-authentication-ssl - certType: ssl-crt-key + $ref: '#/components/schemas/Connectors_config_properties_swimlane' + name: + description: The display name for the connector. + example: my-connector + type: string secrets: - crt: QmFnIEF0dH... - key: LS0tLS1CRUdJ... - password: my-passphrase - Connectors_create_xmatters_connector_request: - summary: Create an xMatters connector with URL authentication. - value: - name: my-xmatters-connector - connector_type_id: .xmatters - config: - usesBasic: false + $ref: '#/components/schemas/Connectors_secrets_properties_swimlane' + required: + - config + - name + - secrets + Connectors_update_connector_request_teams: + title: Update Microsoft Teams connector request + type: object + properties: + name: + description: The display name for the connector. + type: string secrets: - secretsUrl: https://example.com?apiKey=xxxxx - Connectors_create_email_connector_response: - summary: A new email connector. - value: - id: 90a82c60-478f-11ee-a343-f98a117c727f - connector_type_id: .email - name: email-connector-1 - config: - from: tester@example.com - service: other - host: https://example.com - port: 1025 - secure: false - hasAuth: true - tenantId: null - clientId: null - oauthTokenUrl: null - is_preconfigured: false - is_deprecated: false - is_missing_secrets: false - is_system_action: false - Connectors_create_index_connector_response: - summary: A new index connector. 
- value: - id: c55b6eb0-6bad-11eb-9f3b-611eebc6c3ad - connector_type_id: .index - name: my-connector - config: - index: test-index - refresh: false - executionTimeField: null - is_preconfigured: false - is_deprecated: false - is_missing_secrets: false - is_system_action: false - Connectors_create_webhook_connector_response: - summary: A new webhook connector. - value: - id: 900eb010-3b9d-11ee-a642-8ffbb94e38bd - name: my-webhook-connector - config: - method: post - url: https://example.com - authType: webhook-authentication-ssl - certType: ssl-crt-key - verificationMode: full - headers: null - hasAuth: true - connector_type_id: .webhook - is_preconfigured: false - is_deprecated: false - is_missing_secrets: false - is_system_action: false - Connectors_create_xmatters_connector_response: - summary: A new xMatters connector. - value: - id: 4d2d8da0-4d1f-11ee-9367-577408be4681 - name: my-xmatters-connector - config: - usesBasic: false - configUrl: null - connector_type_id: .xmatters - is_preconfigured: false - is_deprecated: false - is_missing_secrets: false - is_system_action: false - Connectors_get_connector_response: - summary: Get connector details. - value: - id: df770e30-8b8b-11ed-a780-3b746c987a81 - name: my_server_log_connector - config: {} - connector_type_id: .server-log - is_preconfigured: false - is_deprecated: false - is_missing_secrets: false - is_system_action: false - Connectors_update_index_connector_request: - summary: Update an index connector. 
- value: - name: updated-connector + $ref: '#/components/schemas/Connectors_secrets_properties_teams' + required: + - name + - secrets + Connectors_update_connector_request_tines: + title: Update Tines connector request + type: object + properties: config: - index: updated-index - Connectors_get_connectors_response: - summary: A list of connectors - value: - - id: preconfigured-email-connector - name: my-preconfigured-email-notification - connector_type_id: .email - is_preconfigured: true - is_deprecated: false - referenced_by_count: 0 - is_system_action: false - - id: e07d0c80-8b8b-11ed-a780-3b746c987a81 - name: my-index-connector - config: - index: test-index - refresh: false - executionTimeField: null - connector_type_id: .index - is_preconfigured: false - is_deprecated: false - referenced_by_count: 2 - is_missing_secrets: false - is_system_action: false - Connectors_get_connector_types_generativeai_response: - summary: A list of connector types for the `generativeAI` feature. - value: - - id: .gen-ai - name: OpenAI - enabled: true - enabled_in_config: true - enabled_in_license: true - minimum_license_required: enterprise - supported_feature_ids: - - generativeAIForSecurity - - generativeAIForObservability - - generativeAIForSearchPlayground - is_system_action_type: false - - id: .bedrock - name: AWS Bedrock - enabled: true - enabled_in_config: true - enabled_in_license: true - minimum_license_required: enterprise - supported_feature_ids: - - generativeAIForSecurity - - generativeAIForObservability - - generativeAIForSearchPlayground - is_system_action_type: false - - id: .gemini - name: Google Gemini - enabled: true - enabled_in_config: true - enabled_in_license: true - minimum_license_required: enterprise - supported_feature_ids: - - generativeAIForSecurity - is_system_action_type: false - Data_views_get_data_views_response: - summary: The get all data views API returns a list of data views. 
- value: - data_view: - - id: ff959d40-b880-11e8-a6d9-e546fe2bba5f - namespaces: - - default - title: kibana_sample_data_ecommerce - typeMeta: {} - name: Kibana Sample Data eCommerce - - id: d3d7af60-4c81-11e8-b3d7-01146121b73d - namespaces: - - default - title: kibana_sample_data_flights - name: Kibana Sample Data Flights - - id: 90943e30-9a47-11e8-b64d-95841ca0b247 - namespaces: - - default - title: kibana_sample_data_logs - name: Kibana Sample Data Logs - Data_views_create_data_view_request: - summary: Create a data view with runtime fields. - value: - data_view: - title: logstash-* - name: My Logstash data view - runtimeFieldMap: - runtime_shape_name: - type: keyword - script: - source: emit(doc['shape_name'].value) - Data_views_get_data_view_response: - summary: >- - The get data view API returns a JSON object that contains information - about the data view. - value: + $ref: '#/components/schemas/Connectors_config_properties_tines' + name: + description: The display name for the connector. + type: string + secrets: + $ref: '#/components/schemas/Connectors_secrets_properties_tines' + required: + - config + - name + - secrets + Connectors_update_connector_request_torq: + title: Update Torq connector request + type: object + properties: + config: + $ref: '#/components/schemas/Connectors_config_properties_torq' + name: + description: The display name for the connector. + type: string + secrets: + $ref: '#/components/schemas/Connectors_secrets_properties_torq' + required: + - config + - name + - secrets + Connectors_update_connector_request_webhook: + title: Update Webhook connector request + type: object + properties: + config: + $ref: '#/components/schemas/Connectors_config_properties_webhook' + name: + description: The display name for the connector. 
+ type: string + secrets: + $ref: '#/components/schemas/Connectors_secrets_properties_webhook' + required: + - config + - name + - secrets + Connectors_update_connector_request_xmatters: + title: Update xMatters connector request + type: object + properties: + config: + $ref: '#/components/schemas/Connectors_config_properties_xmatters' + name: + description: The display name for the connector. + type: string + secrets: + $ref: '#/components/schemas/Connectors_secrets_properties_xmatters' + required: + - config + - name + - secrets + Data_views_400_response: + title: Bad request + type: object + properties: + error: + example: Bad Request + type: string + message: + type: string + statusCode: + example: 400 + type: number + required: + - statusCode + - error + - message + Data_views_404_response: + type: object + properties: + error: + enum: + - Not Found + example: Not Found + type: string + message: + example: >- + Saved object [index-pattern/caaad6d0-920c-11ed-b36a-874bd1548a00] + not found + type: string + statusCode: + enum: + - 404 + example: 404 + type: integer + Data_views_allownoindex: + description: Allows the data view saved object to exist before the data is available. 
+ type: boolean + Data_views_create_data_view_request_object: + title: Create data view request + type: object + properties: data_view: - id: ff959d40-b880-11e8-a6d9-e546fe2bba5f - version: WzUsMV0= - title: kibana_sample_data_ecommerce - timeFieldName: order_date - sourceFilters: [] - fields: - _id: - count: 0 - name: _id - type: string - esTypes: - - _id - scripted: false - searchable: true - aggregatable: false - readFromDocValues: false - format: - id: string - shortDotsEnable: false - isMapped: true - _index: - count: 0 - name: _index - type: string - esTypes: - - _index - scripted: false - searchable: true - aggregatable: true - readFromDocValues: false - format: - id: string - shortDotsEnable: false - isMapped: true - _score: - count: 0 - name: _score - type: number - scripted: false - searchable: false - aggregatable: false - readFromDocValues: false - format: - id: number - shortDotsEnable: false - isMapped: true - _source: - count: 0 - name: _source - type: _source - esTypes: - - _source - scripted: false - searchable: false - aggregatable: false - readFromDocValues: false - format: - id: _source - shortDotsEnable: false - isMapped: true - category: - count: 0 - name: category + description: The data view object. + type: object + properties: + allowNoIndex: + $ref: '#/components/schemas/Data_views_allownoindex' + fieldAttrs: + additionalProperties: + $ref: '#/components/schemas/Data_views_fieldattrs' + type: object + fieldFormats: + $ref: '#/components/schemas/Data_views_fieldformats' + fields: + type: object + id: type: string - esTypes: - - text - scripted: false - searchable: true - aggregatable: false - readFromDocValues: false - format: - id: string - shortDotsEnable: false - isMapped: true - category.keyword: - count: 0 - name: category.keyword + name: + description: The data view name. 
type: string - esTypes: - - keyword - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - subType: - multi: - parent: category - format: - id: string - shortDotsEnable: false - isMapped: true - currency: - count: 0 - name: currency + namespaces: + $ref: '#/components/schemas/Data_views_namespaces' + runtimeFieldMap: + additionalProperties: + $ref: '#/components/schemas/Data_views_runtimefieldmap' + type: object + sourceFilters: + $ref: '#/components/schemas/Data_views_sourcefilters' + timeFieldName: + $ref: '#/components/schemas/Data_views_timefieldname' + title: + $ref: '#/components/schemas/Data_views_title' + type: + $ref: '#/components/schemas/Data_views_type' + typeMeta: + $ref: '#/components/schemas/Data_views_typemeta' + version: type: string - esTypes: - - keyword - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: string - shortDotsEnable: false - isMapped: true - customer_birth_date: - count: 0 - name: customer_birth_date - type: date - esTypes: - - date - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: date - shortDotsEnable: false - isMapped: true - customer_first_name: - count: 0 - name: customer_first_name + required: + - title + override: + default: false + description: >- + Override an existing data view if a data view with the provided + title already exists. 
+ type: boolean + required: + - data_view + Data_views_data_view_response_object: + title: Data view response properties + type: object + properties: + data_view: + type: object + properties: + allowNoIndex: + $ref: '#/components/schemas/Data_views_allownoindex' + fieldAttrs: + additionalProperties: + $ref: '#/components/schemas/Data_views_fieldattrs' + type: object + fieldFormats: + $ref: '#/components/schemas/Data_views_fieldformats' + fields: + type: object + id: + example: ff959d40-b880-11e8-a6d9-e546fe2bba5f type: string - esTypes: - - text - scripted: false - searchable: true - aggregatable: false - readFromDocValues: false - format: - id: string - shortDotsEnable: false - isMapped: true - customer_first_name.keyword: - count: 0 - name: customer_first_name.keyword + name: + description: The data view name. type: string - esTypes: - - keyword - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - subType: - multi: - parent: customer_first_name - format: - id: string - shortDotsEnable: false - isMapped: true - customer_full_name: - count: 0 - name: customer_full_name + namespaces: + $ref: '#/components/schemas/Data_views_namespaces' + runtimeFieldMap: + additionalProperties: + $ref: '#/components/schemas/Data_views_runtimefieldmap' + type: object + sourceFilters: + $ref: '#/components/schemas/Data_views_sourcefilters' + timeFieldName: + $ref: '#/components/schemas/Data_views_timefieldname' + title: + $ref: '#/components/schemas/Data_views_title' + typeMeta: + $ref: '#/components/schemas/Data_views_typemeta_response' + version: + example: WzQ2LDJd type: string - esTypes: - - text - scripted: false - searchable: true - aggregatable: false - readFromDocValues: false - format: - id: string - shortDotsEnable: false - isMapped: true - customer_full_name.keyword: - count: 0 - name: customer_full_name.keyword + Data_views_fieldattrs: + description: A map of field attributes by field name. 
+ type: object + properties: + count: + description: Popularity count for the field. + type: integer + customDescription: + description: Custom description for the field. + maxLength: 300 + type: string + customLabel: + description: Custom label for the field. + type: string + Data_views_fieldformats: + description: A map of field formats by field name. + type: object + Data_views_namespaces: + description: >- + An array of space identifiers for sharing the data view between multiple + spaces. + items: + default: default + type: string + type: array + Data_views_runtimefieldmap: + description: A map of runtime field definitions by field name. + type: object + properties: + script: + type: object + properties: + source: + description: Script for the runtime field. type: string - esTypes: - - keyword - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - subType: - multi: - parent: customer_full_name - format: - id: string - shortDotsEnable: false - isMapped: true - customer_gender: - count: 0 - name: customer_gender + type: + description: Mapping type of the runtime field. + type: string + required: + - script + - type + Data_views_sourcefilters: + description: The array of field names you want to filter out in Discover. + items: + type: object + properties: + value: + type: string + required: + - value + type: array + Data_views_swap_data_view_request_object: + title: Data view reference swap request + type: object + properties: + delete: + description: Deletes referenced saved object if all references are removed. + type: boolean + forId: + description: Limit the affected saved objects to one or more by identifier. + oneOf: + - type: string + - items: + type: string + type: array + forType: + description: Limit the affected saved objects by type. + type: string + fromId: + description: The saved object reference to change. + type: string + fromType: + description: > + Specify the type of the saved object reference to alter. 
The default + value is `index-pattern` for data views. + type: string + toId: + description: New saved object reference value to replace the old value. + type: string + required: + - fromId + - toId + Data_views_timefieldname: + description: 'The timestamp field name, which you use for time-based data views.' + type: string + Data_views_title: + description: >- + Comma-separated list of data streams, indices, and aliases that you want + to search. Supports wildcards (`*`). + type: string + Data_views_type: + description: 'When set to `rollup`, identifies the rollup data views.' + type: string + Data_views_typemeta: + description: >- + When you use rollup indices, contains the field list for the rollup data + view API endpoints. + type: object + properties: + aggs: + description: A map of rollup restrictions by aggregation type and field name. + type: object + params: + description: Properties for retrieving rollup fields. + type: object + required: + - aggs + - params + Data_views_typemeta_response: + description: >- + When you use rollup indices, contains the field list for the rollup data + view API endpoints. + nullable: true + type: object + properties: + aggs: + description: A map of rollup restrictions by aggregation type and field name. + type: object + params: + description: Properties for retrieving rollup fields. + type: object + Data_views_update_data_view_request_object: + title: Update data view request + type: object + properties: + data_view: + description: > + The data view properties you want to update. Only the specified + properties are updated in the data view. Unspecified fields stay as + they are persisted. 
+ type: object + properties: + allowNoIndex: + $ref: '#/components/schemas/Data_views_allownoindex' + fieldFormats: + $ref: '#/components/schemas/Data_views_fieldformats' + fields: + type: object + name: type: string - esTypes: - - keyword - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: string - shortDotsEnable: false - isMapped: true - customer_id: - count: 0 - name: customer_id + runtimeFieldMap: + additionalProperties: + $ref: '#/components/schemas/Data_views_runtimefieldmap' + type: object + sourceFilters: + $ref: '#/components/schemas/Data_views_sourcefilters' + timeFieldName: + $ref: '#/components/schemas/Data_views_timefieldname' + title: + $ref: '#/components/schemas/Data_views_title' + type: + $ref: '#/components/schemas/Data_views_type' + typeMeta: + $ref: '#/components/schemas/Data_views_typemeta' + refresh_fields: + default: false + description: Reloads the data view fields after the data view is updated. + type: boolean + required: + - data_view + Kibana_HTTP_APIs_core_status_redactedResponse: + additionalProperties: false + description: A minimal representation of Kibana's operational status. + type: object + properties: + status: + additionalProperties: false + type: object + properties: + overall: + additionalProperties: false + type: object + properties: + level: + description: Service status levels as human and machine readable values. + enum: + - available + - degraded + - unavailable + - critical + type: string + required: + - level + required: + - overall + required: + - status + Kibana_HTTP_APIs_core_status_response: + additionalProperties: false + description: >- + Kibana's operational status as well as a detailed breakdown of plugin + statuses indication of various loads (like event loop utilization and + network traffic) at time of request. + type: object + properties: + metrics: + additionalProperties: false + description: Metric groups collected by Kibana. 
+ type: object + properties: + collection_interval_in_millis: + description: The interval at which metrics should be collected. + type: number + elasticsearch_client: + additionalProperties: false + description: Current network metrics of Kibana's Elasticsearch client. + type: object + properties: + totalActiveSockets: + description: Count of network sockets currently in use. + type: number + totalIdleSockets: + description: Count of network sockets currently idle. + type: number + totalQueuedRequests: + description: Count of requests not yet assigned to sockets. + type: number + required: + - totalActiveSockets + - totalIdleSockets + - totalQueuedRequests + last_updated: + description: The time metrics were collected. type: string - esTypes: - - keyword - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: string - shortDotsEnable: false - isMapped: true - customer_last_name: - count: 0 - name: customer_last_name + required: + - elasticsearch_client + - last_updated + - collection_interval_in_millis + name: + description: Kibana instance name. + type: string + status: + additionalProperties: false + type: object + properties: + core: + additionalProperties: false + description: Statuses of core Kibana services. + type: object + properties: + elasticsearch: + additionalProperties: false + type: object + properties: + detail: + description: Human readable detail of the service status. + type: string + documentationUrl: + description: A URL to further documentation regarding this service. + type: string + level: + description: >- + Service status levels as human and machine readable + values. + enum: + - available + - degraded + - unavailable + - critical + type: string + meta: + additionalProperties: {} + description: >- + An unstructured set of extra metadata about this + service. + type: object + summary: + description: A human readable summary of the service status. 
+ type: string + required: + - level + - summary + - meta + savedObjects: + additionalProperties: false + type: object + properties: + detail: + description: Human readable detail of the service status. + type: string + documentationUrl: + description: A URL to further documentation regarding this service. + type: string + level: + description: >- + Service status levels as human and machine readable + values. + enum: + - available + - degraded + - unavailable + - critical + type: string + meta: + additionalProperties: {} + description: >- + An unstructured set of extra metadata about this + service. + type: object + summary: + description: A human readable summary of the service status. + type: string + required: + - level + - summary + - meta + required: + - elasticsearch + - savedObjects + overall: + additionalProperties: false + type: object + properties: + detail: + description: Human readable detail of the service status. + type: string + documentationUrl: + description: A URL to further documentation regarding this service. + type: string + level: + description: Service status levels as human and machine readable values. + enum: + - available + - degraded + - unavailable + - critical + type: string + meta: + additionalProperties: {} + description: An unstructured set of extra metadata about this service. + type: object + summary: + description: A human readable summary of the service status. + type: string + required: + - level + - summary + - meta + plugins: + additionalProperties: + additionalProperties: false + type: object + properties: + detail: + description: Human readable detail of the service status. + type: string + documentationUrl: + description: A URL to further documentation regarding this service. + type: string + level: + description: >- + Service status levels as human and machine readable + values. 
+ enum: + - available + - degraded + - unavailable + - critical + type: string + meta: + additionalProperties: {} + description: An unstructured set of extra metadata about this service. + type: object + summary: + description: A human readable summary of the service status. + type: string + required: + - level + - summary + - meta + description: A dynamic mapping of plugin ID to plugin status. + type: object + required: + - overall + - core + - plugins + uuid: + description: >- + Unique, generated Kibana instance UUID. This UUID should persist + even if the Kibana process restarts. + type: string + version: + additionalProperties: false + type: object + properties: + build_date: + description: The date and time of this build. type: string - esTypes: - - text - scripted: false - searchable: true - aggregatable: false - readFromDocValues: false - format: - id: string - shortDotsEnable: false - isMapped: true - customer_last_name.keyword: - count: 0 - name: customer_last_name.keyword + build_flavor: + description: >- + The build flavour determines configuration and behavior of + Kibana. On premise users will almost always run the + "traditional" flavour, while other flavours are reserved for + Elastic-specific use cases. + enum: + - serverless + - traditional type: string - esTypes: - - keyword - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - subType: - multi: - parent: customer_last_name - format: - id: string - shortDotsEnable: false - isMapped: true - customer_phone: - count: 0 - name: customer_phone + build_hash: + description: >- + A unique hash value representing the git commit of this Kibana + build. + type: string + build_number: + description: >- + A monotonically increasing number, each subsequent build will + have a higher number. + type: number + build_snapshot: + description: Whether this build is a snapshot build. + type: boolean + number: + description: A semantic version number. 
+ type: string + required: + - number + - build_hash + - build_number + - build_snapshot + - build_flavor + - build_date + required: + - name + - uuid + - version + - status + - metrics + Machine_learning_APIs_mlSync200Response: + properties: + datafeedsAdded: + additionalProperties: + $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseDatafeeds' + description: >- + If a saved object for an anomaly detection job is missing a datafeed + identifier, it is added when you run the sync machine learning saved + objects API. + type: object + datafeedsRemoved: + additionalProperties: + $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseDatafeeds' + description: >- + If a saved object for an anomaly detection job references a datafeed + that no longer exists, it is deleted when you run the sync machine + learning saved objects API. + type: object + savedObjectsCreated: + $ref: >- + #/components/schemas/Machine_learning_APIs_mlSyncResponseSavedObjectsCreated + savedObjectsDeleted: + $ref: >- + #/components/schemas/Machine_learning_APIs_mlSyncResponseSavedObjectsDeleted + title: Successful sync API response + type: object + Machine_learning_APIs_mlSync4xxResponse: + properties: + error: + example: Unauthorized + type: string + message: + type: string + statusCode: + example: 401 + type: integer + title: Unsuccessful sync API response + type: object + Machine_learning_APIs_mlSyncResponseAnomalyDetectors: + description: >- + The sync machine learning saved objects API response contains this + object when there are anomaly detection jobs affected by the + synchronization. There is an object for each relevant job, which + contains the synchronization status. 
+ properties: + success: + $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess' + title: Sync API response for anomaly detection jobs + type: object + Machine_learning_APIs_mlSyncResponseDatafeeds: + description: >- + The sync machine learning saved objects API response contains this + object when there are datafeeds affected by the synchronization. There + is an object for each relevant datafeed, which contains the + synchronization status. + properties: + success: + $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess' + title: Sync API response for datafeeds + type: object + Machine_learning_APIs_mlSyncResponseDataFrameAnalytics: + description: >- + The sync machine learning saved objects API response contains this + object when there are data frame analytics jobs affected by the + synchronization. There is an object for each relevant job, which + contains the synchronization status. + properties: + success: + $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess' + title: Sync API response for data frame analytics jobs + type: object + Machine_learning_APIs_mlSyncResponseSavedObjectsCreated: + description: >- + If saved objects are missing for machine learning jobs or trained + models, they are created when you run the sync machine learning saved + objects API. + properties: + anomaly-detector: + additionalProperties: + $ref: >- + #/components/schemas/Machine_learning_APIs_mlSyncResponseAnomalyDetectors + description: >- + If saved objects are missing for anomaly detection jobs, they are + created. + type: object + data-frame-analytics: + additionalProperties: + $ref: >- + #/components/schemas/Machine_learning_APIs_mlSyncResponseDataFrameAnalytics + description: >- + If saved objects are missing for data frame analytics jobs, they are + created. 
+ type: object + trained-model: + additionalProperties: + $ref: >- + #/components/schemas/Machine_learning_APIs_mlSyncResponseTrainedModels + description: 'If saved objects are missing for trained models, they are created.' + type: object + title: Sync API response for created saved objects + type: object + Machine_learning_APIs_mlSyncResponseSavedObjectsDeleted: + description: >- + If saved objects exist for machine learning jobs or trained models that + no longer exist, they are deleted when you run the sync machine learning + saved objects API. + properties: + anomaly-detector: + additionalProperties: + $ref: >- + #/components/schemas/Machine_learning_APIs_mlSyncResponseAnomalyDetectors + description: >- + If there are saved objects exist for nonexistent anomaly detection + jobs, they are deleted. + type: object + data-frame-analytics: + additionalProperties: + $ref: >- + #/components/schemas/Machine_learning_APIs_mlSyncResponseDataFrameAnalytics + description: >- + If there are saved objects exist for nonexistent data frame + analytics jobs, they are deleted. + type: object + trained-model: + additionalProperties: + $ref: >- + #/components/schemas/Machine_learning_APIs_mlSyncResponseTrainedModels + description: >- + If there are saved objects exist for nonexistent trained models, + they are deleted. + type: object + title: Sync API response for deleted saved objects + type: object + Machine_learning_APIs_mlSyncResponseSuccess: + description: The success or failure of the synchronization. + type: boolean + Machine_learning_APIs_mlSyncResponseTrainedModels: + description: >- + The sync machine learning saved objects API response contains this + object when there are trained models affected by the synchronization. + There is an object for each relevant trained model, which contains the + synchronization status. 
+ properties: + success: + $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess' + title: Sync API response for trained models + type: object + Security_AI_Assistant_API_AnonymizationFieldCreateProps: + type: object + properties: + allowed: + type: boolean + anonymized: + type: boolean + field: + type: string + required: + - field + Security_AI_Assistant_API_AnonymizationFieldDetailsInError: + type: object + properties: + id: + type: string + name: + type: string + required: + - id + Security_AI_Assistant_API_AnonymizationFieldResponse: + type: object + properties: + allowed: + type: boolean + anonymized: + type: boolean + createdAt: + type: string + createdBy: + type: string + field: + type: string + id: + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + namespace: + description: Kibana space + type: string + timestamp: + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + updatedAt: + type: string + updatedBy: + type: string + required: + - id + - field + Security_AI_Assistant_API_AnonymizationFieldsBulkActionSkipReason: + enum: + - ANONYMIZATION_FIELD_NOT_MODIFIED + type: string + Security_AI_Assistant_API_AnonymizationFieldsBulkActionSkipResult: + type: object + properties: + id: + type: string + name: + type: string + skip_reason: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkActionSkipReason + required: + - id + - skip_reason + Security_AI_Assistant_API_AnonymizationFieldsBulkCrudActionResponse: + type: object + properties: + anonymization_fields_count: + type: integer + attributes: + type: object + properties: + errors: + items: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_NormalizedAnonymizationFieldError + type: array + results: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkCrudActionResults + summary: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_BulkCrudActionSummary + required: + - results + 
- summary + message: + type: string + status_code: + type: integer + success: + type: boolean + required: + - attributes + Security_AI_Assistant_API_AnonymizationFieldsBulkCrudActionResults: + type: object + properties: + created: + items: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse + type: array + deleted: + items: + type: string + type: array + skipped: + items: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkActionSkipResult + type: array + updated: + items: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse + type: array + required: + - updated + - created + - deleted + - skipped + Security_AI_Assistant_API_AnonymizationFieldUpdateProps: + type: object + properties: + allowed: + type: boolean + anonymized: + type: boolean + id: + type: string + required: + - id + Security_AI_Assistant_API_ApiConfig: + type: object + properties: + actionTypeId: + description: action type id + type: string + connectorId: + description: connector id + type: string + defaultSystemPromptId: + description: defaultSystemPromptId + type: string + model: + description: model + type: string + provider: + $ref: '#/components/schemas/Security_AI_Assistant_API_Provider' + description: Provider + required: + - connectorId + - actionTypeId + Security_AI_Assistant_API_BulkCrudActionSummary: + type: object + properties: + failed: + type: integer + skipped: + type: integer + succeeded: + type: integer + total: + type: integer + required: + - failed + - skipped + - succeeded + - total + Security_AI_Assistant_API_ChatCompleteProps: + type: object + properties: + connectorId: + type: string + conversationId: + type: string + isStream: + type: boolean + langSmithApiKey: + type: string + langSmithProject: + type: string + messages: + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_ChatMessage' + type: array + model: + type: string + persist: + type: boolean + promptId: + 
type: string + responseLanguage: + type: string + required: + - messages + - persist + - connectorId + Security_AI_Assistant_API_ChatMessage: + description: AI assistant message. + type: object + properties: + content: + description: Message content. + type: string + data: + $ref: '#/components/schemas/Security_AI_Assistant_API_MessageData' + description: ECS object to attach to the context of the message. + fields_to_anonymize: + items: + type: string + type: array + role: + $ref: '#/components/schemas/Security_AI_Assistant_API_ChatMessageRole' + description: Message role. + required: + - role + Security_AI_Assistant_API_ChatMessageRole: + description: Message role. + enum: + - system + - user + - assistant + type: string + Security_AI_Assistant_API_ConversationCategory: + description: The conversation category. + enum: + - assistant + - insights + type: string + Security_AI_Assistant_API_ConversationConfidence: + description: The conversation confidence. + enum: + - low + - medium + - high + type: string + Security_AI_Assistant_API_ConversationCreateProps: + type: object + properties: + apiConfig: + $ref: '#/components/schemas/Security_AI_Assistant_API_ApiConfig' + description: LLM API configuration. + category: + $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationCategory' + description: The conversation category. + excludeFromLastConversationStorage: + description: excludeFromLastConversationStorage. + type: boolean + id: + description: The conversation id. + type: string + isDefault: + description: Is default conversation. + type: boolean + messages: + description: The conversation messages. + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_Message' + type: array + replacements: + $ref: '#/components/schemas/Security_AI_Assistant_API_Replacements' + title: + description: The conversation title. 
+ type: string + required: + - title + Security_AI_Assistant_API_ConversationResponse: + type: object + properties: + apiConfig: + $ref: '#/components/schemas/Security_AI_Assistant_API_ApiConfig' + description: LLM API configuration. + category: + $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationCategory' + description: The conversation category. + createdAt: + description: The last time conversation was updated. + type: string + excludeFromLastConversationStorage: + description: excludeFromLastConversationStorage. + type: boolean + id: + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + isDefault: + description: Is default conversation. + type: boolean + messages: + description: The conversation messages. + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_Message' + type: array + namespace: + description: Kibana space + type: string + replacements: + $ref: '#/components/schemas/Security_AI_Assistant_API_Replacements' + summary: + $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationSummary' + timestamp: + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + title: + description: The conversation title. + type: string + updatedAt: + description: The last time conversation was updated. + type: string + users: + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_User' + type: array + required: + - id + - title + - createdAt + - users + - namespace + - category + Security_AI_Assistant_API_ConversationSummary: + type: object + properties: + confidence: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_ConversationConfidence + description: >- + How confident you are about this being a correct and useful + learning. + content: + description: Summary text of the conversation over time. + type: string + public: + description: Define if summary is marked as publicly available. 
+ type: boolean + timestamp: + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + description: The timestamp summary was updated. + Security_AI_Assistant_API_ConversationUpdateProps: + type: object + properties: + apiConfig: + $ref: '#/components/schemas/Security_AI_Assistant_API_ApiConfig' + description: LLM API configuration. + category: + $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationCategory' + description: The conversation category. + excludeFromLastConversationStorage: + description: excludeFromLastConversationStorage. + type: boolean + id: + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + messages: + description: The conversation messages. + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_Message' + type: array + replacements: + $ref: '#/components/schemas/Security_AI_Assistant_API_Replacements' + summary: + $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationSummary' + title: + description: The conversation title. + type: string + required: + - id + Security_AI_Assistant_API_FindAnonymizationFieldsSortField: + enum: + - created_at + - anonymized + - allowed + - field + - updated_at + type: string + Security_AI_Assistant_API_FindConversationsSortField: + enum: + - created_at + - is_default + - title + - updated_at + type: string + Security_AI_Assistant_API_FindPromptsSortField: + enum: + - created_at + - is_default + - name + - updated_at + type: string + Security_AI_Assistant_API_Message: + description: AI assistant conversation message. + type: object + properties: + content: + description: Message content. + type: string + isError: + description: Is error message. + type: boolean + reader: + $ref: '#/components/schemas/Security_AI_Assistant_API_Reader' + description: Message content. + role: + $ref: '#/components/schemas/Security_AI_Assistant_API_MessageRole' + description: Message role. 
+ timestamp: + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + description: The timestamp message was sent or received. + traceData: + $ref: '#/components/schemas/Security_AI_Assistant_API_TraceData' + description: trace Data + required: + - timestamp + - content + - role + Security_AI_Assistant_API_MessageData: + additionalProperties: true + type: object + Security_AI_Assistant_API_MessageRole: + description: Message role. + enum: + - system + - user + - assistant + type: string + Security_AI_Assistant_API_NonEmptyString: + description: A string that is not empty and does not contain only whitespace + minLength: 1 + pattern: ^(?! *$).+$ + type: string + Security_AI_Assistant_API_NormalizedAnonymizationFieldError: + type: object + properties: + anonymization_fields: + items: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldDetailsInError + type: array + err_code: + type: string + message: + type: string + status_code: + type: integer + required: + - message + - status_code + - anonymization_fields + Security_AI_Assistant_API_NormalizedPromptError: + type: object + properties: + err_code: + type: string + message: + type: string + prompts: + items: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_PromptDetailsInError + type: array + status_code: + type: integer + required: + - message + - status_code + - prompts + Security_AI_Assistant_API_PromptCreateProps: + type: object + properties: + categories: + items: + type: string + type: array + color: + type: string + consumer: + type: string + content: + type: string + isDefault: + type: boolean + isNewConversationDefault: + type: boolean + name: + type: string + promptType: + $ref: '#/components/schemas/Security_AI_Assistant_API_PromptType' + required: + - name + - content + - promptType + Security_AI_Assistant_API_PromptDetailsInError: + type: object + properties: + id: + type: string + name: + type: string + required: + - id + 
Security_AI_Assistant_API_PromptResponse: + type: object + properties: + categories: + items: + type: string + type: array + color: + type: string + consumer: + type: string + content: + type: string + createdAt: + type: string + createdBy: + type: string + id: + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + isDefault: + type: boolean + isNewConversationDefault: + type: boolean + name: + type: string + namespace: + description: Kibana space + type: string + promptType: + $ref: '#/components/schemas/Security_AI_Assistant_API_PromptType' + timestamp: + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + updatedAt: + type: string + updatedBy: + type: string + users: + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_User' + type: array + required: + - id + - name + - promptType + - content + Security_AI_Assistant_API_PromptsBulkActionSkipReason: + enum: + - PROMPT_FIELD_NOT_MODIFIED + type: string + Security_AI_Assistant_API_PromptsBulkActionSkipResult: + type: object + properties: + id: + type: string + name: + type: string + skip_reason: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_PromptsBulkActionSkipReason + required: + - id + - skip_reason + Security_AI_Assistant_API_PromptsBulkCrudActionResponse: + type: object + properties: + attributes: + type: object + properties: + errors: + items: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_NormalizedPromptError + type: array + results: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_PromptsBulkCrudActionResults + summary: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_BulkCrudActionSummary + required: + - results + - summary + message: + type: string + prompts_count: + type: integer + status_code: + type: integer + success: + type: boolean + required: + - attributes + Security_AI_Assistant_API_PromptsBulkCrudActionResults: + type: object + properties: + created: + items: + $ref: 
'#/components/schemas/Security_AI_Assistant_API_PromptResponse' + type: array + deleted: + items: + type: string + type: array + skipped: + items: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_PromptsBulkActionSkipResult + type: array + updated: + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_PromptResponse' + type: array + required: + - updated + - created + - deleted + - skipped + Security_AI_Assistant_API_PromptType: + description: Prompt type + enum: + - system + - quick + type: string + Security_AI_Assistant_API_PromptUpdateProps: + type: object + properties: + categories: + items: + type: string + type: array + color: + type: string + consumer: + type: string + content: + type: string + id: + type: string + isDefault: + type: boolean + isNewConversationDefault: + type: boolean + required: + - id + Security_AI_Assistant_API_Provider: + description: Provider + enum: + - OpenAI + - Azure OpenAI + type: string + Security_AI_Assistant_API_Reader: + additionalProperties: true + type: object + Security_AI_Assistant_API_Replacements: + additionalProperties: + type: string + description: Replacements object used to anonymize/deanomymize messsages + type: object + Security_AI_Assistant_API_SortOrder: + enum: + - asc + - desc + type: string + Security_AI_Assistant_API_TraceData: + description: trace Data + type: object + properties: + traceId: + description: 'Could be any string, not necessarily a UUID' + type: string + transactionId: + description: 'Could be any string, not necessarily a UUID' + type: string + Security_AI_Assistant_API_User: + description: 'Could be any string, not necessarily a UUID' + type: object + properties: + id: + description: User id + type: string + name: + description: User name + type: string + Security_Solution_Detections_API_AlertAssignees: + type: object + properties: + add: + description: A list of users ids to assign. 
+ items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_NonEmptyString + type: array + remove: + description: A list of users ids to unassign. + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_NonEmptyString + type: array + required: + - add + - remove + Security_Solution_Detections_API_AlertIds: + description: A list of alerts ids. + items: + $ref: '#/components/schemas/Security_Solution_Detections_API_NonEmptyString' + minItems: 1 + type: array + Security_Solution_Detections_API_AlertsIndex: + deprecated: true + description: (deprecated) Has no effect. + type: string + Security_Solution_Detections_API_AlertsIndexNamespace: + description: Has no effect. + type: string + Security_Solution_Detections_API_AlertsSort: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsSortCombinations + - items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsSortCombinations + type: array + Security_Solution_Detections_API_AlertsSortCombinations: + anyOf: + - type: string + - additionalProperties: true + type: object + Security_Solution_Detections_API_AlertStatus: + enum: + - open + - closed + - acknowledged + - in-progress + type: string + Security_Solution_Detections_API_AlertSuppression: + type: object + properties: + duration: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertSuppressionDuration + group_by: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertSuppressionGroupBy + missing_fields_strategy: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertSuppressionMissingFieldsStrategy + required: + - group_by + Security_Solution_Detections_API_AlertSuppressionDuration: + type: object + properties: + unit: + enum: + - s + - m + - h + type: string + value: + minimum: 1 + type: integer + required: + - value + - unit + Security_Solution_Detections_API_AlertSuppressionGroupBy: + items: + type: string + maxItems: 3 + 
minItems: 1 + type: array + Security_Solution_Detections_API_AlertSuppressionMissingFieldsStrategy: + description: >- + Describes how alerts will be generated for documents with missing + suppress by fields: + + doNotSuppress - per each document a separate alert will be created + + suppress - only alert will be created per suppress by bucket + enum: + - doNotSuppress + - suppress + type: string + Security_Solution_Detections_API_AlertTag: + $ref: '#/components/schemas/Security_Solution_Detections_API_NonEmptyString' + Security_Solution_Detections_API_AlertTags: + items: + $ref: '#/components/schemas/Security_Solution_Detections_API_AlertTag' + type: array + Security_Solution_Detections_API_AnomalyThreshold: + description: Anomaly threshold + minimum: 0 + type: integer + Security_Solution_Detections_API_BuildingBlockType: + description: >- + Determines if the rule acts as a building block. By default, + building-block alerts are not displayed in the UI. These rules are used + as a foundation for other rules that do generate alerts. Its value must + be default. 
+ type: string + Security_Solution_Detections_API_BulkActionEditPayload: + anyOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_BulkActionEditPayloadTags + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_BulkActionEditPayloadIndexPatterns + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_BulkActionEditPayloadInvestigationFields + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_BulkActionEditPayloadTimeline + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_BulkActionEditPayloadRuleActions + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_BulkActionEditPayloadSchedule + Security_Solution_Detections_API_BulkActionEditPayloadIndexPatterns: + type: object + properties: + overwrite_data_views: + type: boolean + type: + enum: + - add_index_patterns + - delete_index_patterns + - set_index_patterns + type: string + value: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IndexPatternArray + required: + - type + - value + Security_Solution_Detections_API_BulkActionEditPayloadInvestigationFields: + type: object + properties: + type: + enum: + - add_investigation_fields + - delete_investigation_fields + - set_investigation_fields + type: string + value: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + required: + - type + - value + Security_Solution_Detections_API_BulkActionEditPayloadRuleActions: + type: object + properties: + type: + enum: + - add_rule_actions + - set_rule_actions + type: string + value: + type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_NormalizedRuleAction + type: array + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThrottleForBulkActions + required: + - actions + required: + - type + - value + Security_Solution_Detections_API_BulkActionEditPayloadSchedule: + type: object + properties: + 
type: + enum: + - set_schedule + type: string + value: + type: object + properties: + interval: + description: >- + Interval in which the rule runs. For example, `"1h"` means the + rule runs every hour. + example: 1h + pattern: '^[1-9]\d*[smh]$' type: string - esTypes: - - keyword - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: string - shortDotsEnable: false - isMapped: true - day_of_week: - count: 0 - name: day_of_week + lookback: + description: Lookback time for the rule + example: 1h + pattern: '^[1-9]\d*[smh]$' type: string - esTypes: - - keyword - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: string - shortDotsEnable: false - isMapped: true - day_of_week_i: - count: 0 - name: day_of_week_i - type: number - esTypes: - - integer - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: number - shortDotsEnable: false - isMapped: true - email: - count: 0 - name: email + required: + - interval + - lookback + required: + - type + - value + Security_Solution_Detections_API_BulkActionEditPayloadTags: + type: object + properties: + type: + enum: + - add_tags + - delete_tags + - set_tags + type: string + value: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleTagArray' + required: + - type + - value + Security_Solution_Detections_API_BulkActionEditPayloadTimeline: + type: object + properties: + type: + enum: + - set_timeline + type: string + value: + type: object + properties: + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + required: + - timeline_id + - timeline_title + required: + - type + - value + Security_Solution_Detections_API_BulkActionsDryRunErrCode: + enum: + - IMMUTABLE + - MACHINE_LEARNING_AUTH + - MACHINE_LEARNING_INDEX_PATTERN + - 
ESQL_INDEX_PATTERN + - MANUAL_RULE_RUN_FEATURE + - MANUAL_RULE_RUN_DISABLED_RULE + type: string + Security_Solution_Detections_API_BulkActionSkipResult: + type: object + properties: + id: + type: string + name: + type: string + skip_reason: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BulkEditSkipReason + required: + - id + - skip_reason + Security_Solution_Detections_API_BulkDeleteRules: + type: object + properties: + action: + enum: + - delete + type: string + ids: + description: Array of rule IDs + items: + type: string + minItems: 1 + type: array + query: + description: Query to filter rules + type: string + required: + - action + Security_Solution_Detections_API_BulkDisableRules: + type: object + properties: + action: + enum: + - disable + type: string + ids: + description: Array of rule IDs + items: + type: string + minItems: 1 + type: array + query: + description: Query to filter rules + type: string + required: + - action + Security_Solution_Detections_API_BulkDuplicateRules: + type: object + properties: + action: + enum: + - duplicate + type: string + duplicate: + type: object + properties: + include_exceptions: + description: Whether to copy exceptions from the original rule + type: boolean + include_expired_exceptions: + description: Whether to copy expired exceptions from the original rule + type: boolean + required: + - include_exceptions + - include_expired_exceptions + ids: + description: Array of rule IDs + items: + type: string + minItems: 1 + type: array + query: + description: Query to filter rules + type: string + required: + - action + Security_Solution_Detections_API_BulkEditActionResponse: + type: object + properties: + attributes: + type: object + properties: + errors: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_NormalizedRuleError + type: array + results: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BulkEditActionResults + summary: + $ref: >- + 
#/components/schemas/Security_Solution_Detections_API_BulkEditActionSummary + required: + - results + - summary + message: + type: string + rules_count: + type: integer + status_code: + type: integer + success: + type: boolean + required: + - attributes + Security_Solution_Detections_API_BulkEditActionResults: + type: object + properties: + created: + items: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleResponse' + type: array + deleted: + items: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleResponse' + type: array + skipped: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BulkActionSkipResult + type: array + updated: + items: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleResponse' + type: array + required: + - updated + - created + - deleted + - skipped + Security_Solution_Detections_API_BulkEditActionSummary: + type: object + properties: + failed: + type: integer + skipped: + type: integer + succeeded: + type: integer + total: + type: integer + required: + - failed + - skipped + - succeeded + - total + Security_Solution_Detections_API_BulkEditRules: + type: object + properties: + action: + enum: + - edit + type: string + edit: + description: Array of objects containing the edit operations + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BulkActionEditPayload + minItems: 1 + type: array + ids: + description: Array of rule IDs + items: + type: string + minItems: 1 + type: array + query: + description: Query to filter rules + type: string + required: + - action + - edit + Security_Solution_Detections_API_BulkEditSkipReason: + enum: + - RULE_NOT_MODIFIED + type: string + Security_Solution_Detections_API_BulkEnableRules: + type: object + properties: + action: + enum: + - enable + type: string + ids: + description: Array of rule IDs + items: + type: string + minItems: 1 + type: array + query: + description: Query to filter rules + type: string + 
required: + - action + Security_Solution_Detections_API_BulkExportActionResponse: + type: string + Security_Solution_Detections_API_BulkExportRules: + type: object + properties: + action: + enum: + - export + type: string + ids: + description: Array of rule IDs + items: + type: string + minItems: 1 + type: array + query: + description: Query to filter rules + type: string + required: + - action + Security_Solution_Detections_API_BulkManualRuleRun: + type: object + properties: + action: + enum: + - run + type: string + ids: + description: Array of rule IDs + items: + type: string + minItems: 1 + type: array + query: + description: Query to filter rules + type: string + run: + type: object + properties: + end_date: + description: End date of the manual rule run type: string - esTypes: - - keyword - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: string - shortDotsEnable: false - isMapped: true - event.dataset: - count: 0 - name: event.dataset + start_date: + description: Start date of the manual rule run type: string - esTypes: - - keyword - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: string - shortDotsEnable: false - isMapped: true - geoip.city_name: - count: 0 - name: geoip.city_name + required: + - start_date + required: + - action + - run + Security_Solution_Detections_API_ConcurrentSearches: + minimum: 1 + type: integer + Security_Solution_Detections_API_DataViewId: + type: string + Security_Solution_Detections_API_DefaultParams: + type: object + properties: + command: + enum: + - isolate + type: string + comment: + type: string + required: + - command + Security_Solution_Detections_API_EcsMapping: + additionalProperties: + type: object + properties: + field: + type: string + value: + oneOf: + - type: string + - items: + type: string + type: array + type: object + Security_Solution_Detections_API_EndpointResponseAction: + type: object + properties: + 
action_type_id: + enum: + - .endpoint + type: string + params: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_DefaultParams + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ProcessesParams + required: + - action_type_id + - params + Security_Solution_Detections_API_EqlOptionalFields: + type: object + properties: + alert_suppression: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertSuppression + data_view_id: + $ref: '#/components/schemas/Security_Solution_Detections_API_DataViewId' + event_category_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_EventCategoryOverride + filters: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFilterArray + index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IndexPatternArray + tiebreaker_field: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TiebreakerField + timestamp_field: + $ref: '#/components/schemas/Security_Solution_Detections_API_TimestampField' + Security_Solution_Detections_API_EqlQueryLanguage: + enum: + - eql + type: string + Security_Solution_Detections_API_EqlRequiredFields: + type: object + properties: + language: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_EqlQueryLanguage + description: Query language to use + query: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleQuery' + description: EQL query to execute + type: + description: Rule type + enum: + - eql + type: string + required: + - type + - query + - language + Security_Solution_Detections_API_EqlRule: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + 
#/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + 
$ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + required: + - name + - description + - risk_score + - severity + - version + - tags + - enabled + - risk_score_mapping + - severity_mapping + - interval + - from + - to + - actions + - exceptions_list + - author + - false_positives + - references + - max_signals + - threat + - setup + - related_integrations + - required_fields + - $ref: '#/components/schemas/Security_Solution_Detections_API_ResponseFields' + - 
$ref: >- + #/components/schemas/Security_Solution_Detections_API_EqlRuleResponseFields + Security_Solution_Detections_API_EqlRuleCreateFields: + allOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_EqlRequiredFields + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_EqlOptionalFields + Security_Solution_Detections_API_EqlRuleCreateProps: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: 
'#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + 
#/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + required: + - name + - description + - risk_score + - severity + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_EqlRuleCreateFields + Security_Solution_Detections_API_EqlRulePatchFields: + allOf: + - type: object + properties: + language: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_EqlQueryLanguage + description: Query language to use + query: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleQuery' + description: EQL query to execute + type: + description: Rule type + enum: + - eql type: string - esTypes: - - keyword - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: string - shortDotsEnable: false - isMapped: true - geoip.continent_name: - count: 0 - name: geoip.continent_name + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_EqlOptionalFields + Security_Solution_Detections_API_EqlRulePatchProps: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + 
#/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleObjectId + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + 
#/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_EqlRulePatchFields + Security_Solution_Detections_API_EqlRuleResponseFields: + allOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_EqlRequiredFields + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_EqlOptionalFields + Security_Solution_Detections_API_EqlRuleUpdateProps: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + 
alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleObjectId + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + 
$ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + required: + - name + - description + - risk_score + - severity + - $ref: >- + 
#/components/schemas/Security_Solution_Detections_API_EqlRuleCreateFields + Security_Solution_Detections_API_ErrorSchema: + additionalProperties: false + type: object + properties: + error: + type: object + properties: + message: type: string - esTypes: - - keyword - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: string - shortDotsEnable: false - isMapped: true - geoip.country_iso_code: - count: 0 - name: geoip.country_iso_code + status_code: + minimum: 400 + type: integer + required: + - status_code + - message + id: + type: string + item_id: + minLength: 1 + type: string + list_id: + minLength: 1 + type: string + rule_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + required: + - error + Security_Solution_Detections_API_EsqlQueryLanguage: + enum: + - esql + type: string + Security_Solution_Detections_API_EsqlRule: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + 
#/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + 
#/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + required: + - name + - description + - risk_score + - severity + - version + - tags + - enabled + - risk_score_mapping + - severity_mapping + - interval + - from + - to + - actions + - exceptions_list + - author + - false_positives + - references + - max_signals + - threat + - setup + - related_integrations + - required_fields + - $ref: '#/components/schemas/Security_Solution_Detections_API_ResponseFields' + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_EsqlRuleResponseFields + Security_Solution_Detections_API_EsqlRuleCreateFields: + allOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_EsqlRuleOptionalFields + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_EsqlRuleRequiredFields + Security_Solution_Detections_API_EsqlRuleCreateProps: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + 
#/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + 
$ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + required: + - name + - description + - risk_score + - severity + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_EsqlRuleCreateFields + Security_Solution_Detections_API_EsqlRuleOptionalFields: + type: object + properties: + alert_suppression: + $ref: >- + 
#/components/schemas/Security_Solution_Detections_API_AlertSuppression + Security_Solution_Detections_API_EsqlRulePatchProps: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleObjectId + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + language: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_EsqlQueryLanguage + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + 
#/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + query: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleQuery' + description: ESQL query to execute + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + 
timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + type: + description: Rule type + enum: + - esql type: string - esTypes: - - keyword - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: string - shortDotsEnable: false - isMapped: true - geoip.location: - count: 0 - name: geoip.location - type: geo_point - esTypes: - - geo_point - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: geo_point - params: - transform: wkt - shortDotsEnable: false - isMapped: true - geoip.region_name: - count: 0 - name: geoip.region_name + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_EsqlRuleOptionalFields + Security_Solution_Detections_API_EsqlRuleRequiredFields: + type: object + properties: + language: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_EsqlQueryLanguage + query: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleQuery' + description: ESQL query to execute + type: + description: Rule type + enum: + - esql + type: string + required: + - type + - language + - query + Security_Solution_Detections_API_EsqlRuleResponseFields: + allOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_EsqlRuleOptionalFields + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_EsqlRuleRequiredFields + Security_Solution_Detections_API_EsqlRuleUpdateProps: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + 
#/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleObjectId + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + 
#/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + required: + - name + - description + - risk_score + - severity + - $ref: >- + 
#/components/schemas/Security_Solution_Detections_API_EsqlRuleCreateFields + Security_Solution_Detections_API_EventCategoryOverride: + type: string + Security_Solution_Detections_API_ExceptionListType: + description: The exception type + enum: + - detection + - rule_default + - endpoint + - endpoint_trusted_apps + - endpoint_events + - endpoint_host_isolation_exceptions + - endpoint_blocklists + type: string + Security_Solution_Detections_API_ExternalRuleSource: + description: >- + Type of rule source for externally sourced rules, i.e. rules that have + an external source, such as the Elastic Prebuilt rules repo. + type: object + properties: + is_customized: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsExternalRuleCustomized + type: + enum: + - external + type: string + required: + - type + - is_customized + Security_Solution_Detections_API_FindRulesSortField: + enum: + - created_at + - createdAt + - enabled + - execution_summary.last_execution.date + - execution_summary.last_execution.metrics.execution_gap_duration_s + - execution_summary.last_execution.metrics.total_indexing_duration_ms + - execution_summary.last_execution.metrics.total_search_duration_ms + - execution_summary.last_execution.status + - name + - risk_score + - riskScore + - severity + - updated_at + - updatedAt + type: string + Security_Solution_Detections_API_HistoryWindowStart: + $ref: '#/components/schemas/Security_Solution_Detections_API_NonEmptyString' + Security_Solution_Detections_API_IndexPatternArray: + items: + type: string + type: array + Security_Solution_Detections_API_InternalRuleSource: + description: >- + Type of rule source for internally sourced rules, i.e. created within + the Kibana apps. + type: object + properties: + type: + enum: + - internal + type: string + required: + - type + Security_Solution_Detections_API_InvestigationFields: + description: > + Schema for fields relating to investigation fields. 
These are user + defined fields we use to highlight + + in various features in the UI such as alert details flyout and + exceptions auto-population from alert. + + Added in PR #163235 + + Right now we only have a single field but anticipate adding more related + fields to store various + + configuration states such as `override` - where a user might say if they + want only these fields to + + display, or if they want these fields + the fields we select. When + expanding this field, it may look + + something like: + + ```typescript + + const investigationFields = z.object({ + field_names: NonEmptyArray(NonEmptyString), + override: z.boolean().optional(), + }); + + ``` + type: object + properties: + field_names: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_NonEmptyString + minItems: 1 + type: array + required: + - field_names + Security_Solution_Detections_API_InvestigationGuide: + description: Notes to help investigate alerts produced by the rule. + type: string + Security_Solution_Detections_API_IsExternalRuleCustomized: + description: >- + Determines whether an external/prebuilt rule has been customized by the + user (i.e. any of its fields have been modified and diverged from the + base value). + type: boolean + Security_Solution_Detections_API_IsRuleEnabled: + description: Determines whether the rule is enabled. + type: boolean + Security_Solution_Detections_API_IsRuleImmutable: + deprecated: true + description: >- + This field determines whether the rule is a prebuilt Elastic rule. It + will be replaced with the `rule_source` field. 
+ type: boolean + Security_Solution_Detections_API_ItemsPerSearch: + minimum: 1 + type: integer + Security_Solution_Detections_API_KqlQueryLanguage: + enum: + - kuery + - lucene + type: string + Security_Solution_Detections_API_MachineLearningJobId: + description: Machine learning job ID + oneOf: + - type: string + - items: + type: string + minItems: 1 + type: array + Security_Solution_Detections_API_MachineLearningRule: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata 
+ name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + 
timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + required: + - name + - description + - risk_score + - severity + - version + - tags + - enabled + - risk_score_mapping + - severity_mapping + - interval + - from + - to + - actions + - exceptions_list + - author + - false_positives + - references + - max_signals + - threat + - setup + - related_integrations + - required_fields + - $ref: '#/components/schemas/Security_Solution_Detections_API_ResponseFields' + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_MachineLearningRuleResponseFields + Security_Solution_Detections_API_MachineLearningRuleCreateFields: + allOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_MachineLearningRuleRequiredFields + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_MachineLearningRuleOptionalFields + Security_Solution_Detections_API_MachineLearningRuleCreateProps: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + 
#/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: 
'#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + required: + - name + - description + - risk_score + - severity + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_MachineLearningRuleCreateFields + Security_Solution_Detections_API_MachineLearningRuleOptionalFields: + type: object + properties: + alert_suppression: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertSuppression + Security_Solution_Detections_API_MachineLearningRulePatchFields: + allOf: + - type: object + properties: + anomaly_threshold: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AnomalyThreshold + machine_learning_job_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_MachineLearningJobId + type: + description: Rule type + enum: + - machine_learning type: string - esTypes: - - keyword - scripted: false - searchable: true - 
aggregatable: true - readFromDocValues: true - format: - id: string - shortDotsEnable: false - isMapped: true - manufacturer: - count: 0 - name: manufacturer + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_MachineLearningRuleOptionalFields + Security_Solution_Detections_API_MachineLearningRulePatchProps: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleObjectId + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + 
$ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + 
#/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_MachineLearningRulePatchFields + Security_Solution_Detections_API_MachineLearningRuleRequiredFields: + type: object + properties: + anomaly_threshold: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AnomalyThreshold + machine_learning_job_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_MachineLearningJobId + type: + description: Rule type + enum: + - machine_learning + type: string + required: + - type + - machine_learning_job_id + - anomaly_threshold + Security_Solution_Detections_API_MachineLearningRuleResponseFields: + allOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_MachineLearningRuleRequiredFields + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_MachineLearningRuleOptionalFields + Security_Solution_Detections_API_MachineLearningRuleUpdateProps: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + 
enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleObjectId + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_id: + 
$ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + required: + - name + - description + - risk_score + - severity + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_MachineLearningRuleCreateFields + Security_Solution_Detections_API_MaxSignals: + minimum: 1 + type: integer + Security_Solution_Detections_API_NewTermsFields: + items: + type: string + maxItems: 3 + minItems: 1 + type: array + Security_Solution_Detections_API_NewTermsRule: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + 
#/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: 
>- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + required: + - name + - description + - risk_score + - severity + - version + - tags + - enabled + - risk_score_mapping + - severity_mapping + - interval + - from + - to + - actions + - exceptions_list + - author + - false_positives + - references + - max_signals + - threat + - setup + - 
related_integrations + - required_fields + - $ref: '#/components/schemas/Security_Solution_Detections_API_ResponseFields' + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_NewTermsRuleResponseFields + Security_Solution_Detections_API_NewTermsRuleCreateFields: + allOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_NewTermsRuleRequiredFields + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_NewTermsRuleOptionalFields + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_NewTermsRuleDefaultableFields + Security_Solution_Detections_API_NewTermsRuleCreateProps: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + 
#/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + 
#/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + required: + - name + - description + - risk_score + - severity + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_NewTermsRuleCreateFields + Security_Solution_Detections_API_NewTermsRuleDefaultableFields: + type: object + properties: + language: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_KqlQueryLanguage + Security_Solution_Detections_API_NewTermsRuleOptionalFields: + type: object + properties: + alert_suppression: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertSuppression + data_view_id: + $ref: '#/components/schemas/Security_Solution_Detections_API_DataViewId' + filters: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFilterArray + index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IndexPatternArray + Security_Solution_Detections_API_NewTermsRulePatchFields: + allOf: + - type: object + properties: + history_window_start: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_HistoryWindowStart + new_terms_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_NewTermsFields + query: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleQuery' + type: + description: Rule type + enum: + - new_terms type: string - 
esTypes: - - text - scripted: false - searchable: true - aggregatable: false - readFromDocValues: false - format: - id: string - shortDotsEnable: false - isMapped: true - manufacturer.keyword: - count: 0 - name: manufacturer.keyword + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_NewTermsRuleOptionalFields + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_NewTermsRuleDefaultableFields + Security_Solution_Detections_API_NewTermsRulePatchProps: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleObjectId + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: 
'#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + 
#/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_NewTermsRulePatchFields + Security_Solution_Detections_API_NewTermsRuleRequiredFields: + type: object + properties: + history_window_start: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_HistoryWindowStart + new_terms_fields: + $ref: '#/components/schemas/Security_Solution_Detections_API_NewTermsFields' + query: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleQuery' + type: + description: Rule type + enum: + - new_terms + type: string + required: + - type + - query + - new_terms_fields + - history_window_start + Security_Solution_Detections_API_NewTermsRuleResponseFields: + allOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_NewTermsRuleRequiredFields + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_NewTermsRuleOptionalFields + - type: object + properties: + language: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_KqlQueryLanguage + required: + - language + Security_Solution_Detections_API_NewTermsRuleUpdateProps: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: 
>- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleObjectId + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + 
#/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + required: + - name + - description + - risk_score + - severity + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_NewTermsRuleCreateFields + Security_Solution_Detections_API_NonEmptyString: + 
description: A string that is not empty and does not contain only whitespace + minLength: 1 + pattern: ^(?! *$).+$ + type: string + Security_Solution_Detections_API_NormalizedRuleAction: + additionalProperties: false + type: object + properties: + alerts_filter: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionAlertsFilter + frequency: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionFrequency + group: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionGroup + id: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleActionId' + params: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionParams + required: + - id + - params + Security_Solution_Detections_API_NormalizedRuleError: + type: object + properties: + err_code: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BulkActionsDryRunErrCode + message: + type: string + rules: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDetailsInError + type: array + status_code: + type: integer + required: + - message + - status_code + - rules + Security_Solution_Detections_API_OsqueryParams: + type: object + properties: + ecs_mapping: + $ref: '#/components/schemas/Security_Solution_Detections_API_EcsMapping' + pack_id: + type: string + queries: + items: + $ref: '#/components/schemas/Security_Solution_Detections_API_OsqueryQuery' + type: array + query: + type: string + saved_query_id: + type: string + timeout: + type: number + Security_Solution_Detections_API_OsqueryQuery: + type: object + properties: + ecs_mapping: + $ref: '#/components/schemas/Security_Solution_Detections_API_EcsMapping' + id: + description: Query ID + type: string + platform: + type: string + query: + description: Query to run + type: string + removed: + type: boolean + snapshot: + type: boolean + version: + description: Query version + type: string + required: + - id + - query + 
Security_Solution_Detections_API_OsqueryResponseAction: + type: object + properties: + action_type_id: + enum: + - .osquery + type: string + params: + $ref: '#/components/schemas/Security_Solution_Detections_API_OsqueryParams' + required: + - action_type_id + - params + Security_Solution_Detections_API_PlatformErrorResponse: + type: object + properties: + error: + type: string + message: + type: string + statusCode: + type: integer + required: + - statusCode + - error + - message + Security_Solution_Detections_API_ProcessesParams: + type: object + properties: + command: + enum: + - kill-process + - suspend-process + type: string + comment: + type: string + config: + type: object + properties: + field: + description: Field to use instead of process.pid type: string - esTypes: - - keyword - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - subType: - multi: - parent: manufacturer - format: - id: string - shortDotsEnable: false - isMapped: true - order_date: - count: 0 - name: order_date - type: date - esTypes: - - date - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: date - shortDotsEnable: false - isMapped: true - order_id: - count: 0 - name: order_id + overwrite: + default: true + description: Whether to overwrite field with process.pid + type: boolean + required: + - field + required: + - command + - config + Security_Solution_Detections_API_QueryRule: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + 
#/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- 
+ #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + required: + - name + - description + - risk_score + - severity + - version + - tags + - enabled + - risk_score_mapping + - severity_mapping + - interval + - from + - to + - actions + - exceptions_list + - author + - false_positives + - references + - max_signals + - threat + - setup + - related_integrations + - required_fields + - $ref: '#/components/schemas/Security_Solution_Detections_API_ResponseFields' + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_QueryRuleResponseFields + Security_Solution_Detections_API_QueryRuleCreateFields: + allOf: + - $ref: >- + 
#/components/schemas/Security_Solution_Detections_API_QueryRuleRequiredFields + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_QueryRuleOptionalFields + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_QueryRuleDefaultableFields + Security_Solution_Detections_API_QueryRuleCreateProps: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + 
$ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + 
timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + required: + - name + - description + - risk_score + - severity + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_QueryRuleCreateFields + Security_Solution_Detections_API_QueryRuleDefaultableFields: + type: object + properties: + language: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_KqlQueryLanguage + query: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleQuery' + Security_Solution_Detections_API_QueryRuleOptionalFields: + type: object + properties: + alert_suppression: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertSuppression + data_view_id: + $ref: '#/components/schemas/Security_Solution_Detections_API_DataViewId' + filters: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFilterArray + index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IndexPatternArray + response_actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ResponseAction + type: array + saved_id: + $ref: '#/components/schemas/Security_Solution_Detections_API_SavedQueryId' + Security_Solution_Detections_API_QueryRulePatchFields: + allOf: + - type: object + properties: + type: + description: Rule type + enum: + - query type: string - esTypes: - - keyword - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: string - shortDotsEnable: false - isMapped: true - products._id: - count: 0 - name: products._id + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_QueryRuleOptionalFields + - $ref: >- + 
#/components/schemas/Security_Solution_Detections_API_QueryRuleDefaultableFields + Security_Solution_Detections_API_QueryRulePatchProps: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleObjectId + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- 
+ #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + 
#/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_QueryRulePatchFields + Security_Solution_Detections_API_QueryRuleRequiredFields: + type: object + properties: + type: + description: Rule type + enum: + - query + type: string + required: + - type + Security_Solution_Detections_API_QueryRuleResponseFields: + allOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_QueryRuleRequiredFields + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_QueryRuleOptionalFields + - type: object + properties: + language: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_KqlQueryLanguage + query: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleQuery' + required: + - query + - language + Security_Solution_Detections_API_QueryRuleUpdateProps: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + 
false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleObjectId + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: 
'#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + required: + - name + - description + - risk_score + - severity + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_QueryRuleCreateFields + Security_Solution_Detections_API_RelatedIntegration: + description: > + Related integration is a potential dependency of a rule. It's assumed + that if the user installs + + one of the related integrations of a rule, the rule might start to work + properly because it will + + have source events (generated by this integration) potentially matching + the rule's query. + + + NOTE: Proper work is not guaranteed, because a related integration, if + installed, can be + + configured differently or generate data that is not necessarily relevant + for this rule. 
+ + + Related integration is a combination of a Fleet package and (optionally) + one of the + + package's "integrations" that this package contains. It is represented + by 3 properties: + + + - `package`: name of the package (required, unique id) + + - `version`: version of the package (required, semver-compatible) + + - `integration`: name of the integration of this package (optional, id + within the package) + + + There are Fleet packages like `windows` that contain only one + integration; in this case, + + `integration` should be unspecified. There are also packages like `aws` + and `azure` that contain + + several integrations; in this case, `integration` should be specified. + + + @example + + const x: RelatedIntegration = { + package: 'windows', + version: '1.5.x', + }; + + + @example + + const x: RelatedIntegration = { + package: 'azure', + version: '~1.1.6', + integration: 'activitylogs', + }; + type: object + properties: + integration: + $ref: '#/components/schemas/Security_Solution_Detections_API_NonEmptyString' + package: + $ref: '#/components/schemas/Security_Solution_Detections_API_NonEmptyString' + version: + $ref: '#/components/schemas/Security_Solution_Detections_API_NonEmptyString' + required: + - package + - version + Security_Solution_Detections_API_RelatedIntegrationArray: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegration + type: array + Security_Solution_Detections_API_RequiredField: + description: > + Describes an Elasticsearch field that is needed for the rule to + function. + + + Almost all types of Security rules check source event documents for a + match to some kind of + + query or filter. If a document has certain field with certain values, + then it's a match and + + the rule will generate an alert. + + + Required field is an event field that must be present in the source + indices of a given rule. 
+ + + @example + + const standardEcsField: RequiredField = { + name: 'event.action', + type: 'keyword', + ecs: true, + }; + + + @example + + const nonEcsField: RequiredField = { + name: 'winlog.event_data.AttributeLDAPDisplayName', + type: 'keyword', + ecs: false, + }; + type: object + properties: + ecs: + description: Whether the field is an ECS field + type: boolean + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_NonEmptyString' + description: Name of an Elasticsearch field + type: + $ref: '#/components/schemas/Security_Solution_Detections_API_NonEmptyString' + description: Type of the Elasticsearch field + required: + - name + - type + - ecs + Security_Solution_Detections_API_RequiredFieldArray: + items: + $ref: '#/components/schemas/Security_Solution_Detections_API_RequiredField' + type: array + Security_Solution_Detections_API_RequiredFieldInput: + description: >- + Input parameters to create a RequiredField. Does not include the `ecs` + field, because `ecs` is calculated on the backend based on the field + name and type. 
+ type: object + properties: + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_NonEmptyString' + description: Name of an Elasticsearch field + type: + $ref: '#/components/schemas/Security_Solution_Detections_API_NonEmptyString' + description: Type of an Elasticsearch field + required: + - name + - type + Security_Solution_Detections_API_ResponseAction: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_OsqueryResponseAction + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_EndpointResponseAction + Security_Solution_Detections_API_ResponseFields: + type: object + properties: + created_at: + format: date-time + type: string + created_by: + type: string + execution_summary: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExecutionSummary + id: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleObjectId' + immutable: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleImmutable + required_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldArray + revision: + minimum: 0 + type: integer + rule_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + rule_source: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleSource' + updated_at: + format: date-time + type: string + updated_by: + type: string + required: + - id + - rule_id + - immutable + - updated_at + - updated_by + - created_at + - created_by + - revision + - related_integrations + - required_fields + Security_Solution_Detections_API_RiskScore: + description: Risk score (0 to 100) + maximum: 100 + minimum: 0 + type: integer + Security_Solution_Detections_API_RiskScoreMapping: + description: >- + Overrides generated alerts' risk_score with a value from the source + event + items: + type: object + properties: + field: + type: string + operator: + enum: + - equals + type: string + risk_score: + $ref: 
'#/components/schemas/Security_Solution_Detections_API_RiskScore' + value: + type: string + required: + - field + - operator + - value + type: array + Security_Solution_Detections_API_RuleAction: + type: object + properties: + action_type_id: + description: The action type used for sending notifications. + type: string + alerts_filter: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionAlertsFilter + frequency: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionFrequency + group: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionGroup + id: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleActionId' + params: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionParams + uuid: + $ref: '#/components/schemas/Security_Solution_Detections_API_NonEmptyString' + required: + - action_type_id + - id + - params + Security_Solution_Detections_API_RuleActionAlertsFilter: + additionalProperties: true + type: object + Security_Solution_Detections_API_RuleActionFrequency: + description: >- + The action frequency defines when the action runs (for example, only on + rule execution or at specific time intervals). + type: object + properties: + notifyWhen: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionNotifyWhen + summary: + description: >- + Action summary indicates whether we will send a summary notification + about all the generate alerts or notification per individual alert + type: boolean + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + nullable: true + required: + - summary + - notifyWhen + - throttle + Security_Solution_Detections_API_RuleActionGroup: + description: >- + Optionally groups actions by use cases. Use `default` for alert + notifications. + type: string + Security_Solution_Detections_API_RuleActionId: + description: The connector ID. 
+ type: string + Security_Solution_Detections_API_RuleActionNotifyWhen: + description: >- + The condition for throttling the notification: `onActionGroupChange`, + `onActiveAlert`, or `onThrottleInterval` + enum: + - onActiveAlert + - onThrottleInterval + - onActionGroupChange + type: string + Security_Solution_Detections_API_RuleActionParams: + additionalProperties: true + description: >- + Object containing the allowed connector fields, which varies according + to the connector type. + type: object + Security_Solution_Detections_API_RuleActionThrottle: + description: Defines how often rule actions are taken. + oneOf: + - enum: + - no_actions + - rule + type: string + - description: 'Time interval in seconds, minutes, hours, or days.' + example: 1h + pattern: '^[1-9]\d*[smhd]$' + type: string + Security_Solution_Detections_API_RuleAuthorArray: + items: + type: string + type: array + Security_Solution_Detections_API_RuleCreateProps: + anyOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_EqlRuleCreateProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_QueryRuleCreateProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedQueryRuleCreateProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThresholdRuleCreateProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatMatchRuleCreateProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_MachineLearningRuleCreateProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_NewTermsRuleCreateProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_EsqlRuleCreateProps + discriminator: + propertyName: type + Security_Solution_Detections_API_RuleDescription: + minLength: 1 + type: string + Security_Solution_Detections_API_RuleDetailsInError: + type: object + properties: + id: + type: string + name: + type: string + required: + - id + 
Security_Solution_Detections_API_RuleExceptionList: + type: object + properties: + id: + $ref: '#/components/schemas/Security_Solution_Detections_API_NonEmptyString' + description: ID of the exception container + list_id: + $ref: '#/components/schemas/Security_Solution_Detections_API_NonEmptyString' + description: List ID of the exception container + namespace_type: + description: Determines the exceptions validity in rule's Kibana space + enum: + - agnostic + - single + type: string + type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ExceptionListType + required: + - id + - list_id + - type + - namespace_type + Security_Solution_Detections_API_RuleExecutionMetrics: + type: object + properties: + execution_gap_duration_s: + description: Duration in seconds of execution gap + minimum: 0 + type: integer + total_enrichment_duration_ms: + description: >- + Total time spent enriching documents during current rule execution + cycle + minimum: 0 + type: integer + total_indexing_duration_ms: + description: >- + Total time spent indexing documents during current rule execution + cycle + minimum: 0 + type: integer + total_search_duration_ms: + description: >- + Total time spent performing ES searches as measured by Kibana; + includes network latency and time spent serializing/deserializing + request/response + minimum: 0 + type: integer + Security_Solution_Detections_API_RuleExecutionStatus: + description: >- + Custom execution status of Security rules that is different from the + status used in the Alerting Framework. We merge our custom status with + the Framework's status to determine the resulting status of a rule. + + - going to run - @deprecated Replaced by the 'running' status but left + for backwards compatibility with rule execution events already written + to Event Log in the prior versions of Kibana. Don't use when writing + rule status changes. + + - running - Rule execution started but not reached any intermediate or + final status. 
+ + - partial failure - Rule can partially fail for various reasons either + in the middle of an execution (in this case we update its status right + away) or in the end of it. So currently this status can be both + intermediate and final at the same time. A typical reason for a partial + failure: not all the indices that the rule searches over actually exist. + + - failed - Rule failed to execute due to unhandled exception or a reason + defined in the business logic of its executor function. + + - succeeded - Rule executed successfully without any issues. Note: this + status is just an indication of a rule's "health". The rule might or + might not generate any alerts despite of it. + enum: + - going to run + - running + - partial failure + - failed + - succeeded + type: string + Security_Solution_Detections_API_RuleExecutionStatusOrder: + type: integer + Security_Solution_Detections_API_RuleExecutionSummary: + type: object + properties: + last_execution: + type: object + properties: + date: + description: Date of the last execution + format: date-time type: string - esTypes: - - text - scripted: false - searchable: true - aggregatable: false - readFromDocValues: false - format: - id: string - shortDotsEnable: false - isMapped: true - products._id.keyword: - count: 0 - name: products._id.keyword + message: type: string - esTypes: - - keyword - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - subType: - multi: - parent: products._id - format: - id: string - shortDotsEnable: false - isMapped: true - products.base_price: - count: 0 - name: products.base_price - type: number - esTypes: - - half_float - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: number - params: - pattern: $0,0.00 - shortDotsEnable: false - isMapped: true - products.base_unit_price: - count: 0 - name: products.base_unit_price - type: number - esTypes: - - half_float - scripted: false - searchable: true - 
aggregatable: true - readFromDocValues: true - format: - id: number - params: - pattern: $0,0.00 - shortDotsEnable: false - isMapped: true - products.category: - count: 0 - name: products.category + metrics: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExecutionMetrics + status: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExecutionStatus + description: Status of the last execution + status_order: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExecutionStatusOrder + required: + - date + - status + - status_order + - message + - metrics + required: + - last_execution + Security_Solution_Detections_API_RuleFalsePositiveArray: + items: + type: string + type: array + Security_Solution_Detections_API_RuleFilterArray: + items: {} + type: array + Security_Solution_Detections_API_RuleInterval: + description: >- + Frequency of rule execution, using a date math range. For example, "1h" + means the rule runs every hour. Defaults to 5m (5 minutes). + type: string + Security_Solution_Detections_API_RuleIntervalFrom: + description: >- + Time from which data is analyzed each time the rule runs, using a date + math range. For example, now-4200s means the rule analyzes data from 70 + minutes before its start time. Defaults to now-6m (analyzes data from 6 + minutes before the start time). + format: date-math + type: string + Security_Solution_Detections_API_RuleIntervalTo: + type: string + Security_Solution_Detections_API_RuleLicense: + description: The rule's license. 
+ type: string + Security_Solution_Detections_API_RuleMetadata: + additionalProperties: true + type: object + Security_Solution_Detections_API_RuleName: + minLength: 1 + type: string + Security_Solution_Detections_API_RuleNameOverride: + description: Sets the source field for the alert's signal.rule.name value + type: string + Security_Solution_Detections_API_RuleObjectId: + $ref: '#/components/schemas/Security_Solution_Detections_API_UUID' + Security_Solution_Detections_API_RulePatchProps: + anyOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_EqlRulePatchProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_QueryRulePatchProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedQueryRulePatchProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThresholdRulePatchProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatMatchRulePatchProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_MachineLearningRulePatchProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_NewTermsRulePatchProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_EsqlRulePatchProps + Security_Solution_Detections_API_RulePreviewLogs: + type: object + properties: + duration: + description: Execution duration in milliseconds + type: integer + errors: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_NonEmptyString + type: array + startedAt: + $ref: '#/components/schemas/Security_Solution_Detections_API_NonEmptyString' + warnings: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_NonEmptyString + type: array + required: + - errors + - warnings + - duration + Security_Solution_Detections_API_RulePreviewParams: + type: object + properties: + invocationCount: + type: integer + timeframeEnd: + format: date-time + type: string + required: + - invocationCount + - timeframeEnd + 
Security_Solution_Detections_API_RuleQuery: + type: string + Security_Solution_Detections_API_RuleReferenceArray: + items: + type: string + type: array + Security_Solution_Detections_API_RuleResponse: + anyOf: + - $ref: '#/components/schemas/Security_Solution_Detections_API_EqlRule' + - $ref: '#/components/schemas/Security_Solution_Detections_API_QueryRule' + - $ref: '#/components/schemas/Security_Solution_Detections_API_SavedQueryRule' + - $ref: '#/components/schemas/Security_Solution_Detections_API_ThresholdRule' + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatMatchRule + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_MachineLearningRule + - $ref: '#/components/schemas/Security_Solution_Detections_API_NewTermsRule' + - $ref: '#/components/schemas/Security_Solution_Detections_API_EsqlRule' + discriminator: + propertyName: type + Security_Solution_Detections_API_RuleSignatureId: + description: 'Could be any string, not necessarily a UUID' + type: string + Security_Solution_Detections_API_RuleSource: + description: >- + Discriminated union that determines whether the rule is internally + sourced (created within the Kibana app) or has an external source, such + as the Elastic Prebuilt rules repo. + discriminator: + propertyName: type + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ExternalRuleSource + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_InternalRuleSource + Security_Solution_Detections_API_RuleTagArray: + description: >- + String array containing words and phrases to help categorize, filter, + and search rules. Defaults to an empty array. 
+ items: + type: string + type: array + Security_Solution_Detections_API_RuleUpdateProps: + anyOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_EqlRuleUpdateProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_QueryRuleUpdateProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedQueryRuleUpdateProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThresholdRuleUpdateProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatMatchRuleUpdateProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_MachineLearningRuleUpdateProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_NewTermsRuleUpdateProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_EsqlRuleUpdateProps + discriminator: + propertyName: type + Security_Solution_Detections_API_RuleVersion: + description: The rule's version number. + minimum: 1 + type: integer + Security_Solution_Detections_API_SavedObjectResolveAliasPurpose: + enum: + - savedObjectConversion + - savedObjectImport + type: string + Security_Solution_Detections_API_SavedObjectResolveAliasTargetId: + type: string + Security_Solution_Detections_API_SavedObjectResolveOutcome: + enum: + - exactMatch + - aliasMatch + - conflict + type: string + Security_Solution_Detections_API_SavedQueryId: + type: string + Security_Solution_Detections_API_SavedQueryRule: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + 
#/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- 
+ #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + required: + - name + - description + - risk_score + - severity + - version + - tags + - enabled + - risk_score_mapping + - severity_mapping + - interval + - from + - to + - actions + - exceptions_list + - author + - false_positives + - references + - max_signals + - threat + - setup + - related_integrations + - required_fields + - $ref: '#/components/schemas/Security_Solution_Detections_API_ResponseFields' + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedQueryRuleResponseFields + Security_Solution_Detections_API_SavedQueryRuleCreateFields: + allOf: + - $ref: >- + 
#/components/schemas/Security_Solution_Detections_API_SavedQueryRuleRequiredFields + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedQueryRuleOptionalFields + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedQueryRuleDefaultableFields + Security_Solution_Detections_API_SavedQueryRuleCreateProps: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' 
+ namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + 
timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + required: + - name + - description + - risk_score + - severity + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedQueryRuleCreateFields + Security_Solution_Detections_API_SavedQueryRuleDefaultableFields: + type: object + properties: + language: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_KqlQueryLanguage + Security_Solution_Detections_API_SavedQueryRuleOptionalFields: + type: object + properties: + alert_suppression: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertSuppression + data_view_id: + $ref: '#/components/schemas/Security_Solution_Detections_API_DataViewId' + filters: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFilterArray + index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IndexPatternArray + query: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleQuery' + response_actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ResponseAction + type: array + Security_Solution_Detections_API_SavedQueryRulePatchFields: + allOf: + - type: object + properties: + saved_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedQueryId + type: + description: Rule type + enum: + - saved_query + type: string + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedQueryRuleOptionalFields + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedQueryRuleDefaultableFields + Security_Solution_Detections_API_SavedQueryRulePatchProps: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + 
#/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleObjectId + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + 
#/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + - $ref: >- + 
#/components/schemas/Security_Solution_Detections_API_SavedQueryRulePatchFields + Security_Solution_Detections_API_SavedQueryRuleRequiredFields: + type: object + properties: + saved_id: + $ref: '#/components/schemas/Security_Solution_Detections_API_SavedQueryId' + type: + description: Rule type + enum: + - saved_query + type: string + required: + - type + - saved_id + Security_Solution_Detections_API_SavedQueryRuleResponseFields: + allOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedQueryRuleRequiredFields + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedQueryRuleOptionalFields + - type: object + properties: + language: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_KqlQueryLanguage + required: + - language + Security_Solution_Detections_API_SavedQueryRuleUpdateProps: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + id: + $ref: >- + 
#/components/schemas/Security_Solution_Detections_API_RuleObjectId + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + 
#/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + required: + - name + - description + - risk_score + - severity + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedQueryRuleCreateFields + Security_Solution_Detections_API_SetAlertsStatusByIds: + type: object + properties: + signal_ids: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_NonEmptyString + minItems: 1 + type: array + status: + $ref: '#/components/schemas/Security_Solution_Detections_API_AlertStatus' + required: + - signal_ids + - status + Security_Solution_Detections_API_SetAlertsStatusByQuery: + type: object + properties: + conflicts: + default: abort + enum: + - abort + - proceed + type: string + query: + additionalProperties: true + type: object + status: + $ref: '#/components/schemas/Security_Solution_Detections_API_AlertStatus' + required: + - query + - status + Security_Solution_Detections_API_SetAlertTags: + type: object + properties: + tags_to_add: + $ref: '#/components/schemas/Security_Solution_Detections_API_AlertTags' + 
tags_to_remove: + $ref: '#/components/schemas/Security_Solution_Detections_API_AlertTags' + required: + - tags_to_add + - tags_to_remove + Security_Solution_Detections_API_SetupGuide: + type: string + Security_Solution_Detections_API_Severity: + description: Severity of the rule + enum: + - low + - medium + - high + - critical + type: string + Security_Solution_Detections_API_SeverityMapping: + description: Overrides generated alerts' severity with values from the source event + items: + type: object + properties: + field: + type: string + operator: + enum: + - equals + type: string + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + value: + type: string + required: + - field + - operator + - severity + - value + type: array + Security_Solution_Detections_API_SiemErrorResponse: + type: object + properties: + message: + type: string + status_code: + type: integer + required: + - status_code + - message + Security_Solution_Detections_API_SortOrder: + enum: + - asc + - desc + type: string + Security_Solution_Detections_API_Threat: + type: object + properties: + framework: + description: Relevant attack framework + type: string + tactic: + $ref: '#/components/schemas/Security_Solution_Detections_API_ThreatTactic' + technique: + description: Array containing information on the attack techniques (optional) + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatTechnique + type: array + required: + - framework + - tactic + Security_Solution_Detections_API_ThreatArray: + items: + $ref: '#/components/schemas/Security_Solution_Detections_API_Threat' + type: array + Security_Solution_Detections_API_ThreatFilters: + items: + description: >- + Query and filter context array used to filter documents from the + Elasticsearch index containing the threat values + type: array + Security_Solution_Detections_API_ThreatIndex: + items: + type: string + type: array + Security_Solution_Detections_API_ThreatIndicatorPath: + 
description: >- + Defines the path to the threat indicator in the indicator documents + (optional) + type: string + Security_Solution_Detections_API_ThreatMapping: + items: + type: object + properties: + entries: + items: + type: object + properties: + field: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_NonEmptyString + type: + enum: + - mapping + type: string + value: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_NonEmptyString + required: + - field + - type + - value + type: array + required: + - entries + minItems: 1 + type: array + Security_Solution_Detections_API_ThreatMatchRule: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + 
#/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + 
#/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + required: + - name + - description + - risk_score + - severity + - version + - tags + - enabled + - risk_score_mapping + - severity_mapping + - interval + - from + - to + - actions + - exceptions_list + - author + - false_positives + - references + - max_signals + - threat + - setup + - related_integrations + - required_fields + - $ref: '#/components/schemas/Security_Solution_Detections_API_ResponseFields' + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatMatchRuleResponseFields + Security_Solution_Detections_API_ThreatMatchRuleCreateFields: + allOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatMatchRuleRequiredFields + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatMatchRuleOptionalFields + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatMatchRuleDefaultableFields + Security_Solution_Detections_API_ThreatMatchRuleCreateProps: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + 
#/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: 
+ $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + required: + - name + - description + - risk_score + - severity + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatMatchRuleCreateFields + Security_Solution_Detections_API_ThreatMatchRuleDefaultableFields: + type: object + properties: + language: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_KqlQueryLanguage + Security_Solution_Detections_API_ThreatMatchRuleOptionalFields: + type: object + 
properties: + alert_suppression: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertSuppression + concurrent_searches: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ConcurrentSearches + data_view_id: + $ref: '#/components/schemas/Security_Solution_Detections_API_DataViewId' + filters: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFilterArray + index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IndexPatternArray + items_per_search: + $ref: '#/components/schemas/Security_Solution_Detections_API_ItemsPerSearch' + saved_id: + $ref: '#/components/schemas/Security_Solution_Detections_API_SavedQueryId' + threat_filters: + $ref: '#/components/schemas/Security_Solution_Detections_API_ThreatFilters' + threat_indicator_path: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatIndicatorPath + threat_language: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_KqlQueryLanguage + Security_Solution_Detections_API_ThreatMatchRulePatchFields: + allOf: + - type: object + properties: + query: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleQuery' + threat_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatIndex + threat_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatMapping + threat_query: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatQuery + type: + description: Rule type + enum: + - threat_match type: string - esTypes: - - text - scripted: false - searchable: true - aggregatable: false - readFromDocValues: false - format: - id: string - shortDotsEnable: false - isMapped: true - products.category.keyword: - count: 0 - name: products.category.keyword + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatMatchRuleOptionalFields + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatMatchRuleDefaultableFields + 
Security_Solution_Detections_API_ThreatMatchRulePatchProps: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleObjectId + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + 
outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + 
#/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatMatchRulePatchFields + Security_Solution_Detections_API_ThreatMatchRuleRequiredFields: + type: object + properties: + query: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleQuery' + threat_index: + $ref: '#/components/schemas/Security_Solution_Detections_API_ThreatIndex' + threat_mapping: + $ref: '#/components/schemas/Security_Solution_Detections_API_ThreatMapping' + threat_query: + $ref: '#/components/schemas/Security_Solution_Detections_API_ThreatQuery' + type: + description: Rule type + enum: + - threat_match + type: string + required: + - type + - query + - threat_query + - threat_mapping + - threat_index + Security_Solution_Detections_API_ThreatMatchRuleResponseFields: + allOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatMatchRuleRequiredFields + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatMatchRuleOptionalFields + - type: object + properties: + language: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_KqlQueryLanguage + required: + - language + Security_Solution_Detections_API_ThreatMatchRuleUpdateProps: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + 
#/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleObjectId + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + 
#/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + required: + - name + - description + - risk_score + - severity + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatMatchRuleCreateFields + Security_Solution_Detections_API_ThreatQuery: + description: Query to run + type: string + Security_Solution_Detections_API_ThreatSubtechnique: + type: object + properties: + id: + description: Subtechnique ID + type: string + name: + description: Subtechnique name + type: string + reference: + description: Subtechnique reference + type: string + required: + - id + - name + - 
reference + Security_Solution_Detections_API_ThreatTactic: + type: object + properties: + id: + description: Tactic ID + type: string + name: + description: Tactic name + type: string + reference: + description: Tactic reference + type: string + required: + - id + - name + - reference + Security_Solution_Detections_API_ThreatTechnique: + type: object + properties: + id: + description: Technique ID + type: string + name: + description: Technique name + type: string + reference: + description: Technique reference + type: string + subtechnique: + description: Array containing more specific information on the attack technique + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatSubtechnique + type: array + required: + - id + - name + - reference + Security_Solution_Detections_API_Threshold: + type: object + properties: + cardinality: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThresholdCardinality + field: + $ref: '#/components/schemas/Security_Solution_Detections_API_ThresholdField' + value: + $ref: '#/components/schemas/Security_Solution_Detections_API_ThresholdValue' + required: + - field + - value + Security_Solution_Detections_API_ThresholdAlertSuppression: + type: object + properties: + duration: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertSuppressionDuration + required: + - duration + Security_Solution_Detections_API_ThresholdCardinality: + items: + type: object + properties: + field: + type: string + value: + minimum: 0 + type: integer + required: + - field + - value + type: array + Security_Solution_Detections_API_ThresholdField: + description: Field to aggregate on + oneOf: + - type: string + - items: + type: string + type: array + Security_Solution_Detections_API_ThresholdRule: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + 
#/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: 
>- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + required: + - name + - description + - risk_score + - severity + - version + - tags + - enabled + - risk_score_mapping + - severity_mapping + - interval + - from + - to + - actions + - exceptions_list + - author + - false_positives + - references + - max_signals + - threat + - setup + - 
related_integrations + - required_fields + - $ref: '#/components/schemas/Security_Solution_Detections_API_ResponseFields' + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThresholdRuleResponseFields + Security_Solution_Detections_API_ThresholdRuleCreateFields: + allOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThresholdRuleRequiredFields + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThresholdRuleOptionalFields + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThresholdRuleDefaultableFields + Security_Solution_Detections_API_ThresholdRuleCreateProps: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + 
#/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + 
#/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + required: + - name + - description + - risk_score + - severity + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThresholdRuleCreateFields + Security_Solution_Detections_API_ThresholdRuleDefaultableFields: + type: object + properties: + language: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_KqlQueryLanguage + Security_Solution_Detections_API_ThresholdRuleOptionalFields: + type: object + properties: + alert_suppression: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThresholdAlertSuppression + data_view_id: + $ref: '#/components/schemas/Security_Solution_Detections_API_DataViewId' + filters: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFilterArray + index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IndexPatternArray + saved_id: + $ref: '#/components/schemas/Security_Solution_Detections_API_SavedQueryId' + Security_Solution_Detections_API_ThresholdRulePatchFields: + allOf: + - type: object + properties: + query: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleQuery' + threshold: + $ref: '#/components/schemas/Security_Solution_Detections_API_Threshold' + type: + description: Rule type + enum: + - threshold type: string - esTypes: - - keyword - 
scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - subType: - multi: - parent: products.category - format: - id: string - shortDotsEnable: false - isMapped: true - products.created_on: - count: 0 - name: products.created_on - type: date - esTypes: - - date - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: date - shortDotsEnable: false - isMapped: true - products.discount_amount: - count: 0 - name: products.discount_amount - type: number - esTypes: - - half_float - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: number - shortDotsEnable: false - isMapped: true - products.discount_percentage: - count: 0 - name: products.discount_percentage - type: number - esTypes: - - half_float - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: number - shortDotsEnable: false - isMapped: true - products.manufacturer: - count: 1 - name: products.manufacturer + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThresholdRuleOptionalFields + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThresholdRuleDefaultableFields + Security_Solution_Detections_API_ThresholdRulePatchProps: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + 
#/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleObjectId + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_id: + $ref: >- + 
#/components/schemas/Security_Solution_Detections_API_RuleSignatureId + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThresholdRulePatchFields + Security_Solution_Detections_API_ThresholdRuleRequiredFields: + type: object + properties: + query: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleQuery' + threshold: + $ref: '#/components/schemas/Security_Solution_Detections_API_Threshold' + type: + description: Rule type + enum: + - threshold + type: string + required: + - type + - query + - threshold + Security_Solution_Detections_API_ThresholdRuleResponseFields: + allOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThresholdRuleRequiredFields 
+ - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThresholdRuleOptionalFields + - type: object + properties: + language: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_KqlQueryLanguage + required: + - language + Security_Solution_Detections_API_ThresholdRuleUpdateProps: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleObjectId + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: 
'#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + 
#/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + required: + - name + - description + - risk_score + - severity + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThresholdRuleCreateFields + Security_Solution_Detections_API_ThresholdValue: + description: Threshold value + minimum: 1 + type: integer + Security_Solution_Detections_API_ThrottleForBulkActions: + description: >- + The condition for throttling the notification: 'rule', 'no_actions', or + time duration + enum: + - rule + - 1h + - 1d + - 7d + type: string + Security_Solution_Detections_API_TiebreakerField: + description: Sets a secondary field for sorting events + type: string + Security_Solution_Detections_API_TimelineTemplateId: + description: Timeline template ID + type: string + Security_Solution_Detections_API_TimelineTemplateTitle: + description: Timeline template title + type: string + Security_Solution_Detections_API_TimestampField: + description: Contains the event timestamp used for sorting a sequence of events + type: string + Security_Solution_Detections_API_TimestampOverride: + description: Sets the time field used to query indices + type: string + Security_Solution_Detections_API_TimestampOverrideFallbackDisabled: + description: Disables the fallback to the event's @timestamp field + type: boolean + Security_Solution_Detections_API_UUID: + description: A universally unique identifier + format: uuid + type: string + Security_Solution_Detections_API_WarningSchema: + type: object + properties: + actionPath: + type: string + buttonLabel: + type: string + message: + type: string + type: + type: string + required: + - type + - message + - 
actionPath + Security_Solution_Endpoint_Exceptions_API_EndpointList: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionList + - additionalProperties: false + type: object + Security_Solution_Endpoint_Exceptions_API_EndpointListItem: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItem + Security_Solution_Endpoint_Exceptions_API_ExceptionList: + type: object + properties: + _version: + type: string + created_at: + format: date-time + type: string + created_by: + type: string + description: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListDescription + id: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListId + immutable: + type: boolean + list_id: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListHumanId + meta: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListMeta + name: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListName + namespace_type: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionNamespaceType + os_types: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListOsTypeArray + tags: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListTags + tie_breaker_id: + type: string + type: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListType + updated_at: + format: date-time + type: string + updated_by: + type: string + version: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListVersion + required: + - id + - list_id + - type + - name + - description + - immutable + - namespace_type + - version + - tie_breaker_id + - created_at + - created_by + - updated_at + - updated_by + 
Security_Solution_Endpoint_Exceptions_API_ExceptionListDescription: + type: string + Security_Solution_Endpoint_Exceptions_API_ExceptionListHumanId: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_NonEmptyString + description: 'Human readable string identifier, e.g. `trusted-linux-processes`' + Security_Solution_Endpoint_Exceptions_API_ExceptionListId: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_NonEmptyString + Security_Solution_Endpoint_Exceptions_API_ExceptionListItem: + type: object + properties: + _version: + type: string + comments: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemCommentArray + created_at: + format: date-time + type: string + created_by: + type: string + description: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemDescription + entries: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntryArray + expire_time: + format: date-time + type: string + id: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemId + item_id: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemHumanId + list_id: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListHumanId + meta: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemMeta + name: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemName + namespace_type: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionNamespaceType + os_types: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray + tags: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemTags + tie_breaker_id: + type: string + type: + $ref: >- 
+ #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemType + updated_at: + format: date-time + type: string + updated_by: + type: string + required: + - id + - item_id + - list_id + - type + - name + - description + - entries + - namespace_type + - comments + - tie_breaker_id + - created_at + - created_by + - updated_at + - updated_by + Security_Solution_Endpoint_Exceptions_API_ExceptionListItemComment: + type: object + properties: + comment: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_NonEmptyString + created_at: + format: date-time + type: string + created_by: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_NonEmptyString + id: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_NonEmptyString + updated_at: + format: date-time + type: string + updated_by: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_NonEmptyString + required: + - id + - comment + - created_at + - created_by + Security_Solution_Endpoint_Exceptions_API_ExceptionListItemCommentArray: + items: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemComment + type: array + Security_Solution_Endpoint_Exceptions_API_ExceptionListItemDescription: + type: string + Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntry: + anyOf: + - $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntryMatch + - $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntryMatchAny + - $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntryList + - $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntryExists + - $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntryNested + - $ref: >- + 
#/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntryMatchWildcard + discriminator: + propertyName: type + Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntryArray: + items: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntry + type: array + Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntryExists: + type: object + properties: + field: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_NonEmptyString + operator: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntryOperator + type: + enum: + - exists + type: string + required: + - type + - field + - operator + Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntryList: + type: object + properties: + field: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_NonEmptyString + list: + type: object + properties: + id: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ListId + type: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ListType + required: + - id + - type + operator: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntryOperator + type: + enum: + - list + type: string + required: + - type + - field + - list + - operator + Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntryMatch: + type: object + properties: + field: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_NonEmptyString + operator: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntryOperator + type: + enum: + - match + type: string + value: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_NonEmptyString + required: + - type + - field + - value + - operator + Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntryMatchAny: + type: 
object + properties: + field: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_NonEmptyString + operator: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntryOperator + type: + enum: + - match_any + type: string + value: + items: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_NonEmptyString + minItems: 1 + type: array + required: + - type + - field + - value + - operator + Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntryMatchWildcard: + type: object + properties: + field: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_NonEmptyString + operator: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntryOperator + type: + enum: + - wildcard + type: string + value: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_NonEmptyString + required: + - type + - field + - value + - operator + Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntryNested: + type: object + properties: + entries: + items: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntryNestedEntryItem + minItems: 1 + type: array + field: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_NonEmptyString + type: + enum: + - nested + type: string + required: + - type + - field + - entries + Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntryNestedEntryItem: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntryMatch + - $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntryMatchAny + - $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntryExists + Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntryOperator: + enum: + - excluded + - included + type: string + 
Security_Solution_Endpoint_Exceptions_API_ExceptionListItemHumanId: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_NonEmptyString + Security_Solution_Endpoint_Exceptions_API_ExceptionListItemId: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_NonEmptyString + Security_Solution_Endpoint_Exceptions_API_ExceptionListItemMeta: + additionalProperties: true + type: object + Security_Solution_Endpoint_Exceptions_API_ExceptionListItemName: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_NonEmptyString + Security_Solution_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray: + items: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListOsType + type: array + Security_Solution_Endpoint_Exceptions_API_ExceptionListItemTags: + items: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_NonEmptyString + type: array + Security_Solution_Endpoint_Exceptions_API_ExceptionListItemType: + enum: + - simple + type: string + Security_Solution_Endpoint_Exceptions_API_ExceptionListMeta: + additionalProperties: true + type: object + Security_Solution_Endpoint_Exceptions_API_ExceptionListName: + type: string + Security_Solution_Endpoint_Exceptions_API_ExceptionListOsType: + enum: + - linux + - macos + - windows + type: string + Security_Solution_Endpoint_Exceptions_API_ExceptionListOsTypeArray: + items: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListOsType + type: array + Security_Solution_Endpoint_Exceptions_API_ExceptionListTags: + items: + type: string + type: array + Security_Solution_Endpoint_Exceptions_API_ExceptionListType: + enum: + - detection + - rule_default + - endpoint + - endpoint_trusted_apps + - endpoint_events + - endpoint_host_isolation_exceptions + - endpoint_blocklists + type: string + Security_Solution_Endpoint_Exceptions_API_ExceptionListVersion: + minimum: 1 + type: integer + 
Security_Solution_Endpoint_Exceptions_API_ExceptionNamespaceType: + description: > + Determines whether the exception container is available in all Kibana + spaces or just the space + + in which it is created, where: + + + - `single`: Only available in the Kibana space in which it is created. + + - `agnostic`: Available in all Kibana spaces. + enum: + - agnostic + - single + type: string + Security_Solution_Endpoint_Exceptions_API_FindEndpointListItemsFilter: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_NonEmptyString + Security_Solution_Endpoint_Exceptions_API_ListId: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_NonEmptyString + Security_Solution_Endpoint_Exceptions_API_ListType: + enum: + - binary + - boolean + - byte + - date + - date_nanos + - date_range + - double + - double_range + - float + - float_range + - geo_point + - geo_shape + - half_float + - integer + - integer_range + - ip + - ip_range + - keyword + - long + - long_range + - shape + - short + - text + type: string + Security_Solution_Endpoint_Exceptions_API_NonEmptyString: + description: A string that is not empty and does not contain only whitespace + minLength: 1 + pattern: ^(?! 
*$).+$ + type: string + Security_Solution_Endpoint_Exceptions_API_PlatformErrorResponse: + type: object + properties: + error: + type: string + message: + type: string + statusCode: + type: integer + required: + - statusCode + - error + - message + Security_Solution_Endpoint_Exceptions_API_SiemErrorResponse: + type: object + properties: + message: + type: string + status_code: + type: integer + required: + - status_code + - message + Security_Solution_Endpoint_Management_API_ActionLogRequestQuery: + type: object + properties: + end_date: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_EndDate + page: + $ref: '#/components/schemas/Security_Solution_Endpoint_Management_API_Page' + page_size: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_PageSize + start_date: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_StartDate + Security_Solution_Endpoint_Management_API_ActionStateSuccessResponse: + type: object + properties: + body: + type: object + properties: + data: + type: object + properties: + canEncrypt: + type: boolean + required: + - data + required: + - body + Security_Solution_Endpoint_Management_API_ActionStatusSuccessResponse: + type: object + properties: + body: + type: object + properties: + data: + type: object + properties: + agent_id: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_AgentId + pending_actions: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_PendingActionsSchema + required: + - agent_id + - pending_actions + required: + - data + required: + - body + Security_Solution_Endpoint_Management_API_AgentId: + description: Agent ID + type: string + Security_Solution_Endpoint_Management_API_AgentIds: + minLength: 1 + oneOf: + - items: + minLength: 1 + type: string + maxItems: 50 + minItems: 1 + type: array + - minLength: 1 + type: string + Security_Solution_Endpoint_Management_API_AgentTypes: + enum: + - endpoint + 
- sentinel_one + - crowdstrike + type: string + Security_Solution_Endpoint_Management_API_AlertIds: + description: A list of alerts ids. + items: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_NonEmptyString + minItems: 1 + type: array + Security_Solution_Endpoint_Management_API_CaseIds: + description: Case IDs to be updated (cannot contain empty strings) + items: + minLength: 1 + type: string + minItems: 1 + type: array + Security_Solution_Endpoint_Management_API_Command: + description: The command to be executed (cannot be an empty string) + enum: + - isolate + - unisolate + - kill-process + - suspend-process + - running-processes + - get-file + - execute + - upload + - scan + minLength: 1 + type: string + Security_Solution_Endpoint_Management_API_Commands: + items: + $ref: '#/components/schemas/Security_Solution_Endpoint_Management_API_Command' + type: array + Security_Solution_Endpoint_Management_API_Comment: + description: Optional comment + type: string + Security_Solution_Endpoint_Management_API_EndDate: + description: End date + type: string + Security_Solution_Endpoint_Management_API_EndpointIds: + description: List of endpoint IDs (cannot contain empty strings) + items: + minLength: 1 + type: string + minItems: 1 + type: array + Security_Solution_Endpoint_Management_API_ExecuteRouteRequestBody: + allOf: + - type: object + properties: + agent_type: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_AgentTypes + alert_ids: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_AlertIds + case_ids: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_CaseIds + comment: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_Comment + endpoint_ids: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_EndpointIds + parameters: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_Parameters + 
required: + - endpoint_ids + - type: object + properties: + parameters: + type: object + properties: + command: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_Command + timeout: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_Timeout + required: + - command + required: + - parameters + Security_Solution_Endpoint_Management_API_GetEndpointActionListRouteQuery: + type: object + properties: + agentIds: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_AgentIds + agentTypes: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_AgentTypes + commands: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_Commands + endDate: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_EndDate + page: + $ref: '#/components/schemas/Security_Solution_Endpoint_Management_API_Page' + pageSize: + default: 10 + description: Number of items per page + maximum: 10000 + minimum: 1 + type: integer + startDate: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_StartDate + types: + $ref: '#/components/schemas/Security_Solution_Endpoint_Management_API_Types' + userIds: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_UserIds + withOutputs: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_WithOutputs + Security_Solution_Endpoint_Management_API_GetFileRouteRequestBody: + allOf: + - type: object + properties: + agent_type: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_AgentTypes + alert_ids: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_AlertIds + case_ids: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_CaseIds + comment: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_Comment + endpoint_ids: + $ref: >- + 
#/components/schemas/Security_Solution_Endpoint_Management_API_EndpointIds + parameters: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_Parameters + required: + - endpoint_ids + - type: object + properties: + parameters: + type: object + properties: + path: + type: string + required: + - path + required: + - parameters + Security_Solution_Endpoint_Management_API_GetProcessesRouteRequestBody: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_NoParametersRequestSchema + Security_Solution_Endpoint_Management_API_IsolateRouteRequestBody: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_NoParametersRequestSchema + Security_Solution_Endpoint_Management_API_KillOrSuspendActionSchema: + allOf: + - type: object + properties: + agent_type: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_AgentTypes + alert_ids: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_AlertIds + case_ids: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_CaseIds + comment: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_Comment + endpoint_ids: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_EndpointIds + parameters: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_Parameters + required: + - endpoint_ids + - type: object + properties: + parameters: + oneOf: + - type: object + properties: + pid: + minimum: 1 + type: integer + - type: object + properties: + entity_id: + minLength: 1 + type: string + required: + - parameters + Security_Solution_Endpoint_Management_API_ListRequestQuery: + type: object + properties: + hostStatuses: + items: + enum: + - healthy + - offline + - updating + - inactive + - unenrolled + type: string + type: array + kuery: + nullable: true + type: string + page: + default: 0 + description: Page number + minimum: 0 + type: integer + 
pageSize: + default: 10 + description: Number of items per page + maximum: 10000 + minimum: 1 + type: integer + sortDirection: + enum: + - asc + - desc + nullable: true + type: string + sortField: + enum: + - enrolled_at + - metadata.host.hostname + - host_status + - metadata.Endpoint.policy.applied.name + - metadata.Endpoint.policy.applied.status + - metadata.host.os.name + - metadata.host.ip + - metadata.agent.version + - last_checkin + type: string + required: + - hostStatuses + Security_Solution_Endpoint_Management_API_NonEmptyString: + description: A string that is not empty and does not contain only whitespace + minLength: 1 + pattern: ^(?! *$).+$ + type: string + Security_Solution_Endpoint_Management_API_NoParametersRequestSchema: + type: object + properties: + body: + type: object + properties: + agent_type: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_AgentTypes + alert_ids: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_AlertIds + case_ids: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_CaseIds + comment: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_Comment + endpoint_ids: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_EndpointIds + parameters: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_Parameters + required: + - endpoint_ids + required: + - body + Security_Solution_Endpoint_Management_API_Page: + default: 1 + description: Page number + minimum: 1 + type: integer + Security_Solution_Endpoint_Management_API_PageSize: + default: 10 + description: Number of items per page + maximum: 100 + minimum: 1 + type: integer + Security_Solution_Endpoint_Management_API_Parameters: + description: Optional parameters object + type: object + Security_Solution_Endpoint_Management_API_PendingActionDataType: + type: integer + Security_Solution_Endpoint_Management_API_PendingActionsSchema: + 
oneOf: + - type: object + properties: + execute: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_PendingActionDataType + get-file: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_PendingActionDataType + isolate: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_PendingActionDataType + kill-process: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_PendingActionDataType + running-processes: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_PendingActionDataType + scan: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_PendingActionDataType + suspend-process: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_PendingActionDataType + unisolate: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_PendingActionDataType + upload: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_PendingActionDataType + - additionalProperties: true + type: object + Security_Solution_Endpoint_Management_API_ProtectionUpdatesNoteResponse: + type: object + properties: + note: + type: string + Security_Solution_Endpoint_Management_API_ScanRouteRequestBody: + allOf: + - type: object + properties: + agent_type: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_AgentTypes + alert_ids: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_AlertIds + case_ids: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_CaseIds + comment: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_Comment + endpoint_ids: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_EndpointIds + parameters: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_Parameters + required: + - endpoint_ids + - type: object + properties: + parameters: + type: 
object + properties: + path: + type: string + required: + - path + required: + - parameters + Security_Solution_Endpoint_Management_API_StartDate: + description: Start date + type: string + Security_Solution_Endpoint_Management_API_SuccessResponse: + type: object + properties: {} + Security_Solution_Endpoint_Management_API_Timeout: + description: The maximum timeout value in milliseconds (optional) + minimum: 1 + type: integer + Security_Solution_Endpoint_Management_API_Type: + description: Type of response action + enum: + - automated + - manual + type: string + Security_Solution_Endpoint_Management_API_Types: + description: List of types of response actions + items: + $ref: '#/components/schemas/Security_Solution_Endpoint_Management_API_Type' + maxLength: 2 + minLength: 1 + type: array + Security_Solution_Endpoint_Management_API_UnisolateRouteRequestBody: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_NoParametersRequestSchema + Security_Solution_Endpoint_Management_API_UploadRouteRequestBody: + allOf: + - type: object + properties: + agent_type: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_AgentTypes + alert_ids: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_AlertIds + case_ids: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_CaseIds + comment: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_Comment + endpoint_ids: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_EndpointIds + parameters: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_Parameters + required: + - endpoint_ids + - type: object + properties: + file: + format: binary type: string - esTypes: - - text - scripted: false - searchable: true - aggregatable: false - readFromDocValues: false - format: - id: string - shortDotsEnable: false - isMapped: true - products.manufacturer.keyword: - count: 0 - name: 
products.manufacturer.keyword + parameters: + type: object + properties: + overwrite: + default: false + type: boolean + required: + - parameters + - file + Security_Solution_Endpoint_Management_API_UserIds: + description: User IDs + oneOf: + - items: + minLength: 1 + type: string + minItems: 1 + type: array + - minLength: 1 + type: string + Security_Solution_Endpoint_Management_API_WithOutputs: + description: Shows detailed outputs for an action response + oneOf: + - items: + minLength: 1 + type: string + minItems: 1 + type: array + - minLength: 1 + type: string + Security_Solution_Entity_Analytics_API_AssetCriticalityBulkUploadErrorItem: + type: object + properties: + index: + type: integer + message: + type: string + required: + - message + - index + Security_Solution_Entity_Analytics_API_AssetCriticalityBulkUploadStats: + type: object + properties: + failed: + type: integer + successful: + type: integer + total: + type: integer + required: + - successful + - failed + - total + Security_Solution_Entity_Analytics_API_AssetCriticalityLevel: + description: The criticality level of the asset. + enum: + - low_impact + - medium_impact + - high_impact + - extreme_impact + type: string + Security_Solution_Entity_Analytics_API_AssetCriticalityRecord: + allOf: + - $ref: >- + #/components/schemas/Security_Solution_Entity_Analytics_API_CreateAssetCriticalityRecord + - type: object + properties: + '@timestamp': + description: The time the record was created or updated. + example: '2017-07-21T17:32:28Z' + format: date-time + type: string + required: + - '@timestamp' + Security_Solution_Entity_Analytics_API_AssetCriticalityRecordIdParts: + type: object + properties: + id_field: + $ref: '#/components/schemas/Security_Solution_Entity_Analytics_API_IdField' + description: The field representing the ID. + example: host.name + id_value: + description: The ID value of the asset. 
+ type: string + required: + - id_value + - id_field + Security_Solution_Entity_Analytics_API_CreateAssetCriticalityRecord: + allOf: + - $ref: >- + #/components/schemas/Security_Solution_Entity_Analytics_API_AssetCriticalityRecordIdParts + - type: object + properties: + criticality_level: + $ref: >- + #/components/schemas/Security_Solution_Entity_Analytics_API_AssetCriticalityLevel + required: + - criticality_level + Security_Solution_Entity_Analytics_API_IdField: + enum: + - host.name + - user.name + type: string + Security_Solution_Exceptions_API_CreateExceptionListItemComment: + type: object + properties: + comment: + $ref: '#/components/schemas/Security_Solution_Exceptions_API_NonEmptyString' + required: + - comment + Security_Solution_Exceptions_API_CreateExceptionListItemCommentArray: + items: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_CreateExceptionListItemComment + type: array + Security_Solution_Exceptions_API_CreateRuleExceptionListItemComment: + type: object + properties: + comment: + $ref: '#/components/schemas/Security_Solution_Exceptions_API_NonEmptyString' + required: + - comment + Security_Solution_Exceptions_API_CreateRuleExceptionListItemCommentArray: + items: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_CreateRuleExceptionListItemComment + type: array + Security_Solution_Exceptions_API_CreateRuleExceptionListItemProps: + type: object + properties: + comments: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_CreateRuleExceptionListItemCommentArray + default: [] + description: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemDescription + entries: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemEntryArray + expire_time: + format: date-time + type: string + item_id: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemHumanId + meta: + $ref: >- + 
#/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemMeta + name: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemName + namespace_type: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionNamespaceType + default: single + os_types: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemOsTypeArray + default: [] + tags: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemTags + default: [] + type: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemType + required: + - type + - name + - description + - entries + Security_Solution_Exceptions_API_ExceptionList: + type: object + properties: + _version: + type: string + created_at: + format: date-time + type: string + created_by: + type: string + description: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListDescription + id: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListId + immutable: + type: boolean + list_id: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListHumanId + meta: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListMeta + name: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListName + namespace_type: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionNamespaceType + os_types: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListOsTypeArray + tags: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListTags + tie_breaker_id: + type: string + type: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListType + updated_at: + format: date-time + type: string + updated_by: + type: string + version: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListVersion + 
required: + - id + - list_id + - type + - name + - description + - immutable + - namespace_type + - version + - tie_breaker_id + - created_at + - created_by + - updated_at + - updated_by + Security_Solution_Exceptions_API_ExceptionListDescription: + type: string + Security_Solution_Exceptions_API_ExceptionListHumanId: + $ref: '#/components/schemas/Security_Solution_Exceptions_API_NonEmptyString' + description: 'Human readable string identifier, e.g. `trusted-linux-processes`' + Security_Solution_Exceptions_API_ExceptionListId: + $ref: '#/components/schemas/Security_Solution_Exceptions_API_NonEmptyString' + Security_Solution_Exceptions_API_ExceptionListItem: + type: object + properties: + _version: + type: string + comments: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemCommentArray + created_at: + format: date-time + type: string + created_by: + type: string + description: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemDescription + entries: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemEntryArray + expire_time: + format: date-time + type: string + id: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemId + item_id: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemHumanId + list_id: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListHumanId + meta: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemMeta + name: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemName + namespace_type: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionNamespaceType + os_types: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemOsTypeArray + tags: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemTags + tie_breaker_id: + 
type: string + type: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemType + updated_at: + format: date-time + type: string + updated_by: + type: string + required: + - id + - item_id + - list_id + - type + - name + - description + - entries + - namespace_type + - comments + - tie_breaker_id + - created_at + - created_by + - updated_at + - updated_by + Security_Solution_Exceptions_API_ExceptionListItemComment: + type: object + properties: + comment: + $ref: '#/components/schemas/Security_Solution_Exceptions_API_NonEmptyString' + created_at: + format: date-time + type: string + created_by: + $ref: '#/components/schemas/Security_Solution_Exceptions_API_NonEmptyString' + id: + $ref: '#/components/schemas/Security_Solution_Exceptions_API_NonEmptyString' + updated_at: + format: date-time + type: string + updated_by: + $ref: '#/components/schemas/Security_Solution_Exceptions_API_NonEmptyString' + required: + - id + - comment + - created_at + - created_by + Security_Solution_Exceptions_API_ExceptionListItemCommentArray: + items: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemComment + type: array + Security_Solution_Exceptions_API_ExceptionListItemDescription: + type: string + Security_Solution_Exceptions_API_ExceptionListItemEntry: + anyOf: + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemEntryMatch + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemEntryMatchAny + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemEntryList + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemEntryExists + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemEntryNested + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemEntryMatchWildcard + discriminator: + propertyName: type + 
Security_Solution_Exceptions_API_ExceptionListItemEntryArray: + items: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemEntry + type: array + Security_Solution_Exceptions_API_ExceptionListItemEntryExists: + type: object + properties: + field: + $ref: '#/components/schemas/Security_Solution_Exceptions_API_NonEmptyString' + operator: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemEntryOperator + type: + enum: + - exists + type: string + required: + - type + - field + - operator + Security_Solution_Exceptions_API_ExceptionListItemEntryList: + type: object + properties: + field: + $ref: '#/components/schemas/Security_Solution_Exceptions_API_NonEmptyString' + list: + type: object + properties: + id: + $ref: '#/components/schemas/Security_Solution_Exceptions_API_ListId' + type: + $ref: '#/components/schemas/Security_Solution_Exceptions_API_ListType' + required: + - id + - type + operator: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemEntryOperator + type: + enum: + - list + type: string + required: + - type + - field + - list + - operator + Security_Solution_Exceptions_API_ExceptionListItemEntryMatch: + type: object + properties: + field: + $ref: '#/components/schemas/Security_Solution_Exceptions_API_NonEmptyString' + operator: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemEntryOperator + type: + enum: + - match + type: string + value: + $ref: '#/components/schemas/Security_Solution_Exceptions_API_NonEmptyString' + required: + - type + - field + - value + - operator + Security_Solution_Exceptions_API_ExceptionListItemEntryMatchAny: + type: object + properties: + field: + $ref: '#/components/schemas/Security_Solution_Exceptions_API_NonEmptyString' + operator: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemEntryOperator + type: + enum: + - match_any + type: string + value: + items: + $ref: 
>- + #/components/schemas/Security_Solution_Exceptions_API_NonEmptyString + minItems: 1 + type: array + required: + - type + - field + - value + - operator + Security_Solution_Exceptions_API_ExceptionListItemEntryMatchWildcard: + type: object + properties: + field: + $ref: '#/components/schemas/Security_Solution_Exceptions_API_NonEmptyString' + operator: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemEntryOperator + type: + enum: + - wildcard + type: string + value: + $ref: '#/components/schemas/Security_Solution_Exceptions_API_NonEmptyString' + required: + - type + - field + - value + - operator + Security_Solution_Exceptions_API_ExceptionListItemEntryNested: + type: object + properties: + entries: + items: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemEntryNestedEntryItem + minItems: 1 + type: array + field: + $ref: '#/components/schemas/Security_Solution_Exceptions_API_NonEmptyString' + type: + enum: + - nested + type: string + required: + - type + - field + - entries + Security_Solution_Exceptions_API_ExceptionListItemEntryNestedEntryItem: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemEntryMatch + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemEntryMatchAny + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemEntryExists + Security_Solution_Exceptions_API_ExceptionListItemEntryOperator: + enum: + - excluded + - included + type: string + Security_Solution_Exceptions_API_ExceptionListItemHumanId: + $ref: '#/components/schemas/Security_Solution_Exceptions_API_NonEmptyString' + Security_Solution_Exceptions_API_ExceptionListItemId: + $ref: '#/components/schemas/Security_Solution_Exceptions_API_NonEmptyString' + Security_Solution_Exceptions_API_ExceptionListItemMeta: + additionalProperties: true + type: object + Security_Solution_Exceptions_API_ExceptionListItemName: + $ref: 
'#/components/schemas/Security_Solution_Exceptions_API_NonEmptyString' + Security_Solution_Exceptions_API_ExceptionListItemOsTypeArray: + items: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListOsType + type: array + Security_Solution_Exceptions_API_ExceptionListItemTags: + items: + $ref: '#/components/schemas/Security_Solution_Exceptions_API_NonEmptyString' + type: array + Security_Solution_Exceptions_API_ExceptionListItemType: + enum: + - simple + type: string + Security_Solution_Exceptions_API_ExceptionListMeta: + additionalProperties: true + type: object + Security_Solution_Exceptions_API_ExceptionListName: + type: string + Security_Solution_Exceptions_API_ExceptionListOsType: + enum: + - linux + - macos + - windows + type: string + Security_Solution_Exceptions_API_ExceptionListOsTypeArray: + items: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListOsType + type: array + Security_Solution_Exceptions_API_ExceptionListsImportBulkError: + type: object + properties: + error: + type: object + properties: + message: type: string - esTypes: - - keyword - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - subType: - multi: - parent: products.manufacturer - format: - id: string - shortDotsEnable: false - isMapped: true - products.min_price: - count: 0 - name: products.min_price - type: number - esTypes: - - half_float - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: number - params: - pattern: $0,0.00 - shortDotsEnable: false - isMapped: true - products.price: - count: 1 - name: products.price - type: number - esTypes: - - half_float - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: number - params: - pattern: $0,0.00 - shortDotsEnable: false - isMapped: true - products.product_id: - count: 0 - name: products.product_id - type: number - esTypes: - - long - scripted: false - 
searchable: true - aggregatable: true - readFromDocValues: true - format: - id: number - shortDotsEnable: false - isMapped: true - products.product_name: - count: 1 - name: products.product_name + status_code: + type: integer + required: + - status_code + - message + id: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListId + item_id: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemHumanId + list_id: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListHumanId + required: + - error + Security_Solution_Exceptions_API_ExceptionListsImportBulkErrorArray: + items: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListsImportBulkError + type: array + Security_Solution_Exceptions_API_ExceptionListTags: + items: + type: string + type: array + Security_Solution_Exceptions_API_ExceptionListType: + enum: + - detection + - rule_default + - endpoint + - endpoint_trusted_apps + - endpoint_events + - endpoint_host_isolation_exceptions + - endpoint_blocklists + type: string + Security_Solution_Exceptions_API_ExceptionListVersion: + minimum: 1 + type: integer + Security_Solution_Exceptions_API_ExceptionNamespaceType: + description: > + Determines whether the exception container is available in all Kibana + spaces or just the space + + in which it is created, where: + + + - `single`: Only available in the Kibana space in which it is created. + + - `agnostic`: Available in all Kibana spaces. 
+ enum: + - agnostic + - single + type: string + Security_Solution_Exceptions_API_FindExceptionListItemsFilter: + $ref: '#/components/schemas/Security_Solution_Exceptions_API_NonEmptyString' + Security_Solution_Exceptions_API_FindExceptionListsFilter: + type: string + Security_Solution_Exceptions_API_ListId: + $ref: '#/components/schemas/Security_Solution_Exceptions_API_NonEmptyString' + Security_Solution_Exceptions_API_ListType: + enum: + - binary + - boolean + - byte + - date + - date_nanos + - date_range + - double + - double_range + - float + - float_range + - geo_point + - geo_shape + - half_float + - integer + - integer_range + - ip + - ip_range + - keyword + - long + - long_range + - shape + - short + - text + type: string + Security_Solution_Exceptions_API_NonEmptyString: + description: A string that is not empty and does not contain only whitespace + minLength: 1 + pattern: ^(?! *$).+$ + type: string + Security_Solution_Exceptions_API_PlatformErrorResponse: + type: object + properties: + error: + type: string + message: + type: string + statusCode: + type: integer + required: + - statusCode + - error + - message + Security_Solution_Exceptions_API_RuleId: + $ref: '#/components/schemas/Security_Solution_Exceptions_API_UUID' + Security_Solution_Exceptions_API_SiemErrorResponse: + type: object + properties: + message: + type: string + status_code: + type: integer + required: + - status_code + - message + Security_Solution_Exceptions_API_UpdateExceptionListItemComment: + type: object + properties: + comment: + $ref: '#/components/schemas/Security_Solution_Exceptions_API_NonEmptyString' + id: + $ref: '#/components/schemas/Security_Solution_Exceptions_API_NonEmptyString' + required: + - comment + Security_Solution_Exceptions_API_UpdateExceptionListItemCommentArray: + items: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_UpdateExceptionListItemComment + type: array + Security_Solution_Exceptions_API_UUID: + description: A universally unique 
identifier + format: uuid + type: string + Security_Solution_Lists_API_FindListItemsCursor: + $ref: '#/components/schemas/Security_Solution_Lists_API_NonEmptyString' + Security_Solution_Lists_API_FindListItemsFilter: + type: string + Security_Solution_Lists_API_FindListsCursor: + $ref: '#/components/schemas/Security_Solution_Lists_API_NonEmptyString' + Security_Solution_Lists_API_FindListsFilter: + type: string + Security_Solution_Lists_API_List: + type: object + properties: + _version: + type: string + '@timestamp': + format: date-time + type: string + created_at: + format: date-time + type: string + created_by: + type: string + description: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListDescription' + deserializer: + type: string + id: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListId' + immutable: + type: boolean + meta: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListMetadata' + name: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListName' + serializer: + type: string + tie_breaker_id: + type: string + type: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListType' + updated_at: + format: date-time + type: string + updated_by: + type: string + version: + minimum: 1 + type: integer + required: + - id + - type + - name + - description + - immutable + - version + - tie_breaker_id + - created_at + - created_by + - updated_at + - updated_by + Security_Solution_Lists_API_ListDescription: + $ref: '#/components/schemas/Security_Solution_Lists_API_NonEmptyString' + Security_Solution_Lists_API_ListId: + $ref: '#/components/schemas/Security_Solution_Lists_API_NonEmptyString' + Security_Solution_Lists_API_ListItem: + type: object + properties: + _version: + type: string + '@timestamp': + format: date-time + type: string + created_at: + format: date-time + type: string + created_by: + type: string + deserializer: + type: string + id: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListItemId' + 
list_id: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListId' + meta: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListItemMetadata' + serializer: + type: string + tie_breaker_id: + type: string + type: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListType' + updated_at: + format: date-time + type: string + updated_by: + type: string + value: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListItemValue' + required: + - id + - type + - list_id + - value + - tie_breaker_id + - created_at + - created_by + - updated_at + - updated_by + Security_Solution_Lists_API_ListItemId: + $ref: '#/components/schemas/Security_Solution_Lists_API_NonEmptyString' + Security_Solution_Lists_API_ListItemMetadata: + additionalProperties: true + type: object + Security_Solution_Lists_API_ListItemPrivileges: + type: object + properties: + application: + additionalProperties: + type: boolean + type: object + cluster: + additionalProperties: + type: boolean + type: object + has_all_requested: + type: boolean + index: + additionalProperties: + additionalProperties: + type: boolean + type: object + type: object + username: + type: string + required: + - username + - has_all_requested + - cluster + - index + - application + Security_Solution_Lists_API_ListItemValue: + $ref: '#/components/schemas/Security_Solution_Lists_API_NonEmptyString' + Security_Solution_Lists_API_ListMetadata: + additionalProperties: true + type: object + Security_Solution_Lists_API_ListName: + $ref: '#/components/schemas/Security_Solution_Lists_API_NonEmptyString' + Security_Solution_Lists_API_ListPrivileges: + type: object + properties: + application: + additionalProperties: + type: boolean + type: object + cluster: + additionalProperties: + type: boolean + type: object + has_all_requested: + type: boolean + index: + additionalProperties: + additionalProperties: + type: boolean + type: object + type: object + username: + type: string + required: + - username + - 
has_all_requested + - cluster + - index + - application + Security_Solution_Lists_API_ListType: + enum: + - binary + - boolean + - byte + - date + - date_nanos + - date_range + - double + - double_range + - float + - float_range + - geo_point + - geo_shape + - half_float + - integer + - integer_range + - ip + - ip_range + - keyword + - long + - long_range + - shape + - short + - text + type: string + Security_Solution_Lists_API_NonEmptyString: + description: A string that is not empty and does not contain only whitespace + minLength: 1 + pattern: ^(?! *$).+$ + type: string + Security_Solution_Lists_API_PlatformErrorResponse: + type: object + properties: + error: + type: string + message: + type: string + statusCode: + type: integer + required: + - statusCode + - error + - message + Security_Solution_Lists_API_SiemErrorResponse: + type: object + properties: + message: + type: string + status_code: + type: integer + required: + - status_code + - message + Security_Solution_Osquery_API_ArrayQueries: + items: + $ref: '#/components/schemas/Security_Solution_Osquery_API_ArrayQueriesItem' + type: array + Security_Solution_Osquery_API_ArrayQueriesItem: + type: object + properties: + ecs_mapping: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_ECSMappingOrUndefined + id: + $ref: '#/components/schemas/Security_Solution_Osquery_API_Id' + platform: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_PlatformOrUndefined + query: + $ref: '#/components/schemas/Security_Solution_Osquery_API_Query' + removed: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_RemovedOrUndefined + snapshot: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_SnapshotOrUndefined + version: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_VersionOrUndefined + Security_Solution_Osquery_API_CreateLiveQueryRequestBody: + type: object + properties: + agent_all: + type: boolean + agent_ids: + items: + type: string + type: array + 
agent_platforms: + items: + type: string + type: array + agent_policy_ids: + items: + type: string + type: array + alert_ids: + items: + type: string + type: array + case_ids: + items: + type: string + type: array + ecs_mapping: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_ECSMappingOrUndefined + event_ids: + items: + type: string + type: array + metadata: + nullable: true + type: object + pack_id: + $ref: '#/components/schemas/Security_Solution_Osquery_API_PackIdOrUndefined' + queries: + $ref: '#/components/schemas/Security_Solution_Osquery_API_ArrayQueries' + query: + $ref: '#/components/schemas/Security_Solution_Osquery_API_QueryOrUndefined' + saved_query_id: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_SavedQueryIdOrUndefined + Security_Solution_Osquery_API_CreatePacksRequestBody: + type: object + properties: + description: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_DescriptionOrUndefined + enabled: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_EnabledOrUndefined + name: + $ref: '#/components/schemas/Security_Solution_Osquery_API_PackName' + policy_ids: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_PolicyIdsOrUndefined + queries: + $ref: '#/components/schemas/Security_Solution_Osquery_API_ObjectQueries' + shards: + $ref: '#/components/schemas/Security_Solution_Osquery_API_Shards' + Security_Solution_Osquery_API_CreateSavedQueryRequestBody: + type: object + properties: + description: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_DescriptionOrUndefined + ecs_mapping: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_ECSMappingOrUndefined + id: + $ref: '#/components/schemas/Security_Solution_Osquery_API_SavedQueryId' + interval: + $ref: '#/components/schemas/Security_Solution_Osquery_API_Interval' + platform: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_DescriptionOrUndefined + query: + $ref: 
'#/components/schemas/Security_Solution_Osquery_API_QueryOrUndefined' + removed: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_RemovedOrUndefined + snapshot: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_SnapshotOrUndefined + version: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_VersionOrUndefined + Security_Solution_Osquery_API_DefaultSuccessResponse: + type: object + properties: {} + Security_Solution_Osquery_API_Description: + type: string + Security_Solution_Osquery_API_DescriptionOrUndefined: + $ref: '#/components/schemas/Security_Solution_Osquery_API_Description' + nullable: true + Security_Solution_Osquery_API_ECSMapping: + additionalProperties: + $ref: '#/components/schemas/Security_Solution_Osquery_API_ECSMappingItem' + type: object + Security_Solution_Osquery_API_ECSMappingItem: + type: object + properties: + field: + type: string + value: + oneOf: + - type: string + - items: + type: string + type: array + Security_Solution_Osquery_API_ECSMappingOrUndefined: + $ref: '#/components/schemas/Security_Solution_Osquery_API_ECSMapping' + nullable: true + Security_Solution_Osquery_API_Enabled: + type: boolean + Security_Solution_Osquery_API_EnabledOrUndefined: + $ref: '#/components/schemas/Security_Solution_Osquery_API_Enabled' + nullable: true + Security_Solution_Osquery_API_FindLiveQueryRequestQuery: + type: object + properties: + kuery: + $ref: '#/components/schemas/Security_Solution_Osquery_API_KueryOrUndefined' + page: + $ref: '#/components/schemas/Security_Solution_Osquery_API_PageOrUndefined' + pageSize: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_PageSizeOrUndefined + sort: + $ref: '#/components/schemas/Security_Solution_Osquery_API_SortOrUndefined' + sortOrder: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_SortOrderOrUndefined + Security_Solution_Osquery_API_FindPacksRequestQuery: + type: object + properties: + page: + $ref: 
'#/components/schemas/Security_Solution_Osquery_API_PageOrUndefined' + pageSize: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_PageSizeOrUndefined + sort: + $ref: '#/components/schemas/Security_Solution_Osquery_API_SortOrUndefined' + sortOrder: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_SortOrderOrUndefined + Security_Solution_Osquery_API_FindSavedQueryRequestQuery: + type: object + properties: + page: + $ref: '#/components/schemas/Security_Solution_Osquery_API_PageOrUndefined' + pageSize: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_PageSizeOrUndefined + sort: + $ref: '#/components/schemas/Security_Solution_Osquery_API_SortOrUndefined' + sortOrder: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_SortOrderOrUndefined + Security_Solution_Osquery_API_GetLiveQueryResultsRequestQuery: + type: object + properties: + kuery: + $ref: '#/components/schemas/Security_Solution_Osquery_API_KueryOrUndefined' + page: + $ref: '#/components/schemas/Security_Solution_Osquery_API_PageOrUndefined' + pageSize: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_PageSizeOrUndefined + sort: + $ref: '#/components/schemas/Security_Solution_Osquery_API_SortOrUndefined' + sortOrder: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_SortOrderOrUndefined + Security_Solution_Osquery_API_Id: + type: string + Security_Solution_Osquery_API_Interval: + type: string + Security_Solution_Osquery_API_IntervalOrUndefined: + $ref: '#/components/schemas/Security_Solution_Osquery_API_Interval' + nullable: true + Security_Solution_Osquery_API_KueryOrUndefined: + nullable: true + type: string + Security_Solution_Osquery_API_ObjectQueries: + additionalProperties: + $ref: '#/components/schemas/Security_Solution_Osquery_API_ObjectQueriesItem' + type: object + Security_Solution_Osquery_API_ObjectQueriesItem: + type: object + properties: + ecs_mapping: + $ref: >- + 
#/components/schemas/Security_Solution_Osquery_API_ECSMappingOrUndefined + id: + $ref: '#/components/schemas/Security_Solution_Osquery_API_Id' + platform: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_PlatformOrUndefined + query: + $ref: '#/components/schemas/Security_Solution_Osquery_API_Query' + removed: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_RemovedOrUndefined + saved_query_id: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_SavedQueryIdOrUndefined + snapshot: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_SnapshotOrUndefined + version: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_VersionOrUndefined + Security_Solution_Osquery_API_PackId: + type: string + Security_Solution_Osquery_API_PackIdOrUndefined: + $ref: '#/components/schemas/Security_Solution_Osquery_API_PackId' + nullable: true + Security_Solution_Osquery_API_PackName: + type: string + Security_Solution_Osquery_API_PageOrUndefined: + nullable: true + type: integer + Security_Solution_Osquery_API_PageSizeOrUndefined: + nullable: true + type: integer + Security_Solution_Osquery_API_Platform: + type: string + Security_Solution_Osquery_API_PlatformOrUndefined: + $ref: '#/components/schemas/Security_Solution_Osquery_API_Platform' + nullable: true + Security_Solution_Osquery_API_PolicyIds: + items: + type: string + type: array + Security_Solution_Osquery_API_PolicyIdsOrUndefined: + $ref: '#/components/schemas/Security_Solution_Osquery_API_PolicyIds' + nullable: true + Security_Solution_Osquery_API_Query: + type: string + Security_Solution_Osquery_API_QueryOrUndefined: + $ref: '#/components/schemas/Security_Solution_Osquery_API_Query' + nullable: true + Security_Solution_Osquery_API_Removed: + type: boolean + Security_Solution_Osquery_API_RemovedOrUndefined: + $ref: '#/components/schemas/Security_Solution_Osquery_API_Removed' + nullable: true + Security_Solution_Osquery_API_SavedQueryId: + type: string + 
Security_Solution_Osquery_API_SavedQueryIdOrUndefined: + $ref: '#/components/schemas/Security_Solution_Osquery_API_SavedQueryId' + nullable: true + Security_Solution_Osquery_API_Shards: + additionalProperties: + type: number + type: object + Security_Solution_Osquery_API_Snapshot: + type: boolean + Security_Solution_Osquery_API_SnapshotOrUndefined: + $ref: '#/components/schemas/Security_Solution_Osquery_API_Snapshot' + nullable: true + Security_Solution_Osquery_API_SortOrderOrUndefined: + oneOf: + - nullable: true + type: string + - enum: + - asc + - desc + Security_Solution_Osquery_API_SortOrUndefined: + nullable: true + type: string + Security_Solution_Osquery_API_UpdatePacksRequestBody: + type: object + properties: + description: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_DescriptionOrUndefined + enabled: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_EnabledOrUndefined + id: + $ref: '#/components/schemas/Security_Solution_Osquery_API_PackId' + policy_ids: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_PolicyIdsOrUndefined + queries: + $ref: '#/components/schemas/Security_Solution_Osquery_API_ObjectQueries' + shards: + $ref: '#/components/schemas/Security_Solution_Osquery_API_Shards' + Security_Solution_Osquery_API_UpdateSavedQueryRequestBody: + type: object + properties: + description: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_DescriptionOrUndefined + ecs_mapping: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_ECSMappingOrUndefined + id: + $ref: '#/components/schemas/Security_Solution_Osquery_API_SavedQueryId' + interval: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_IntervalOrUndefined + platform: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_DescriptionOrUndefined + query: + $ref: '#/components/schemas/Security_Solution_Osquery_API_QueryOrUndefined' + removed: + $ref: >- + 
#/components/schemas/Security_Solution_Osquery_API_RemovedOrUndefined + snapshot: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_SnapshotOrUndefined + version: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_VersionOrUndefined + Security_Solution_Osquery_API_Version: + type: string + Security_Solution_Osquery_API_VersionOrUndefined: + $ref: '#/components/schemas/Security_Solution_Osquery_API_Version' + nullable: true + Security_Solution_Timeline_API_BareNote: + type: object + properties: + created: + nullable: true + type: number + createdBy: + nullable: true + type: string + eventId: + nullable: true + type: string + note: + nullable: true + type: string + timelineId: + nullable: true + type: string + updated: + nullable: true + type: number + updatedBy: + nullable: true + type: string + required: + - timelineId + Security_Solution_Timeline_API_ColumnHeaderResult: + type: object + properties: + aggregatable: + type: boolean + category: + type: string + columnHeaderType: + type: string + description: + type: string + example: + oneOf: + - type: string + - type: number + id: + type: string + indexes: + items: + type: string + type: array + name: + type: string + placeholder: + type: string + searchable: + type: boolean + type: + type: string + Security_Solution_Timeline_API_DataProviderQueryMatch: + type: object + properties: + enabled: + nullable: true + type: boolean + excluded: + nullable: true + type: boolean + id: + nullable: true + type: string + kqlQuery: + nullable: true + type: string + name: + nullable: true + type: string + queryMatch: + $ref: '#/components/schemas/Security_Solution_Timeline_API_QueryMatchResult' + Security_Solution_Timeline_API_DataProviderResult: + type: object + properties: + and: + items: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_DataProviderQueryMatch + nullable: true + type: array + enabled: + nullable: true + type: boolean + excluded: + nullable: true + type: boolean + id: + 
nullable: true + type: string + kqlQuery: + nullable: true + type: string + name: + nullable: true + type: string + queryMatch: + $ref: '#/components/schemas/Security_Solution_Timeline_API_QueryMatchResult' + nullable: true + type: + $ref: '#/components/schemas/Security_Solution_Timeline_API_DataProviderType' + nullable: true + Security_Solution_Timeline_API_DataProviderType: + description: >- + The type of data provider to create. Valid values are `default` and + `template`. + enum: + - default + - template + type: string + Security_Solution_Timeline_API_DocumentIds: + oneOf: + - items: + type: string + type: array + - type: string + Security_Solution_Timeline_API_FavoriteTimelineResponse: + type: object + properties: + code: + nullable: true + type: number + favorite: + items: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_FavoriteTimelineResult + type: array + message: + nullable: true + type: string + savedObjectId: + type: string + templateTimelineId: + nullable: true + type: string + templateTimelineVersion: + nullable: true + type: number + timelineType: + $ref: '#/components/schemas/Security_Solution_Timeline_API_TimelineType' + version: + type: string + required: + - savedObjectId + - version + Security_Solution_Timeline_API_FavoriteTimelineResult: + type: object + properties: + favoriteDate: + nullable: true + type: number + fullName: + nullable: true + type: string + userName: + nullable: true + type: string + Security_Solution_Timeline_API_FilterTimelineResult: + type: object + properties: + exists: + type: boolean + match_all: + type: string + meta: + type: object + properties: + alias: type: string - esTypes: - - text - scripted: false - searchable: true - aggregatable: false - readFromDocValues: false - format: - id: string - shortDotsEnable: false - isMapped: true - products.product_name.keyword: - count: 0 - name: products.product_name.keyword + controlledBy: type: string - esTypes: - - keyword - scripted: false - searchable: true 
- aggregatable: true - readFromDocValues: true - subType: - multi: - parent: products.product_name - format: - id: string - shortDotsEnable: false - isMapped: true - products.quantity: - count: 0 - name: products.quantity - type: number - esTypes: - - integer - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: number - shortDotsEnable: false - isMapped: true - products.sku: - count: 0 - name: products.sku + disabled: + type: boolean + field: type: string - esTypes: - - keyword - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: string - shortDotsEnable: false - isMapped: true - products.tax_amount: - count: 0 - name: products.tax_amount - type: number - esTypes: - - half_float - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: number - shortDotsEnable: false - isMapped: true - products.taxful_price: - count: 0 - name: products.taxful_price - type: number - esTypes: - - half_float - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: number - params: - pattern: $0,0.00 - shortDotsEnable: false - isMapped: true - products.taxless_price: - count: 0 - name: products.taxless_price - type: number - esTypes: - - half_float - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: number - params: - pattern: $0,0.00 - shortDotsEnable: false - isMapped: true - products.unit_discount_amount: - count: 0 - name: products.unit_discount_amount - type: number - esTypes: - - half_float - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: number - shortDotsEnable: false - isMapped: true - sku: - count: 0 - name: sku + formattedValue: + type: string + index: + type: string + key: + type: string + negate: + type: boolean + params: type: string - esTypes: - - keyword - scripted: false - searchable: true - 
aggregatable: true - readFromDocValues: true - format: - id: string - shortDotsEnable: false - isMapped: true - taxful_total_price: - count: 0 - name: taxful_total_price - type: number - esTypes: - - half_float - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: number - params: - pattern: $0,0.[00] - shortDotsEnable: false - isMapped: true - taxless_total_price: - count: 0 - name: taxless_total_price - type: number - esTypes: - - half_float - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: number - params: - pattern: $0,0.00 - shortDotsEnable: false - isMapped: true - total_quantity: - count: 1 - name: total_quantity - type: number - esTypes: - - integer - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: number - shortDotsEnable: false - isMapped: true - total_unique_products: - count: 0 - name: total_unique_products - type: number - esTypes: - - integer - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: number - shortDotsEnable: false - isMapped: true type: - count: 0 - name: type type: string - esTypes: - - keyword - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: string - shortDotsEnable: false - isMapped: true - user: - count: 0 - name: user + value: + type: string + missing: + type: string + query: + type: string + range: + type: string + script: + type: string + Security_Solution_Timeline_API_ImportTimelineResult: + type: object + properties: + errors: + items: + type: object + properties: + error: + type: object + properties: + message: + type: string + status_code: + type: number + id: + type: string + type: array + success: + type: boolean + success_count: + type: number + timelines_installed: + type: number + timelines_updated: + type: number + Security_Solution_Timeline_API_ImportTimelines: + allOf: + - $ref: 
'#/components/schemas/Security_Solution_Timeline_API_SavedTimeline' + - type: object + properties: + eventNotes: + items: + $ref: '#/components/schemas/Security_Solution_Timeline_API_BareNote' + nullable: true + type: array + globalNotes: + items: + $ref: '#/components/schemas/Security_Solution_Timeline_API_BareNote' + nullable: true + type: array + pinnedEventIds: + items: + type: string + nullable: true + type: array + savedObjectId: + nullable: true + type: string + version: + nullable: true + type: string + Security_Solution_Timeline_API_Note: + allOf: + - $ref: '#/components/schemas/Security_Solution_Timeline_API_BareNote' + - type: object + properties: + noteId: + type: string + version: + type: string + Security_Solution_Timeline_API_PinnedEvent: + type: object + properties: + created: + nullable: true + type: number + createdBy: + nullable: true + type: string + eventId: + type: string + pinnedEventId: + type: string + timelineId: + type: string + updated: + nullable: true + type: number + updatedBy: + nullable: true + type: string + version: + type: string + required: + - eventId + - pinnedEventId + - timelineId + - version + Security_Solution_Timeline_API_QueryMatchResult: + type: object + properties: + displayField: + nullable: true + type: string + displayValue: + nullable: true + type: string + field: + nullable: true + type: string + operator: + nullable: true + type: string + value: + nullable: true + type: string + Security_Solution_Timeline_API_Readable: + type: object + properties: + _data: + additionalProperties: true + type: object + _encoding: + type: string + _events: + additionalProperties: true + type: object + _eventsCount: + type: number + _maxListeners: + additionalProperties: true + type: object + _position: + type: number + _read: + additionalProperties: true + type: object + _readableState: + additionalProperties: true + type: object + readable: + type: boolean + Security_Solution_Timeline_API_RowRendererId: + enum: + - alert + - 
alerts + - auditd + - auditd_file + - library + - netflow + - plain + - registry + - suricata + - system + - system_dns + - system_endgame_process + - system_file + - system_fim + - system_security_event + - system_socket + - threat_match + - zeek + type: string + Security_Solution_Timeline_API_SavedTimeline: + type: object + properties: + columns: + items: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_ColumnHeaderResult + nullable: true + type: array + created: + nullable: true + type: number + createdBy: + nullable: true + type: string + dataProviders: + items: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_DataProviderResult + nullable: true + type: array + dataViewId: + nullable: true + type: string + dateRange: + nullable: true + type: object + properties: + end: + oneOf: + - type: string + - type: number + start: + oneOf: + - type: string + - type: number + description: + nullable: true + type: string + eqlOptions: + nullable: true + type: object + properties: + eventCategoryField: + nullable: true + type: string + query: + nullable: true type: string - esTypes: - - keyword - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: string - shortDotsEnable: false - isMapped: true - typeMeta: {} - fieldFormats: - taxful_total_price: - id: number - params: - pattern: $0,0.[00] - products.price: - id: number - params: - pattern: $0,0.00 - taxless_total_price: - id: number - params: - pattern: $0,0.00 - products.taxless_price: - id: number - params: - pattern: $0,0.00 - products.taxful_price: - id: number - params: - pattern: $0,0.00 - products.min_price: - id: number - params: - pattern: $0,0.00 - products.base_unit_price: - id: number - params: - pattern: $0,0.00 - products.base_price: - id: number - params: - pattern: $0,0.00 - runtimeFieldMap: {} - fieldAttrs: - products.manufacturer: - count: 1 - products.price: - count: 1 - products.product_name: - count: 1 - total_quantity: - 
count: 1 - allowNoIndex: false - name: Kibana Sample Data eCommerce - namespaces: - - default - Data_views_update_data_view_request: - summary: Update some properties for a data view. - value: - data_view: - title: kibana_sample_data_ecommerce - timeFieldName: order_date - allowNoIndex: false - name: Kibana Sample Data eCommerce - refresh_fields: true - Data_views_update_field_metadata_request: - summary: Update metadata for multiple fields. - value: - fields: - field1: - count: 123 - customLabel: Field 1 label - field2: - customLabel: Field 2 label - customDescription: Field 2 description - Data_views_create_runtime_field_request: - summary: Create a runtime field. - value: - name: runtimeFoo - runtimeField: - type: long - script: - source: emit(doc["foo"].value) - Data_views_get_runtime_field_response: - summary: >- - The get runtime field API returns a JSON object that contains - information about the runtime field (`hour_of_day`) and the data view - (`d3d7af60-4c81-11e8-b3d7-01146121b73d`). 
- value: - fields: - - count: 0 - name: hour_of_day - type: number - esTypes: - - long - scripted: false - searchable: true - aggregatable: true - readFromDocValues: false - shortDotsEnable: false - runtimeField: - type: long - script: - source: emit(doc['timestamp'].value.getHour()); - data_view: - id: d3d7af60-4c81-11e8-b3d7-01146121b73d - version: WzM2LDJd - title: kibana_sample_data_flights - timeFieldName: timestamp - sourceFilters: [] - fields: - hour_of_day: - count: 0 - name: hour_of_day - type: number - esTypes: - - long - scripted: false - searchable: true - aggregatable: true - readFromDocValues: false - format: - id: number - params: - pattern: '00' - shortDotsEnable: false - runtimeField: - type: long - script: - source: emit(doc['timestamp'].value.getHour()); - AvgTicketPrice: - count: 0 - name: AvgTicketPrice - type: number - esTypes: - - float - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: number - params: - pattern: $0,0.[00] - shortDotsEnable: false - isMapped: true - Cancelled: - count: 0 - name: Cancelled - type: boolean - esTypes: - - boolean - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: boolean - shortDotsEnable: false - isMapped: true - Carrier: - count: 0 - name: Carrier + size: + oneOf: + - nullable: true + type: string + - nullable: true + type: number + tiebreakerField: + nullable: true + type: string + timestampField: + nullable: true + type: string + eventType: + nullable: true + type: string + excludedRowRendererIds: + items: + $ref: '#/components/schemas/Security_Solution_Timeline_API_RowRendererId' + nullable: true + type: array + favorite: + items: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_FavoriteTimelineResult + nullable: true + type: array + filters: + items: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_FilterTimelineResult + nullable: true + type: array + indexNames: + items: + 
type: string + nullable: true + type: array + kqlMode: + nullable: true + type: string + kqlQuery: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_SerializedFilterQueryResult + nullable: true + savedQueryId: + nullable: true + type: string + savedSearchId: + nullable: true + type: string + sort: + $ref: '#/components/schemas/Security_Solution_Timeline_API_Sort' + nullable: true + status: + enum: + - active + - draft + - immutable + nullable: true + type: string + templateTimelineId: + nullable: true + type: string + templateTimelineVersion: + nullable: true + type: number + timelineType: + $ref: '#/components/schemas/Security_Solution_Timeline_API_TimelineType' + nullable: true + title: + nullable: true + type: string + updated: + nullable: true + type: number + updatedBy: + nullable: true + type: string + Security_Solution_Timeline_API_SerializedFilterQueryResult: + type: object + properties: + filterQuery: + nullable: true + type: object + properties: + kuery: + nullable: true + type: object + properties: + expression: + nullable: true + type: string + kind: + nullable: true + type: string + serializedQuery: + nullable: true + type: string + Security_Solution_Timeline_API_Sort: + oneOf: + - $ref: '#/components/schemas/Security_Solution_Timeline_API_SortObject' + - items: + $ref: '#/components/schemas/Security_Solution_Timeline_API_SortObject' + type: array + Security_Solution_Timeline_API_SortFieldTimeline: + description: The field to sort the timelines by. 
+ enum: + - title + - description + - updated + - created + type: string + Security_Solution_Timeline_API_SortObject: + type: object + properties: + columnId: + nullable: true + type: string + columnType: + nullable: true + type: string + sortDirection: + nullable: true + type: string + Security_Solution_Timeline_API_TimelineResponse: + allOf: + - $ref: '#/components/schemas/Security_Solution_Timeline_API_SavedTimeline' + - type: object + properties: + eventIdToNoteIds: + items: + $ref: '#/components/schemas/Security_Solution_Timeline_API_Note' + type: array + noteIds: + items: + type: string + type: array + notes: + items: + $ref: '#/components/schemas/Security_Solution_Timeline_API_Note' + type: array + pinnedEventIds: + items: + type: string + type: array + pinnedEventsSaveObject: + items: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_PinnedEvent + type: array + savedObjectId: + type: string + version: + type: string + required: + - savedObjectId + - version + Security_Solution_Timeline_API_TimelineStatus: + description: >- + The status of the timeline. Valid values are `active`, `draft`, and + `immutable`. + enum: + - active + - draft + - immutable + type: string + Security_Solution_Timeline_API_TimelineType: + description: >- + The type of timeline to create. Valid values are `default` and + `template`. 
+ enum: + - default + - template + type: string + Serverless_saved_objects_400_response: + title: Bad request + type: object + properties: + error: + enum: + - Bad Request + type: string + message: + type: string + statusCode: + enum: + - 400 + type: integer + required: + - error + - message + - statusCode + SLOs_400_response: + title: Bad request + type: object + properties: + error: + example: Bad Request + type: string + message: + example: 'Invalid value ''foo'' supplied to: [...]' + type: string + statusCode: + example: 400 + type: number + required: + - statusCode + - error + - message + SLOs_401_response: + title: Unauthorized + type: object + properties: + error: + example: Unauthorized + type: string + message: + example: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastics] for REST request [/_security/_authenticate]]: unable to authenticate user [elastics] for REST request [/_security/_authenticate]" + type: string + statusCode: + example: 401 + type: number + required: + - statusCode + - error + - message + SLOs_403_response: + title: Unauthorized + type: object + properties: + error: + example: Unauthorized + type: string + message: + example: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastics] for REST request [/_security/_authenticate]]: unable to authenticate user [elastics] for REST request [/_security/_authenticate]" + type: string + statusCode: + example: 403 + type: number + required: + - statusCode + - error + - message + SLOs_404_response: + title: Not found + type: object + properties: + error: + example: Not Found + type: string + message: + example: 'SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found' + type: string + statusCode: + example: 404 + type: number + required: + - statusCode + - error + - message + SLOs_409_response: + title: Conflict + type: object + properties: + error: + example: Conflict + type: string + message: + example: 'SLO 
[d077e940-1515-11ee-9c50-9d096392f520] already exists' + type: string + statusCode: + example: 409 + type: number + required: + - statusCode + - error + - message + SLOs_budgeting_method: + description: The budgeting method to use when computing the rollup data. + enum: + - occurrences + - timeslices + example: occurrences + title: Budgeting method + type: string + SLOs_create_slo_request: + description: > + The create SLO API request body varies depending on the type of + indicator, time window and budgeting method. + properties: + budgetingMethod: + $ref: '#/components/schemas/SLOs_budgeting_method' + description: + description: A description for the SLO. + type: string + groupBy: + description: optional group by field to use to generate an SLO per distinct value + example: some.field + type: string + id: + description: >- + A optional and unique identifier for the SLO. Must be between 8 and + 36 chars + example: my-super-slo-id + type: string + indicator: + oneOf: + - $ref: '#/components/schemas/SLOs_indicator_properties_custom_kql' + - $ref: '#/components/schemas/SLOs_indicator_properties_apm_availability' + - $ref: '#/components/schemas/SLOs_indicator_properties_apm_latency' + - $ref: '#/components/schemas/SLOs_indicator_properties_custom_metric' + - $ref: '#/components/schemas/SLOs_indicator_properties_histogram' + - $ref: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' + name: + description: A name for the SLO. 
+ type: string + objective: + $ref: '#/components/schemas/SLOs_objective' + settings: + $ref: '#/components/schemas/SLOs_settings' + tags: + description: List of tags + items: + type: string + type: array + timeWindow: + $ref: '#/components/schemas/SLOs_time_window' + required: + - name + - description + - indicator + - timeWindow + - budgetingMethod + - objective + title: Create SLO request + type: object + SLOs_create_slo_response: + title: Create SLO response + type: object + properties: + id: + example: 8853df00-ae2e-11ed-90af-09bb6422b258 + type: string + required: + - id + SLOs_delete_slo_instances_request: + description: > + The delete SLO instances request takes a list of SLO id and instance id, + then delete the rollup and summary data. This API can be used to remove + the staled data of an instance SLO that no longer get updated. + properties: + list: + description: An array of slo id and instance id + items: + type: object + properties: + instanceId: + description: The SLO instance identifier + example: 8853df00-ae2e-11ed-90af-09bb6422b258 + type: string + sloId: + description: The SLO unique identifier + example: 8853df00-ae2e-11ed-90af-09bb6422b258 + type: string + required: + - sloId + - instanceId + type: array + required: + - list + title: Delete SLO instances request + type: object + SLOs_error_budget: + title: Error budget + type: object + properties: + consumed: + description: 'The error budget consummed, as a percentage of the initial value.' + example: 0.8 + type: number + initial: + description: 'The initial error budget, as 1 - objective' + example: 0.02 + type: number + isEstimated: + description: >- + Only for SLO defined with occurrences budgeting method and calendar + aligned time window. + example: true + type: boolean + remaining: + description: 'The error budget remaining, as a percentage of the initial value.' 
+ example: 0.2 + type: number + required: + - initial + - consumed + - remaining + - isEstimated + SLOs_filter: + description: Defines properties for a filter + properties: + meta: + $ref: '#/components/schemas/SLOs_filter_meta' + query: + type: object + title: Filter + type: object + SLOs_filter_meta: + description: Defines properties for a filter + properties: + alias: + nullable: true + type: string + controlledBy: + type: string + disabled: + type: boolean + field: + type: string + group: + type: string + index: + type: string + isMultiIndex: + type: boolean + key: + type: string + negate: + type: boolean + params: + type: object + type: + type: string + value: + type: string + title: FilterMeta + type: object + SLOs_find_slo_response: + description: | + A paginated response of SLOs matching the query. + properties: + page: + example: 1 + type: number + perPage: + example: 25 + type: number + results: + items: + $ref: '#/components/schemas/SLOs_slo_with_summary_response' + type: array + total: + example: 34 + type: number + title: Find SLO response + type: object + SLOs_indicator_properties_apm_availability: + description: Defines properties for the APM availability indicator type + type: object + properties: + params: + description: An object containing the indicator parameters. 
+ nullable: false + type: object + properties: + environment: + description: The APM service environment or "*" + example: production type: string - esTypes: - - keyword - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: string - shortDotsEnable: false - isMapped: true - Dest: - count: 0 - name: Dest + filter: + description: KQL query used for filtering the data + example: 'service.foo : "bar"' type: string - esTypes: - - keyword - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: string - shortDotsEnable: false - isMapped: true - DestAirportID: - count: 0 - name: DestAirportID + index: + description: The index used by APM metrics + example: 'metrics-apm*,apm*' type: string - esTypes: - - keyword - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: string - shortDotsEnable: false - isMapped: true - DestCityName: - count: 0 - name: DestCityName + service: + description: The APM service name + example: o11y-app type: string - esTypes: - - keyword - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: string - shortDotsEnable: false - isMapped: true - DestCountry: - count: 0 - name: DestCountry + transactionName: + description: The APM transaction name or "*" + example: GET /my/api type: string - esTypes: - - keyword - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: string - shortDotsEnable: false - isMapped: true - DestLocation: - count: 0 - name: DestLocation - type: geo_point - esTypes: - - geo_point - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: geo_point - params: - transform: wkt - shortDotsEnable: false - isMapped: true - DestRegion: - count: 0 - name: DestRegion + transactionType: + description: The APM transaction type or "*" + example: request + type: string + required: + 
- service + - environment + - transactionType + - transactionName + - index + type: + description: The type of indicator. + example: sli.apm.transactionDuration + type: string + required: + - type + - params + title: APM availability + SLOs_indicator_properties_apm_latency: + description: Defines properties for the APM latency indicator type + type: object + properties: + params: + description: An object containing the indicator parameters. + nullable: false + type: object + properties: + environment: + description: The APM service environment or "*" + example: production + type: string + filter: + description: KQL query used for filtering the data + example: 'service.foo : "bar"' + type: string + index: + description: The index used by APM metrics + example: 'metrics-apm*,apm*' + type: string + service: + description: The APM service name + example: o11y-app + type: string + threshold: + description: The latency threshold in milliseconds + example: 250 + type: number + transactionName: + description: The APM transaction name or "*" + example: GET /my/api + type: string + transactionType: + description: The APM transaction type or "*" + example: request + type: string + required: + - service + - environment + - transactionType + - transactionName + - index + - threshold + type: + description: The type of indicator. + example: sli.apm.transactionDuration + type: string + required: + - type + - params + title: APM latency + SLOs_indicator_properties_custom_kql: + description: Defines properties for a custom query indicator type + type: object + properties: + params: + description: An object containing the indicator parameters. + nullable: false + type: object + properties: + dataViewId: + description: >- + The kibana data view id to use, primarily used to include data + view runtime mappings. Make sure to save SLO again if you + add/update run time fields to the data view and if those fields + are being used in slo queries. 
+ example: 03b80ab3-003d-498b-881c-3beedbaf1162 type: string - esTypes: - - keyword - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: string - shortDotsEnable: false - isMapped: true - DestWeather: - count: 0 - name: DestWeather + filter: + $ref: '#/components/schemas/SLOs_kql_with_filters' + good: + $ref: '#/components/schemas/SLOs_kql_with_filters_good' + index: + description: The index or index pattern to use + example: my-service-* type: string - esTypes: - - keyword - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: string - shortDotsEnable: false - isMapped: true - DistanceKilometers: - count: 0 - name: DistanceKilometers - type: number - esTypes: - - float - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: number - shortDotsEnable: false - isMapped: true - DistanceMiles: - count: 0 - name: DistanceMiles - type: number - esTypes: - - float - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: number - shortDotsEnable: false - isMapped: true - FlightDelay: - count: 0 - name: FlightDelay - type: boolean - esTypes: - - boolean - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: boolean - shortDotsEnable: false - isMapped: true - FlightDelayMin: - count: 0 - name: FlightDelayMin - type: number - esTypes: - - integer - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: number - shortDotsEnable: false - isMapped: true - FlightDelayType: - count: 0 - name: FlightDelayType + timestampField: + description: | + The timestamp field used in the source indice. 
+ example: timestamp type: string - esTypes: - - keyword - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: string - shortDotsEnable: false - isMapped: true - FlightNum: - count: 0 - name: FlightNum + total: + $ref: '#/components/schemas/SLOs_kql_with_filters_total' + required: + - index + - timestampField + - good + - total + type: + description: The type of indicator. + example: sli.kql.custom + type: string + required: + - type + - params + title: Custom Query + SLOs_indicator_properties_custom_metric: + description: Defines properties for a custom metric indicator type + type: object + properties: + params: + description: An object containing the indicator parameters. + nullable: false + type: object + properties: + dataViewId: + description: >- + The kibana data view id to use, primarily used to include data + view runtime mappings. Make sure to save SLO again if you + add/update run time fields to the data view and if those fields + are being used in slo queries. + example: 03b80ab3-003d-498b-881c-3beedbaf1162 type: string - esTypes: - - keyword - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: string - shortDotsEnable: false - isMapped: true - FlightTimeHour: - count: 0 - name: FlightTimeHour + filter: + description: the KQL query to filter the documents with. 
+ example: 'field.environment : "production" and service.name : "my-service"' type: string - esTypes: - - keyword - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: string - shortDotsEnable: false - isMapped: true - FlightTimeMin: - count: 0 - name: FlightTimeMin - type: number - esTypes: - - float - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: number - shortDotsEnable: false - isMapped: true - Origin: - count: 0 - name: Origin + good: + description: | + An object defining the "good" metrics and equation + type: object + properties: + equation: + description: The equation to calculate the "good" metric. + example: A + type: string + metrics: + description: >- + List of metrics with their name, aggregation type, and + field. + items: + type: object + properties: + aggregation: + description: >- + The aggregation type of the metric. Only valid option + is "sum" + enum: + - sum + example: sum + type: string + field: + description: The field of the metric. + example: processor.processed + type: string + filter: + description: The filter to apply to the metric. + example: 'processor.outcome: "success"' + type: string + name: + description: The name of the metric. Only valid options are A-Z + example: A + pattern: '^[A-Z]$' + type: string + required: + - name + - aggregation + - field + type: array + required: + - metrics + - equation + index: + description: The index or index pattern to use + example: my-service-* type: string - esTypes: - - keyword - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: string - shortDotsEnable: false - isMapped: true - OriginAirportID: - count: 0 - name: OriginAirportID + timestampField: + description: | + The timestamp field used in the source indice. 
+ example: timestamp type: string - esTypes: - - keyword - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: string - shortDotsEnable: false - isMapped: true - OriginCityName: - count: 0 - name: OriginCityName + total: + description: | + An object defining the "total" metrics and equation + type: object + properties: + equation: + description: The equation to calculate the "total" metric. + example: A + type: string + metrics: + description: >- + List of metrics with their name, aggregation type, and + field. + items: + type: object + properties: + aggregation: + description: >- + The aggregation type of the metric. Only valid option + is "sum" + enum: + - sum + example: sum + type: string + field: + description: The field of the metric. + example: processor.processed + type: string + filter: + description: The filter to apply to the metric. + example: 'processor.outcome: *' + type: string + name: + description: The name of the metric. Only valid options are A-Z + example: A + pattern: '^[A-Z]$' + type: string + required: + - name + - aggregation + - field + type: array + required: + - metrics + - equation + required: + - index + - timestampField + - good + - total + type: + description: The type of indicator. + example: sli.metric.custom + type: string + required: + - type + - params + title: Custom metric + SLOs_indicator_properties_histogram: + description: Defines properties for a histogram indicator type + type: object + properties: + params: + description: An object containing the indicator parameters. + nullable: false + type: object + properties: + dataViewId: + description: >- + The kibana data view id to use, primarily used to include data + view runtime mappings. Make sure to save SLO again if you + add/update run time fields to the data view and if those fields + are being used in slo queries. 
+ example: 03b80ab3-003d-498b-881c-3beedbaf1162 type: string - esTypes: - - keyword - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: string - shortDotsEnable: false - isMapped: true - OriginCountry: - count: 0 - name: OriginCountry + filter: + description: the KQL query to filter the documents with. + example: 'field.environment : "production" and service.name : "my-service"' type: string - esTypes: - - keyword - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: string - shortDotsEnable: false - isMapped: true - OriginLocation: - count: 0 - name: OriginLocation - type: geo_point - esTypes: - - geo_point - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: geo_point - params: - transform: wkt - shortDotsEnable: false - isMapped: true - OriginRegion: - count: 0 - name: OriginRegion + good: + description: | + An object defining the "good" events + type: object + properties: + aggregation: + description: The type of aggregation to use. + enum: + - value_count + - range + example: value_count + type: string + field: + description: The field use to aggregate the good events. + example: processor.latency + type: string + filter: + description: The filter for good events. + example: 'processor.outcome: "success"' + type: string + from: + description: >- + The starting value of the range. Only required for "range" + aggregations. + example: 0 + type: number + to: + description: >- + The ending value of the range. Only required for "range" + aggregations. 
+ example: 100 + type: number + required: + - aggregation + - field + index: + description: The index or index pattern to use + example: my-service-* type: string - esTypes: - - keyword - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: string - shortDotsEnable: false - isMapped: true - OriginWeather: - count: 0 - name: OriginWeather + timestampField: + description: | + The timestamp field used in the source indice. + example: timestamp type: string - esTypes: - - keyword - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: string - shortDotsEnable: false - isMapped: true - _id: - count: 0 - name: _id + total: + description: | + An object defining the "total" events + type: object + properties: + aggregation: + description: The type of aggregation to use. + enum: + - value_count + - range + example: value_count + type: string + field: + description: The field use to aggregate the good events. + example: processor.latency + type: string + filter: + description: The filter for total events. + example: 'processor.outcome : *' + type: string + from: + description: >- + The starting value of the range. Only required for "range" + aggregations. + example: 0 + type: number + to: + description: >- + The ending value of the range. Only required for "range" + aggregations. + example: 100 + type: number + required: + - aggregation + - field + required: + - index + - timestampField + - good + - total + type: + description: The type of indicator. + example: sli.histogram.custom + type: string + required: + - type + - params + title: Histogram indicator + SLOs_indicator_properties_timeslice_metric: + description: Defines properties for a timeslice metric indicator type + type: object + properties: + params: + description: An object containing the indicator parameters. 
+ nullable: false + type: object + properties: + dataViewId: + description: >- + The kibana data view id to use, primarily used to include data + view runtime mappings. Make sure to save SLO again if you + add/update run time fields to the data view and if those fields + are being used in slo queries. + example: 03b80ab3-003d-498b-881c-3beedbaf1162 type: string - esTypes: - - _id - scripted: false - searchable: true - aggregatable: false - readFromDocValues: false - format: - id: string - shortDotsEnable: false - isMapped: true - _index: - count: 0 - name: _index + filter: + description: the KQL query to filter the documents with. + example: 'field.environment : "production" and service.name : "my-service"' type: string - esTypes: - - _index - scripted: false - searchable: true - aggregatable: true - readFromDocValues: false - format: - id: string - shortDotsEnable: false - isMapped: true - _score: - count: 0 - name: _score - type: number - scripted: false - searchable: false - aggregatable: false - readFromDocValues: false - format: - id: number - shortDotsEnable: false - isMapped: true - _source: - count: 0 - name: _source - type: _source - esTypes: - - _source - scripted: false - searchable: false - aggregatable: false - readFromDocValues: false - format: - id: _source - shortDotsEnable: false - isMapped: true - dayOfWeek: - count: 0 - name: dayOfWeek - type: number - esTypes: - - integer - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: number - shortDotsEnable: false - isMapped: true - timestamp: - count: 0 - name: timestamp - type: date - esTypes: - - date - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: date - shortDotsEnable: false - isMapped: true - fieldFormats: - hour_of_day: - id: number - params: - pattern: '00' - AvgTicketPrice: - id: number - params: - pattern: $0,0.[00] - runtimeFieldMap: - hour_of_day: - type: long - script: - source: 
emit(doc['timestamp'].value.getHour()); - fieldAttrs: {} - allowNoIndex: false - name: Kibana Sample Data Flights - Data_views_update_runtime_field_request: - summary: Update an existing runtime field on a data view. - value: - runtimeField: - script: - source: emit(doc["bar"].value) - Data_views_get_default_data_view_response: - summary: The get default data view API returns the default data view identifier. - value: - data_view_id: ff959d40-b880-11e8-a6d9-e546fe2bba5f - Data_views_set_default_data_view_request: - summary: Set the default data view identifier. - value: - data_view_id: ff959d40-b880-11e8-a6d9-e546fe2bba5f - force: true - Data_views_swap_data_view_request: - summary: >- - Swap references from data view ID "abcd-efg" to "xyz-123" and remove the - data view that is no longer referenced. - value: - fromId: abcd-efg - toId: xyz-123 - delete: true - Data_views_preview_swap_data_view_request: - summary: Preview swapping references from data view ID "abcd-efg" to "xyz-123". - value: - fromId: abcd-efg - toId: xyz-123 - Machine_learning_APIs_mlSyncExample: - summary: Two anomaly detection jobs required synchronization in this example. - value: - savedObjectsCreated: - anomaly-detector: - myjob1: - success: true - myjob2: - success: true - savedObjectsDeleted: {} - datafeedsAdded: {} - datafeedsRemoved: {} - Serverless_saved_objects_export_objects_request: - summary: Export a specific saved object. - value: - objects: - - type: map - id: de71f4f0-1902-11e9-919b-ffe5949a18d2 - includeReferencesDeep: false - excludeExportDetails: true - Serverless_saved_objects_export_objects_response: - summary: >- - The export objects API response contains a JSON record for each exported - object. 
- value: - attributes: - description: '' - layerListJSON: >- - [{"id":"0hmz5","alpha":1,"sourceDescriptor":{"type":"EMS_TMS","isAutoSelect":true,"lightModeDefault":"road_map_desaturated"},"visible":true,"style":{},"type":"EMS_VECTOR_TILE","minZoom":0,"maxZoom":24},{"id":"edh66","label":"Total - Requests by - Destination","minZoom":0,"maxZoom":24,"alpha":0.5,"sourceDescriptor":{"type":"EMS_FILE","id":"world_countries","tooltipProperties":["name","iso2"]},"visible":true,"style":{"type":"VECTOR","properties":{"fillColor":{"type":"DYNAMIC","options":{"field":{"name":"__kbnjoin__count__673ff994-fc75-4c67-909b-69fcb0e1060e","origin":"join"},"color":"Greys","fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"lineColor":{"type":"STATIC","options":{"color":"#FFFFFF"}},"lineWidth":{"type":"STATIC","options":{"size":1}},"iconSize":{"type":"STATIC","options":{"size":10}},"symbolizeAs":{"options":{"value":"circle"}},"icon":{"type":"STATIC","options":{"value":"marker"}}}},"type":"GEOJSON_VECTOR","joins":[{"leftField":"iso2","right":{"type":"ES_TERM_SOURCE","id":"673ff994-fc75-4c67-909b-69fcb0e1060e","indexPatternTitle":"kibana_sample_data_logs","term":"geo.dest","indexPatternRefName":"layer_1_join_0_index_pattern","metrics":[{"type":"count","label":"web - logs - count"}],"applyGlobalQuery":true}}]},{"id":"gaxya","label":"Actual - 
Requests","minZoom":9,"maxZoom":24,"alpha":1,"sourceDescriptor":{"id":"b7486535-171b-4d3b-bb2e-33c1a0a2854c","type":"ES_SEARCH","geoField":"geo.coordinates","limit":2048,"filterByMapBounds":true,"tooltipProperties":["clientip","timestamp","host","request","response","machine.os","agent","bytes"],"indexPatternRefName":"layer_2_source_index_pattern","applyGlobalQuery":true,"scalingType":"LIMIT"},"visible":true,"style":{"type":"VECTOR","properties":{"fillColor":{"type":"STATIC","options":{"color":"#2200ff"}},"lineColor":{"type":"STATIC","options":{"color":"#FFFFFF"}},"lineWidth":{"type":"STATIC","options":{"size":2}},"iconSize":{"type":"DYNAMIC","options":{"field":{"name":"bytes","origin":"source"},"minSize":1,"maxSize":23,"fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"symbolizeAs":{"options":{"value":"circle"}},"icon":{"type":"STATIC","options":{"value":"marker"}}}},"type":"GEOJSON_VECTOR"},{"id":"tfi3f","label":"Total - Requests and - Bytes","minZoom":0,"maxZoom":9,"alpha":1,"sourceDescriptor":{"type":"ES_GEO_GRID","resolution":"COARSE","id":"8aaa65b5-a4e9-448b-9560-c98cb1c5ac5b","geoField":"geo.coordinates","requestType":"point","metrics":[{"type":"count","label":"web - logs - 
count"},{"type":"sum","field":"bytes"}],"indexPatternRefName":"layer_3_source_index_pattern","applyGlobalQuery":true},"visible":true,"style":{"type":"VECTOR","properties":{"fillColor":{"type":"DYNAMIC","options":{"field":{"name":"doc_count","origin":"source"},"color":"Blues","fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"lineColor":{"type":"STATIC","options":{"color":"#cccccc"}},"lineWidth":{"type":"STATIC","options":{"size":1}},"iconSize":{"type":"DYNAMIC","options":{"field":{"name":"sum_of_bytes","origin":"source"},"minSize":7,"maxSize":25,"fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"labelText":{"type":"DYNAMIC","options":{"field":{"name":"doc_count","origin":"source"},"fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"labelSize":{"type":"DYNAMIC","options":{"field":{"name":"doc_count","origin":"source"},"minSize":12,"maxSize":24,"fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"symbolizeAs":{"options":{"value":"circle"}},"icon":{"type":"STATIC","options":{"value":"marker"}}}},"type":"GEOJSON_VECTOR"}] - mapStateJSON: >- - {"zoom":3.64,"center":{"lon":-88.92107,"lat":42.16337},"timeFilters":{"from":"now-7d","to":"now"},"refreshConfig":{"isPaused":true,"interval":0},"query":{"language":"kuery","query":""},"settings":{"autoFitToDataBounds":false}} - title: '[Logs] Total Requests and Bytes' - uiStateJSON: '{"isDarkMode":false}' - coreMigrationVersion: 8.8.0 - created_at: '2023-08-23T20:03:32.204Z' - id: de71f4f0-1902-11e9-919b-ffe5949a18d2 - managed: false - references: - - id: 90943e30-9a47-11e8-b64d-95841ca0b247 - name: layer_1_join_0_index_pattern - type: index-pattern - - id: 90943e30-9a47-11e8-b64d-95841ca0b247 - name: layer_2_source_index_pattern - type: index-pattern - - id: 90943e30-9a47-11e8-b64d-95841ca0b247 - name: layer_3_source_index_pattern - type: index-pattern - type: map - typeMigrationVersion: 8.4.0 - updated_at: '2023-08-23T20:03:32.204Z' - version: WzEzLDFd - Serverless_saved_objects_import_objects_request: - value: - file: 
file.ndjson - Serverless_saved_objects_import_objects_response: - summary: >- - The import objects API response indicates a successful import and the - objects are created. Since these objects are created as new copies, each - entry in the successResults array includes a destinationId attribute. - value: - successCount: 1 - success: true - successResults: - - type: index-pattern - id: 90943e30-9a47-11e8-b64d-95841ca0b247 - meta: - title: Kibana Sample Data Logs - icon: indexPatternApp - managed: false - destinationId: 82d2760c-468f-49cf-83aa-b9a35b6a8943 - responses: - Connectors_401: - description: Authorization information is missing or invalid. - content: - application/json: - schema: - type: object - title: Unauthorized response - properties: - error: - type: string - example: Unauthorized - enum: - - Unauthorized - message: - type: string - statusCode: - type: integer - example: 401 - enum: - - 401 - Connectors_404: - description: Object is not found. - content: - application/json: - schema: - type: object - title: Not found response - properties: - error: - type: string - example: Not Found - enum: - - Not Found - message: - type: string - example: >- - Saved object [action/baf33fc0-920c-11ed-b36a-874bd1548a00] not - found - statusCode: - type: integer - example: 404 - enum: - - 404 + index: + description: The index or index pattern to use + example: my-service-* + type: string + metric: + description: > + An object defining the metrics, equation, and threshold to + determine if it's a good slice or not + type: object + properties: + comparator: + description: >- + The comparator to use to compare the equation to the + threshold. + enum: + - GT + - GTE + - LT + - LTE + example: GT + type: string + equation: + description: The equation to calculate the metric. + example: A + type: string + metrics: + description: >- + List of metrics with their name, aggregation type, and + field. 
+ items: + anyOf: + - $ref: >- + #/components/schemas/SLOs_timeslice_metric_basic_metric_with_field + - $ref: >- + #/components/schemas/SLOs_timeslice_metric_percentile_metric + - $ref: >- + #/components/schemas/SLOs_timeslice_metric_doc_count_metric + type: array + threshold: + description: >- + The threshold used to determine if the metric is a good + slice or not. + example: 100 + type: number + required: + - metrics + - equation + - comparator + - threshold + timestampField: + description: | + The timestamp field used in the source indice. + example: timestamp + type: string + required: + - index + - timestampField + - metric + type: + description: The type of indicator. + example: sli.metric.timeslice + type: string + required: + - type + - params + title: Timeslice metric + SLOs_kql_with_filters: + description: Defines properties for a filter + oneOf: + - description: the KQL query to filter the documents with. + example: 'field.environment : "production" and service.name : "my-service"' + type: string + - type: object + properties: + filters: + items: + $ref: '#/components/schemas/SLOs_filter' + type: array + kqlQuery: + type: string + title: KQL with filters + SLOs_kql_with_filters_good: + description: The KQL query used to define the good events. + oneOf: + - description: the KQL query to filter the documents with. + example: 'request.latency <= 150 and request.status_code : "2xx"' + type: string + - type: object + properties: + filters: + items: + $ref: '#/components/schemas/SLOs_filter' + type: array + kqlQuery: + type: string + title: KQL query for good events + SLOs_kql_with_filters_total: + description: The KQL query used to define all events. + oneOf: + - description: the KQL query to filter the documents with. 
+ example: 'field.environment : "production" and service.name : "my-service"' + type: string + - type: object + properties: + filters: + items: + $ref: '#/components/schemas/SLOs_filter' + type: array + kqlQuery: + type: string + title: KQL query for all events + SLOs_objective: + description: Defines properties for the SLO objective + type: object + properties: + target: + description: the target objective between 0 and 1 excluded + example: 0.99 + exclusiveMaximum: true + exclusiveMinimum: true + maximum: 100 + minimum: 0 + type: number + timesliceTarget: + description: >- + the target objective for each slice when using a timeslices + budgeting method + example: 0.995 + maximum: 100 + minimum: 0 + type: number + timesliceWindow: + description: >- + the duration of each slice when using a timeslices budgeting method, + as {duraton}{unit} + example: 5m + type: string + required: + - target + title: Objective + SLOs_settings: + description: Defines properties for SLO settings. + properties: + frequency: + default: 1m + description: 'Configure how often the transform runs, default 1m' + example: 5m + type: string + preventInitialBackfill: + default: false + description: Prevents the transform from backfilling data when it starts. + example: true + type: boolean + syncDelay: + default: 1m + description: The synch delay to apply to the transform. Default 1m + example: 5m + type: string + title: Settings + type: object + SLOs_slo_definition_response: + title: SLO definition response + type: object + properties: + budgetingMethod: + $ref: '#/components/schemas/SLOs_budgeting_method' + createdAt: + description: The creation date + example: '2023-01-12T10:03:19.000Z' + type: string + description: + description: The description of the SLO. 
+ example: My SLO description + type: string + enabled: + description: Indicate if the SLO is enabled + example: true + type: boolean + groupBy: + description: optional group by field to use to generate an SLO per distinct value + example: some.field + type: string + id: + description: The identifier of the SLO. + example: 8853df00-ae2e-11ed-90af-09bb6422b258 + type: string + indicator: + discriminator: + mapping: + sli.apm.transactionDuration: '#/components/schemas/SLOs_indicator_properties_apm_latency' + sli.apm.transactionErrorRate: '#/components/schemas/SLOs_indicator_properties_apm_availability' + sli.histogram.custom: '#/components/schemas/SLOs_indicator_properties_histogram' + sli.kql.custom: '#/components/schemas/SLOs_indicator_properties_custom_kql' + sli.metric.custom: '#/components/schemas/SLOs_indicator_properties_custom_metric' + sli.metric.timeslice: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' + propertyName: type + oneOf: + - $ref: '#/components/schemas/SLOs_indicator_properties_custom_kql' + - $ref: '#/components/schemas/SLOs_indicator_properties_apm_availability' + - $ref: '#/components/schemas/SLOs_indicator_properties_apm_latency' + - $ref: '#/components/schemas/SLOs_indicator_properties_custom_metric' + - $ref: '#/components/schemas/SLOs_indicator_properties_histogram' + - $ref: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' + name: + description: The name of the SLO. 
+ example: My Service SLO + type: string + objective: + $ref: '#/components/schemas/SLOs_objective' + revision: + description: The SLO revision + example: 2 + type: number + settings: + $ref: '#/components/schemas/SLOs_settings' + tags: + description: List of tags + items: + type: string + type: array + timeWindow: + $ref: '#/components/schemas/SLOs_time_window' + updatedAt: + description: The last update date + example: '2023-01-12T10:03:19.000Z' + type: string + version: + description: The internal SLO version + example: 2 + type: number + required: + - id + - name + - description + - indicator + - timeWindow + - budgetingMethod + - objective + - settings + - revision + - enabled + - groupBy + - tags + - createdAt + - updatedAt + - version + SLOs_slo_with_summary_response: + title: SLO response + type: object + properties: + budgetingMethod: + $ref: '#/components/schemas/SLOs_budgeting_method' + createdAt: + description: The creation date + example: '2023-01-12T10:03:19.000Z' + type: string + description: + description: The description of the SLO. + example: My SLO description + type: string + enabled: + description: Indicate if the SLO is enabled + example: true + type: boolean + groupBy: + description: optional group by field to use to generate an SLO per distinct value + example: some.field + type: string + id: + description: The identifier of the SLO. 
+ example: 8853df00-ae2e-11ed-90af-09bb6422b258 + type: string + indicator: + discriminator: + mapping: + sli.apm.transactionDuration: '#/components/schemas/SLOs_indicator_properties_apm_latency' + sli.apm.transactionErrorRate: '#/components/schemas/SLOs_indicator_properties_apm_availability' + sli.histogram.custom: '#/components/schemas/SLOs_indicator_properties_histogram' + sli.kql.custom: '#/components/schemas/SLOs_indicator_properties_custom_kql' + sli.metric.custom: '#/components/schemas/SLOs_indicator_properties_custom_metric' + sli.metric.timeslice: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' + propertyName: type + oneOf: + - $ref: '#/components/schemas/SLOs_indicator_properties_custom_kql' + - $ref: '#/components/schemas/SLOs_indicator_properties_apm_availability' + - $ref: '#/components/schemas/SLOs_indicator_properties_apm_latency' + - $ref: '#/components/schemas/SLOs_indicator_properties_custom_metric' + - $ref: '#/components/schemas/SLOs_indicator_properties_histogram' + - $ref: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' + instanceId: + description: 'the value derived from the groupBy field, if present, otherwise ''*''' + example: host-abcde + type: string + name: + description: The name of the SLO. 
+ example: My Service SLO + type: string + objective: + $ref: '#/components/schemas/SLOs_objective' + revision: + description: The SLO revision + example: 2 + type: number + settings: + $ref: '#/components/schemas/SLOs_settings' + summary: + $ref: '#/components/schemas/SLOs_summary' + tags: + description: List of tags + items: + type: string + type: array + timeWindow: + $ref: '#/components/schemas/SLOs_time_window' + updatedAt: + description: The last update date + example: '2023-01-12T10:03:19.000Z' + type: string + version: + description: The internal SLO version + example: 2 + type: number + required: + - id + - name + - description + - indicator + - timeWindow + - budgetingMethod + - objective + - settings + - revision + - summary + - enabled + - groupBy + - instanceId + - tags + - createdAt + - updatedAt + - version + SLOs_summary: + description: The SLO computed data + properties: + errorBudget: + $ref: '#/components/schemas/SLOs_error_budget' + sliValue: + example: 0.9836 + type: number + status: + $ref: '#/components/schemas/SLOs_summary_status' + required: + - status + - sliValue + - errorBudget + title: Summary + type: object + SLOs_summary_status: + enum: + - NO_DATA + - HEALTHY + - DEGRADING + - VIOLATED + example: HEALTHY + title: summary status + type: string + SLOs_time_window: + description: Defines properties for the SLO time window + type: object + properties: + duration: + description: >- + the duration formatted as {duration}{unit}. Accepted values for + rolling: 7d, 30d, 90d. Accepted values for calendar aligned: 1w + (weekly) or 1M (monthly) + example: 30d + type: string + type: + description: >- + Indicates weither the time window is a rolling or a calendar aligned + time window. 
+ enum: + - rolling + - calendarAligned + example: rolling + type: string + required: + - duration + - type + title: Time window + SLOs_timeslice_metric_basic_metric_with_field: + type: object + properties: + aggregation: + description: The aggregation type of the metric. + enum: + - sum + - avg + - min + - max + - std_deviation + - last_value + - cardinality + example: sum + type: string + field: + description: The field of the metric. + example: processor.processed + type: string + filter: + description: The filter to apply to the metric. + example: 'processor.outcome: "success"' + type: string + name: + description: The name of the metric. Only valid options are A-Z + example: A + pattern: '^[A-Z]$' + type: string + required: + - name + - aggregation + - field + title: Timeslice Metric Basic Metric with Field + SLOs_timeslice_metric_doc_count_metric: + type: object + properties: + aggregation: + description: The aggregation type of the metric. Only valid option is "doc_count" + enum: + - doc_count + example: doc_count + type: string + filter: + description: The filter to apply to the metric. + example: 'processor.outcome: "success"' + type: string + name: + description: The name of the metric. Only valid options are A-Z + example: A + pattern: '^[A-Z]$' + type: string + required: + - name + - aggregation + title: Timeslice Metric Doc Count Metric + SLOs_timeslice_metric_percentile_metric: + type: object + properties: + aggregation: + description: >- + The aggregation type of the metric. Only valid option is + "percentile" + enum: + - percentile + example: percentile + type: string + field: + description: The field of the metric. + example: processor.processed + type: string + filter: + description: The filter to apply to the metric. + example: 'processor.outcome: "success"' + type: string + name: + description: The name of the metric. Only valid options are A-Z + example: A + pattern: '^[A-Z]$' + type: string + percentile: + description: The percentile value. 
+ example: 95 + type: number + required: + - name + - aggregation + - field + - percentile + title: Timeslice Metric Percentile Metric + SLOs_update_slo_request: + description: > + The update SLO API request body varies depending on the type of + indicator, time window and budgeting method. Partial update is handled. + properties: + budgetingMethod: + $ref: '#/components/schemas/SLOs_budgeting_method' + description: + description: A description for the SLO. + type: string + indicator: + oneOf: + - $ref: '#/components/schemas/SLOs_indicator_properties_custom_kql' + - $ref: '#/components/schemas/SLOs_indicator_properties_apm_availability' + - $ref: '#/components/schemas/SLOs_indicator_properties_apm_latency' + - $ref: '#/components/schemas/SLOs_indicator_properties_custom_metric' + - $ref: '#/components/schemas/SLOs_indicator_properties_histogram' + - $ref: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' + name: + description: A name for the SLO. + type: string + objective: + $ref: '#/components/schemas/SLOs_objective' + settings: + $ref: '#/components/schemas/SLOs_settings' + tags: + description: List of tags + items: + type: string + type: array + timeWindow: + $ref: '#/components/schemas/SLOs_time_window' + title: Update SLO request + type: object securitySchemes: - Kibana_HTTP_APIs_apiKeyAuth: + apiKeyAuth: + description: > + These APIs use key-based authentication. You must create an API key and + use the encoded value in the request header. 
For example: + `Authorization: ApiKey base64AccessApiKey` in: header name: Authorization type: apiKey - Kibana_HTTP_APIs_basicAuth: - scheme: basic - type: http -x-tagGroups: - - name: APM UI - tags: - - APM agent keys - - APM annotations - - name: Connectors - tags: - - connectors - - name: Data views - tags: - - data views - - name: Machine learning APIs - tags: - - ml - - name: Serverless saved objects - tags: - - saved objects - - name: SLOs - tags: - - slo - - name: Kibana HTTP APIs - tags: - - system +security: + - apiKeyAuth: [] +tags: + - description: > + Configure APM agent keys to authorize requests from APM agents to the APM + Server. + name: APM agent keys + - description: > + Annotate visualizations in the APM app with significant events. + Annotations enable you to easily see how events are impacting the + performance of your applications. + name: APM annotations + - description: Connector APIs enable you to create and manage connectors. + name: connectors + - description: >- + Data view APIs enable you to manage data views, formerly known as Kibana + index patterns. + name: data views + - description: Machine learning + name: ml + - description: >- + Manage Kibana saved objects, including dashboards, visualizations, and + more. + name: saved objects + - description: Manage and interact with Security Assistant resources. + name: Security AI Assistant API + - description: >- + You can create rules that automatically turn events and external alerts + sent to Elastic Security into detection alerts. These alerts are displayed + on the Detections page. + name: Security Solution Detections API + - description: Interact with and manage endpoints running the Elastic Defend integration. 
+ name: Security Solution Endpoint Management API + - description: '' + name: Security Solution Entity Analytics API + - description: >- + Exceptions API allows you to manage detection rule exceptions to prevent a + rule from generating an alert from incoming events even when the rule's + other criteria are met. + name: Security Solution Exceptions API + - description: 'Lists API allows you to manage lists of keywords, IPs or IP ranges items.' + name: Security Solution Lists API + - description: 'Run live queries, manage packs and saved queries.' + name: Security Solution Osquery API + - description: >- + You can create Timelines and Timeline templates via the API, as well as + import new Timelines from an ndjson file. + name: Security Solution Timeline API + - description: 'SLO APIs enable you to define, manage and track service-level objectives' + name: slo + - name: system diff --git a/oas_docs/output/kibana.yaml b/oas_docs/output/kibana.yaml index a16a834c63e73..977a910dabf6b 100644 --- a/oas_docs/output/kibana.yaml +++ b/oas_docs/output/kibana.yaml @@ -1,6 +1,7 @@ openapi: 3.0.3 info: - title: Kibana APIs + contact: + name: Kibana Team description: > The Kibana REST APIs enable you to manage resources such as connectors, data views, and saved objects. 
@@ -45,18372 +46,10638 @@ info: For more information about the console, refer to [Run API requests](https://www.elastic.co/guide/en/kibana/current/console-kibana.html). - version: 1.0.2 license: name: Elastic License 2.0 - url: https://www.elastic.co/licensing/elastic-license - contact: - name: Kibana Team + url: 'https://www.elastic.co/licensing/elastic-license' + title: Kibana APIs + version: 1.0.2 servers: - - url: / - - url: https://{kibana_url} + - url: 'https://{kibana_url}' variables: kibana_url: - default: localhost:5601 - - url: http://localhost:5622 -tags: - - name: alerting - description: Alerting APIs enable you to create and manage rules and alerts. - x-displayName: alerting - - name: APM agent keys - description: > - Configure APM agent keys to authorize requests from APM agents to the APM - Server. - x-displayName: APM agent keys - - name: APM annotations - description: > - Annotate visualizations in the APM app with significant events. - Annotations enable you to easily see how events are impacting the - performance of your applications. - x-displayName: APM annotations - - name: cases - description: Case APIs enable you to open and track issues. - x-displayName: cases - - name: connectors - description: Connector APIs enable you to create and manage connectors. - x-displayName: connectors - - name: data views - description: >- - Data view APIs enable you to manage data views, formerly known as Kibana - index patterns. - x-displayName: data views - - name: ml - description: Machine learning - x-displayName: ml - - name: saved objects - description: >- - Manage Kibana saved objects, including dashboards, visualizations, and - more. 
- x-displayName: saved objects - - name: system - x-displayName: system + default: 'localhost:5601' paths: - /api/alerting/rule: - post: - summary: Create a rule with a random identifier - operationId: createRule - description: > - To create a rule, you must have `all` privileges for the appropriate - Kibana features, depending on the `consumer` and `rule_type_id` of the - rule you're creating. For example, you must have privileges for the - **Management > Stack rules** feature, **Analytics > Discover** and - **Machine Learning** features, **Observability** features, or - **Security** features. If the rule has actions, you must also have - `read` privileges for the **Management > Actions and Connectors** - feature. This API supports both key- and token-based authentication. To - use key-based authentication, create an API key in Kibana and use it in - the header of the API call. To use token-based authentication, provide a - username and password; an API key that matches the current privileges of - the user is created automatically. In both cases, the API key is - subsequently used for authorization when the rule runs. 
- tags: - - alerting - parameters: - - $ref: '#/components/parameters/Alerting_kbn_xsrf' - requestBody: - required: true - content: - application/json: - schema: - $ref: '#/components/schemas/Alerting_create_rule_request' - examples: - createEsQueryEsqlRuleRequest: - $ref: >- - #/components/examples/Alerting_create_es_query_esql_rule_request - createEsQueryRuleRequest: - $ref: '#/components/examples/Alerting_create_es_query_rule_request' - createEsQueryKqlRuleRequest: - $ref: >- - #/components/examples/Alerting_create_es_query_kql_rule_request - createIndexThresholdRuleRequest: - $ref: >- - #/components/examples/Alerting_create_index_threshold_rule_request - createTrackingContainmentRuleRequest: - $ref: >- - #/components/examples/Alerting_create_tracking_containment_rule_request + /api/actions: + get: + deprecated: true + description: Deprecated in 7.13.0. Use the get all connectors API instead. + operationId: legacyGetConnectors responses: '200': - description: Indicates a successful call. content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Alerting_rule_response_properties' - examples: - createEsQueryEsqlRuleResponse: - $ref: >- - #/components/examples/Alerting_create_es_query_esql_rule_response - createEsQueryRuleResponse: - $ref: '#/components/examples/Alerting_create_es_query_rule_response' - createEsQueryKqlRuleResponse: - $ref: >- - #/components/examples/Alerting_create_es_query_kql_rule_response - createIndexThresholdRuleResponse: - $ref: >- - #/components/examples/Alerting_create_index_threshold_rule_response - createTrackingContainmentRuleResponse: - $ref: >- - #/components/examples/Alerting_create_tracking_containment_rule_response + items: + $ref: '#/components/schemas/Connectors_action_response_properties' + type: array + description: Indicates a successful call. '401': - description: Authorization information is missing or invalid. 
- content: - application/json: - schema: - $ref: '#/components/schemas/Alerting_401_response' - '404': - description: Object is not found. - content: - application/json: - schema: - $ref: '#/components/schemas/Alerting_404_response' - /api/alerting/rule/{ruleId}: - get: - summary: Get rule details - operationId: getRule - description: > - You must have `read` privileges for the appropriate Kibana features, - depending on the `consumer` and `rule_type_id` of the rules you're - seeking. For example, the **Management > Stack Rules** feature, - **Analytics > Discover** and **Machine Learning** features, - **Observability** features, or **Security** features. To get rules - associated with the **Stack Monitoring** feature, use the - `monitoring_user` built-in role. + $ref: '#/components/responses/Connectors_401' + summary: Get all connectors tags: - - alerting + - connectors + post: + deprecated: true + description: Deprecated in 7.13.0. Use the create connector API instead. + operationId: legacyCreateConnector parameters: - - $ref: '#/components/parameters/Alerting_rule_id' + - $ref: '#/components/parameters/Connectors_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + title: Legacy create connector request properties + type: object + properties: + actionTypeId: + description: The connector type identifier. + type: string + config: + description: >- + The configuration for the connector. Configuration + properties vary depending on the connector type. + type: object + name: + description: The display name for the connector. + type: string + secrets: + description: > + The secrets configuration for the connector. Secrets + configuration properties vary depending on the connector + type. NOTE: Remember these values. You must provide them + each time you update the connector. + type: object + required: true responses: '200': - description: Indicates a successful call. 
- content: - application/json: - schema: - $ref: '#/components/schemas/Alerting_rule_response_properties' - examples: - getRuleResponse: - $ref: '#/components/examples/Alerting_get_rule_response' + $ref: '#/components/responses/Connectors_200_actions' '401': - description: Authorization information is missing or invalid. - content: - application/json: - schema: - $ref: '#/components/schemas/Alerting_401_response' - '404': - description: Object is not found. - content: - application/json: - schema: - $ref: '#/components/schemas/Alerting_404_response' + $ref: '#/components/responses/Connectors_401' + summary: Create a connector + tags: + - connectors + '/api/actions/action/{actionId}': delete: - summary: Delete a rule - operationId: deleteRule + deprecated: true description: > - To delete a rule, you must have `all` privileges for the appropriate - Kibana features, depending on the `consumer` and `rule_type_id` of the - rule you're deleting. For example, the **Management** > **Stack Rules** - feature, **Analytics** > **Discover** or **Machine Learning** features, - **Observability**, or **Security** features. WARNING: After you delete a - rule, you cannot recover it. If the API key that is used by the rule was - created automatically, it is deleted. - tags: - - alerting + Deprecated in 7.13.0. Use the delete connector API instead. WARNING: + When you delete a connector, it cannot be recovered. + operationId: legacyDeleteConnector parameters: - - $ref: '#/components/parameters/Alerting_kbn_xsrf' - - $ref: '#/components/parameters/Alerting_rule_id' + - $ref: '#/components/parameters/Connectors_kbn_xsrf' + - $ref: '#/components/parameters/Connectors_action_id' responses: '204': description: Indicates a successful call. '401': - description: Authorization information is missing or invalid. - content: - application/json: - schema: - $ref: '#/components/schemas/Alerting_401_response' - '404': - description: Object is not found. 
- content: - application/json: - schema: - $ref: '#/components/schemas/Alerting_404_response' - post: - summary: Create a rule - operationId: createRuleId - description: > - This API creates a rule with a specific rule identifier. If you omit the - identifer, it is automatically generated. To create a rule, you must - have `all` privileges for the appropriate Kibana features, depending on - the `consumer` and `rule_type_id` of the rule you're creating. For - example, you must have privileges for the **Management > Stack rules** - feature, **Analytics > Discover** and **Machine Learning** features, - **Observability** features, or **Security** features. If the rule has - actions, you must also have `read` privileges for the **Management > - Actions and Connectors** feature. This API supports both key- and - token-based authentication. To use key-based authentication, create an - API key in Kibana and use it in the header of the API call. To use - token-based authentication, provide a username and password; an API key - that matches the current privileges of the user is created - automatically. In both cases, the API key is subsequently used for - authorization when the rule runs. + $ref: '#/components/responses/Connectors_401' + summary: Delete a connector tags: - - alerting + - connectors + get: + deprecated: true + description: Deprecated in 7.13.0. Use the get connector API instead. + operationId: legacyGetConnector parameters: - - $ref: '#/components/parameters/Alerting_kbn_xsrf' - - in: path - name: ruleId - description: > - An UUID v1 or v4 identifier for the rule. If you omit this - parameter, an identifier is randomly generated. 
- required: true - schema: - type: string - example: ac4e6b90-6be7-11eb-ba0d-9b1c1f912d74 + - $ref: '#/components/parameters/Connectors_action_id' + responses: + '200': + $ref: '#/components/responses/Connectors_200_actions' + '401': + $ref: '#/components/responses/Connectors_401' + summary: Get connector information + tags: + - connectors + put: + deprecated: true + description: Deprecated in 7.13.0. Use the update connector API instead. + operationId: legacyUpdateConnector + parameters: + - $ref: '#/components/parameters/Connectors_kbn_xsrf' + - $ref: '#/components/parameters/Connectors_action_id' requestBody: - required: true content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Alerting_create_rule_request' - examples: - createEsQueryEsqlRuleIdRequest: - $ref: >- - #/components/examples/Alerting_create_es_query_esql_rule_request - createEsQueryRuleIdRequest: - $ref: '#/components/examples/Alerting_create_es_query_rule_request' - createEsQueryKqlRuleIdRequest: - $ref: >- - #/components/examples/Alerting_create_es_query_kql_rule_request - createIndexThreholdRuleIdRequest: - $ref: >- - #/components/examples/Alerting_create_index_threshold_rule_request + description: The properties vary depending on the connector type. + properties: + config: + description: >- + The new connector configuration. Configuration properties + vary depending on the connector type. + type: object + name: + description: The new name for the connector. + type: string + secrets: + description: >- + The updated secrets configuration for the connector. Secrets + properties vary depending on the connector type. + type: object + title: Legacy update connector request body properties + type: object + required: true responses: '200': - description: Indicates a successful call. 
- content: - application/json: - schema: - $ref: '#/components/schemas/Alerting_rule_response_properties' - examples: - createEsQueryEsqlRuleIdResponse: - $ref: >- - #/components/examples/Alerting_create_es_query_esql_rule_response - createEsQueryRuleIdResponse: - $ref: '#/components/examples/Alerting_create_es_query_rule_response' - createEsQueryKqlRuleIdResponse: - $ref: >- - #/components/examples/Alerting_create_es_query_kql_rule_response - createIndexThresholdRuleIdResponse: - $ref: >- - #/components/examples/Alerting_create_index_threshold_rule_response - '401': - description: Authorization information is missing or invalid. - content: - application/json: - schema: - $ref: '#/components/schemas/Alerting_401_response' + $ref: '#/components/responses/Connectors_200_actions' '404': - description: Object is not found. - content: - application/json: - schema: - $ref: '#/components/schemas/Alerting_404_response' - put: - summary: Update a rule - operationId: updateRule - description: > - To update a rule, you must have `all` privileges for the appropriate - Kibana features, depending on the `consumer` and `rule_type_id` of the - rule you're updating. For example, you must have privileges for the - **Management > Stack rules** feature, **Analytics > Discover** and - **Machine Learning** features, **Observability** features, or - **Security** features. If the rule has actions, you must also have - `read` privileges for the **Management > Actions and Connectors** - feature. This API supports both key- and token-based authentication. To - use key-based authentication, create an API key in Kibana and use it in - the header of the API call. To use token-based authentication, provide a - username and password; an API key that matches the current privileges of - the user is created automatically. In both cases, the API key is - subsequently used for authorization when the rule runs. 
NOTE: If the API - key has different privileges than the key that created or most recently - updated the rule, the rule behavior might change. Though some properties - are optional, when you update the rule the existing property values are - overwritten with default values. Therefore, it is recommended to - explicitly set all property values. + $ref: '#/components/responses/Connectors_404' + summary: Update a connector tags: - - alerting + - connectors + '/api/actions/action/{actionId}/_execute': + post: + deprecated: true + description: Deprecated in 7.13.0. Use the run connector API instead. + operationId: legacyRunConnector parameters: - - $ref: '#/components/parameters/Alerting_kbn_xsrf' - - $ref: '#/components/parameters/Alerting_rule_id' + - $ref: '#/components/parameters/Connectors_kbn_xsrf' + - $ref: '#/components/parameters/Connectors_action_id' requestBody: - required: true content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Alerting_update_rule_request' - examples: - updateRuleRequest: - $ref: '#/components/examples/Alerting_update_rule_request' + description: The properties vary depending on the connector type. + properties: + params: + description: >- + The parameters of the connector. Parameter properties vary + depending on the connector type. + type: object + required: + - params + title: Legacy run connector request body properties + type: object + required: true responses: '200': - description: Indicates a successful call. content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Alerting_rule_response_properties' - examples: - updateRuleResponse: - $ref: '#/components/examples/Alerting_update_rule_response' + type: object + properties: + actionId: + type: string + data: + oneOf: + - additionalProperties: true + description: Information returned from the action. 
+ type: object + - description: An array of information returned from the action. + items: + type: object + type: array + status: + description: The status of the action. + type: string + description: Indicates a successful call. '401': - description: Authorization information is missing or invalid. - content: - application/json: - schema: - $ref: '#/components/schemas/Alerting_401_response' - '404': - description: Object is not found. - content: - application/json: - schema: - $ref: '#/components/schemas/Alerting_404_response' - /api/alerting/rule/{ruleId}/_disable: - post: - summary: Disable a rule - operationId: disableRule - description: > - You must have `all` privileges for the appropriate Kibana features, - depending on the `consumer` and `rule_type_id` of the rule. For example, - the **Management > Stack Rules** feature, **Analytics > Discover** and - **Machine Learning** features, **Observability**, and **Security** - features. + $ref: '#/components/responses/Connectors_401' + summary: Run a connector tags: - - alerting + - connectors + /api/actions/connector: + post: + description: The connector identifier is randomly generated. 
+ operationId: createConnector parameters: - - $ref: '#/components/parameters/Alerting_kbn_xsrf' - - $ref: '#/components/parameters/Alerting_rule_id' + - $ref: '#/components/parameters/Connectors_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + examples: + createEmailConnectorRequest: + $ref: >- + #/components/examples/Connectors_create_email_connector_request + createIndexConnectorRequest: + $ref: >- + #/components/examples/Connectors_create_index_connector_request + createWebhookConnectorRequest: + $ref: >- + #/components/examples/Connectors_create_webhook_connector_request + createXmattersConnectorRequest: + $ref: >- + #/components/examples/Connectors_create_xmatters_connector_request + schema: + $ref: '#/components/schemas/Connectors_create_connector_request' + required: true responses: - '204': - description: Indicates a successful call. - '401': - description: Authorization information is missing or invalid. + '200': content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: + examples: + createEmailConnectorResponse: + $ref: >- + #/components/examples/Connectors_create_email_connector_response + createIndexConnectorResponse: + $ref: >- + #/components/examples/Connectors_create_index_connector_response + createWebhookConnectorResponse: + $ref: >- + #/components/examples/Connectors_create_webhook_connector_response + createXmattersConnectorResponse: + $ref: >- + #/components/examples/Connectors_create_xmatters_connector_response schema: - $ref: '#/components/schemas/Alerting_401_response' - '404': - description: Object is not found. + $ref: '#/components/schemas/Connectors_connector_response_properties' + description: Indicates a successful call. 
+ '401': + $ref: '#/components/responses/Connectors_401' + summary: Create a connector with a random ID + tags: + - connectors + /api/actions/connector_types: + get: + operationId: getConnectorTypes + parameters: + - description: >- + A filter to limit the retrieved connector types to those that + support a specific feature (such as alerting or cases). + in: query + name: feature_id + schema: + $ref: '#/components/schemas/Connectors_features' + responses: + '200': content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: + examples: + getConnectorTypesServerlessResponse: + $ref: >- + #/components/examples/Connectors_get_connector_types_generativeai_response schema: - $ref: '#/components/schemas/Alerting_404_response' - /api/alerting/rule/{ruleId}/_enable: - post: - summary: Enable a rule - operationId: enableRule - description: > - To enable a rule, you must have `all` privileges for the appropriate - Kibana features, depending on the `consumer` and `rule_type_id` of the - rule. For example, the **Management > Stack Rules** feature, **Analytics - > Discover** and **Machine Learning** features, **Observability**, and - **Security** features. This API supports both key- and token-based - authentication. To use key-based authentication, create an API key in - Kibana and use it in the header of the API call. To use token-based - authentication, provide a username and password; an API key that matches - the current privileges of the user is created automatically. In both - cases, the API key is subsequently used for authorization when the rule - runs. + description: The properties vary for each connector type. + items: + type: object + properties: + enabled: + description: >- + Indicates whether the connector type is enabled in + Kibana. + example: true + type: boolean + enabled_in_config: + description: >- + Indicates whether the connector type is enabled in the + Kibana configuration file. 
+ example: true + type: boolean + enabled_in_license: + description: >- + Indicates whether the connector is enabled in the + license. + example: true + type: boolean + id: + $ref: '#/components/schemas/Connectors_connector_types' + is_system_action_type: + example: false + type: boolean + minimum_license_required: + description: The license that is required to use the connector type. + example: basic + type: string + name: + description: The name of the connector type. + example: Index + type: string + supported_feature_ids: + description: The features that are supported by the connector type. + example: + - alerting + - cases + - siem + items: + $ref: '#/components/schemas/Connectors_features' + type: array + title: Get connector types response body properties + type: array + description: Indicates a successful call. + '401': + $ref: '#/components/responses/Connectors_401' + summary: Get all connector types tags: - - alerting + - connectors + '/api/actions/connector/{connectorId}': + delete: + operationId: deleteConnector parameters: - - $ref: '#/components/parameters/Alerting_kbn_xsrf' - - $ref: '#/components/parameters/Alerting_rule_id' + - $ref: '#/components/parameters/Connectors_kbn_xsrf' + - $ref: '#/components/parameters/Connectors_connector_id' responses: '204': description: Indicates a successful call. '401': - description: Authorization information is missing or invalid. - content: - application/json: - schema: - $ref: '#/components/schemas/Alerting_401_response' + $ref: '#/components/responses/Connectors_401' '404': - description: Object is not found. 
+ $ref: '#/components/responses/Connectors_404' + summary: Delete a connector + tags: + - connectors + get: + operationId: getConnector + parameters: + - $ref: '#/components/parameters/Connectors_connector_id' + responses: + '200': content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: + examples: + getConnectorResponse: + $ref: '#/components/examples/Connectors_get_connector_response' schema: - $ref: '#/components/schemas/Alerting_401_response' - /api/alerting/rules/_find: - get: - summary: Find rule information - operationId: findRules - description: > - You must have `read` privileges for the appropriate Kibana features, - depending on the `consumer` and `rule_type_id` of the rules you're - seeking. For example, you must have privileges for the **Management > - Stack rules** feature, **Analytics > Discover** and **Machine Learning** - features, **Observability** features, or **Security** features. To find - rules associated with the **Stack Monitoring** feature, use the - `monitoring_user` built-in role. + $ref: '#/components/schemas/Connectors_connector_response_properties' + description: Indicates a successful call. + '401': + $ref: '#/components/responses/Connectors_401' + '404': + $ref: '#/components/responses/Connectors_404' + summary: Get a connector information tags: - - alerting + - connectors + post: + operationId: createConnectorId parameters: - - name: default_search_operator - in: query - description: The default operator to use for the simple_query_string. - schema: - type: string - default: OR - example: OR - - name: fields - in: query - description: The fields to return in the `attributes` key of the response. - schema: - type: array - items: - type: string - - name: filter - in: query - description: > - A KQL string that you filter with an attribute from your saved - object. It should look like `savedObjectType.attributes.title: - "myTitle"`. 
However, if you used a direct attribute of a saved - object, such as `updatedAt`, you must define your filter, for - example, `savedObjectType.updatedAt > 2018-12-22`. - schema: - type: string - - name: has_reference - in: query - description: >- - Filters the rules that have a relation with the reference objects - with a specific type and identifier. - schema: - type: object - properties: - id: - type: string - type: - type: string - - name: page - in: query - description: The page number to return. - schema: - type: integer - default: 1 - example: 1 - - name: per_page - in: query - description: The number of rules to return per page. - schema: - type: integer - default: 20 - example: 20 - - name: search - in: query - description: >- - An Elasticsearch simple_query_string query that filters the objects - in the response. - schema: - type: string - example: threshold +-test* - - name: search_fields - in: query - description: The fields to perform the simple_query_string parsed query against. - schema: - oneOf: - - type: string - example: name - - type: array - items: - type: string - - name: sort_field - in: query - description: > - Determines which field is used to sort the results. The field must - exist in the `attributes` key of the response. - schema: - type: string - - name: sort_order - in: query - description: Determines the sort order. + - $ref: '#/components/parameters/Connectors_kbn_xsrf' + - description: > + A UUID v1 or v4 identifier for the connector. If you omit this + parameter, an identifier is randomly generated. 
+ in: path + name: connectorId + required: true schema: + example: ac4e6b90-6be7-11eb-ba0d-9b1c1f912d74 type: string - enum: - - asc - - desc - default: desc - example: asc + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + examples: + createIndexConnectorRequest: + $ref: >- + #/components/examples/Connectors_create_index_connector_request + schema: + $ref: '#/components/schemas/Connectors_create_connector_request' + required: true responses: '200': - description: Indicates a successful call. content: - application/json: - schema: - type: object - properties: - data: - type: array - items: - $ref: '#/components/schemas/Alerting_rule_response_properties' - page: - type: integer - per_page: - type: integer - total: - type: integer + application/json; Elastic-Api-Version=2023-10-31: examples: - findRulesResponse: - $ref: '#/components/examples/Alerting_find_rules_response' - findConditionalActionRulesResponse: + createIndexConnectorResponse: $ref: >- - #/components/examples/Alerting_find_rules_response_conditional_action - '401': - description: Authorization information is missing or invalid. - content: - application/json: + #/components/examples/Connectors_create_index_connector_response schema: - $ref: '#/components/schemas/Alerting_401_response' - /api/alerting/_health: - get: - summary: Get the alerting framework health - operationId: getAlertingHealth - description: > - You must have `read` privileges for the **Management > Stack Rules** - feature or for at least one of the **Analytics > Discover**, **Analytics - > Machine Learning**, **Observability**, or **Security** features. - tags: - - alerting - responses: - '200': + $ref: '#/components/schemas/Connectors_connector_response_properties' description: Indicates a successful call. 
- content: - application/json: - schema: - type: object - properties: - alerting_framework_health: - type: object - description: > - Three substates identify the health of the alerting - framework: `decryption_health`, `execution_health`, and - `read_health`. - properties: - decryption_health: - type: object - description: The timestamp and status of the rule decryption. - properties: - status: - type: string - example: ok - enum: - - error - - ok - - warn - timestamp: - type: string - format: date-time - example: '2023-01-13T01:28:00.280Z' - execution_health: - type: object - description: The timestamp and status of the rule run. - properties: - status: - type: string - example: ok - enum: - - error - - ok - - warn - timestamp: - type: string - format: date-time - example: '2023-01-13T01:28:00.280Z' - read_health: - type: object - description: The timestamp and status of the rule reading events. - properties: - status: - type: string - example: ok - enum: - - error - - ok - - warn - timestamp: - type: string - format: date-time - example: '2023-01-13T01:28:00.280Z' - has_permanent_encryption_key: - type: boolean - description: >- - If `false`, the encrypted saved object plugin does not - have a permanent encryption key. - example: true - is_sufficiently_secure: - type: boolean - description: If `false`, security is enabled but TLS is not. - example: true - examples: - getAlertingHealthResponse: - $ref: '#/components/examples/Alerting_get_health_response' '401': - description: Authorization information is missing or invalid. 
+ $ref: '#/components/responses/Connectors_401' + summary: Create a connector + tags: + - connectors + put: + operationId: updateConnector + parameters: + - $ref: '#/components/parameters/Connectors_kbn_xsrf' + - $ref: '#/components/parameters/Connectors_connector_id' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + examples: + updateIndexConnectorRequest: + $ref: >- + #/components/examples/Connectors_update_index_connector_request + schema: + $ref: '#/components/schemas/Connectors_update_connector_request' + required: true + responses: + '200': content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Alerting_401_response' - /api/alerting/rule_types: - get: - summary: Get the rule types - operationId: getRuleTypes - description: > - If you have `read` privileges for one or more Kibana features, the API - response contains information about the appropriate rule types. For - example, there are rule types associated with the **Management > Stack - Rules** feature, **Analytics > Discover** and **Machine Learning** - features, **Observability** features, and **Security** features. To get - rule types associated with the **Stack Monitoring** feature, use the - `monitoring_user` built-in role. + $ref: '#/components/schemas/Connectors_connector_response_properties' + description: Indicates a successful call. + '400': + $ref: '#/components/responses/Connectors_401' + '401': + $ref: '#/components/responses/Connectors_401' + '404': + $ref: '#/components/responses/Connectors_404' + summary: Update a connector tags: - - alerting + - connectors + '/api/actions/connector/{connectorId}/_execute': + post: + description: > + You can use this API to test an action that involves interaction with + Kibana services or integrations with third-party systems. 
You must have + `read` privileges for the **Actions and Connectors** feature in the + **Management** section of the Kibana feature privileges. If you use an + index connector, you must also have `all`, `create`, `index`, or `write` + indices privileges. + operationId: runConnector + parameters: + - $ref: '#/components/parameters/Connectors_kbn_xsrf' + - $ref: '#/components/parameters/Connectors_connector_id' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + examples: + runCasesWebhookConnectorRequest: + $ref: >- + #/components/examples/Connectors_run_cases_webhook_connector_request + runEmailConnectorRequest: + $ref: '#/components/examples/Connectors_run_email_connector_request' + runIndexConnectorRequest: + $ref: '#/components/examples/Connectors_run_index_connector_request' + runJiraConnectorRequest: + $ref: '#/components/examples/Connectors_run_jira_connector_request' + runPagerDutyConnectorRequest: + $ref: >- + #/components/examples/Connectors_run_pagerduty_connector_request + runServerLogConnectorRequest: + $ref: >- + #/components/examples/Connectors_run_server_log_connector_request + runServiceNowITOMConnectorRequest: + $ref: >- + #/components/examples/Connectors_run_servicenow_itom_connector_request + runSlackConnectorRequest: + $ref: >- + #/components/examples/Connectors_run_slack_api_connector_request + runSwimlaneConnectorRequest: + $ref: >- + #/components/examples/Connectors_run_swimlane_connector_request + schema: + $ref: '#/components/schemas/Connectors_run_connector_request' + required: true responses: '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + examples: + runCasesWebhookConnectorResponse: + $ref: >- + #/components/examples/Connectors_run_cases_webhook_connector_response + runEmailConnectorResponse: + $ref: >- + #/components/examples/Connectors_run_email_connector_response + runIndexConnectorResponse: + $ref: >- + #/components/examples/Connectors_run_index_connector_response + 
runJiraConnectorResponse: + $ref: '#/components/examples/Connectors_run_jira_connector_response' + runPagerDutyConnectorResponse: + $ref: >- + #/components/examples/Connectors_run_pagerduty_connector_response + runServerLogConnectorResponse: + $ref: >- + #/components/examples/Connectors_run_server_log_connector_response + runServiceNowITOMConnectorResponse: + $ref: >- + #/components/examples/Connectors_run_servicenow_itom_connector_response + runSlackConnectorResponse: + $ref: >- + #/components/examples/Connectors_run_slack_api_connector_response + runSwimlaneConnectorResponse: + $ref: >- + #/components/examples/Connectors_run_swimlane_connector_response + schema: + type: object + properties: + connector_id: + description: The identifier for the connector. + type: string + data: + oneOf: + - additionalProperties: true + description: Information returned from the action. + type: object + - description: An array of information returned from the action. + items: + type: object + type: array + status: + description: The status of the action. + enum: + - error + - ok + type: string + required: + - connector_id + - status description: Indicates a successful call. + '401': + $ref: '#/components/responses/Connectors_401' + summary: Run a connector + tags: + - connectors + /api/actions/connectors: + get: + operationId: getConnectors + responses: + '200': content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: + examples: + getConnectorsResponse: + $ref: '#/components/examples/Connectors_get_connectors_response' schema: + items: + $ref: >- + #/components/schemas/Connectors_connector_response_properties type: array + description: Indicates a successful call. + '401': + $ref: '#/components/responses/Connectors_401' + summary: Get all connectors + tags: + - connectors + /api/actions/list_action_types: + get: + deprecated: true + description: Deprecated in 7.13.0. Use the get all connector types API instead. 
+ operationId: legacyGetConnectorTypes + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + description: The properties vary for each connector type. items: type: object properties: - action_groups: - description: > - An explicit list of groups for which the rule type can - schedule actions, each with the action group's unique ID - and human readable name. Rule actions validation uses - this configuration to ensure that groups are valid. - type: array - items: - type: object - properties: - id: - type: string - name: - type: string - action_variables: - description: > - A list of action variables that the rule type makes - available via context and state in action parameter - templates, and a short human readable description. When - you create a rule in Kibana, it uses this information to - prompt you for these variables in action parameter - editors. - type: object - properties: - context: - type: array - items: - type: object - properties: - name: - type: string - description: - type: string - useWithTripleBracesInTemplates: - type: boolean - params: - type: array - items: - type: object - properties: - description: - type: string - name: - type: string - state: - type: array - items: - type: object - properties: - description: - type: string - name: - type: string - alerts: - type: object - description: > - Details for writing alerts as data documents for this - rule type. - properties: - context: - type: string - description: | - The namespace for this rule type. - enum: - - ml.anomaly-detection - - observability.apm - - observability.logs - - observability.metrics - - observability.slo - - observability.threshold - - observability.uptime - - security - - stack - dynamic: - type: string - description: Indicates whether new fields are added dynamically. - enum: - - 'false' - - runtime - - strict - - 'true' - isSpaceAware: - type: boolean - description: > - Indicates whether the alerts are space-aware. 
If - true, space-specific alert indices are used. - mappings: - type: object - properties: - fieldMap: - type: object - description: > - Mapping information for each field supported in - alerts as data documents for this rule type. For - more information about mapping parameters, refer - to the Elasticsearch documentation. - additionalProperties: - $ref: >- - #/components/schemas/Alerting_fieldmap_properties - secondaryAlias: - type: string - description: > - A secondary alias. It is typically used to support - the signals alias for detection rules. - shouldWrite: - type: boolean - description: > - Indicates whether the rule should write out alerts - as data. - useEcs: - type: boolean - description: > - Indicates whether to include the ECS component - template for the alerts. - useLegacyAlerts: - type: boolean - default: false - description: > - Indicates whether to include the legacy component - template for the alerts. - authorized_consumers: - description: >- - The list of the plugins IDs that have access to the rule - type. 
- type: object - properties: - alerts: - type: object - properties: - all: - type: boolean - read: - type: boolean - apm: - type: object - properties: - all: - type: boolean - read: - type: boolean - discover: - type: object - properties: - all: - type: boolean - read: - type: boolean - infrastructure: - type: object - properties: - all: - type: boolean - read: - type: boolean - logs: - type: object - properties: - all: - type: boolean - read: - type: boolean - ml: - type: object - properties: - all: - type: boolean - read: - type: boolean - monitoring: - type: object - properties: - all: - type: boolean - read: - type: boolean - siem: - type: object - properties: - all: - type: boolean - read: - type: boolean - slo: - type: object - properties: - all: - type: boolean - read: - type: boolean - stackAlerts: - type: object - properties: - all: - type: boolean - read: - type: boolean - uptime: - type: object - properties: - all: - type: boolean - read: - type: boolean - category: - type: string - description: >- - The rule category, which is used by features such as - category-specific maintenance windows. - enum: - - management - - observability - - securitySolution - default_action_group_id: - description: The default identifier for the rule type group. - type: string - does_set_recovery_context: + enabled: description: >- - Indicates whether the rule passes context variables to - its recovery action. + Indicates whether the connector type is enabled in + Kibana. type: boolean - enabled_in_license: + enabledInConfig: description: >- - Indicates whether the rule type is enabled or disabled - based on the subscription. - type: boolean - has_alerts_mappings: + Indicates whether the connector type is enabled in the + Kibana `.yml` file. type: boolean + enabledInLicense: description: >- - Indicates whether the rule type has custom mappings for - the alert data. - has_fields_for_a_a_d: + Indicates whether the connector is enabled in the + license. 
+ example: true type: boolean id: - description: The unique identifier for the rule type. + description: The unique identifier for the connector type. type: string - is_exportable: - description: >- - Indicates whether the rule type is exportable in **Stack - Management > Saved Objects**. - type: boolean - minimum_license_required: - description: The subscriptions required to use the rule type. + minimumLicenseRequired: + description: The license that is required to use the connector type. type: string - example: basic name: - description: The descriptive name of the rule type. - type: string - producer: - description: >- - An identifier for the application that produces this - rule type. - type: string - example: stackAlerts - recovery_action_group: - description: >- - An action group to use when an alert goes from an active - state to an inactive one. - type: object - properties: - id: - type: string - name: - type: string - rule_task_timeout: + description: The name of the connector type. type: string - example: 5m - examples: - getRuleTypesResponse: - $ref: '#/components/examples/Alerting_get_rule_types_response' - '401': - description: Authorization information is missing or invalid. - content: - application/json: - schema: - $ref: '#/components/schemas/Alerting_401_response' - /api/alerting/rule/{ruleId}/_mute_all: - post: - summary: Mute all alerts - operationId: muteAllAlerts - description: > - This API snoozes the notifications for the rule indefinitely. The rule - checks continue to occur but alerts will not trigger any actions. You - must have `all` privileges for the appropriate Kibana features, - depending on the `consumer` and `rule_type_id` of the rule. For example, - the **Management > Stack Rules** feature, **Analytics > Discover** and - **Machine Learning** features, **Observability**, and **Security** - features. If the rule has actions, you must also have `read` privileges - for the **Management > Actions and Connectors** feature. 
- tags: - - alerting - parameters: - - $ref: '#/components/parameters/Alerting_kbn_xsrf' - - $ref: '#/components/parameters/Alerting_rule_id' - responses: - '204': - description: Indicates a successful call. - '401': - description: Authorization information is missing or invalid. - content: - application/json: - schema: - $ref: '#/components/schemas/Alerting_401_response' - /api/alerting/rule/{ruleId}/_unmute_all: - post: - summary: Unmute all alerts - operationId: unmuteAllAlerts - description: > - If the rule has its notifications snoozed indefinitely, this API cancels - the snooze. You must have `all` privileges for the appropriate Kibana - features, depending on the `consumer` and `rule_type_id` of the rule. - For example, the **Management > Stack Rules** feature, **Analytics > - Discover** and **Machine Learning** features, **Observability**, and - **Security** features. If the rule has actions, you must also have - `read` privileges for the **Management > Actions and Connectors** - feature. - tags: - - alerting - parameters: - - $ref: '#/components/parameters/Alerting_kbn_xsrf' - - $ref: '#/components/parameters/Alerting_rule_id' - responses: - '204': - description: Indicates a successful call. - '401': - description: Authorization information is missing or invalid. - content: - application/json: - schema: - $ref: '#/components/schemas/Alerting_401_response' - /api/alerting/rule/{ruleId}/_update_api_key: - post: - summary: Update the API key for a rule - operationId: updateRuleAPIKey - description: >- - The new API key has the credentials of the user that submits the - request. - tags: - - alerting - parameters: - - $ref: '#/components/parameters/Alerting_kbn_xsrf' - - $ref: '#/components/parameters/Alerting_rule_id' - responses: - '200': - description: Indicates a successful call. 
- '400': - description: Bad request - content: - application/json: - schema: - $ref: '#/components/schemas/Alerting_400_response' - /api/alerting/rule/{ruleId}/alert/{alertId}/_mute: - post: - summary: Mute an alert - operationId: muteAlert - description: > - You must have `all` privileges for the appropriate Kibana features, - depending on the `consumer` and `rule_type_id` of the rule. For example, - the **Management > Stack Rules** feature, **Analytics > Discover** and - **Machine Learning** features, **Observability**, and **Security** - features. If the rule has actions, you must also have `read` privileges - for the **Management > Actions and Connectors** feature. - tags: - - alerting - parameters: - - $ref: '#/components/parameters/Alerting_kbn_xsrf' - - $ref: '#/components/parameters/Alerting_alert_id' - - $ref: '#/components/parameters/Alerting_rule_id' - responses: - '204': - description: Indicates a successful call. - '401': - description: Authorization information is missing or invalid. - content: - application/json: - schema: - $ref: '#/components/schemas/Alerting_401_response' - /api/alerting/rule/{ruleId}/alert/{alertId}/_unmute: - post: - summary: Unmute an alert - operationId: unmuteAlert - description: > - You must have `all` privileges for the appropriate Kibana features, - depending on the `consumer` and `rule_type_id` of the rule. For example, - the **Management > Stack Rules** feature, **Analytics > Discover** and - **Machine Learning** features, **Observability**, and **Security** - features. If the rule has actions, you must also have `read` privileges - for the **Management > Actions and Connectors** feature. - tags: - - alerting - parameters: - - $ref: '#/components/parameters/Alerting_kbn_xsrf' - - $ref: '#/components/parameters/Alerting_alert_id' - - $ref: '#/components/parameters/Alerting_rule_id' - responses: - '204': - description: Indicates a successful call. - '401': - description: Authorization information is missing or invalid. 
- content: - application/json: - schema: - $ref: '#/components/schemas/Alerting_401_response' - /api/alerts/alert/{alertId}: - delete: - summary: Delete an alert - operationId: legaryDeleteAlert - deprecated: true - description: > - Deprecated in 7.13.0. Use the delete rule API instead. WARNING: After - you delete an alert, you cannot recover it. - tags: - - alerting - parameters: - - $ref: '#/components/parameters/Alerting_kbn_xsrf' - - in: path - name: alertId - description: The identifier for the alert. - required: true - schema: - type: string - example: 41893910-6bca-11eb-9e0d-85d233e3ee35 - responses: - '204': + title: Legacy get connector types response body properties + type: array description: Indicates a successful call. '401': - description: Authorization information is missing or invalid. - content: - application/json: - schema: - $ref: '#/components/schemas/Alerting_401_response' - get: - summary: Get an alert by identifier - operationId: legacyGetAlert - deprecated: true - description: Deprecated in 7.13.0. Use the get rule API instead. + $ref: '#/components/responses/Connectors_401' + summary: Get connector types tags: - - alerting - parameters: - - in: path - name: alertId - description: The identifier for the alert. - required: true - schema: - type: string - example: 41893910-6bca-11eb-9e0d-85d233e3ee35 - responses: - '200': - description: Indicates a successful call. - content: - application/json: - schema: - $ref: '#/components/schemas/Alerting_alert_response_properties' - '401': - description: Authorization information is missing or invalid. - content: - application/json: - schema: - $ref: '#/components/schemas/Alerting_401_response' + - connectors + /api/apm/agent_keys: post: - summary: Create an alert - operationId: legacyCreateAlert - deprecated: true - description: Deprecated in 7.13.0. Use the create rule API instead. 
- tags: - - alerting - parameters: - - $ref: '#/components/parameters/Alerting_kbn_xsrf' - - in: path - name: alertId - description: >- - An UUID v1 or v4 identifier for the alert. If this parameter is - omitted, the identifier is randomly generated. - required: true - schema: - type: string - example: 41893910-6bca-11eb-9e0d-85d233e3ee35 + description: Create a new agent key for APM. + operationId: createAgentKey requestBody: - required: true content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - title: Legacy create alert request properties type: object - required: - - alertTypeId - - consumer - - name - - notifyWhen - - params - - schedule properties: - actions: - type: array - items: - type: object - required: - - actionTypeId - - group - - id - - params - properties: - actionTypeId: - type: string - description: The identifier for the action type. - group: - type: string - description: > - Grouping actions is recommended for escalations for - different types of alert instances. If you don't need - this functionality, set it to `default`. - id: - type: string - description: The ID of the action saved object. - params: - type: object - description: > - The map to the `params` that the action type will - receive. `params` are handled as Mustache templates - and passed a default set of context. - alertTypeId: - type: string - description: >- - The ID of the alert type that you want to call when the - alert is scheduled to run. - consumer: - type: string - description: >- - The name of the application that owns the alert. This name - has to match the Kibana feature name, as that dictates the - required role-based access control privileges. - enabled: - type: boolean - description: >- - Indicates if you want to run the alert on an interval basis - after it is created. name: type: string - description: A name to reference and search. - notifyWhen: - type: string - description: The condition for throttling the notification. 
- enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - params: - type: object - description: >- - The parameters to pass to the alert type executor `params` - value. This will also validate against the alert type params - validator, if defined. - schedule: - type: object - description: > - The schedule specifying when this alert should be run. A - schedule is structured such that the key specifies the - format you wish to use and its value specifies the schedule. - properties: - interval: - type: string - description: >- - The interval format specifies the interval in seconds, - minutes, hours or days at which the alert should run. - example: 10s - tags: - type: array + privileges: items: + enum: + - 'event:write' + - 'config_agent:read' type: string - description: A list of keywords to reference and search. - throttle: - type: string - description: > - How often this alert should fire the same actions. This will - prevent the alert from sending out the same notification - over and over. For example, if an alert with a schedule of 1 - minute stays in a triggered state for 90 minutes, setting a - throttle of `10m` or `1h` will prevent it from sending 90 - notifications during this period. + type: array + required: true responses: '200': - description: Indicates a successful call. - content: - application/json: - schema: - $ref: '#/components/schemas/Alerting_alert_response_properties' - '401': - description: Authorization information is missing or invalid. content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Alerting_401_response' - put: - summary: Update an alert - operationId: legacyUpdateAlert - deprecated: true - description: Deprecated in 7.13.0. Use the update rule API instead. 
+ type: object + properties: + api_key: + type: string + encoded: + type: string + expiration: + format: int64 + type: integer + id: + type: string + name: + type: string + description: Agent key created successfully + summary: Create an APM agent key tags: - - alerting + - APM agent keys + '/api/apm/services/{serviceName}/annotation': + post: + description: Create a new annotation for a specific service. + operationId: createAnnotation parameters: - - $ref: '#/components/parameters/Alerting_kbn_xsrf' - - in: path - name: alertId - description: The identifier for the alert. + - description: The name of the service + in: path + name: serviceName required: true schema: type: string - example: 41893910-6bca-11eb-9e0d-85d233e3ee35 requestBody: - required: true content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - title: Legacy update alert request properties type: object - required: - - name - - notifyWhen - - params - - schedule properties: - actions: - type: array - items: - type: object - required: - - actionTypeId - - group - - id - - params - properties: - actionTypeId: - type: string - description: The identifier for the action type. - group: - type: string - description: > - Grouping actions is recommended for escalations for - different types of alert instances. If you don't need - this functionality, set it to `default`. - id: - type: string - description: The ID of the action saved object. - params: - type: object - description: > - The map to the `params` that the action type will - receive. `params` are handled as Mustache templates - and passed a default set of context. - name: + '@timestamp': type: string - description: A name to reference and search. - notifyWhen: + message: type: string - description: The condition for throttling the notification. 
- enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - params: - type: object - description: >- - The parameters to pass to the alert type executor `params` - value. This will also validate against the alert type params - validator, if defined. - schedule: + service: type: object - description: > - The schedule specifying when this alert should be run. A - schedule is structured such that the key specifies the - format you wish to use and its value specifies the schedule. properties: - interval: + environment: + type: string + version: type: string - description: >- - The interval format specifies the interval in seconds, - minutes, hours or days at which the alert should run. - example: 1d tags: - type: array items: type: string - description: A list of keywords to reference and search. - throttle: - type: string - description: > - How often this alert should fire the same actions. This will - prevent the alert from sending out the same notification - over and over. For example, if an alert with a schedule of 1 - minute stays in a triggered state for 90 minutes, setting a - throttle of `10m` or `1h` will prevent it from sending 90 - notifications during this period. + type: array + required: true responses: '200': - description: Indicates a successful call. - content: - application/json: - schema: - $ref: '#/components/schemas/Alerting_alert_response_properties' - '401': - description: Authorization information is missing or invalid. - content: - application/json: - schema: - $ref: '#/components/schemas/Alerting_401_response' - /api/alerts/alert/{alertId}/_disable: - post: - summary: Disable an alert - operationId: legacyDisableAlert - deprecated: true - description: Deprecated in 7.13.0. Use the disable rule API instead. - tags: - - alerting - parameters: - - $ref: '#/components/parameters/Alerting_kbn_xsrf' - - in: path - name: alertId - description: The identifier for the alert. 
- required: true - schema: - type: string - example: 41893910-6bca-11eb-9e0d-85d233e3ee35 - responses: - '204': - description: Indicates a successful call. - '401': - description: Authorization information is missing or invalid. content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Alerting_401_response' - /api/alerts/alert/{alertId}/_enable: - post: - summary: Enable an alert - operationId: legacyEnableAlert - deprecated: true - description: Deprecated in 7.13.0. Use the enable rule API instead. - tags: - - alerting - parameters: - - $ref: '#/components/parameters/Alerting_kbn_xsrf' - - in: path - name: alertId - description: The identifier for the alert. + type: object + properties: + _id: + type: string + _index: + type: string + _source: + type: object + properties: + '@timestamp': + type: string + annotation: + type: string + event: + type: object + properties: + created: + type: string + message: + type: string + service: + type: object + properties: + environment: + type: string + name: + type: string + version: + type: string + tags: + items: + type: string + type: array + description: Annotation created successfully + summary: Create a service annotation + tags: + - APM annotations + '/api/apm/services/{serviceName}/annotation/search': + get: + description: Search for annotations related to a specific service. 
+ operationId: getAnnotation + parameters: + - description: The name of the service + in: path + name: serviceName required: true schema: type: string - example: 41893910-6bca-11eb-9e0d-85d233e3ee35 + - description: The environment to filter annotations by + in: query + name: environment + required: false + schema: + type: string + - description: The start date for the search + in: query + name: start + required: false + schema: + type: string + - description: The end date for the search + in: query + name: end + required: false + schema: + type: string responses: - '204': - description: Indicates a successful call. - '401': - description: Authorization information is missing or invalid. + '200': content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Alerting_401_response' - /api/alerts/alert/{alertId}/_mute_all: - post: - summary: Mute all alert instances - operationId: legacyMuteAllAlertInstances - deprecated: true - description: Deprecated in 7.13.0. Use the mute all alerts API instead. + type: object + properties: + annotations: + items: + type: object + properties: + '@timestamp': + type: number + id: + type: string + text: + type: string + type: + enum: + - version + type: string + type: array + description: Successful response + summary: Search for annotations tags: - - alerting + - APM annotations + /api/asset_criticality: + delete: + operationId: DeleteAssetCriticalityRecord parameters: - - $ref: '#/components/parameters/Alerting_kbn_xsrf' - - in: path - name: alertId - description: The identifier for the alert. + - description: The ID value of the asset. + in: query + name: id_value + required: true + schema: + type: string + - description: The field representing the ID. 
+ example: host.name + in: query + name: id_field required: true schema: + $ref: >- + #/components/schemas/Security_Solution_Entity_Analytics_API_IdField + - description: If 'wait_for' the request will wait for the index refresh. + in: query + name: refresh + required: false + schema: + enum: + - wait_for type: string - example: 41893910-6bca-11eb-9e0d-85d233e3ee35 responses: - '204': - description: Indicates a successful call. - '401': - description: Authorization information is missing or invalid. + '200': content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Alerting_401_response' - /api/alerts/alert/{alertId}/_unmute_all: - post: - summary: Unmute all alert instances - operationId: legacyUnmuteAllAlertInstances - deprecated: true - description: Deprecated in 7.13.0. Use the unmute all alerts API instead. + type: object + properties: + deleted: + description: >- + If the record was deleted. If false the record did not + exist. + type: boolean + record: + $ref: >- + #/components/schemas/Security_Solution_Entity_Analytics_API_AssetCriticalityRecord + required: + - deleted + description: Successful response + '400': + description: Invalid request + summary: Delete Criticality Record tags: - - alerting + - Security Solution Entity Analytics API + get: + operationId: GetAssetCriticalityRecord parameters: - - $ref: '#/components/parameters/Alerting_kbn_xsrf' - - in: path - name: alertId - description: The identifier for the alert. + - description: The ID value of the asset. + in: query + name: id_value required: true schema: type: string - example: 41893910-6bca-11eb-9e0d-85d233e3ee35 + - description: The field representing the ID. + example: host.name + in: query + name: id_field + required: true + schema: + $ref: >- + #/components/schemas/Security_Solution_Entity_Analytics_API_IdField responses: - '204': - description: Indicates a successful call. 
- '401': - description: Authorization information is missing or invalid. + '200': content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Alerting_401_response' - /api/alerts/alerts/_find: - get: - summary: Get a paginated set of alerts - operationId: legacyFindAlerts - deprecated: true - description: > - Deprecated in 7.13.0. Use the find rules API instead. NOTE: Alert - `params` are stored as a flattened field type and analyzed as keywords. - As alerts change in Kibana, the results on each page of the response - also change. Use the find API for traditional paginated results, but - avoid using it to export large amounts of data. + $ref: >- + #/components/schemas/Security_Solution_Entity_Analytics_API_AssetCriticalityRecord + description: Successful response + '400': + description: Invalid request + '404': + description: Criticality record not found + summary: Get Criticality Record tags: - - alerting + - Security Solution Entity Analytics API + post: + operationId: CreateAssetCriticalityRecord + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + allOf: + - $ref: >- + #/components/schemas/Security_Solution_Entity_Analytics_API_CreateAssetCriticalityRecord + - type: object + properties: + refresh: + description: >- + If 'wait_for' the request will wait for the index + refresh. 
+ enum: + - wait_for + type: string + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Entity_Analytics_API_AssetCriticalityRecord + description: Successful response + '400': + description: Invalid request + summary: Create Criticality Record + tags: + - Security Solution Entity Analytics API + /api/asset_criticality/bulk: + post: + operationId: BulkUpsertAssetCriticalityRecords + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + example: + records: + - criticality_level: low_impact + id_field: host.name + id_value: host-1 + - criticality_level: medium_impact + id_field: host.name + id_value: host-2 + type: object + properties: + records: + items: + $ref: >- + #/components/schemas/Security_Solution_Entity_Analytics_API_CreateAssetCriticalityRecord + maxItems: 1000 + minItems: 1 + type: array + required: + - records + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + example: + errors: + - index: 0 + message: Invalid ID field + stats: + failed: 1 + successful: 1 + total: 2 + type: object + properties: + errors: + items: + $ref: >- + #/components/schemas/Security_Solution_Entity_Analytics_API_AssetCriticalityBulkUploadErrorItem + type: array + stats: + $ref: >- + #/components/schemas/Security_Solution_Entity_Analytics_API_AssetCriticalityBulkUploadStats + required: + - errors + - stats + description: Bulk upload successful + '413': + description: File too large + summary: >- + Bulk upsert asset criticality data, creating or updating records as + needed + tags: + - Security Solution Entity Analytics API + /api/asset_criticality/list: + post: + operationId: FindAssetCriticalityRecords parameters: - - name: default_search_operator + - description: The field to sort by. in: query - description: The default operator to use for the `simple_query_string`. 
+ name: sort_field + required: false schema: + enum: + - id_value + - id_field + - criticality_level + - \@timestamp type: string - default: OR - example: OR - - name: fields - in: query - description: The fields to return in the `attributes` key of the response. - schema: - type: array - items: - type: string - - name: filter + - description: The order to sort by. in: query - description: > - A KQL string that you filter with an attribute from your saved - object. It should look like `savedObjectType.attributes.title: - "myTitle"`. However, if you used a direct attribute of a saved - object, such as `updatedAt`, you must define your filter, for - example, `savedObjectType.updatedAt > 2018-12-22`. + name: sort_direction + required: false schema: + enum: + - asc + - desc type: string - - name: has_reference - in: query - description: >- - Filters the rules that have a relation with the reference objects - with a specific type and identifier. - schema: - type: object - properties: - id: - type: string - type: - type: string - - name: page + - description: The page number to return. in: query - description: The page number to return. + name: page + required: false schema: + minimum: 1 type: integer - default: 1 - example: 1 - - name: per_page + - description: The number of records to return per page. in: query - description: The number of alerts to return per page. + name: per_page + required: false schema: + maximum: 1000 + minimum: 1 type: integer - default: 20 - example: 20 - - name: search - in: query - description: >- - An Elasticsearch `simple_query_string` query that filters the alerts - in the response. - schema: - type: string - - name: search_fields - in: query - description: >- - The fields to perform the `simple_query_string` parsed query - against. - schema: - oneOf: - - type: string - - type: array - items: - type: string - - name: sort_field - in: query - description: > - Determines which field is used to sort the results. 
The field must - exist in the `attributes` key of the response. - schema: - type: string - - name: sort_order + - description: The kuery to filter by. in: query - description: Determines the sort order. + name: kuery + required: false schema: type: string - enum: - - asc - - desc - default: desc - example: asc responses: '200': - description: Indicates a successful call. content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: type: object properties: - data: - type: array - items: - $ref: '#/components/schemas/Alerting_alert_response_properties' page: + minimum: 1 type: integer - perPage: + per_page: + maximum: 1000 + minimum: 1 type: integer + records: + items: + $ref: >- + #/components/schemas/Security_Solution_Entity_Analytics_API_AssetCriticalityRecord + type: array total: + minimum: 0 type: integer - '401': - description: Authorization information is missing or invalid. - content: - application/json: - schema: - $ref: '#/components/schemas/Alerting_401_response' - /api/alerts/alerts/_health: - get: - summary: Get the alerting framework health - operationId: legacyGetAlertingHealth - deprecated: true - description: Deprecated in 7.13.0. Use the get alerting framework health API instead. + required: + - records + - page + - per_page + - total + description: Bulk upload successful + summary: 'List asset criticality data, filtering and sorting as needed' tags: - - alerting + - Security Solution Entity Analytics API + /api/data_views: + get: + operationId: getAllDataViewsDefault responses: '200': - description: Indicates a successful call. 
content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: + examples: + getAllDataViewsResponse: + $ref: '#/components/examples/Data_views_get_data_views_response' schema: type: object properties: - alertingFrameworkHealth: - type: object - description: > - Three substates identify the health of the alerting - framework: `decryptionHealth`, `executionHealth`, and - `readHealth`. - properties: - decryptionHealth: - type: object - description: The timestamp and status of the alert decryption. - properties: - status: - type: string - example: ok - enum: - - error - - ok - - warn - timestamp: - type: string - format: date-time - example: '2023-01-13T01:28:00.280Z' - executionHealth: - type: object - description: The timestamp and status of the alert execution. - properties: - status: - type: string - example: ok - enum: - - error - - ok - - warn - timestamp: - type: string - format: date-time - example: '2023-01-13T01:28:00.280Z' - readHealth: - type: object - description: The timestamp and status of the alert reading events. - properties: - status: - type: string - example: ok - enum: - - error - - ok - - warn - timestamp: + data_view: + items: + type: object + properties: + id: + type: string + name: + type: string + namespaces: + items: type: string - format: date-time - example: '2023-01-13T01:28:00.280Z' - hasPermanentEncryptionKey: - type: boolean - description: >- - If `false`, the encrypted saved object plugin does not - have a permanent encryption key. - example: true - isSufficientlySecure: - type: boolean - description: If `false`, security is enabled but TLS is not. - example: true - '401': - description: Authorization information is missing or invalid. + type: array + title: + type: string + typeMeta: + type: object + type: array + description: Indicates a successful call. 
+ '400': content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Alerting_401_response' - /api/alerts/alerts/list_alert_types: - get: - summary: Get the alert types - operationId: legacyGetAlertTypes - deprecated: true - description: Deprecated in 7.13.0. Use the get rule types API instead. + $ref: '#/components/schemas/Data_views_400_response' + description: Bad request + summary: Get all data views tags: - - alerting + - data views + /api/data_views/data_view: + post: + operationId: createDataViewDefaultw + parameters: + - $ref: '#/components/parameters/Data_views_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + examples: + createDataViewRequest: + $ref: '#/components/examples/Data_views_create_data_view_request' + schema: + $ref: '#/components/schemas/Data_views_create_data_view_request_object' + required: true responses: '200': - description: Indicates a successful call. content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - type: array - items: - type: object - properties: - actionGroups: - description: > - An explicit list of groups for which the alert type can - schedule actions, each with the action group's unique ID - and human readable name. Alert actions validation uses - this configuration to ensure that groups are valid. - type: array - items: - type: object - properties: - id: - type: string - name: - type: string - actionVariables: - description: > - A list of action variables that the alert type makes - available via context and state in action parameter - templates, and a short human readable description. The - Alert UI will use this information to prompt users for - these variables in action parameter editors. 
- type: object - properties: - context: - type: array - items: - type: object - properties: - name: - type: string - description: - type: string - params: - type: array - items: - type: object - properties: - description: - type: string - name: - type: string - state: - type: array - items: - type: object - properties: - description: - type: string - name: - type: string - authorizedConsumers: - description: >- - The list of the plugins IDs that have access to the - alert type. - type: object - defaultActionGroupId: - description: The default identifier for the alert type group. - type: string - enabledInLicense: - description: >- - Indicates whether the rule type is enabled based on the - subscription. - type: boolean - id: - description: The unique identifier for the alert type. - type: string - isExportable: - description: >- - Indicates whether the alert type is exportable in Saved - Objects Management UI. - type: boolean - minimumLicenseRequired: - description: The subscriptions required to use the alert type. - type: string - name: - description: The descriptive name of the alert type. - type: string - producer: - description: >- - An identifier for the application that produces this - alert type. - type: string - recoveryActionGroup: - description: > - An action group to use when an alert instance goes from - an active state to an inactive one. If it is not - specified, the default recovered action group is used. - type: object - properties: - id: - type: string - name: - type: string - '401': - description: Authorization information is missing or invalid. + $ref: '#/components/schemas/Data_views_data_view_response_object' + description: Indicates a successful call. 
+ '400': content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Alerting_401_response' - /api/alerts/alert/{alertId}/alert_instance/{alertInstanceId}/_mute: - post: - summary: Mute an alert instance - operationId: legacyMuteAlertInstance - deprecated: true - description: Deprecated in 7.13.0. Use the mute alert API instead. + $ref: '#/components/schemas/Data_views_400_response' + description: Bad request + summary: Create a data view tags: - - alerting + - data views + '/api/data_views/data_view/{viewId}': + delete: + description: | + WARNING: When you delete a data view, it cannot be recovered. + operationId: deleteDataViewDefault parameters: - - $ref: '#/components/parameters/Alerting_kbn_xsrf' - - in: path - name: alertId - description: An identifier for the alert. - required: true - schema: - type: string - example: 41893910-6bca-11eb-9e0d-85d233e3ee35 - - in: path - name: alertInstanceId - description: An identifier for the alert instance. - required: true - schema: - type: string - example: dceeb5d0-6b41-11eb-802b-85b0c1bc8ba2 + - $ref: '#/components/parameters/Data_views_kbn_xsrf' + - $ref: '#/components/parameters/Data_views_view_id' responses: '204': description: Indicates a successful call. - '401': - description: Authorization information is missing or invalid. + '404': content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Alerting_401_response' - /api/alerts/alert/{alertId}/alert_instance/{alertInstanceId}/_unmute: - post: - summary: Unmute an alert instance - operationId: legacyUnmuteAlertInstance - deprecated: true - description: Deprecated in 7.13.0. Use the unmute alert API instead. + $ref: '#/components/schemas/Data_views_404_response' + description: Object is not found. 
+ summary: Delete a data view tags: - - alerting + - data views + get: + operationId: getDataViewDefault parameters: - - $ref: '#/components/parameters/Alerting_kbn_xsrf' - - in: path - name: alertId - description: An identifier for the alert. - required: true - schema: - type: string - example: 41893910-6bca-11eb-9e0d-85d233e3ee35 - - in: path - name: alertInstanceId - description: An identifier for the alert instance. - required: true - schema: - type: string - example: dceeb5d0-6b41-11eb-802b-85b0c1bc8ba2 + - $ref: '#/components/parameters/Data_views_view_id' responses: - '204': + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + examples: + getDataViewResponse: + $ref: '#/components/examples/Data_views_get_data_view_response' + schema: + $ref: '#/components/schemas/Data_views_data_view_response_object' description: Indicates a successful call. - '401': - description: Authorization information is missing or invalid. + '404': content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Alerting_401_response' - /api/apm/agent_keys: - post: - summary: Create an APM agent key - description: Create a new agent key for APM. - operationId: createAgentKey + $ref: '#/components/schemas/Data_views_404_response' + description: Object is not found. 
+ summary: Get a data view tags: - - APM agent keys + - data views + post: + operationId: updateDataViewDefault + parameters: + - $ref: '#/components/parameters/Data_views_kbn_xsrf' + - $ref: '#/components/parameters/Data_views_view_id' requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + examples: + updateDataViewRequest: + $ref: '#/components/examples/Data_views_update_data_view_request' + schema: + $ref: '#/components/schemas/Data_views_update_data_view_request_object' required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Data_views_data_view_response_object' + description: Indicates a successful call. + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Data_views_400_response' + description: Bad request + summary: Update a data view + tags: + - data views + '/api/data_views/data_view/{viewId}/fields': + post: + description: > + Update fields presentation metadata such as count, customLabel, + customDescription, and format. + operationId: updateFieldsMetadataDefault + parameters: + - $ref: '#/components/parameters/Data_views_kbn_xsrf' + - $ref: '#/components/parameters/Data_views_view_id' + requestBody: content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: + examples: + updateFieldsMetadataRequest: + $ref: '#/components/examples/Data_views_update_field_metadata_request' schema: type: object properties: - name: - type: string - privileges: - type: array - items: - type: string - enum: - - event:write - - config_agent:read + fields: + description: The field object. 
+ type: object + required: + - fields + required: true responses: '200': - description: Agent key created successfully content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: type: object properties: - api_key: - type: string - expiration: - type: integer - format: int64 - id: - type: string - name: - type: string - encoded: - type: string - /api/apm/services/{serviceName}/annotation/search: - get: - summary: Search for annotations - description: Search for annotations related to a specific service. - operationId: getAnnotation - tags: - - APM annotations - parameters: - - name: serviceName - in: path - required: true - description: The name of the service - schema: - type: string - - name: environment - in: query - required: false - description: The environment to filter annotations by - schema: - type: string - - name: start - in: query - required: false - description: The start date for the search - schema: - type: string - - name: end - in: query - required: false - description: The end date for the search - schema: - type: string + acknowledged: + type: boolean + description: Indicates a successful call. + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Data_views_400_response' + description: Bad request + summary: Update data view fields metadata + tags: + - data views + '/api/data_views/data_view/{viewId}/runtime_field': + post: + operationId: createRuntimeFieldDefault + parameters: + - $ref: '#/components/parameters/Data_views_kbn_xsrf' + - $ref: '#/components/parameters/Data_views_view_id' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + examples: + createRuntimeFieldRequest: + $ref: '#/components/examples/Data_views_create_runtime_field_request' + schema: + type: object + properties: + name: + description: | + The name for a runtime field. + type: string + runtimeField: + description: | + The runtime field definition object. 
+ type: object + required: + - name + - runtimeField + required: true responses: '200': - description: Successful response content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: type: object - properties: - annotations: - type: array - items: - type: object - properties: - type: - type: string - enum: - - version - id: - type: string - '@timestamp': - type: number - text: - type: string - /api/apm/services/{serviceName}/annotation: - post: - summary: Create a service annotation - description: Create a new annotation for a specific service. - operationId: createAnnotation + description: Indicates a successful call. + summary: Create a runtime field tags: - - APM annotations + - data views + put: + operationId: createUpdateRuntimeFieldDefault parameters: - - name: serviceName + - $ref: '#/components/parameters/Data_views_kbn_xsrf' + - description: | + The ID of the data view fields you want to update. in: path + name: viewId required: true - description: The name of the service schema: type: string requestBody: - required: true content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: + examples: + updateRuntimeFieldRequest: + $ref: '#/components/examples/Data_views_create_runtime_field_request' schema: type: object properties: - '@timestamp': + name: + description: | + The name for a runtime field. type: string - service: + runtimeField: + description: | + The runtime field definition object. 
type: object - properties: - version: - type: string - environment: - type: string - message: - type: string - tags: - type: array - items: - type: string + required: + - name + - runtimeField + required: true responses: '200': - description: Annotation created successfully content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: type: object properties: - _id: - type: string - _index: - type: string - _source: + data_view: type: object - properties: - annotation: - type: string - tags: - type: array - items: - type: string - message: - type: string - service: - type: object - properties: - name: - type: string - environment: - type: string - version: - type: string - event: - type: object - properties: - created: - type: string - '@timestamp': - type: string - /api/cases: - post: - summary: Create a case - operationId: createCaseDefaultSpace - description: > - You must have `all` privileges for the **Cases** feature in the - **Management**, **Observability**, or **Security** section of the - Kibana feature privileges, depending on the owner of the case you're - creating. + fields: + items: + type: object + type: array + description: Indicates a successful call. 
+ '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Data_views_400_response' + description: Bad request + summary: Create or update a runtime field tags: - - cases + - data views + '/api/data_views/data_view/{viewId}/runtime_field/{fieldName}': + delete: + operationId: deleteRuntimeFieldDefault parameters: - - $ref: '#/components/parameters/Cases_kbn_xsrf' - requestBody: - required: true - content: - application/json: - schema: - $ref: '#/components/schemas/Cases_create_case_request' - examples: - createCaseRequest: - $ref: '#/components/examples/Cases_create_case_request' + - $ref: '#/components/parameters/Data_views_field_name' + - $ref: '#/components/parameters/Data_views_view_id' responses: '200': description: Indicates a successful call. + '404': content: - application/json: - schema: - $ref: '#/components/schemas/Cases_case_response_properties' - examples: - createCaseResponse: - $ref: '#/components/examples/Cases_create_case_response' - '401': - description: Authorization information is missing or invalid. - content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Cases_4xx_response' - delete: - summary: Delete cases - operationId: deleteCaseDefaultSpace - description: > - You must have `read` or `all` privileges and the `delete` sub-feature - privilege for the **Cases** feature in the **Management**, - **Observability**, or **Security** section of the Kibana feature - privileges, depending on the owner of the cases you're deleting. + $ref: '#/components/schemas/Data_views_404_response' + description: Object is not found. 
+ summary: Delete a runtime field from a data view tags: - - cases + - data views + get: + operationId: getRuntimeFieldDefault parameters: - - $ref: '#/components/parameters/Cases_kbn_xsrf' - - $ref: '#/components/parameters/Cases_ids' + - $ref: '#/components/parameters/Data_views_field_name' + - $ref: '#/components/parameters/Data_views_view_id' responses: - '204': + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + examples: + getRuntimeFieldResponse: + $ref: '#/components/examples/Data_views_get_runtime_field_response' + schema: + type: object + properties: + data_view: + type: object + fields: + items: + type: object + type: array description: Indicates a successful call. - '401': - description: Authorization information is missing or invalid. + '404': content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Cases_4xx_response' - patch: - summary: Update cases - operationId: updateCaseDefaultSpace - description: > - You must have `all` privileges for the **Cases** feature in the - **Management**, **Observability**, or **Security** section of the - Kibana feature privileges, depending on the owner of the case you're - updating. + $ref: '#/components/schemas/Data_views_404_response' + description: Object is not found. 
+ summary: Get a runtime field tags: - - cases + - data views + post: + operationId: updateRuntimeFieldDefault parameters: - - $ref: '#/components/parameters/Cases_kbn_xsrf' + - $ref: '#/components/parameters/Data_views_field_name' + - $ref: '#/components/parameters/Data_views_view_id' requestBody: content: - application/json: - schema: - $ref: '#/components/schemas/Cases_update_case_request' + application/json; Elastic-Api-Version=2023-10-31: examples: - updateCaseRequest: - $ref: '#/components/examples/Cases_update_case_request' + updateRuntimeFieldRequest: + $ref: '#/components/examples/Data_views_update_runtime_field_request' + schema: + type: object + properties: + runtimeField: + description: | + The runtime field definition object. + + You can update following fields: + + - `type` + - `script` + type: object + required: + - runtimeField + required: true responses: '200': description: Indicates a successful call. + '400': content: - application/json: - schema: - type: array - items: - $ref: '#/components/schemas/Cases_case_response_properties' - examples: - updateCaseResponse: - $ref: '#/components/examples/Cases_update_case_response' - '401': - description: Authorization information is missing or invalid. - content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Cases_4xx_response' - /api/cases/_find: - get: - summary: Search cases - operationId: findCasesDefaultSpace - description: > - You must have `read` privileges for the **Cases** feature in the - **Management**, **Observability**, or **Security** section of the Kibana - feature privileges, depending on the owner of the cases you're seeking. 
+ $ref: '#/components/schemas/Data_views_400_response' + description: Bad request + summary: Update a runtime field tags: - - cases - parameters: - - $ref: '#/components/parameters/Cases_assignees' - - $ref: '#/components/parameters/Cases_category' - - $ref: '#/components/parameters/Cases_defaultSearchOperator' - - $ref: '#/components/parameters/Cases_from' - - $ref: '#/components/parameters/Cases_owner' - - $ref: '#/components/parameters/Cases_page_index' - - $ref: '#/components/parameters/Cases_page_size' - - $ref: '#/components/parameters/Cases_reporters' - - $ref: '#/components/parameters/Cases_search' - - $ref: '#/components/parameters/Cases_searchFields' - - $ref: '#/components/parameters/Cases_severity' - - $ref: '#/components/parameters/Cases_sortField' - - $ref: '#/components/parameters/Cases_sort_order' - - $ref: '#/components/parameters/Cases_status' - - $ref: '#/components/parameters/Cases_tags' - - $ref: '#/components/parameters/Cases_to' + - data views + /api/data_views/default: + get: + operationId: getDefaultDataViewDefault responses: '200': - description: Indicates a successful call. content: - application/json: - schema: - type: object - properties: - cases: - type: array - maxItems: 10000 - items: - $ref: '#/components/schemas/Cases_case_response_properties' - count_closed_cases: - type: integer - count_in_progress_cases: - type: integer - count_open_cases: - type: integer - page: - type: integer - per_page: - type: integer - total: - type: integer + application/json; Elastic-Api-Version=2023-10-31: examples: - findCaseResponse: - $ref: '#/components/examples/Cases_find_case_response' - '401': - description: Authorization information is missing or invalid. 
- content: - application/json: + getDefaultDataViewResponse: + $ref: >- + #/components/examples/Data_views_get_default_data_view_response schema: - $ref: '#/components/schemas/Cases_4xx_response' - /api/cases/alerts/{alertId}: - get: - summary: Get cases for an alert - operationId: getCasesByAlertDefaultSpace - description: > - You must have `read` privileges for the **Cases** feature in the - **Management**, **Observability**, or **Security** section of the Kibana - feature privileges, depending on the owner of the cases you're seeking. - x-technical-preview: true - tags: - - cases - parameters: - - $ref: '#/components/parameters/Cases_alert_id' - - $ref: '#/components/parameters/Cases_owner' - responses: - '200': + type: object + properties: + data_view_id: + type: string description: Indicates a successful call. + '400': content: - application/json: - schema: - type: array - maxItems: 10000 - items: - type: object - properties: - id: - type: string - description: The case identifier. - title: - type: string - description: The case title. - example: - - id: 06116b80-e1c3-11ec-be9b-9b1838238ee6 - title: security_case - '401': - description: Authorization information is missing or invalid. - content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Cases_4xx_response' - /api/cases/configure: - get: - summary: Get case settings - operationId: getCaseConfigurationDefaultSpace - description: > - Get setting details such as the closure type, custom fields, templatse, - and the default connector for cases. You must have `read` privileges for - the **Cases** feature in the **Management**, **Observability**, or - **Security** section of the Kibana feature privileges, depending on - where the cases were created. 
+ $ref: '#/components/schemas/Data_views_400_response' + description: Bad request + summary: Get the default data view tags: - - cases + - data views + post: + operationId: setDefaultDatailViewDefault parameters: - - $ref: '#/components/parameters/Cases_owner' + - $ref: '#/components/parameters/Data_views_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + examples: + setDefaultDataViewRequest: + $ref: '#/components/examples/Data_views_set_default_data_view_request' + schema: + type: object + properties: + data_view_id: + description: > + The data view identifier. NOTE: The API does not validate + whether it is a valid identifier. Use `null` to unset the + default data view. + nullable: true + type: string + force: + default: false + description: Update an existing default data view identifier. + type: boolean + required: + - data_view_id + required: true responses: '200': - description: Indicates a successful call. content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - type: array - items: - type: object - properties: - closure_type: - $ref: '#/components/schemas/Cases_closure_types' - connector: - type: object - properties: - fields: - description: >- - The fields specified in the case configuration are - not used and are not propagated to individual cases, - therefore it is recommended to set it to `null`. - nullable: true - type: object - id: - description: >- - The identifier for the connector. If you do not want - a default connector, use `none`. To retrieve - connector IDs, use the find connectors API. - type: string - example: none - name: - description: >- - The name of the connector. If you do not want a - default connector, use `none`. To retrieve connector - names, use the find connectors API. 
- type: string - example: none - type: - $ref: '#/components/schemas/Cases_connector_types' - created_at: - type: string - format: date-time - example: '2022-06-01T17:07:17.767Z' - created_by: - type: object - required: - - email - - full_name - - username - properties: - email: - type: string - example: null - nullable: true - full_name: - type: string - example: null - nullable: true - username: - type: string - example: elastic - nullable: true - profile_uid: - type: string - example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 - customFields: - type: array - description: Custom fields configuration details. - items: - type: object - properties: - defaultValue: - oneOf: - - type: string - - type: boolean - description: > - A default value for the custom field. If the - `type` is `text`, the default value must be a - string. If the `type` is `toggle`, the default - value must be boolean. - key: - description: > - A unique key for the custom field. Must be lower - case and composed only of a-z, 0-9, '_', and '-' - characters. It is used in API calls to refer to a - specific custom field. - type: string - minLength: 1 - maxLength: 36 - label: - description: >- - The custom field label that is displayed in the - case. - type: string - minLength: 1 - maxLength: 50 - required: - description: > - Indicates whether the field is required. If - `false`, the custom field can be set to null or - omitted when a case is created or updated. - type: boolean - type: - description: The type of the custom field. 
- type: string - enum: - - text - - toggle - error: - type: string - nullable: true - example: null - id: - type: string - example: 4a97a440-e1cd-11ec-be9b-9b1838238ee6 - mappings: - type: array - items: - type: object - properties: - action_type: - type: string - example: overwrite - source: - type: string - example: title - target: - type: string - example: summary - owner: - $ref: '#/components/schemas/Cases_owners' - templates: - $ref: '#/components/schemas/Cases_templates' - updated_at: - type: string - format: date-time - nullable: true - example: '2022-06-01T19:58:48.169Z' - updated_by: - type: object - required: - - email - - full_name - - username - properties: - email: - type: string - example: null - nullable: true - full_name: - type: string - example: null - nullable: true - username: - type: string - example: elastic - nullable: true - profile_uid: - type: string - example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 - nullable: true - version: - type: string - example: WzIwNzMsMV0= - examples: - getConfigurationResponse: - $ref: '#/components/examples/Cases_get_case_configuration_response' - '401': - description: Authorization information is missing or invalid. + type: object + properties: + acknowledged: + type: boolean + description: Indicates a successful call. + '400': content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Cases_4xx_response' + $ref: '#/components/schemas/Data_views_400_response' + description: Bad request + summary: Set the default data view + tags: + - data views + /api/data_views/swap_references: post: - summary: Add case settings - operationId: setCaseConfigurationDefaultSpace description: > - Case settings include external connection details, custom fields, and - templates. Connectors are used to interface with external systems. You - must create a connector before you can use it in your cases. 
If you set - a default connector, it is automatically selected when you create cases - in Kibana. If you use the create case API, however, you must still - specify all of the connector details. You must have `all` privileges for - the **Cases** feature in the **Management**, **Observability**, or - **Security** section of the Kibana feature privileges, depending on - where you are creating cases. - tags: - - cases + Changes saved object references from one data view identifier to + another. WARNING: Misuse can break large numbers of saved objects! + Practicing with a backup is recommended. + operationId: swapDataViewsDefault parameters: - - $ref: '#/components/parameters/Cases_kbn_xsrf' + - $ref: '#/components/parameters/Data_views_kbn_xsrf' requestBody: content: - application/json: - schema: - $ref: '#/components/schemas/Cases_set_case_configuration_request' + application/json; Elastic-Api-Version=2023-10-31: examples: - setCaseConfigRequest: - $ref: '#/components/examples/Cases_set_case_configuration_request' + swapDataViewRequest: + $ref: '#/components/examples/Data_views_swap_data_view_request' + schema: + $ref: '#/components/schemas/Data_views_swap_data_view_request_object' + required: true responses: '200': - description: Indicates a successful call. content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: type: object properties: - closure_type: - $ref: '#/components/schemas/Cases_closure_types' - connector: - type: object - properties: - fields: - description: >- - The fields specified in the case configuration are not - used and are not propagated to individual cases, - therefore it is recommended to set it to `null`. - nullable: true - type: object - id: - description: >- - The identifier for the connector. If you do not want a - default connector, use `none`. To retrieve connector - IDs, use the find connectors API. - type: string - example: none - name: - description: >- - The name of the connector. 
If you do not want a - default connector, use `none`. To retrieve connector - names, use the find connectors API. - type: string - example: none - type: - $ref: '#/components/schemas/Cases_connector_types' - created_at: - type: string - format: date-time - example: '2022-06-01T17:07:17.767Z' - created_by: + deleteStatus: type: object - required: - - email - - full_name - - username properties: - email: - type: string - example: null - nullable: true - full_name: - type: string - example: null - nullable: true - username: - type: string - example: elastic - nullable: true - profile_uid: - type: string - example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 - customFields: - type: array - description: Custom fields configuration details. + deletePerformed: + type: boolean + remainingRefs: + type: integer + result: items: type: object properties: - defaultValue: - oneOf: - - type: string - - type: boolean - description: > - A default value for the custom field. If the `type` - is `text`, the default value must be a string. If - the `type` is `toggle`, the default value must be - boolean. - key: - description: > - A unique key for the custom field. Must be lower - case and composed only of a-z, 0-9, '_', and '-' - characters. It is used in API calls to refer to a - specific custom field. - type: string - minLength: 1 - maxLength: 36 - label: - description: >- - The custom field label that is displayed in the - case. + id: + description: A saved object identifier. type: string - minLength: 1 - maxLength: 50 - required: - description: > - Indicates whether the field is required. If `false`, - the custom field can be set to null or omitted when - a case is created or updated. - type: boolean type: - description: The type of the custom field. + description: The saved object type. 
type: string - enum: - - text - - toggle - error: - type: string - nullable: true - example: null - id: - type: string - example: 4a97a440-e1cd-11ec-be9b-9b1838238ee6 - mappings: type: array - items: - type: object - properties: - action_type: - type: string - example: overwrite - source: - type: string - example: title - target: - type: string - example: summary - owner: - $ref: '#/components/schemas/Cases_owners' - templates: - $ref: '#/components/schemas/Cases_templates' - updated_at: - type: string - format: date-time - nullable: true - example: '2022-06-01T19:58:48.169Z' - updated_by: - type: object - required: - - email - - full_name - - username - properties: - email: - type: string - example: null - nullable: true - full_name: - type: string - example: null - nullable: true - username: - type: string - example: elastic - nullable: true - profile_uid: - type: string - example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 - nullable: true - version: - type: string - example: WzIwNzMsMV0= - examples: - setCaseConfigResponse: - $ref: '#/components/examples/Cases_set_case_configuration_response' - '401': - description: Authorization information is missing or invalid. - content: - application/json: - schema: - $ref: '#/components/schemas/Cases_4xx_response' - /api/cases/configure/{configurationId}: - patch: - summary: Update case settings - operationId: updateCaseConfigurationDefaultSpace - description: > - Updates setting details such as the closure type, custom fields, - templates, and the default connector for cases. Connectors are used to - interface with external systems. You must create a connector before you - can use it in your cases. You must have `all` privileges for the - **Cases** feature in the **Management**, **Observability**, or - **Security** section of the Kibana feature privileges, depending on - where the case was created. + description: Indicates a successful call. 
+ summary: Swap saved object references tags: - - cases + - data views + /api/data_views/swap_references/_preview: + post: + description: > + Preview the impact of swapping saved object references from one data + view identifier to another. + operationId: previewSwapDataViewsDefault parameters: - - $ref: '#/components/parameters/Cases_kbn_xsrf' - - $ref: '#/components/parameters/Cases_configuration_id' + - $ref: '#/components/parameters/Data_views_kbn_xsrf' requestBody: content: - application/json: - schema: - $ref: '#/components/schemas/Cases_update_case_configuration_request' + application/json; Elastic-Api-Version=2023-10-31: examples: - updateCaseConfigurationRequest: - $ref: '#/components/examples/Cases_update_case_configuration_request' + previewSwapDataViewRequest: + $ref: >- + #/components/examples/Data_views_preview_swap_data_view_request + schema: + $ref: '#/components/schemas/Data_views_swap_data_view_request_object' + required: true responses: '200': - description: Indicates a successful call. content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: type: object properties: - closure_type: - $ref: '#/components/schemas/Cases_closure_types' - connector: - type: object - properties: - fields: - description: >- - The fields specified in the case configuration are not - used and are not propagated to individual cases, - therefore it is recommended to set it to `null`. - nullable: true - type: object - id: - description: >- - The identifier for the connector. If you do not want a - default connector, use `none`. To retrieve connector - IDs, use the find connectors API. - type: string - example: none - name: - description: >- - The name of the connector. If you do not want a - default connector, use `none`. To retrieve connector - names, use the find connectors API. 
- type: string - example: none - type: - $ref: '#/components/schemas/Cases_connector_types' - created_at: - type: string - format: date-time - example: '2022-06-01T17:07:17.767Z' - created_by: - type: object - required: - - email - - full_name - - username - properties: - email: - type: string - example: null - nullable: true - full_name: - type: string - example: null - nullable: true - username: - type: string - example: elastic - nullable: true - profile_uid: - type: string - example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 - customFields: - type: array - description: Custom fields configuration details. + result: items: type: object properties: - defaultValue: - oneOf: - - type: string - - type: boolean - description: > - A default value for the custom field. If the `type` - is `text`, the default value must be a string. If - the `type` is `toggle`, the default value must be - boolean. - key: - description: > - A unique key for the custom field. Must be lower - case and composed only of a-z, 0-9, '_', and '-' - characters. It is used in API calls to refer to a - specific custom field. - type: string - minLength: 1 - maxLength: 36 - label: - description: >- - The custom field label that is displayed in the - case. + id: + description: A saved object identifier. type: string - minLength: 1 - maxLength: 50 - required: - description: > - Indicates whether the field is required. If `false`, - the custom field can be set to null or omitted when - a case is created or updated. - type: boolean type: - description: The type of the custom field. + description: The saved object type. 
type: string - enum: - - text - - toggle - error: - type: string - nullable: true - example: null - id: - type: string - example: 4a97a440-e1cd-11ec-be9b-9b1838238ee6 - mappings: type: array - items: - type: object - properties: - action_type: - type: string - example: overwrite - source: - type: string - example: title - target: - type: string - example: summary - owner: - $ref: '#/components/schemas/Cases_owners' - templates: - $ref: '#/components/schemas/Cases_templates' - updated_at: - type: string - format: date-time - nullable: true - example: '2022-06-01T19:58:48.169Z' - updated_by: - type: object - required: - - email - - full_name - - username - properties: - email: - type: string - example: null - nullable: true - full_name: - type: string - example: null - nullable: true - username: - type: string - example: elastic - nullable: true - profile_uid: - type: string - example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 - nullable: true - version: - type: string - example: WzIwNzMsMV0= - examples: - updateCaseConfigurationResponse: - $ref: >- - #/components/examples/Cases_update_case_configuration_response - '401': - description: Authorization information is missing or invalid. - content: - application/json: - schema: - $ref: '#/components/schemas/Cases_4xx_response' - /api/cases/reporters: - get: - summary: Get case creators - operationId: getCaseReportersDefaultSpace - description: > - Returns information about the users who opened cases. You must have read - privileges for the **Cases** feature in the **Management**, - **Observability**, or **Security** section of the Kibana feature - privileges, depending on the owner of the cases. The API returns - information about the users as they existed at the time of the case - creation, including their name, full name, and email address. If any of - those details change thereafter or if a user is deleted, the information - returned by this API is unchanged. + description: Indicates a successful call. 
+ summary: Preview a saved object reference swap tags: - - cases - parameters: - - $ref: '#/components/parameters/Cases_owner' + - data views + /api/detection_engine/index: + delete: + operationId: DeleteAlertsIndex responses: '200': - description: Indicates a successful call. content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - type: array - maxItems: 10000 - items: - type: object - required: - - email - - full_name - - username - properties: - email: - type: string - example: null - nullable: true - full_name: - type: string - example: null - nullable: true - username: - type: string - example: elastic - nullable: true - profile_uid: - type: string - example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 - examples: - getReportersResponse: - $ref: '#/components/examples/Cases_get_reporters_response' + type: object + properties: + acknowledged: + type: boolean + required: + - acknowledged + description: Successful response '401': - description: Authorization information is missing or invalid. content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Cases_4xx_response' - /api/cases/status: - get: - summary: Get case status summary - operationId: getCaseStatusDefaultSpace - description: > - Returns the number of cases that are open, closed, and in progress. - Deprecated in 8.1.0. This API is deprecated and will be removed in a - future release; use the find cases API instead. You must have `read` - privileges for the **Cases** feature in the **Management**, - **Observability**, or **Security** section of the Kibana feature - privileges, depending on the owner of the cases you're seeking. 
- deprecated: true + $ref: >- + #/components/schemas/Security_Solution_Detections_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SiemErrorResponse + description: Not enough permissions response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: string + description: Index does not exist response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SiemErrorResponse + description: Internal server error response + summary: Delete an alerts index tags: - - cases - parameters: - - $ref: '#/components/parameters/Cases_owner' + - Security Solution Detections API + - Alert index API + get: + operationId: ReadAlertsIndex responses: '200': - description: Indicates a successful call. content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: type: object properties: - count_closed_cases: - type: integer - count_in_progress_cases: - type: integer - count_open_cases: - type: integer + index_mapping_outdated: + nullable: true + type: boolean + name: + type: string + required: + - name + - index_mapping_outdated + description: Successful response '401': - description: Authorization information is missing or invalid. content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Cases_4xx_response' - /api/cases/tags: - get: - summary: Get case tags - operationId: getCaseTagsDefaultSpace - description: > - Aggregates and returns a list of case tags. You must have read - privileges for the **Cases** feature in the **Management**, - **Observability**, or **Security** section of the Kibana feature - privileges, depending on the owner of the cases you're seeking. 
- tags: - - cases - parameters: - - $ref: '#/components/parameters/Cases_owner' - responses: - '200': - description: Indicates a successful call. + $ref: >- + #/components/schemas/Security_Solution_Detections_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - type: array - maxItems: 10000 - items: - type: string - examples: - getTagsResponse: - $ref: '#/components/examples/Cases_get_tags_response' - '401': - description: Authorization information is missing or invalid. + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SiemErrorResponse + description: Not enough permissions response + '404': content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Cases_4xx_response' - /api/cases/{caseId}: - get: - summary: Get case information - operationId: getCaseDefaultSpace - description: > - You must have `read` privileges for the **Cases** feature in the - **Management**, **Observability**, or **Security** section of the Kibana - feature privileges, depending on the owner of the case you're seeking. + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SiemErrorResponse + description: Not found + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SiemErrorResponse + description: Internal server error response + summary: Reads the alert index name if it exists tags: - - cases - parameters: - - $ref: '#/components/parameters/Cases_case_id' - - $ref: '#/components/parameters/Cases_includeComments' + - Security Solution Detections API + - Alert index API + post: + operationId: CreateAlertsIndex responses: '200': - description: Indicates a successful call. 
content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Cases_case_response_properties' - examples: - getDefaultCaseResponse: - $ref: '#/components/examples/Cases_get_case_response' - getDefaultObservabilityCaseReponse: - $ref: '#/components/examples/Cases_get_case_observability_response' + type: object + properties: + acknowledged: + type: boolean + required: + - acknowledged + description: Successful response '401': - description: Authorization information is missing or invalid. content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SiemErrorResponse + description: Not enough permissions response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SiemErrorResponse + description: Not found + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Cases_4xx_response' - /api/cases/{caseId}/alerts: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SiemErrorResponse + description: Internal server error response + summary: Create an alerts index + tags: + - Security Solution Detections API + - Alert index API + /api/detection_engine/privileges: get: - summary: Get all alerts for a case description: > - You must have `read` privileges for the **Cases** feature in the - **Management**, **Observability**, or **Security** section of the Kibana - feature privileges, depending on the owner of the cases you're seeking. 
- x-technical-preview: true - operationId: getCaseAlertsDefaultSpace - tags: - - cases - parameters: - - $ref: '#/components/parameters/Cases_case_id' + Retrieves whether or not the user is authenticated, and the user's + Kibana + + space and index privileges, which determine if the user can create an + + index for the Elastic Security alerts generated by + + detection engine rules. + operationId: ReadPrivileges responses: '200': - description: Indicates a successful call. content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - type: array - items: - $ref: '#/components/schemas/Cases_alert_response_properties' - examples: - getCaseAlertsResponse: - $ref: '#/components/examples/Cases_get_case_alerts_response' + type: object + properties: + has_encryption_key: + type: boolean + is_authenticated: + type: boolean + required: + - is_authenticated + - has_encryption_key + description: Successful response '401': - description: Authorization information is missing or invalid. content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Cases_4xx_response' - /api/cases/{caseId}/comments: - post: - summary: Add a case comment or alert - operationId: addCaseCommentDefaultSpace - description: > - You must have `all` privileges for the **Cases** feature in the - **Management**, **Observability**, or **Security** section of the Kibana - feature privileges, depending on the owner of the case you're creating. - NOTE: Each case can have a maximum of 1,000 alerts. 
+ $ref: >- + #/components/schemas/Security_Solution_Detections_API_PlatformErrorResponse + description: Unsuccessful authentication response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SiemErrorResponse + description: Internal server error response + summary: Returns user privileges for the Kibana space tags: - - cases + - Security Solution Detections API + - Privileges API + /api/detection_engine/rules: + delete: + description: Delete a detection rule using the `rule_id` or `id` field. + operationId: DeleteRule parameters: - - $ref: '#/components/parameters/Cases_kbn_xsrf' - - $ref: '#/components/parameters/Cases_case_id' - requestBody: - required: true - content: - application/json: - schema: - $ref: '#/components/schemas/Cases_add_case_comment_request' - examples: - createCaseCommentRequest: - $ref: '#/components/examples/Cases_add_comment_request' + - description: The rule's `id` value. + in: query + name: id + required: false + schema: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleObjectId' + - description: The rule's `rule_id` value. + in: query + name: rule_id + required: false + schema: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId responses: '200': - description: Indicates a successful call. - content: - application/json: - schema: - $ref: '#/components/schemas/Cases_case_response_properties' - examples: - createCaseCommentResponse: - $ref: '#/components/examples/Cases_add_comment_response' - '401': - description: Authorization information is missing or invalid. content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Cases_4xx_response' - delete: - summary: Delete all case comments and alerts - operationId: deleteCaseCommentsDefaultSpace - description: > - Deletes all comments and alerts from a case. 
You must have `all` - privileges for the **Cases** feature in the **Management**, - **Observability**, or **Security** section of the Kibana feature - privileges, depending on the owner of the cases you're deleting. + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleResponse + description: Indicates a successful call. + summary: Delete a detection rule tags: - - cases + - Security Solution Detections API + - Rules API + get: + description: Retrieve a detection rule using the `rule_id` or `id` field. + operationId: ReadRule parameters: - - $ref: '#/components/parameters/Cases_kbn_xsrf' - - $ref: '#/components/parameters/Cases_case_id' + - description: The rule's `id` value. + in: query + name: id + required: false + schema: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleObjectId' + - description: The rule's `rule_id` value. + in: query + name: rule_id + required: false + schema: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId responses: - '204': - description: Indicates a successful call. - '401': - description: Authorization information is missing or invalid. + '200': content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Cases_4xx_response' - patch: - summary: Update a case comment or alert - operationId: updateCaseCommentDefaultSpace - description: > - You must have `all` privileges for the **Cases** feature in the - **Management**, **Observability**, or **Security** section of the Kibana - feature privileges, depending on the owner of the case you're updating. - NOTE: You cannot change the comment type or the owner of a comment. + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleResponse + description: Indicates a successful call. 
+ summary: Retrieve a detection rule tags: - - cases - parameters: - - $ref: '#/components/parameters/Cases_kbn_xsrf' - - $ref: '#/components/parameters/Cases_case_id' + - Security Solution Detections API + - Rules API + patch: + description: >- + Update specific fields of an existing detection rule using the `rule_id` + or `id` field. + operationId: PatchRule requestBody: - required: true content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Cases_update_case_comment_request' - examples: - updateCaseCommentRequest: - $ref: '#/components/examples/Cases_update_comment_request' + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RulePatchProps + required: true responses: '200': - description: Indicates a successful call. - content: - application/json: - schema: - $ref: '#/components/schemas/Cases_case_response_properties' - examples: - updateCaseCommentResponse: - $ref: '#/components/examples/Cases_update_comment_response' - '401': - description: Authorization information is missing or invalid. content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Cases_4xx_response' - get: - summary: Get all case comments - operationId: getAllCaseCommentsDefaultSpace - description: > - Deprecated in 8.1.0. This API is deprecated and will be removed in a - future release; instead, use the get case comment API, which requires a - comment identifier in the path. You must have `read` privileges for the - **Cases** feature in the **Management**, **Observability**, or - **Security** section of the Kibana feature privileges, depending on the - owner of the cases with the comments you're seeking. - deprecated: true + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleResponse + description: Indicates a successful call. 
+ summary: Patch a detection rule tags: - - cases - parameters: - - $ref: '#/components/parameters/Cases_case_id' + - Security Solution Detections API + - Rules API + post: + description: Create a new detection rule. + operationId: CreateRule + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleCreateProps + required: true responses: '200': - description: Indicates a successful call. - content: - application/json: - schema: - $ref: '#/components/schemas/Cases_case_response_properties' - '401': - description: Authorization information is missing or invalid. content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Cases_4xx_response' - /api/cases/{caseId}/comments/_find: - get: - summary: Find case comments and alerts - operationId: findCaseCommentsDefaultSpace - description: > - Retrieves a paginated list of comments for a case. You must have `read` - privileges for the **Cases** feature in the **Management**, - **Observability**, or **Security** section of the Kibana feature - privileges, depending on the owner of the cases with the comments you're - seeking. + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleResponse + description: Indicates a successful call. + summary: Create a detection rule tags: - - cases - parameters: - - $ref: '#/components/parameters/Cases_case_id' - - $ref: '#/components/parameters/Cases_page_index' - - $ref: '#/components/parameters/Cases_page_size' - - $ref: '#/components/parameters/Cases_sort_order' + - Security Solution Detections API + - Rules API + put: + description: > + Update a detection rule using the `rule_id` or `id` field. The original + rule is replaced, and all unspecified fields are deleted. + + > info + + > You cannot modify the `id` or `rule_id` values. 
+ operationId: UpdateRule + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleUpdateProps + required: true responses: '200': - description: Indicates a successful call. - content: - application/json: - schema: - $ref: '#/components/schemas/Cases_case_response_properties' - '401': - description: Authorization information is missing or invalid. content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Cases_4xx_response' - /api/cases/{caseId}/comments/{commentId}: - delete: - summary: Delete a case comment or alert - operationId: deleteCaseCommentDefaultSpace - description: > - You must have `all` privileges for the **Cases** feature in the - **Management**, **Observability**, or **Security** section of the Kibana - feature privileges, depending on the owner of the cases you're deleting. - tags: - - cases - parameters: - - $ref: '#/components/parameters/Cases_kbn_xsrf' - - $ref: '#/components/parameters/Cases_case_id' - - $ref: '#/components/parameters/Cases_comment_id' - responses: - '204': + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleResponse description: Indicates a successful call. - '401': - description: Authorization information is missing or invalid. - content: - application/json: - schema: - $ref: '#/components/schemas/Cases_4xx_response' - get: - summary: Get a case comment or alert - operationId: getCaseCommentDefaultSpace - description: > - You must have `read` privileges for the **Cases** feature in the - **Management**, **Observability**, or **Security** section of the Kibana - feature privileges, depending on the owner of the cases with the - comments you're seeking. 
+ summary: Update a detection rule tags: - - cases + - Security Solution Detections API + - Rules API + /api/detection_engine/rules/_bulk_action: + post: + description: >- + Apply a bulk action, such as bulk edit, duplicate, or delete, to + multiple detection rules. The bulk action is applied to all rules that + match the query or to the rules listed by their IDs. + operationId: PerformRulesBulkAction parameters: - - $ref: '#/components/parameters/Cases_case_id' - - $ref: '#/components/parameters/Cases_comment_id' + - description: Enables dry run mode for the request call. + in: query + name: dry_run + required: false + schema: + type: boolean + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_BulkDeleteRules + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_BulkDisableRules + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_BulkEnableRules + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_BulkExportRules + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_BulkDuplicateRules + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_BulkManualRuleRun + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_BulkEditRules responses: '200': - description: Indicates a successful call. content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: oneOf: - $ref: >- - #/components/schemas/Cases_alert_comment_response_properties + #/components/schemas/Security_Solution_Detections_API_BulkEditActionResponse - $ref: >- - #/components/schemas/Cases_user_comment_response_properties - examples: - getCaseCommentResponse: - $ref: '#/components/examples/Cases_get_comment_response' - '401': - description: Authorization information is missing or invalid. 
- content: - application/json: - schema: - $ref: '#/components/schemas/Cases_4xx_response' - /api/cases/{caseId}/connector/{connectorId}/_push: - post: - summary: Push a case to an external service - description: > - You must have `all` privileges for the **Actions and Connectors** - feature in the **Management** section of the Kibana feature privileges. - You must also have `all` privileges for the **Cases** feature in the - **Management**, **Observability**, or **Security** section of the Kibana - feature privileges, depending on the owner of the case you're pushing. - operationId: pushCaseDefaultSpace + #/components/schemas/Security_Solution_Detections_API_BulkExportActionResponse + description: OK + summary: Apply a bulk action to detection rules tags: - - cases - parameters: - - $ref: '#/components/parameters/Cases_case_id' - - $ref: '#/components/parameters/Cases_connector_id' - - $ref: '#/components/parameters/Cases_kbn_xsrf' + - Security Solution Detections API + - Bulk API + /api/detection_engine/rules/_bulk_create: + post: + deprecated: true + description: Create new detection rules in bulk. + operationId: BulkCreateRules requestBody: content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - nullable: true + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleCreateProps + type: array + description: 'A JSON array of rules, where each rule contains the required fields.' + required: true responses: '200': - description: Indicates a successful call. - content: - application/json: - schema: - $ref: '#/components/schemas/Cases_case_response_properties' - examples: - pushCaseResponse: - $ref: '#/components/examples/Cases_push_case_response' - '401': - description: Authorization information is missing or invalid. 
content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Cases_4xx_response' - /api/cases/{caseId}/user_actions: - get: - summary: Get case activity - description: > - Returns all user activity for a case. Deprecated in 8.1.0. This API is - deprecated and will be removed in a future release; use the find user - actions API instead. You must have `read` privileges for the **Cases** - feature in the **Management**, **Observability**, or **Security** - section of the Kibana feature privileges, depending on the owner of the - case you're seeking. - deprecated: true - operationId: getCaseActivityDefaultSpace + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BulkCrudRulesResponse + description: Indicates a successful call. + summary: Create multiple detection rules tags: - - cases - parameters: - - $ref: '#/components/parameters/Cases_case_id' + - Security Solution Detections API + - Bulk API + /api/detection_engine/rules/_bulk_delete: + delete: + deprecated: true + description: Delete detection rules in bulk. + operationId: BulkDeleteRules + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + items: + type: object + properties: + id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleObjectId + rule_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + type: array + description: >- + A JSON array of `id` or `rule_id` fields of the rules you want to + delete. + required: true responses: '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BulkCrudRulesResponse description: Indicates a successful call. 
+ '400': content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - type: array - items: - $ref: '#/components/schemas/Cases_user_actions_response_properties' + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_SiemErrorResponse + description: Invalid input data response '401': - description: Authorization information is missing or invalid. content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Cases_4xx_response' - /api/cases/{caseId}/user_actions/_find: - get: - summary: Find case activity - description: > - Retrives a paginated list of user activity for a case. You must have - `read` privileges for the **Cases** feature in the **Management**, - **Observability**, or **Security** section of the Kibana feature - privileges, depending on the owner of the case you're seeking. - operationId: findCaseActivityDefaultSpace - tags: - - cases - parameters: - - $ref: '#/components/parameters/Cases_case_id' - - $ref: '#/components/parameters/Cases_page_index' - - $ref: '#/components/parameters/Cases_page_size' - - $ref: '#/components/parameters/Cases_sort_order' - - $ref: '#/components/parameters/Cases_user_action_types' - responses: - '200': - description: Indicates a successful call. + $ref: >- + #/components/schemas/Security_Solution_Detections_API_PlatformErrorResponse + description: Unsuccessful authentication response + '500': content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SiemErrorResponse + description: Internal server error response + summary: Delete multiple detection rules + tags: + - Security Solution Detections API + - Bulk API + post: + deprecated: true + description: Deletes multiple rules. 
+ operationId: BulkDeleteRulesPost + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + items: type: object properties: - page: - type: integer - perPage: - type: integer - total: - type: integer - userActions: - type: array - maxItems: 10000 - items: - $ref: >- - #/components/schemas/Cases_user_actions_find_response_properties - examples: - findCaseActivityResponse: - $ref: '#/components/examples/Cases_find_case_activity_response' - '401': - description: Authorization information is missing or invalid. - content: - application/json: - schema: - $ref: '#/components/schemas/Cases_4xx_response' - /api/cases/configure/connectors/_find: - get: - summary: Get case connectors - operationId: findCaseConnectorsDefaultSpace - description: > - Get information about connectors that are supported for use in cases. - You must have `read` privileges for the **Actions and Connectors** - feature in the **Management** section of the Kibana feature privileges. - tags: - - cases + id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleObjectId + rule_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + type: array + description: >- + A JSON array of `id` or `rule_id` fields of the rules you want to + delete. + required: true responses: '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BulkCrudRulesResponse description: Indicates a successful call. 
+ '400': content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - type: array - items: - type: object - properties: - actionTypeId: - $ref: '#/components/schemas/Cases_connector_types' - config: - type: object - properties: - apiUrl: - type: string - projectKey: - type: string - additionalProperties: true - id: - type: string - isDeprecated: - type: boolean - isMissingSecrets: - type: boolean - isPreconfigured: - type: boolean - name: - type: string - referencedByCount: - type: integer - maxItems: 1000 - examples: - findConnectorResponse: - $ref: '#/components/examples/Cases_find_connector_response' + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_SiemErrorResponse + description: Invalid input data response '401': - description: Authorization information is missing or invalid. content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Cases_4xx_response' - /api/actions/connector: - post: - summary: Create a connector with a random ID - operationId: createConnector - description: The connector identifier is randomly generated. + $ref: >- + #/components/schemas/Security_Solution_Detections_API_PlatformErrorResponse + description: Unsuccessful authentication response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SiemErrorResponse + description: Internal server error response + summary: Delete multiple detection rules tags: - - connectors - parameters: - - $ref: '#/components/parameters/Connectors_kbn_xsrf' + - Security Solution Detections API + - Bulk API + /api/detection_engine/rules/_bulk_update: + patch: + deprecated: true + description: >- + Update specific fields of existing detection rules using the `rule_id` + or `id` field. 
+ operationId: BulkPatchRules requestBody: - required: true content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Connectors_create_connector_request' - examples: - createEmailConnectorRequest: - $ref: >- - #/components/examples/Connectors_create_email_connector_request - createIndexConnectorRequest: + items: $ref: >- - #/components/examples/Connectors_create_index_connector_request - createWebhookConnectorRequest: + #/components/schemas/Security_Solution_Detections_API_RulePatchProps + type: array + description: 'A JSON array of rules, where each rule contains the required fields.' + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: $ref: >- - #/components/examples/Connectors_create_webhook_connector_request - createXmattersConnectorRequest: + #/components/schemas/Security_Solution_Detections_API_BulkCrudRulesResponse + description: Indicates a successful call. + summary: Patch multiple detection rules + tags: + - Security Solution Detections API + - Bulk API + put: + deprecated: true + description: > + Update multiple detection rules using the `rule_id` or `id` field. The + original rules are replaced, and all unspecified fields are deleted. + + > info + + > You cannot modify the `id` or `rule_id` values. + operationId: BulkUpdateRules + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + items: $ref: >- - #/components/examples/Connectors_create_xmatters_connector_request + #/components/schemas/Security_Solution_Detections_API_RuleUpdateProps + type: array + description: >- + A JSON array where each element includes the `id` or `rule_id` field + of the rule you want to update and the fields you want to modify. + required: true responses: '200': - description: Indicates a successful call. 
content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Connectors_connector_response_properties' - examples: - createEmailConnectorResponse: - $ref: >- - #/components/examples/Connectors_create_email_connector_response - createIndexConnectorResponse: - $ref: >- - #/components/examples/Connectors_create_index_connector_response - createWebhookConnectorResponse: - $ref: >- - #/components/examples/Connectors_create_webhook_connector_response - createXmattersConnectorResponse: - $ref: >- - #/components/examples/Connectors_create_xmatters_connector_response - '401': - $ref: '#/components/responses/Connectors_401' - /api/actions/connector/{connectorId}: - get: - summary: Get a connector information - operationId: getConnector - tags: - - connectors - parameters: - - $ref: '#/components/parameters/Connectors_connector_id' - responses: - '200': + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BulkCrudRulesResponse description: Indicates a successful call. - content: - application/json: - schema: - $ref: '#/components/schemas/Connectors_connector_response_properties' - examples: - getConnectorResponse: - $ref: '#/components/examples/Connectors_get_connector_response' - '401': - $ref: '#/components/responses/Connectors_401' - '404': - $ref: '#/components/responses/Connectors_404' - delete: - summary: Delete a connector - operationId: deleteConnector + summary: Update multiple detection rules tags: - - connectors - parameters: - - $ref: '#/components/parameters/Connectors_kbn_xsrf' - - $ref: '#/components/parameters/Connectors_connector_id' - responses: - '204': - description: Indicates a successful call. 
- '401': - $ref: '#/components/responses/Connectors_401' - '404': - $ref: '#/components/responses/Connectors_404' + - Security Solution Detections API + - Bulk API + /api/detection_engine/rules/_export: post: - summary: Create a connector - operationId: createConnectorId - tags: - - connectors + description: > + Export detection rules to an `.ndjson` file. The following configuration + items are also included in the `.ndjson` file: + + - Actions + + - Exception lists + + > info + + > You cannot export prebuilt rules. + operationId: ExportRules parameters: - - $ref: '#/components/parameters/Connectors_kbn_xsrf' - - in: path - name: connectorId - description: > - A UUID v1 or v4 identifier for the connector. If you omit this - parameter, an identifier is randomly generated. - required: true + - description: Determines whether a summary of the exported rules is returned. + in: query + name: exclude_export_details + required: false + schema: + default: false + type: boolean + - description: File name for saving the exported rules. + in: query + name: file_name + required: false schema: + default: export.ndjson type: string - example: ac4e6b90-6be7-11eb-ba0d-9b1c1f912d74 requestBody: - required: true content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Connectors_create_connector_request' - examples: - createIndexConnectorRequest: - $ref: >- - #/components/examples/Connectors_create_index_connector_request + nullable: true + type: object + properties: + objects: + description: >- + Array of `rule_id` fields. Exports all rules when + unspecified. + items: + type: object + properties: + rule_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + required: + - rule_id + type: array + required: + - objects + required: false responses: '200': - description: Indicates a successful call. 
content: - application/json: + application/ndjson; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Connectors_connector_response_properties' - examples: - createIndexConnectorResponse: - $ref: >- - #/components/examples/Connectors_create_index_connector_response - '401': - $ref: '#/components/responses/Connectors_401' - put: - summary: Update a connector - operationId: updateConnector + description: An `.ndjson` file containing the returned rules. + format: binary + type: string + description: Indicates a successful call. + summary: Export detection rules tags: - - connectors + - Security Solution Detections API + - Import/Export API + /api/detection_engine/rules/_find: + get: + description: >- + Retrieve a paginated list of detection rules. By default, the first page + is returned, with 20 results per page. + operationId: FindRules parameters: - - $ref: '#/components/parameters/Connectors_kbn_xsrf' - - $ref: '#/components/parameters/Connectors_connector_id' - requestBody: - required: true - content: - application/json: - schema: - $ref: '#/components/schemas/Connectors_update_connector_request' - examples: - updateIndexConnectorRequest: - $ref: >- - #/components/examples/Connectors_update_index_connector_request + - in: query + name: fields + required: false + schema: + items: + type: string + type: array + - description: Search query + in: query + name: filter + required: false + schema: + type: string + - description: Field to sort by + in: query + name: sort_field + required: false + schema: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_FindRulesSortField + - description: Sort order + in: query + name: sort_order + required: false + schema: + $ref: '#/components/schemas/Security_Solution_Detections_API_SortOrder' + - description: Page number + in: query + name: page + required: false + schema: + default: 1 + minimum: 1 + type: integer + - description: Rules per page + in: query + name: per_page + required: false + 
schema: + default: 20 + minimum: 0 + type: integer responses: '200': - description: Indicates a successful call. content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Connectors_connector_response_properties' - '400': - $ref: '#/components/responses/Connectors_401' - '401': - $ref: '#/components/responses/Connectors_401' - '404': - $ref: '#/components/responses/Connectors_404' - /api/actions/connector/{connectorId}/_execute: + type: object + properties: + data: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleResponse + type: array + page: + type: integer + perPage: + type: integer + total: + type: integer + required: + - page + - perPage + - total + - data + description: Successful response + summary: List all detection rules + tags: + - Security Solution Detections API + - Rules API + /api/detection_engine/rules/_import: post: - summary: Run a connector - operationId: runConnector description: > - You can use this API to test an action that involves interaction with - Kibana services or integrations with third-party systems. You must have - `read` privileges for the **Actions and Connectors** feature in the - **Management** section of the Kibana feature privileges. If you use an - index connector, you must also have `all`, `create`, `index`, or `write` - indices privileges. - tags: - - connectors + Import detection rules from an `.ndjson` file, including actions and + exception lists. The request must include: + + - The `Content-Type: multipart/form-data` HTTP header. + + - A link to the `.ndjson` file containing the rules. + operationId: ImportRules parameters: - - $ref: '#/components/parameters/Connectors_kbn_xsrf' - - $ref: '#/components/parameters/Connectors_connector_id' + - description: >- + Determines whether existing rules with the same `rule_id` are + overwritten. 
+ in: query + name: overwrite + required: false + schema: + default: false + type: boolean + - description: >- + Determines whether existing exception lists with the same `list_id` + are overwritten. + in: query + name: overwrite_exceptions + required: false + schema: + default: false + type: boolean + - description: >- + Determines whether existing actions with the same + `kibana.alert.rule.actions.id` are overwritten. + in: query + name: overwrite_action_connectors + required: false + schema: + default: false + type: boolean + - description: Generates a new list ID for each imported exception list. + in: query + name: as_new_list + required: false + schema: + default: false + type: boolean requestBody: - required: true content: - application/json: + multipart/form-data; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Connectors_run_connector_request' - examples: - runCasesWebhookConnectorRequest: - $ref: >- - #/components/examples/Connectors_run_cases_webhook_connector_request - runEmailConnectorRequest: - $ref: '#/components/examples/Connectors_run_email_connector_request' - runIndexConnectorRequest: - $ref: '#/components/examples/Connectors_run_index_connector_request' - runJiraConnectorRequest: - $ref: '#/components/examples/Connectors_run_jira_connector_request' - runPagerDutyConnectorRequest: - $ref: >- - #/components/examples/Connectors_run_pagerduty_connector_request - runServerLogConnectorRequest: - $ref: >- - #/components/examples/Connectors_run_server_log_connector_request - runServiceNowITOMConnectorRequest: - $ref: >- - #/components/examples/Connectors_run_servicenow_itom_connector_request - runSlackConnectorRequest: - $ref: >- - #/components/examples/Connectors_run_slack_api_connector_request - runSwimlaneConnectorRequest: - $ref: >- - #/components/examples/Connectors_run_swimlane_connector_request + type: object + properties: + file: + description: The `.ndjson` file containing the rules. 
+ format: binary + type: string + required: true responses: '200': - description: Indicates a successful call. content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: + additionalProperties: false type: object - required: - - connector_id - - status properties: - connector_id: - type: string - description: The identifier for the connector. - data: - oneOf: - - type: object - description: Information returned from the action. - additionalProperties: true - - type: array - description: An array of information returned from the action. - items: - type: object - status: - type: string - description: The status of the action. - enum: - - error - - ok - examples: - runCasesWebhookConnectorResponse: - $ref: >- - #/components/examples/Connectors_run_cases_webhook_connector_response - runEmailConnectorResponse: - $ref: >- - #/components/examples/Connectors_run_email_connector_response - runIndexConnectorResponse: - $ref: >- - #/components/examples/Connectors_run_index_connector_response - runJiraConnectorResponse: - $ref: '#/components/examples/Connectors_run_jira_connector_response' - runPagerDutyConnectorResponse: - $ref: >- - #/components/examples/Connectors_run_pagerduty_connector_response - runServerLogConnectorResponse: - $ref: >- - #/components/examples/Connectors_run_server_log_connector_response - runServiceNowITOMConnectorResponse: - $ref: >- - #/components/examples/Connectors_run_servicenow_itom_connector_response - runSlackConnectorResponse: - $ref: >- - #/components/examples/Connectors_run_slack_api_connector_response - runSwimlaneConnectorResponse: - $ref: >- - #/components/examples/Connectors_run_swimlane_connector_response - '401': - $ref: '#/components/responses/Connectors_401' - /api/actions/connectors: - get: - summary: Get all connectors - operationId: getConnectors + action_connectors_errors: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ErrorSchema + type: array + action_connectors_success: 
+ type: boolean + action_connectors_success_count: + minimum: 0 + type: integer + action_connectors_warnings: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_WarningSchema + type: array + errors: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ErrorSchema + type: array + exceptions_errors: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ErrorSchema + type: array + exceptions_success: + type: boolean + exceptions_success_count: + minimum: 0 + type: integer + rules_count: + minimum: 0 + type: integer + success: + type: boolean + success_count: + minimum: 0 + type: integer + required: + - exceptions_success + - exceptions_success_count + - exceptions_errors + - rules_count + - success + - success_count + - errors + - action_connectors_errors + - action_connectors_warnings + - action_connectors_success + - action_connectors_success_count + description: Indicates a successful call. + summary: Import detection rules tags: - - connectors + - Security Solution Detections API + - Import/Export API + '/api/detection_engine/rules/{id}/exceptions': + post: + operationId: CreateRuleExceptionListItems + parameters: + - description: Detection rule's identifier + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Solution_Exceptions_API_RuleId' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + items: + items: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_CreateRuleExceptionListItemProps + type: array + required: + - items + description: Rule exception list items + required: true responses: '200': - description: Indicates a successful call. 
content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - type: array items: $ref: >- - #/components/schemas/Connectors_connector_response_properties - examples: - getConnectorsResponse: - $ref: '#/components/examples/Connectors_get_connectors_response' + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItem + type: array + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Invalid input data response '401': - $ref: '#/components/responses/Connectors_401' - /api/actions/connector_types: - get: - summary: Get all connector types - operationId: getConnectorTypes + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Internal server error response + summary: Creates rule exception list items tags: - - connectors - parameters: - - in: query - name: feature_id - description: >- - A filter to limit the retrieved connector types to those that - support a specific feature (such as alerting or cases). 
- schema: - $ref: '#/components/schemas/Connectors_features' + - Security Solution Exceptions API + /api/detection_engine/rules/prepackaged: + put: + description: Install and update all Elastic prebuilt detection rules and Timelines. + operationId: InstallPrebuiltRulesAndTimelines responses: '200': - description: Indicates a successful call. content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - title: Get connector types response body properties - description: The properties vary for each connector type. - type: array - items: - type: object - properties: - enabled: - type: boolean - description: >- - Indicates whether the connector type is enabled in - Kibana. - example: true - enabled_in_config: - type: boolean - description: >- - Indicates whether the connector type is enabled in the - Kibana configuration file. - example: true - enabled_in_license: - type: boolean - description: >- - Indicates whether the connector is enabled in the - license. - example: true - id: - $ref: '#/components/schemas/Connectors_connector_types' - is_system_action_type: - type: boolean - example: false - minimum_license_required: - type: string - description: The license that is required to use the connector type. - example: basic - name: - type: string - description: The name of the connector type. - example: Index - supported_feature_ids: - type: array - description: The features that are supported by the connector type. - items: - $ref: '#/components/schemas/Connectors_features' - example: - - alerting - - cases - - siem - examples: - getConnectorTypesServerlessResponse: - $ref: >- - #/components/examples/Connectors_get_connector_types_generativeai_response - '401': - $ref: '#/components/responses/Connectors_401' - /api/actions/action/{actionId}: - delete: - summary: Delete a connector - operationId: legacyDeleteConnector - deprecated: true - description: > - Deprecated in 7.13.0. Use the delete connector API instead. 
WARNING: - When you delete a connector, it cannot be recovered. + additionalProperties: false + type: object + properties: + rules_installed: + description: The number of rules installed + minimum: 0 + type: integer + rules_updated: + description: The number of rules updated + minimum: 0 + type: integer + timelines_installed: + description: The number of timelines installed + minimum: 0 + type: integer + timelines_updated: + description: The number of timelines updated + minimum: 0 + type: integer + required: + - rules_installed + - rules_updated + - timelines_installed + - timelines_updated + description: Indicates a successful call + summary: Install prebuilt detection rules and Timelines tags: - - connectors - parameters: - - $ref: '#/components/parameters/Connectors_kbn_xsrf' - - $ref: '#/components/parameters/Connectors_action_id' - responses: - '204': - description: Indicates a successful call. - '401': - $ref: '#/components/responses/Connectors_401' + - Security Solution Detections API + - Prebuilt Rules API + /api/detection_engine/rules/prepackaged/_status: get: - summary: Get connector information - operationId: legacyGetConnector - description: Deprecated in 7.13.0. Use the get connector API instead. - deprecated: true - tags: - - connectors - parameters: - - $ref: '#/components/parameters/Connectors_action_id' + description: >- + Retrieve the status of all Elastic prebuilt detection rules and + Timelines. + operationId: ReadPrebuiltRulesAndTimelinesStatus responses: '200': - $ref: '#/components/responses/Connectors_200_actions' - '401': - $ref: '#/components/responses/Connectors_401' - put: - summary: Update a connector - operationId: legacyUpdateConnector - deprecated: true - description: Deprecated in 7.13.0. Use the update connector API instead. 
+ content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + additionalProperties: false + type: object + properties: + rules_custom_installed: + description: The total number of custom rules + minimum: 0 + type: integer + rules_installed: + description: The total number of installed prebuilt rules + minimum: 0 + type: integer + rules_not_installed: + description: >- + The total number of available prebuilt rules that are not + installed + minimum: 0 + type: integer + rules_not_updated: + description: The total number of outdated prebuilt rules + minimum: 0 + type: integer + timelines_installed: + description: The total number of installed prebuilt timelines + minimum: 0 + type: integer + timelines_not_installed: + description: >- + The total number of available prebuilt timelines that are + not installed + minimum: 0 + type: integer + timelines_not_updated: + description: The total number of outdated prebuilt timelines + minimum: 0 + type: integer + required: + - rules_custom_installed + - rules_installed + - rules_not_installed + - rules_not_updated + - timelines_installed + - timelines_not_installed + - timelines_not_updated + description: Indicates a successful call + summary: Retrieve the status of prebuilt detection rules and Timelines tags: - - connectors - parameters: - - $ref: '#/components/parameters/Connectors_kbn_xsrf' - - $ref: '#/components/parameters/Connectors_action_id' + - Security Solution Detections API + - Prebuilt Rules API + /api/detection_engine/rules/preview: + post: + operationId: RulePreview requestBody: - required: true content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - title: Legacy update connector request body properties - description: The properties vary depending on the connector type. - type: object - properties: - config: - type: object - description: >- - The new connector configuration. Configuration properties - vary depending on the connector type. 
- name: - type: string - description: The new name for the connector. - secrets: - type: object - description: >- - The updated secrets configuration for the connector. Secrets - properties vary depending on the connector type. + anyOf: + - allOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_EqlRuleCreateProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_RulePreviewParams + - allOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_QueryRuleCreateProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_RulePreviewParams + - allOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedQueryRuleCreateProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_RulePreviewParams + - allOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThresholdRuleCreateProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_RulePreviewParams + - allOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatMatchRuleCreateProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_RulePreviewParams + - allOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_MachineLearningRuleCreateProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_RulePreviewParams + - allOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_NewTermsRuleCreateProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_RulePreviewParams + - allOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_EsqlRuleCreateProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_RulePreviewParams + discriminator: + propertyName: type + description: >- + An object containing tags to add or remove and alert ids the changes + will be applied + required: true responses: '200': - $ref: 
'#/components/responses/Connectors_200_actions' - '404': - $ref: '#/components/responses/Connectors_404' - /api/actions: - get: - summary: Get all connectors - operationId: legacyGetConnectors - deprecated: true - description: Deprecated in 7.13.0. Use the get all connectors API instead. - tags: - - connectors - responses: - '200': - description: Indicates a successful call. content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - type: array - items: - $ref: '#/components/schemas/Connectors_action_response_properties' + type: object + properties: + isAborted: + type: boolean + logs: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RulePreviewLogs + type: array + previewId: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_NonEmptyString + required: + - logs + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_SiemErrorResponse + description: Invalid input data response '401': - $ref: '#/components/responses/Connectors_401' - post: - summary: Create a connector - operationId: legacyCreateConnector - deprecated: true - description: Deprecated in 7.13.0. Use the create connector API instead. 
+ content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_PlatformErrorResponse + description: Unsuccessful authentication response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SiemErrorResponse + description: Internal server error response + summary: Preview rule alerts generated on specified time range tags: - - connectors - parameters: - - $ref: '#/components/parameters/Connectors_kbn_xsrf' + - Security Solution Detections API + - Rule preview API + /api/detection_engine/signals/assignees: + post: + description: | + Assign users to detection alerts, and unassign them from alerts. + > info + > You cannot add and remove the same assignee in the same request. + operationId: SetAlertAssignees requestBody: - required: true content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - title: Legacy create connector request properties type: object properties: - actionTypeId: - type: string - description: The connector type identifier. - config: - type: object - description: >- - The configuration for the connector. Configuration - properties vary depending on the connector type. - name: - type: string - description: The display name for the connector. - secrets: - type: object - description: > - The secrets configuration for the connector. Secrets - configuration properties vary depending on the connector - type. NOTE: Remember these values. You must provide them - each time you update the connector. + assignees: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertAssignees + description: Details about the assignees to assign and unassign. + ids: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertIds + description: List of alerts ids to assign and unassign passed assignees. 
+ required: + - assignees + - ids + required: true responses: '200': - $ref: '#/components/responses/Connectors_200_actions' - '401': - $ref: '#/components/responses/Connectors_401' - /api/actions/list_action_types: - get: - summary: Get connector types - operationId: legacyGetConnectorTypes - deprecated: true - description: Deprecated in 7.13.0. Use the get all connector types API instead. + description: Indicates a successful call. + '400': + description: Invalid request. + summary: Assign and unassign users from detection alerts tags: - - connectors + - Security Solution Detections API + /api/detection_engine/signals/finalize_migration: + post: + description: > + Finalize successful migrations of detection alerts. This replaces the + original index's alias with the successfully migrated index's alias. + + The endpoint is idempotent; therefore, it can safely be used to poll a + given migration and, upon completion, + + finalize it. + operationId: FinalizeAlertsMigration + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + migration_ids: + items: + type: string + minItems: 1 + type: array + required: + - migration_ids + description: Array of `migration_id`s to finalize + required: true responses: '200': - description: Indicates a successful call. content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - title: Legacy get connector types response body properties - description: The properties vary for each connector type. - type: array items: - type: object - properties: - enabled: - type: boolean - description: >- - Indicates whether the connector type is enabled in - Kibana. - enabledInConfig: - type: boolean - description: >- - Indicates whether the connector type is enabled in the - Kibana `.yml` file. - enabledInLicense: - type: boolean - description: >- - Indicates whether the connector is enabled in the - license. 
- example: true - id: - type: string - description: The unique identifier for the connector type. - minimumLicenseRequired: - type: string - description: The license that is required to use the connector type. - name: - type: string - description: The name of the connector type. + $ref: >- + #/components/schemas/Security_Solution_Detections_API_MigrationFinalizationResult + type: array + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_SiemErrorResponse + description: Invalid input data response '401': - $ref: '#/components/responses/Connectors_401' - /api/actions/action/{actionId}/_execute: - post: - summary: Run a connector - operationId: legacyRunConnector - deprecated: true - description: Deprecated in 7.13.0. Use the run connector API instead. + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_PlatformErrorResponse + description: Unsuccessful authentication response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SiemErrorResponse + description: Internal server error response + summary: Finalize detection alert migrations tags: - - connectors - parameters: - - $ref: '#/components/parameters/Connectors_kbn_xsrf' - - $ref: '#/components/parameters/Connectors_action_id' + - Security Solution Detections API + - Alerts migration API + /api/detection_engine/signals/migration: + delete: + description: > + Migrations favor data integrity over shard size. Consequently, unused or + orphaned indices are artifacts of + + the migration process. A successful migration will result in both the + old and new indices being present. 
+ + As such, the old, orphaned index can (and likely should) be deleted. + + + While you can delete these indices manually, + + the endpoint accomplishes this task by applying a deletion policy to the + relevant index, causing it to be deleted + + after 30 days. It also deletes other artifacts specific to the migration + implementation. + operationId: AlertsMigrationCleanup requestBody: - required: true content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - title: Legacy run connector request body properties - description: The properties vary depending on the connector type. type: object - required: - - params properties: - params: - type: object - description: >- - The parameters of the connector. Parameter properties vary - depending on the connector type. + migration_ids: + items: + type: string + minItems: 1 + type: array + required: + - migration_ids + description: Array of `migration_id`s to cleanup + required: true responses: '200': - description: Indicates a successful call. content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - actionId: - type: string - data: - oneOf: - - type: object - description: Information returned from the action. - additionalProperties: true - - type: array - description: An array of information returned from the action. - items: - type: object - status: - type: string - description: The status of the action. 
+ items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_MigrationCleanupResult + type: array + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_SiemErrorResponse + description: Invalid input data response '401': - $ref: '#/components/responses/Connectors_401' - /api/data_views: - get: - summary: Get all data views - operationId: getAllDataViewsDefault + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_PlatformErrorResponse + description: Unsuccessful authentication response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SiemErrorResponse + description: Internal server error response + summary: Clean up detection alert migrations tags: - - data views + - Security Solution Detections API + - Alerts migration API + post: + description: > + Initiate a migration of detection alerts. + + Migrations are initiated per index. While the process is neither + destructive nor interferes with existing data, it may be + resource-intensive. As such, it is recommended that you plan your + migrations accordingly. + operationId: CreateAlertsMigration + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + allOf: + - type: object + properties: + index: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_NonEmptyString + minItems: 1 + type: array + required: + - index + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsReindexOptions + description: Alerts migration parameters + required: true responses: '200': - description: Indicates a successful call. 
content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: type: object properties: - data_view: - type: array + indices: items: - type: object - properties: - id: - type: string - name: - type: string - namespaces: - type: array - items: - type: string - title: - type: string - typeMeta: - type: object - examples: - getAllDataViewsResponse: - $ref: '#/components/examples/Data_views_get_data_views_response' + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexMigrationSuccess + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexMigrationError + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_SkippedAlertsIndexMigration + type: array + required: + - indices + description: Successful response '400': - description: Bad request content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Data_views_400_response' - /api/data_views/data_view: - post: - summary: Create a data view - operationId: createDataViewDefaultw - tags: - - data views - parameters: - - $ref: '#/components/parameters/Data_views_kbn_xsrf' - requestBody: - required: true - content: - application/json: - schema: - $ref: '#/components/schemas/Data_views_create_data_view_request_object' - examples: - createDataViewRequest: - $ref: '#/components/examples/Data_views_create_data_view_request' - responses: - '200': - description: Indicates a successful call. 
+ oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_SiemErrorResponse + description: Invalid input data response + '401': content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Data_views_data_view_response_object' - '400': - description: Bad request + $ref: >- + #/components/schemas/Security_Solution_Detections_API_PlatformErrorResponse + description: Unsuccessful authentication response + '500': content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Data_views_400_response' - /api/data_views/data_view/{viewId}: - get: - summary: Get a data view - operationId: getDataViewDefault + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SiemErrorResponse + description: Internal server error response + summary: Initiate a detection alert migration tags: - - data views + - Security Solution Detections API + - Alerts migration API + /api/detection_engine/signals/migration_status: + post: + description: >- + Retrieve indices that contain detection alerts of a particular age, + along with migration information for each of those indices. + operationId: ReadAlertsMigrationStatus parameters: - - $ref: '#/components/parameters/Data_views_view_id' + - description: Maximum age of qualifying detection alerts + in: query + name: from + required: true + schema: + description: > + Time from which data is analyzed. For example, now-4200s means the + rule analyzes data from 70 minutes + + before its start time. Defaults to now-6m (analyzes data from 6 + minutes before the start time). + format: date-math + type: string responses: '200': - description: Indicates a successful call. 
- content: - application/json: - schema: - $ref: '#/components/schemas/Data_views_data_view_response_object' - examples: - getDataViewResponse: - $ref: '#/components/examples/Data_views_get_data_view_response' - '404': - description: Object is not found. content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Data_views_404_response' - delete: - summary: Delete a data view - operationId: deleteDataViewDefault - description: | - WARNING: When you delete a data view, it cannot be recovered. - tags: - - data views - parameters: - - $ref: '#/components/parameters/Data_views_kbn_xsrf' - - $ref: '#/components/parameters/Data_views_view_id' - responses: - '204': - description: Indicates a successful call. - '404': - description: Object is not found. + type: object + properties: + indices: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IndexMigrationStatus + type: array + required: + - indices + description: Successful response + '400': content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Data_views_404_response' - post: - summary: Update a data view - operationId: updateDataViewDefault - tags: - - data views - parameters: - - $ref: '#/components/parameters/Data_views_kbn_xsrf' - - $ref: '#/components/parameters/Data_views_view_id' - requestBody: - required: true - content: - application/json: - schema: - $ref: '#/components/schemas/Data_views_update_data_view_request_object' - examples: - updateDataViewRequest: - $ref: '#/components/examples/Data_views_update_data_view_request' - responses: - '200': - description: Indicates a successful call. 
+ oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_SiemErrorResponse + description: Invalid input data response + '401': content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Data_views_data_view_response_object' - '400': - description: Bad request + $ref: >- + #/components/schemas/Security_Solution_Detections_API_PlatformErrorResponse + description: Unsuccessful authentication response + '500': content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Data_views_400_response' - /api/data_views/data_view/{viewId}/fields: - post: - summary: Update data view fields metadata - operationId: updateFieldsMetadataDefault - description: > - Update fields presentation metadata such as count, customLabel, - customDescription, and format. + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SiemErrorResponse + description: Internal server error response + summary: Retrieve the status of detection alert migrations tags: - - data views - parameters: - - $ref: '#/components/parameters/Data_views_kbn_xsrf' - - $ref: '#/components/parameters/Data_views_view_id' + - Security Solution Detections API + - Alerts migration API + /api/detection_engine/signals/search: + post: + description: Find and/or aggregate detection alerts that match the given query. + operationId: SearchAlerts requestBody: - required: true content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: + description: Elasticsearch query and aggregation request type: object - required: - - fields properties: + _source: + oneOf: + - type: boolean + - type: string + - items: + type: string + type: array + aggs: + additionalProperties: true + type: object fields: - description: The field object. 
+ items: + type: string + type: array + query: + additionalProperties: true type: object - examples: - updateFieldsMetadataRequest: - $ref: '#/components/examples/Data_views_update_field_metadata_request' + runtime_mappings: + additionalProperties: true + type: object + size: + minimum: 0 + type: integer + sort: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsSort + track_total_hits: + type: boolean + description: Search and/or aggregation query + required: true responses: '200': - description: Indicates a successful call. content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: + additionalProperties: true + description: Elasticsearch search response type: object - properties: - acknowledged: - type: boolean + description: Successful response '400': - description: Bad request content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Data_views_400_response' - /api/data_views/data_view/{viewId}/runtime_field: - post: - summary: Create a runtime field - operationId: createRuntimeFieldDefault + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_PlatformErrorResponse + description: Unsuccessful authentication response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SiemErrorResponse + description: Internal server error response + summary: Find and/or aggregate detection alerts tags: - - data views - parameters: - - $ref: '#/components/parameters/Data_views_kbn_xsrf' - - $ref: '#/components/parameters/Data_views_view_id' + - Security 
Solution Detections API + - Alerts API + /api/detection_engine/signals/status: + post: + description: Set the status of one or more detection alerts. + operationId: SetAlertsStatus requestBody: - required: true content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - required: - - name - - runtimeField - properties: - name: - type: string - description: | - The name for a runtime field. - runtimeField: - type: object - description: | - The runtime field definition object. - examples: - createRuntimeFieldRequest: - $ref: '#/components/examples/Data_views_create_runtime_field_request' + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_SetAlertsStatusByIds + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_SetAlertsStatusByQuery + description: >- + An object containing desired status and explicit alert ids or a query + to select alerts + required: true responses: '200': - description: Indicates a successful call. 
content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: + additionalProperties: true + description: Elasticsearch update by query response type: object - put: - summary: Create or update a runtime field - operationId: createUpdateRuntimeFieldDefault + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_PlatformErrorResponse + description: Unsuccessful authentication response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SiemErrorResponse + description: Internal server error response + summary: Set a detection alert status tags: - - data views - parameters: - - $ref: '#/components/parameters/Data_views_kbn_xsrf' - - name: viewId - in: path - description: | - The ID of the data view fields you want to update. - required: true - schema: - type: string + - Security Solution Detections API + - Alerts API + /api/detection_engine/signals/tags: + post: + description: | + And tags to detection alerts, and remove them from alerts. + > info + > You cannot add and remove the same alert tag in the same request. + operationId: SetAlertTags requestBody: - required: true content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: type: object - required: - - name - - runtimeField properties: - name: - type: string - description: | - The name for a runtime field. - runtimeField: - type: object - description: | - The runtime field definition object. 
- examples: - updateRuntimeFieldRequest: - $ref: '#/components/examples/Data_views_create_runtime_field_request' + ids: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertIds + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SetAlertTags + required: + - ids + - tags + description: >- + An object containing tags to add or remove and alert ids the changes + will be applied + required: true responses: '200': - description: Indicates a successful call. content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: + additionalProperties: true + description: Elasticsearch update by query response type: object - properties: - data_view: - type: object - fields: - type: array - items: - type: object + description: Successful response '400': - description: Bad request content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Data_views_400_response' - /api/data_views/data_view/{viewId}/runtime_field/{fieldName}: - get: - summary: Get a runtime field - operationId: getRuntimeFieldDefault - tags: - - data views - parameters: - - $ref: '#/components/parameters/Data_views_field_name' - - $ref: '#/components/parameters/Data_views_view_id' - responses: - '200': - description: Indicates a successful call. + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_SiemErrorResponse + description: Invalid input data response + '401': content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - data_view: - type: object - fields: - type: array - items: - type: object - examples: - getRuntimeFieldResponse: - $ref: '#/components/examples/Data_views_get_runtime_field_response' - '404': - description: Object is not found. 
+ $ref: >- + #/components/schemas/Security_Solution_Detections_API_PlatformErrorResponse + description: Unsuccessful authentication response + '500': content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Data_views_404_response' - delete: - summary: Delete a runtime field from a data view - operationId: deleteRuntimeFieldDefault + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SiemErrorResponse + description: Internal server error response + summary: Add and remove detection alert tags tags: - - data views - parameters: - - $ref: '#/components/parameters/Data_views_field_name' - - $ref: '#/components/parameters/Data_views_view_id' + - Security Solution Detections API + - Alerts API + /api/detection_engine/tags: + get: + description: List all unique tags from all detection rules. + operationId: ReadTags responses: '200': - description: Indicates a successful call. - '404': - description: Object is not found. content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Data_views_404_response' - post: - summary: Update a runtime field - operationId: updateRuntimeFieldDefault + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + description: Indicates a successful call + summary: List all detection rule tags tags: - - data views - parameters: - - $ref: '#/components/parameters/Data_views_field_name' - - $ref: '#/components/parameters/Data_views_view_id' - requestBody: - required: true - content: - application/json: - schema: - type: object - required: - - runtimeField - properties: - runtimeField: - type: object - description: | - The runtime field definition object. + - Security Solution Detections API + - Tags API + /api/encrypted_saved_objects/_rotate_key: + post: + description: > + Superuser role required. 
- You can update following fields: - - `type` - - `script` - examples: - updateRuntimeFieldRequest: - $ref: '#/components/examples/Data_views_update_runtime_field_request' + If a saved object cannot be decrypted using the primary encryption key, + then Kibana will attempt to decrypt it using the specified + decryption-only keys. In most of the cases this overhead is negligible, + but if you're dealing with a large number of saved objects and + experiencing performance issues, you may want to rotate the encryption + key. + + + This functionality is in technical preview and may be changed or removed + in a future release. Elastic will work to fix any issues, but features + in technical preview are not subject to the support SLA of official GA + features. + operationId: rotateEncryptionKey + parameters: + - description: > + Specifies a maximum number of saved objects that Kibana can process + in a single batch. Bulk key rotation is an iterative process since + Kibana may not be able to fetch and process all required saved + objects in one go and splits processing into consequent batches. By + default, the batch size is 10000, which is also a maximum allowed + value. + in: query + name: batch_size + required: false + schema: + default: 10000 + type: number + - description: > + Limits encryption key rotation only to the saved objects with the + specified type. By default, Kibana tries to rotate the encryption + key for all saved object types that may contain encrypted + attributes. + in: query + name: type + required: false + schema: + type: string responses: '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + examples: + rotateEncryptionKeyResponse: + $ref: '#/components/examples/Saved_objects_key_rotation_response' + schema: + type: object + properties: + failed: + description: > + Indicates the number of the saved objects that were still + encrypted with one of the old encryption keys that Kibana + failed to re-encrypt with the primary key. 
+ type: number + successful: + description: > + Indicates the total number of all encrypted saved objects + (optionally filtered by the requested `type`), regardless + of the key Kibana used for encryption. + + + NOTE: In most cases, `total` will be greater than + `successful` even if `failed` is zero. The reason is that + Kibana may not need or may not be able to rotate + encryption keys for all encrypted saved objects. + type: number + total: + description: > + Indicates the total number of all encrypted saved objects + (optionally filtered by the requested `type`), regardless + of the key Kibana used for encryption. + type: number description: Indicates a successful call. '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Saved_objects_400_response' description: Bad request + '429': content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Data_views_400_response' - /api/data_views/default: - get: - summary: Get the default data view - operationId: getDefaultDataViewDefault + type: object + description: Already in progress. + summary: Rotate a key for encrypted saved objects tags: - - data views + - saved objects + /api/endpoint_list: + post: + description: Creates an endpoint list or does nothing if the list already exists + operationId: CreateEndpointList responses: '200': - description: Indicates a successful call. 
content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - data_view_id: - type: string - examples: - getDefaultDataViewResponse: - $ref: >- - #/components/examples/Data_views_get_default_data_view_response + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_EndpointList + description: Successful response '400': - description: Bad request content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Data_views_400_response' - post: - summary: Set the default data view - operationId: setDefaultDatailViewDefault - tags: - - data views + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_SiemErrorResponse + description: Invalid input data + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_PlatformErrorResponse + description: Insufficient privileges + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_SiemErrorResponse + description: Internal server error + summary: Creates an endpoint list + /api/endpoint_list/items: + delete: + operationId: DeleteEndpointListItem parameters: - - $ref: '#/components/parameters/Data_views_kbn_xsrf' - requestBody: - required: true - content: - application/json: - schema: - type: object - required: - - data_view_id - properties: - data_view_id: - type: string - nullable: true - description: > - The data view identifier. 
NOTE: The API does not validate - whether it is a valid identifier. Use `null` to unset the - default data view. - force: - type: boolean - description: Update an existing default data view identifier. - default: false - examples: - setDefaultDataViewRequest: - $ref: '#/components/examples/Data_views_set_default_data_view_request' + - description: Either `id` or `item_id` must be specified + in: query + name: id + required: false + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemId + - description: Either `id` or `item_id` must be specified + in: query + name: item_id + required: false + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemHumanId responses: '200': - description: Indicates a successful call. content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - acknowledged: - type: boolean + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_EndpointListItem + description: Successful response '400': - description: Bad request content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Data_views_400_response' - /api/data_views/swap_references: - post: - summary: Swap saved object references - operationId: swapDataViewsDefault - description: > - Changes saved object references from one data view identifier to - another. WARNING: Misuse can break large numbers of saved objects! - Practicing with a backup is recommended. - tags: - - data views - parameters: - - $ref: '#/components/parameters/Data_views_kbn_xsrf' - requestBody: - required: true - content: - application/json: - schema: - $ref: '#/components/schemas/Data_views_swap_data_view_request_object' - examples: - swapDataViewRequest: - $ref: '#/components/examples/Data_views_swap_data_view_request' - responses: - '200': - description: Indicates a successful call. 
+ oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_SiemErrorResponse + description: Invalid input data + '401': content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - deleteStatus: - type: object - properties: - deletePerformed: - type: boolean - remainingRefs: - type: integer - result: - type: array - items: - type: object - properties: - id: - type: string - description: A saved object identifier. - type: - type: string - description: The saved object type. - /api/data_views/swap_references/_preview: - post: - summary: Preview a saved object reference swap - operationId: previewSwapDataViewsDefault - description: > - Preview the impact of swapping saved object references from one data - view identifier to another. - tags: - - data views - parameters: - - $ref: '#/components/parameters/Data_views_kbn_xsrf' - requestBody: - required: true - content: - application/json: - schema: - $ref: '#/components/schemas/Data_views_swap_data_view_request_object' - examples: - previewSwapDataViewRequest: $ref: >- - #/components/examples/Data_views_preview_swap_data_view_request - responses: - '200': - description: Indicates a successful call. + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication + '403': content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - result: - type: array - items: - type: object - properties: - id: - type: string - description: A saved object identifier. - type: - type: string - description: The saved object type. 
- /api/ml/saved_objects/sync: - get: - summary: Sync saved objects in the default space - description: > - Synchronizes Kibana saved objects for machine learning jobs and trained - models in the default space. You must have `all` privileges for the - **Machine Learning** feature in the **Analytics** section of the Kibana - feature privileges. This API runs automatically when you start Kibana - and periodically thereafter. - operationId: mlSync - tags: - - ml - parameters: - - $ref: '#/components/parameters/Machine_learning_APIs_simulateParam' - responses: - '200': - description: Indicates a successful call + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_PlatformErrorResponse + description: Insufficient privileges + '404': content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Machine_learning_APIs_mlSync200Response' - examples: - syncExample: - $ref: '#/components/examples/Machine_learning_APIs_mlSyncExample' - '401': - description: Authorization information is missing or invalid. + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_SiemErrorResponse + description: Endpoint list item not found + '500': content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Machine_learning_APIs_mlSync4xxResponse' - /api/encrypted_saved_objects/_rotate_key: - post: - summary: Rotate a key for encrypted saved objects - operationId: rotateEncryptionKey - description: > - Superuser role required. - - - If a saved object cannot be decrypted using the primary encryption key, - then Kibana will attempt to decrypt it using the specified - decryption-only keys. In most of the cases this overhead is negligible, - but if you're dealing with a large number of saved objects and - experiencing performance issues, you may want to rotate the encryption - key. 
- - - This functionality is in technical preview and may be changed or removed - in a future release. Elastic will work to fix any issues, but features - in technical preview are not subject to the support SLA of official GA - features. - tags: - - saved objects + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_SiemErrorResponse + description: Internal server error + summary: Deletes an endpoint list item + get: + operationId: ReadEndpointListItem parameters: - - in: query - name: batch_size - schema: - type: number - default: 10000 + - description: Either `id` or `item_id` must be specified + in: query + name: id required: false - description: > - Specifies a maximum number of saved objects that Kibana can process - in a single batch. Bulk key rotation is an iterative process since - Kibana may not be able to fetch and process all required saved - objects in one go and splits processing into consequent batches. By - default, the batch size is 10000, which is also a maximum allowed - value. - - in: query - name: type schema: - type: string + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemId + - description: Either `id` or `item_id` must be specified + in: query + name: item_id required: false - description: > - Limits encryption key rotation only to the saved objects with the - specified type. By default, Kibana tries to rotate the encryption - key for all saved object types that may contain encrypted - attributes. + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemHumanId responses: '200': - description: Indicates a successful call. 
content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - total: - type: number - description: > - Indicates the total number of all encrypted saved objects - (optionally filtered by the requested `type`), regardless - of the key Kibana used for encryption. - successful: - type: number - description: > - Indicates the total number of all encrypted saved objects - (optionally filtered by the requested `type`), regardless - of the key Kibana used for encryption. - - - NOTE: In most cases, `total` will be greater than - `successful` even if `failed` is zero. The reason is that - Kibana may not need or may not be able to rotate - encryption keys for all encrypted saved objects. - failed: - type: number - description: > - Indicates the number of the saved objects that were still - encrypted with one of the old encryption keys that Kibana - failed to re-encrypt with the primary key. - examples: - rotateEncryptionKeyResponse: - $ref: '#/components/examples/Saved_objects_key_rotation_response' + items: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_EndpointListItem + type: array + description: Successful response '400': - description: Bad request content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Saved_objects_400_response' - '429': - description: Already in progress. 
+ oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_SiemErrorResponse + description: Invalid input data + '401': content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - /api/saved_objects/_bulk_create: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_PlatformErrorResponse + description: Insufficient privileges + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_SiemErrorResponse + description: Endpoint list item not found + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_SiemErrorResponse + description: Internal server error + summary: Reads an endpoint list item post: - summary: Create saved objects - operationId: bulkCreateSavedObjects - deprecated: true - tags: - - saved objects - parameters: - - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' - - in: query - name: overwrite - description: When true, overwrites the document with the same identifier. 
- schema: - type: boolean + operationId: CreateEndpointListItem requestBody: - required: true content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - type: array - items: - type: object + type: object + properties: + comments: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemCommentArray + default: [] + description: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemDescription + entries: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntryArray + item_id: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemHumanId + meta: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemMeta + name: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemName + os_types: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray + default: [] + tags: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemTags + default: [] + type: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemType + required: + - type + - name + - description + - entries + description: Exception list item's properties + required: true responses: '200': - description: Indicates a successful call. 
content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - type: object + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_EndpointListItem + description: Successful response '400': - description: Bad request content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Saved_objects_400_response' - /api/saved_objects/_bulk_delete: - post: - summary: Delete saved objects - operationId: bulkDeleteSavedObjects - description: | - WARNING: When you delete a saved object, it cannot be recovered. - deprecated: true - tags: - - saved objects - parameters: - - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' - - in: query - name: force - description: > - When true, force delete objects that exist in multiple namespaces. - Note that the option applies to the whole request. Use the delete - object API to specify per-object deletion behavior. TIP: Use this if - you attempted to delete objects and received an HTTP 400 error with - the following message: "Unable to delete saved object that exists in - multiple namespaces, use the force option to delete it anyway". - WARNING: When you bulk delete objects that exist in multiple - namespaces, the API also deletes legacy url aliases that reference - the object. These requests are batched to minimise the impact but - they can place a heavy load on Kibana. Make sure you limit the - number of objects that exist in multiple namespaces in a single bulk - delete operation. - schema: - type: boolean - requestBody: - required: true - content: - application/json: - schema: - type: array - items: - type: object - responses: - '200': - description: > - Indicates a successful call. NOTE: This HTTP response code indicates - that the bulk operation succeeded. Errors pertaining to individual - objects will be returned in the response body. 
+ oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_SiemErrorResponse + description: Invalid input data + '401': content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - '400': - description: Bad request + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication + '403': content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Saved_objects_400_response' - /api/saved_objects/_bulk_get: - post: - summary: Get saved objects - operationId: bulkGetSavedObjects - deprecated: true - tags: - - saved objects - parameters: - - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' - requestBody: - required: true - content: - application/json: - schema: - type: array - items: - type: object - responses: - '200': - description: Indicates a successful call. + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_PlatformErrorResponse + description: Insufficient privileges + '409': content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - '400': - description: Bad request + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_SiemErrorResponse + description: Endpoint list item already exists + '500': content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Saved_objects_400_response' - /api/saved_objects/_bulk_resolve: - post: - summary: Resolve saved objects - operationId: bulkResolveSavedObjects - deprecated: true - description: > - Retrieve multiple Kibana saved objects by identifier using any legacy - URL aliases if they exist. 
Under certain circumstances when Kibana is - upgraded, saved object migrations may necessitate regenerating some - object IDs to enable new features. When an object's ID is regenerated, a - legacy URL alias is created for that object, preserving its old ID. In - such a scenario, that object can be retrieved by the bulk resolve API - using either its new ID or its old ID. - tags: - - saved objects - parameters: - - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_SiemErrorResponse + description: Internal server error + summary: Creates an endpoint list item + put: + operationId: UpdateEndpointListItem requestBody: - required: true content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - type: array - items: - type: object + type: object + properties: + _version: + type: string + comments: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemCommentArray + default: [] + description: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemDescription + entries: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntryArray + id: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemId + description: Either `id` or `item_id` must be specified + item_id: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemHumanId + description: Either `id` or `item_id` must be specified + meta: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemMeta + name: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemName + os_types: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray + default: [] + tags: + $ref: >- + 
#/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemTags + type: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemType + required: + - type + - name + - description + - entries + description: Exception list item's properties + required: true responses: '200': - description: > - Indicates a successful call. NOTE: This HTTP response code indicates - that the bulk operation succeeded. Errors pertaining to individual - objects will be returned in the response body. content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - type: object + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_EndpointListItem + description: Successful response '400': - description: Bad request content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Saved_objects_400_response' - /api/saved_objects/_bulk_update: - post: - summary: Update saved objects - operationId: bulkUpdateSavedObjects - description: Update the attributes for multiple Kibana saved objects. - deprecated: true - tags: - - saved objects - parameters: - - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' - requestBody: - required: true - content: - application/json: - schema: - type: array - items: - type: object - responses: - '200': - description: > - Indicates a successful call. NOTE: This HTTP response code indicates - that the bulk operation succeeded. Errors pertaining to individual - objects will be returned in the response body. 
+ oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_SiemErrorResponse + description: Invalid input data + '401': content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - '400': - description: Bad request + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication + '403': content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Saved_objects_400_response' - /api/saved_objects/_export: - post: - summary: Export saved objects - operationId: exportSavedObjectsDefault - description: > - Retrieve sets of saved objects that you want to import into Kibana. - - You must include `type` or `objects` in the request body. - - - Exported saved objects are not backwards compatible and cannot be - imported into an older version of Kibana. - - - NOTE: The `savedObjects.maxImportExportSize` configuration setting - limits the number of saved objects which may be exported. - - - This functionality is in technical preview and may be changed or removed - in a future release. Elastic will work to fix any issues, but features - in technical preview are not subject to the support SLA of official GA - features. - tags: - - saved objects - parameters: - - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' - requestBody: - required: true - content: - application/json: - schema: - type: object - properties: - excludeExportDetails: - description: Do not add export details entry at the end of the stream. - type: boolean - default: false - includeReferencesDeep: - description: >- - Includes all of the referenced objects in the exported - objects. - type: boolean - objects: - description: A list of objects to export. 
- type: array - items: - type: object - type: - description: >- - The saved object types to include in the export. Use `*` to - export all the types. - oneOf: - - type: string - - type: array - items: - type: string - examples: - exportSavedObjectsRequest: - $ref: '#/components/examples/Saved_objects_export_objects_request' - responses: - '200': - description: Indicates a successful call. + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_PlatformErrorResponse + description: Insufficient privileges + '404': content: - application/x-ndjson: + application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - additionalProperties: true - examples: - exportSavedObjectsResponse: - $ref: '#/components/examples/Saved_objects_export_objects_response' - '400': - description: Bad request. + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_SiemErrorResponse + description: Endpoint list item not found + '500': content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Saved_objects_400_response' - /api/saved_objects/_find: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_SiemErrorResponse + description: Internal server error + summary: Updates an endpoint list item + /api/endpoint_list/items/_find: get: - summary: Search for saved objects - operationId: findSavedObjects - description: Retrieve a paginated set of Kibana saved objects. - deprecated: true - tags: - - saved objects + operationId: FindEndpointListItems parameters: - - in: query - name: aggs - description: > - An aggregation structure, serialized as a string. The field format - is similar to filter, meaning that to use a saved object type - attribute in the aggregation, the `savedObjectType.attributes.title: - "myTitle"` format must be used. For root fields, the syntax is - `savedObjectType.rootField`. 
NOTE: As objects change in Kibana, the - results on each page of the response also change. Use the find API - for traditional paginated results, but avoid using it to export - large amounts of data. - schema: - type: string - - in: query - name: default_search_operator - description: The default operator to use for the `simple_query_string`. - schema: - type: string - - in: query - name: fields - description: The fields to return in the attributes key of the response. - schema: - oneOf: - - type: string - - type: array - - in: query + - description: > + Filters the returned results according to the value of the specified + field, + + using the `:` syntax. + in: query name: filter - description: > - The filter is a KQL string with the caveat that if you filter with - an attribute from your saved object type, it should look like that: - `savedObjectType.attributes.title: "myTitle"`. However, if you use a - root attribute of a saved object such as `updated_at`, you will have - to define your filter like that: `savedObjectType.updated_at > - 2018-12-22`. - schema: - type: string - - in: query - name: has_no_reference - description: >- - Filters to objects that do not have a relationship with the type and - identifier combination. - schema: - type: object - - in: query - name: has_no_reference_operator - description: >- - The operator to use for the `has_no_reference` parameter. Either - `OR` or `AND`. Defaults to `OR`. - schema: - type: string - - in: query - name: has_reference - description: >- - Filters to objects that have a relationship with the type and ID - combination. - schema: - type: object - - in: query - name: has_reference_operator - description: >- - The operator to use for the `has_reference` parameter. Either `OR` - or `AND`. Defaults to `OR`. 
+ required: false schema: - type: string - - in: query + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_FindEndpointListItemsFilter + - description: The page number to return + in: query name: page - description: The page of objects to return. + required: false schema: + minimum: 0 type: integer - - in: query + - description: The number of exception list items to return per page + in: query name: per_page - description: The number of objects to return per page. + required: false schema: + minimum: 0 type: integer - - in: query - name: search - description: >- - An Elasticsearch `simple_query_string` query that filters the - objects in the response. - schema: - type: string - - in: query - name: search_fields - description: >- - The fields to perform the `simple_query_string` parsed query - against. - schema: - oneOf: - - type: string - - type: array - - in: query + - description: Determines which field is used to sort the results + in: query name: sort_field - description: > - Sorts the response. Includes "root" and "type" fields. "root" fields - exist for all saved objects, such as "updated_at". "type" fields are - specific to an object type, such as fields returned in the - attributes key of the response. When a single type is defined in the - type parameter, the "root" and "type" fields are allowed, and - validity checks are made in that order. When multiple types are - defined in the type parameter, only "root" fields are allowed. + required: false schema: - type: string - - in: query - name: type - description: The saved object types to include. - required: true + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_NonEmptyString + - description: 'Determines the sort order, which can be `desc` or `asc`' + in: query + name: sort_order + required: false schema: - oneOf: - - type: string - - type: array + enum: + - desc + - asc + type: string responses: '200': - description: Indicates a successful call. 
content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: type: object + properties: + data: + items: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_EndpointListItem + type: array + page: + minimum: 0 + type: integer + per_page: + minimum: 0 + type: integer + pit: + type: string + total: + minimum: 0 + type: integer + required: + - data + - page + - per_page + - total + description: Successful response '400': - description: Bad request content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Saved_objects_400_response' - /api/saved_objects/_import: - post: - summary: Import saved objects - operationId: importSavedObjectsDefault - description: > - Create sets of Kibana saved objects from a file created by the export - API. - - Saved objects can be imported only into the same version, a newer minor - on the same major, or the next major. Exported saved objects are not - backwards compatible and cannot be imported into an older version of - Kibana. - - - This functionality is in technical preview and may be changed or removed - in a future release. Elastic will work to fix any issues, but features - in technical preview are not subject to the support SLA of official GA - features. 
- tags: - - saved objects + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_SiemErrorResponse + description: Invalid input data + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_PlatformErrorResponse + description: Insufficient privileges + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_SiemErrorResponse + description: Endpoint list not found + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_SiemErrorResponse + description: Internal server error + summary: Finds endpoint list items + /api/endpoint/action: + get: + description: Get a list of action requests and their responses + operationId: EndpointGetActionsList parameters: - - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' - in: query - name: createNewCopies + name: query + required: true schema: - type: boolean - required: false - description: > - Creates copies of saved objects, regenerates each object ID, and - resets the origin. When used, potential conflict errors are avoided. - NOTE: This option cannot be used with the `overwrite` and - `compatibilityMode` options. 
+ $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_GetEndpointActionListRouteQuery + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_SuccessResponse + description: OK + summary: Get Actions List schema + tags: + - Security Solution Endpoint Management API + '/api/endpoint/action_log/{agent_id}': + get: + deprecated: true + description: Get action requests log + operationId: EndpointGetActionLog + parameters: + - in: path + name: agent_id + required: true + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_AgentId - in: query - name: overwrite + name: query + required: true schema: - type: boolean - required: false - description: > - Overwrites saved objects when they already exist. When used, - potential conflict errors are automatically resolved by overwriting - the destination object. NOTE: This option cannot be used with the - `createNewCopies` option. + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_ActionLogRequestQuery + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_SuccessResponse + description: OK + summary: Get action requests log schema + tags: + - Security Solution Endpoint Management API + /api/endpoint/action_status: + get: + description: Get action status + operationId: EndpointGetActionsStatus + parameters: - in: query - name: compatibilityMode + name: query + required: true schema: - type: boolean - required: false - description: > - Applies various adjustments to the saved objects that are being - imported to maintain compatibility between different Kibana - versions. Use this option only if you encounter issues with imported - saved objects. NOTE: This option cannot be used with the - `createNewCopies` option. 
- requestBody: - required: true - content: - multipart/form-data: - schema: - type: object - properties: - file: - description: > - A file exported using the export API. NOTE: The - `savedObjects.maxImportExportSize` configuration setting - limits the number of saved objects which may be included in - this file. Similarly, the - `savedObjects.maxImportPayloadBytes` setting limits the - overall size of the file that can be imported. - examples: - importObjectsRequest: - $ref: '#/components/examples/Saved_objects_import_objects_request' + type: object + properties: + agent_ids: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_AgentIds responses: '200': - description: Indicates a successful call. content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - properties: - success: - type: boolean - description: > - Indicates when the import was successfully completed. When - set to false, some objects may not have been created. For - additional information, refer to the `errors` and - `successResults` properties. - successCount: - type: integer - description: Indicates the number of successfully imported records. - errors: - type: array - items: - type: object - description: > - Indicates the import was unsuccessful and specifies the - objects that failed to import. - - - NOTE: One object may result in multiple errors, which - requires separate steps to resolve. For instance, a - `missing_references` error and conflict error. - successResults: - type: array - items: - type: object - description: > - Indicates the objects that are successfully imported, with - any metadata if applicable. - - - NOTE: Objects are created only when all resolvable errors - are addressed, including conflicts and missing references. - If objects are created as new copies, each entry in the - `successResults` array includes a `destinationId` - attribute. 
- examples: - importObjectsResponse: - $ref: '#/components/examples/Saved_objects_import_objects_response' - '400': - description: Bad request. + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_ActionStatusSuccessResponse + description: OK + summary: Get Actions status schema + tags: + - Security Solution Endpoint Management API + '/api/endpoint/action/{action_id}': + get: + description: Get action details + operationId: EndpointGetActionsDetails + parameters: + - in: path + name: action_id + required: true + schema: + type: string + responses: + '200': content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Saved_objects_400_response' - /api/saved_objects/_resolve_import_errors: - post: - summary: Resolve import errors - operationId: resolveImportErrors - description: > - To resolve errors from the Import objects API, you can: - - - * Retry certain saved objects - - * Overwrite specific saved objects - - * Change references to different saved objects - - - This functionality is in technical preview and may be changed or removed - in a future release. Elastic will work to fix any issues, but features - in technical preview are not subject to the support SLA of official GA - features. 
+ $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_SuccessResponse + description: OK + summary: Get Action details schema tags: - - saved objects + - Security Solution Endpoint Management API + '/api/endpoint/action/{action_id}/file/{file_id}/download`': + get: + description: Download a file from an endpoint + operationId: EndpointFileDownload parameters: - - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' - - in: query - name: compatibilityMode + - in: path + name: action_id + required: true schema: - type: boolean - required: false - description: > - Applies various adjustments to the saved objects that are being - imported to maintain compatibility between different Kibana - versions. When enabled during the initial import, also enable when - resolving import errors. This option cannot be used with the - `createNewCopies` option. - - in: query - name: createNewCopies + type: string + - in: path + name: file_id + required: true schema: - type: boolean - required: false - description: > - Creates copies of the saved objects, regenerates each object ID, and - resets the origin. When enabled during the initial import, also - enable when resolving import errors. - requestBody: - required: true - content: - multipart/form-data: - schema: - type: object - required: - - retries - properties: - file: - description: The same file given to the import API. - type: string - format: binary - retries: - description: >- - The retry operations, which can specify how to resolve - different types of errors. - type: array - items: - type: object - required: - - type - - id - properties: - type: - description: The saved object type. - type: string - id: - description: The saved object ID. - type: string - overwrite: - description: >- - When set to `true`, the source object overwrites the - conflicting destination object. When set to `false`, - does nothing. 
- type: boolean - destinationId: - description: >- - Specifies the destination ID that the imported object - should have, if different from the current ID. - type: string - replaceReferences: - description: >- - A list of `type`, `from`, and `to` used to change the - object references. - type: array - items: - type: object - properties: - type: - type: string - from: - type: string - to: - type: string - ignoreMissingReferences: - description: >- - When set to `true`, ignores missing reference errors. - When set to `false`, does nothing. - type: boolean - examples: - resolveImportErrorsRequest: - $ref: >- - #/components/examples/Saved_objects_resolve_missing_reference_request + type: string responses: '200': - description: Indicates a successful call. - content: - application/json: - schema: - type: object - properties: - success: - type: boolean - description: > - Indicates a successful import. When set to `false`, some - objects may not have been created. For additional - information, refer to the `errors` and `successResults` - properties. - successCount: - type: number - description: | - Indicates the number of successfully resolved records. - errors: - type: array - description: > - Specifies the objects that failed to resolve. - - - NOTE: One object can result in multiple errors, which - requires separate steps to resolve. For instance, a - `missing_references` error and a `conflict` error. - items: - type: object - successResults: - type: array - description: > - Indicates the objects that are successfully imported, with - any metadata if applicable. - - - NOTE: Objects are only created when all resolvable errors - are addressed, including conflict and missing references. - items: - type: object - examples: - resolveImportErrorsResponse: - $ref: >- - #/components/examples/Saved_objects_resolve_missing_reference_response - '400': - description: Bad request. 
content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Saved_objects_400_response' - /api/saved_objects/{type}: - post: - summary: Create a saved object - operationId: createSavedObject - description: Create a Kibana saved object with a randomly generated identifier. - deprecated: true + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_SuccessResponse + description: OK + summary: File Download schema tags: - - saved objects + - Security Solution Endpoint Management API + '/api/endpoint/action/{action_id}/file/{file_id}`': + get: + description: Get file info + operationId: EndpointFileInfo parameters: - - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' - - $ref: '#/components/parameters/Saved_objects_saved_object_type' - - in: query - name: overwrite - description: If true, overwrites the document with the same identifier. + - in: path + name: action_id + required: true schema: - type: boolean - requestBody: - required: true - content: - application/json: - schema: - type: object - required: - - attributes - properties: - attributes: - $ref: '#/components/schemas/Saved_objects_attributes' - initialNamespaces: - $ref: '#/components/schemas/Saved_objects_initial_namespaces' - references: - $ref: '#/components/schemas/Saved_objects_references' + type: string + - in: path + name: file_id + required: true + schema: + type: string responses: '200': - description: Indicates a successful call. content: - application/json: - schema: - type: object - '409': - description: Indicates a conflict error. - content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - /api/saved_objects/{type}/{id}: - get: - summary: Get a saved object - operationId: getSavedObject - description: Retrieve a single Kibana saved object by identifier. 
- deprecated: true + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_SuccessResponse + description: OK + summary: File Info schema tags: - - saved objects - parameters: - - $ref: '#/components/parameters/Saved_objects_saved_object_id' - - $ref: '#/components/parameters/Saved_objects_saved_object_type' + - Security Solution Endpoint Management API + /api/endpoint/action/execute: + post: + description: Execute a given command on an endpoint + operationId: EndpointExecuteAction + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_ExecuteRouteRequestBody + required: true responses: '200': - description: Indicates a successful call. content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - '400': - description: Bad request. + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_SuccessResponse + description: OK + summary: Execute Action + tags: + - Security Solution Endpoint Management API + /api/endpoint/action/get_file: + post: + description: Get a file from an endpoint + operationId: EndpointGetFileAction + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_GetFileRouteRequestBody + required: true + responses: + '200': content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Saved_objects_400_response' + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_SuccessResponse + description: OK + summary: Get File Action + tags: + - Security Solution Endpoint Management API + /api/endpoint/action/isolate: post: - summary: Create a saved object - operationId: createSavedObjectId - description: >- - Create a Kibana saved object and specify its identifier instead of using - a 
randomly generated ID. - deprecated: true + description: Isolate an endpoint + operationId: EndpointIsolateAction + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_IsolateRouteRequestBody + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_SuccessResponse + description: OK + summary: Isolate Action tags: - - saved objects - parameters: - - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' - - $ref: '#/components/parameters/Saved_objects_saved_object_id' - - $ref: '#/components/parameters/Saved_objects_saved_object_type' - - in: query - name: overwrite - description: If true, overwrites the document with the same identifier. - schema: - type: boolean + - Security Solution Endpoint Management API + /api/endpoint/action/kill_process: + post: + description: Kill a running process on an endpoint + operationId: EndpointKillProcessAction requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_KillOrSuspendActionSchema required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_SuccessResponse + description: OK + summary: Kill process Action + tags: + - Security Solution Endpoint Management API + /api/endpoint/action/running_procs: + post: + description: Get list of running processes on an endpoint + operationId: EndpointGetProcessesAction + requestBody: content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - required: - - attributes - properties: - attributes: - $ref: '#/components/schemas/Saved_objects_attributes' - initialNamespaces: - $ref: 
'#/components/schemas/Saved_objects_initial_namespaces' - references: - $ref: '#/components/schemas/Saved_objects_initial_namespaces' + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_GetProcessesRouteRequestBody + required: true responses: '200': - description: Indicates a successful call. content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - '409': - description: Indicates a conflict error. + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_SuccessResponse + description: OK + summary: Get Running Processes Action + tags: + - Security Solution Endpoint Management API + /api/endpoint/action/scan: + post: + description: Scan a file or directory + operationId: EndpointScanAction + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_ScanRouteRequestBody + required: true + responses: + '200': content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - put: - summary: Update a saved object - operationId: updateSavedObject - description: Update the attributes for Kibana saved objects. 
- deprecated: true + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_SuccessResponse + description: OK + summary: Scan Action tags: - - saved objects - parameters: - - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' - - $ref: '#/components/parameters/Saved_objects_saved_object_id' - - $ref: '#/components/parameters/Saved_objects_saved_object_type' + - Security Solution Endpoint Management API + /api/endpoint/action/state: + get: + operationId: EndpointGetActionsState + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_ActionStateSuccessResponse + description: OK + summary: Get Action State schema + tags: + - Security Solution Endpoint Management API + /api/endpoint/action/suspend_process: + post: + description: Suspend a running process on an endpoint + operationId: EndpointSuspendProcessAction requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_KillOrSuspendActionSchema required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_SuccessResponse + description: OK + summary: Suspend process Action + tags: + - Security Solution Endpoint Management API + /api/endpoint/action/unisolate: + post: + description: Release an endpoint + operationId: EndpointUnisolateAction + requestBody: content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - type: object + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_UnisolateRouteRequestBody + required: true responses: '200': - description: Indicates a successful call. 
content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - '404': - description: Indicates the object was not found. + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_SuccessResponse + description: OK + summary: Unisolate Action + tags: + - Security Solution Endpoint Management API + /api/endpoint/action/upload: + post: + description: Upload a file to an endpoint + operationId: EndpointUploadAction + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_UploadRouteRequestBody + required: true + responses: + '200': content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - '409': - description: Indicates a conflict error. + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_SuccessResponse + description: OK + summary: Upload Action + tags: + - Security Solution Endpoint Management API + /api/endpoint/isolate: + post: + deprecated: true + operationId: EndpointIsolateRedirect + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + agent_type: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_AgentTypes + alert_ids: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_AlertIds + case_ids: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_CaseIds + comment: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_Comment + endpoint_ids: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_EndpointIds + parameters: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_Parameters + required: + - endpoint_ids + required: true + responses: + '200': content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: 
schema: - type: object - /api/saved_objects/resolve/{type}/{id}: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_SuccessResponse + description: OK + '308': + description: Permanent Redirect + headers: + Location: + description: Permanently redirects to "/api/endpoint/action/isolate" + schema: + example: /api/endpoint/action/isolate + type: string + summary: Permanently redirects to a new location + tags: + - Security Solution Endpoint Management API + /api/endpoint/metadata: get: - summary: Resolve a saved object - operationId: resolveSavedObject - description: > - Retrieve a single Kibana saved object by identifier using any legacy URL - alias if it exists. Under certain circumstances, when Kibana is - upgraded, saved object migrations may necessitate regenerating some - object IDs to enable new features. When an object's ID is regenerated, a - legacy URL alias is created for that object, preserving its old ID. In - such a scenario, that object can be retrieved using either its new ID or - its old ID. - deprecated: true + operationId: GetEndpointMetadataList + parameters: + - in: query + name: query + required: true + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_ListRequestQuery + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_SuccessResponse + description: OK + summary: Get Metadata List schema tags: - - saved objects + - Security Solution Endpoint Management API + '/api/endpoint/metadata/{id}': + get: + operationId: GetEndpointMetadata parameters: - - $ref: '#/components/parameters/Saved_objects_saved_object_id' - - $ref: '#/components/parameters/Saved_objects_saved_object_type' + - in: path + name: id + required: true + schema: + type: string responses: '200': - description: Indicates a successful call. 
content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - type: object - '400': - description: Bad request. + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_SuccessResponse + description: OK + summary: Get Metadata schema + tags: + - Security Solution Endpoint Management API + /api/endpoint/metadata/transforms: + get: + operationId: GetEndpointMetadataTransform + responses: + '200': content: - application/json: + application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Saved_objects_400_response' - /api/status: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_SuccessResponse + description: OK + summary: Get Metadata Transform schema + tags: + - Security Solution Endpoint Management API + /api/endpoint/policy_response: get: - operationId: /api/status#0 + operationId: GetPolicyResponse parameters: - - description: The version of the API to use - in: header - name: elastic-api-version - schema: - default: '2023-10-31' - enum: - - '2023-10-31' - type: string - - description: Set to "true" to get the response in v7 format. - in: query - name: v7format - required: false - schema: - type: boolean - - description: Set to "true" to get the response in v8 format. - in: query - name: v8format - required: false + - in: query + name: query + required: true schema: - type: boolean + type: object + properties: + agentId: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_AgentId responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - anyOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_core_status_response' - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_core_status_redactedResponse - description: >- - Kibana's operational status. A minimal response is sent for - unauthorized users. - description: Overall status is OK and Kibana should be functioning normally. 
- '503': + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_SuccessResponse + description: OK + summary: Get Policy Response schema + tags: + - Security Solution Endpoint Management API + /api/endpoint/policy/summaries: + get: + deprecated: true + operationId: GetAgentPolicySummary + parameters: + - in: query + name: query + required: true + schema: + type: object + properties: + package_name: + type: string + policy_id: + nullable: true + type: string + responses: + '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - anyOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_core_status_response' - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_core_status_redactedResponse - description: >- - Kibana's operational status. A minimal response is sent for - unauthorized users. - description: >- - Kibana or some of it's essential services are unavailable. Kibana - may be degraded or unavailable. - summary: Get Kibana's current status + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_SuccessResponse + description: OK + summary: Get Agent Policy Summary schema tags: - - system - security: - - Kibana_HTTP_APIs_basicAuth: [] -components: - parameters: - Alerting_kbn_xsrf: - schema: - type: string - in: header - name: kbn-xsrf - description: Cross-site request forgery protection - required: true - Alerting_rule_id: - in: path - name: ruleId - description: An identifier for the rule. - required: true - schema: - type: string - example: ac4e6b90-6be7-11eb-ba0d-9b1c1f912d74 - Alerting_alert_id: - in: path - name: alertId - description: >- - An identifier for the alert. The identifier is generated by the rule and - might be any arbitrary string. 
- required: true - schema: - type: string - example: ac4e6b90-6be7-11eb-ba0d-9b1c1f912d74 - Cases_kbn_xsrf: - schema: - type: string - in: header - name: kbn-xsrf - description: Cross-site request forgery protection - required: true - Cases_ids: - name: ids - description: > - The cases that you want to removed. All non-ASCII characters must be URL - encoded. - in: query - required: true - schema: - type: array - items: - type: string - minItems: 1 - maxItems: 100 - example: d4e7abb0-b462-11ec-9a8d-698504725a43 - Cases_assignees: - in: query - name: assignees - description: > - Filters the returned cases by assignees. Valid values are `none` or - unique identifiers for the user profiles. These identifiers can be found - by using the suggest user profile API. - schema: - oneOf: - - type: string - - type: array - items: - type: string - maxItems: 100 - Cases_category: - in: query - name: category - description: Filters the returned cases by category. - schema: - oneOf: - - type: string - example: my-category - - type: array - items: - type: string - maxItems: 100 - Cases_defaultSearchOperator: - in: query - name: defaultSearchOperator - description: he default operator to use for the simple_query_string. - schema: - type: string - default: OR - example: OR - Cases_from: - in: query - name: from - description: > - Returns only cases that were created after a specific date. The date - must be specified as a KQL data range or date match expression. - schema: - type: string - example: now-1d - Cases_owner: - in: query - name: owner - description: > - A filter to limit the response to a specific set of applications. If - this parameter is omitted, the response contains information about all - the cases that the user has access to read. - schema: - oneOf: - - $ref: '#/components/schemas/Cases_owners' - - type: array - items: - $ref: '#/components/schemas/Cases_owners' - example: cases - Cases_page_index: - in: query - name: page - description: The page number to return. 
- required: false - schema: - type: integer - default: 1 - Cases_page_size: - in: query - name: perPage - description: The number of items to return. Limited to 100 items. - required: false - schema: - type: integer - default: 20 - maximum: 100 - Cases_reporters: - in: query - name: reporters - description: Filters the returned cases by the user name of the reporter. - schema: - oneOf: - - type: string - - type: array - items: - type: string - maxItems: 100 - example: elastic - Cases_search: - in: query - name: search - description: >- - An Elasticsearch simple_query_string query that filters the objects in - the response. - schema: - type: string - Cases_searchFields: - in: query - name: searchFields - description: The fields to perform the simple_query_string parsed query against. - schema: - oneOf: - - $ref: '#/components/schemas/Cases_searchFieldsType' - - type: array - items: - $ref: '#/components/schemas/Cases_searchFieldsType' - Cases_severity: - in: query - name: severity - description: The severity of the case. - schema: - type: string - enum: - - critical - - high - - low - - medium - Cases_sortField: - in: query - name: sortField - description: Determines which field is used to sort the results. - schema: - type: string - enum: - - createdAt - - updatedAt - - closedAt - - title - - category - - status - - severity - default: createdAt - example: updatedAt - Cases_sort_order: - in: query - name: sortOrder - description: Determines the sort order. - required: false - schema: - type: string - enum: - - asc - - desc - default: desc - Cases_status: - in: query - name: status - description: Filters the returned cases by state. - schema: - type: string - enum: - - closed - - in-progress - - open - example: open - Cases_tags: - in: query - name: tags - description: Filters the returned cases by tags. 
- schema: - oneOf: - - type: string - - type: array - items: - type: string - maxItems: 100 - example: tag-1 - Cases_to: - in: query - name: to - description: > - Returns only cases that were created before a specific date. The date - must be specified as a KQL data range or date match expression. - schema: - type: string - example: now+1d - Cases_alert_id: - in: path - name: alertId - description: An identifier for the alert. - required: true - schema: - type: string - example: 09f0c261e39e36351d75995b78bb83673774d1bc2cca9df2d15f0e5c0a99a540 - Cases_configuration_id: - in: path - name: configurationId - description: An identifier for the configuration. - required: true - schema: - type: string - example: 3297a0f0-b5ec-11ec-b141-0fdb20a7f9a9 - Cases_case_id: - in: path - name: caseId - description: >- - The identifier for the case. To retrieve case IDs, use the find cases - API. All non-ASCII characters must be URL encoded. - required: true - schema: - type: string - example: 9c235210-6834-11ea-a78c-6ffb38a34414 - Cases_includeComments: - in: query - name: includeComments - description: >- - Deprecated in 8.1.0. This parameter is deprecated and will be removed in - a future release. It determines whether case comments are returned. 
+ - Security Solution Endpoint Management API + '/api/endpoint/protection_updates_note/{package_policy_id}': + get: + operationId: GetProtectionUpdatesNote + parameters: + - in: path + name: package_policy_id + required: true + schema: + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_ProtectionUpdatesNoteResponse + description: OK + summary: Get Protection Updates Note schema + tags: + - Security Solution Endpoint Management API + post: + operationId: CreateUpdateProtectionUpdatesNote + parameters: + - in: path + name: package_policy_id + required: true + schema: + type: string + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + note: + type: string + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_ProtectionUpdatesNoteResponse + description: OK + summary: Create Update Protection Updates Note schema + tags: + - Security Solution Endpoint Management API + '/api/endpoint/suggestions/{suggestion_type}': + post: + operationId: GetEndpointSuggestions + parameters: + - in: path + name: suggestion_type + required: true + schema: + enum: + - eventFilters + type: string + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + field: + type: string + fieldMeta: {} + filters: {} + query: + type: string + required: + - parameters + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_SuccessResponse + description: OK + summary: Get suggestions + tags: + - Security Solution Endpoint Management API + /api/endpoint/unisolate: + post: deprecated: true - 
schema: - type: boolean - default: true - Cases_comment_id: - in: path - name: commentId - description: > - The identifier for the comment. To retrieve comment IDs, use the get - case or find cases APIs. - required: true - schema: - type: string - example: 71ec1870-725b-11ea-a0b2-c51ea50a58e2 - Cases_connector_id: - in: path - name: connectorId - description: >- - An identifier for the connector. To retrieve connector IDs, use the find - connectors API. - required: true - schema: - type: string - example: abed3a70-71bd-11ea-a0b2-c51ea50a58e2 - Cases_user_action_types: - in: query - name: types - description: Determines the types of user actions to return. - schema: - type: array - items: - type: string - enum: - - action - - alert - - assignees - - attachment - - comment - - connector - - create_case - - description - - pushed - - settings - - severity - - status - - tags - - title - - user - example: create_case - Connectors_kbn_xsrf: - schema: - type: string - in: header - name: kbn-xsrf - description: Cross-site request forgery protection - required: true - Connectors_connector_id: - in: path - name: connectorId - description: An identifier for the connector. - required: true - schema: - type: string - example: df770e30-8b8b-11ed-a780-3b746c987a81 - Connectors_action_id: - in: path - name: actionId - description: An identifier for the action. - required: true - schema: - type: string - example: c55b6eb0-6bad-11eb-9f3b-611eebc6c3ad - Data_views_kbn_xsrf: - schema: - type: string - in: header - name: kbn-xsrf - description: Cross-site request forgery protection - required: true - Data_views_view_id: - in: path - name: viewId - description: An identifier for the data view. - required: true - schema: - type: string - example: ff959d40-b880-11e8-a6d9-e546fe2bba5f - Data_views_field_name: - in: path - name: fieldName - description: The name of the runtime field. 
- required: true - schema: - type: string - example: hour_of_day - Machine_learning_APIs_simulateParam: - in: query - name: simulate - description: >- - When true, simulates the synchronization by returning only the list of - actions that would be performed. - required: false - schema: - type: boolean - example: 'true' - Saved_objects_kbn_xsrf: - schema: - type: string - in: header - name: kbn-xsrf - description: Cross-site request forgery protection - required: true - Saved_objects_saved_object_type: - in: path - name: type - description: >- - Valid options include `visualization`, `dashboard`, `search`, - `index-pattern`, `config`. - required: true - schema: - type: string - Saved_objects_saved_object_id: - in: path - name: id - description: An identifier for the saved object. - required: true - schema: - type: string - schemas: - Alerting_create_anomaly_detection_alert_rule_request: - title: Create anomaly detection rule request - description: > - A rule that checks if the anomaly detection job results contain - anomalies that match the rule conditions. - type: object - required: - - consumer - - name - - params - - rule_type_id - - schedule - properties: - actions: - $ref: '#/components/schemas/Alerting_actions' - alert_delay: - $ref: '#/components/schemas/Alerting_alert_delay' - consumer: - $ref: '#/components/schemas/Alerting_consumer' - enabled: - $ref: '#/components/schemas/Alerting_enabled_rule' - name: - $ref: '#/components/schemas/Alerting_name_rule' - notify_when: - $ref: '#/components/schemas/Alerting_notify_when' - params: - type: object - description: The parameters for an anomaly detection rule. - additionalProperties: true - rule_type_id: - type: string - description: >- - The ID of the rule type that you want to call when the rule is - scheduled to run. 
- enum: - - xpack.ml.anomaly_detection_alert - schedule: - $ref: '#/components/schemas/Alerting_schedule' - tags: - $ref: '#/components/schemas/Alerting_tags' - throttle: - $ref: '#/components/schemas/Alerting_throttle' - Alerting_create_anomaly_detection_jobs_health_rule_request: - title: Create anomaly detection jobs health rule request - description: > - An rule that monitors job health and alerts if an operational issue - occurred that may prevent the job from detecting anomalies. - type: object - required: - - consumer - - name - - params - - rule_type_id - - schedule - properties: - actions: - $ref: '#/components/schemas/Alerting_actions' - alert_delay: - $ref: '#/components/schemas/Alerting_alert_delay' - consumer: - $ref: '#/components/schemas/Alerting_consumer' - enabled: - $ref: '#/components/schemas/Alerting_enabled_rule' - name: - $ref: '#/components/schemas/Alerting_name_rule' - notify_when: - $ref: '#/components/schemas/Alerting_notify_when' - params: - type: object - description: The parameters for an anomaly detection jobs health rule. - additionalProperties: true - rule_type_id: - type: string - description: >- - The ID of the rule type that you want to call when the rule is - scheduled to run. - enum: - - xpack.ml.anomaly_detection_jobs_health - schedule: - $ref: '#/components/schemas/Alerting_schedule' - tags: - $ref: '#/components/schemas/Alerting_tags' - throttle: - $ref: '#/components/schemas/Alerting_throttle' - Alerting_create_apm_anomaly_rule_request: - title: Create APM anomaly rule rule request - description: >- - A rule that detects when either the latency, throughput, or failed - transaction rate of a service is anomalous. 
- type: object - required: - - consumer - - name - - params - - rule_type_id - - schedule - properties: - actions: - $ref: '#/components/schemas/Alerting_actions' - alert_delay: - $ref: '#/components/schemas/Alerting_alert_delay' - consumer: - $ref: '#/components/schemas/Alerting_consumer' - enabled: - $ref: '#/components/schemas/Alerting_enabled_rule' - name: - $ref: '#/components/schemas/Alerting_name_rule' - notify_when: - $ref: '#/components/schemas/Alerting_notify_when' - params: - $ref: '#/components/schemas/Alerting_params_property_apm_anomaly' - rule_type_id: - type: string - description: >- - The ID of the rule type that you want to call when the rule is - scheduled to run. - enum: - - apm.anomaly - schedule: - $ref: '#/components/schemas/Alerting_schedule' - tags: - $ref: '#/components/schemas/Alerting_tags' - throttle: - $ref: '#/components/schemas/Alerting_throttle' - Alerting_create_apm_error_count_rule_request: - title: Create APM error count rule request - description: >- - A rule that detects when the number of errors in a service exceeds a - defined threshold. - type: object - required: - - consumer - - name - - params - - rule_type_id - - schedule - properties: - actions: - $ref: '#/components/schemas/Alerting_actions' - alert_delay: - $ref: '#/components/schemas/Alerting_alert_delay' - consumer: - $ref: '#/components/schemas/Alerting_consumer' - enabled: - $ref: '#/components/schemas/Alerting_enabled_rule' - name: - $ref: '#/components/schemas/Alerting_name_rule' - notify_when: - $ref: '#/components/schemas/Alerting_notify_when' - params: - $ref: '#/components/schemas/Alerting_params_property_apm_error_count' - rule_type_id: - type: string - description: >- - The ID of the rule type that you want to call when the rule is - scheduled to run. 
- enum: - - apm.error_rate - schedule: - $ref: '#/components/schemas/Alerting_schedule' - tags: - $ref: '#/components/schemas/Alerting_tags' - throttle: - $ref: '#/components/schemas/Alerting_throttle' - Alerting_create_apm_transaction_duration_rule_request: - title: Create latency threshold rule request - description: >- - A rule that detects when the latency of a specific transaction type in a - service exceeds a threshold. - type: object - required: - - consumer - - name - - params - - rule_type_id - - schedule - properties: - actions: - $ref: '#/components/schemas/Alerting_actions' - alert_delay: - $ref: '#/components/schemas/Alerting_alert_delay' - consumer: - $ref: '#/components/schemas/Alerting_consumer' - enabled: - $ref: '#/components/schemas/Alerting_enabled_rule' - name: - $ref: '#/components/schemas/Alerting_name_rule' - notify_when: - $ref: '#/components/schemas/Alerting_notify_when' - params: - $ref: >- - #/components/schemas/Alerting_params_property_apm_transaction_duration - rule_type_id: - type: string - description: >- - The ID of the rule type that you want to call when the rule is - scheduled to run. - enum: - - apm.transaction_duration - schedule: - $ref: '#/components/schemas/Alerting_schedule' - tags: - $ref: '#/components/schemas/Alerting_tags' - throttle: - $ref: '#/components/schemas/Alerting_throttle' - Alerting_create_apm_transaction_error_rate_rule_request: - title: Create APM transaction error rate rule request - description: >- - A rule that sends notifications when the rate of transaction errors in a - service exceeds a threshold. 
- type: object - required: - - consumer - - name - - params - - rule_type_id - - schedule - properties: - actions: - $ref: '#/components/schemas/Alerting_actions' - alert_delay: - $ref: '#/components/schemas/Alerting_alert_delay' - consumer: - $ref: '#/components/schemas/Alerting_consumer' - enabled: - $ref: '#/components/schemas/Alerting_enabled_rule' - name: - $ref: '#/components/schemas/Alerting_name_rule' - notify_when: - $ref: '#/components/schemas/Alerting_notify_when' - params: - $ref: >- - #/components/schemas/Alerting_params_property_apm_transaction_error_rate - rule_type_id: - type: string - description: >- - The ID of the rule type that you want to call when the rule is - scheduled to run. - enum: - - apm.transaction_error_rate - schedule: - $ref: '#/components/schemas/Alerting_schedule' - tags: - $ref: '#/components/schemas/Alerting_tags' - throttle: - $ref: '#/components/schemas/Alerting_throttle' - Alerting_create_es_query_rule_request: - title: Create Elasticsearch query rule request - description: > - A rule that runs a user-configured query, compares the number of matches - to a configured threshold, and schedules actions to run when the - threshold condition is met. - type: object - required: - - consumer - - name - - params - - rule_type_id - - schedule - properties: - actions: - $ref: '#/components/schemas/Alerting_actions' - alert_delay: - $ref: '#/components/schemas/Alerting_alert_delay' - consumer: - $ref: '#/components/schemas/Alerting_consumer' - enabled: - $ref: '#/components/schemas/Alerting_enabled_rule' - name: - $ref: '#/components/schemas/Alerting_name_rule' - notify_when: - $ref: '#/components/schemas/Alerting_notify_when' - params: - $ref: '#/components/schemas/Alerting_params_es_query_rule' - rule_type_id: - type: string - description: >- - The ID of the rule type that you want to call when the rule is - scheduled to run. 
- enum: - - .es-query - schedule: - $ref: '#/components/schemas/Alerting_schedule' - tags: - $ref: '#/components/schemas/Alerting_tags' - throttle: - $ref: '#/components/schemas/Alerting_throttle' - Alerting_create_geo_containment_rule_request: - title: Create tracking containment rule request - description: > - A rule that runs an Elasticsearch query over indices to determine - whether any documents are currently contained within any boundaries from - the specified boundary index. In the event that an entity is contained - within a boundary, an alert may be generated. - type: object - required: - - consumer - - name - - params - - rule_type_id - - schedule - properties: - actions: - $ref: '#/components/schemas/Alerting_actions' - alert_delay: - $ref: '#/components/schemas/Alerting_alert_delay' - consumer: - $ref: '#/components/schemas/Alerting_consumer' - enabled: - $ref: '#/components/schemas/Alerting_enabled_rule' - name: - $ref: '#/components/schemas/Alerting_name_rule' - notify_when: - $ref: '#/components/schemas/Alerting_notify_when' - params: - type: object - description: The parameters for an tracking containment rule. - additionalProperties: true - rule_type_id: - type: string - description: >- - The ID of the rule type that you want to call when the rule is - scheduled to run. - enum: - - .geo-containment - schedule: - $ref: '#/components/schemas/Alerting_schedule' - tags: - $ref: '#/components/schemas/Alerting_tags' - throttle: - $ref: '#/components/schemas/Alerting_throttle' - Alerting_create_index_threshold_rule_request: - title: Create index threshold rule request - description: >- - A rule that runs an Elasticsearch query, aggregates field values from - documents, compares them to threshold values, and schedules actions to - run when the thresholds are met. 
- type: object - required: - - consumer - - name - - params - - rule_type_id - - schedule - properties: - actions: - $ref: '#/components/schemas/Alerting_actions' - alert_delay: - $ref: '#/components/schemas/Alerting_alert_delay' - consumer: - $ref: '#/components/schemas/Alerting_consumer' - enabled: - $ref: '#/components/schemas/Alerting_enabled_rule' - name: - $ref: '#/components/schemas/Alerting_name_rule' - notify_when: - $ref: '#/components/schemas/Alerting_notify_when' - params: - $ref: '#/components/schemas/Alerting_params_index_threshold_rule' - rule_type_id: - type: string - description: >- - The ID of the rule type that you want to call when the rule is - scheduled to run. - enum: - - .index-threshold - schedule: - $ref: '#/components/schemas/Alerting_schedule' - tags: - $ref: '#/components/schemas/Alerting_tags' - throttle: - $ref: '#/components/schemas/Alerting_throttle' - Alerting_create_infra_inventory_rule_request: - title: Create infra inventory rule request - description: > - A rule that sends notifications when a metric has reached or exceeded a - value for a specific resource or a group of resources within your - infrastructure. - type: object - required: - - consumer - - name - - params - - rule_type_id - - schedule - properties: - actions: - $ref: '#/components/schemas/Alerting_actions' - alert_delay: - $ref: '#/components/schemas/Alerting_alert_delay' - consumer: - $ref: '#/components/schemas/Alerting_consumer' - enabled: - $ref: '#/components/schemas/Alerting_enabled_rule' - name: - $ref: '#/components/schemas/Alerting_name_rule' - notify_when: - $ref: '#/components/schemas/Alerting_notify_when' - params: - $ref: '#/components/schemas/Alerting_params_property_infra_inventory' - rule_type_id: - type: string - description: >- - The ID of the rule type that you want to call when the rule is - scheduled to run. 
- enum: - - metrics.alert.inventory.threshold - schedule: - $ref: '#/components/schemas/Alerting_schedule' - tags: - $ref: '#/components/schemas/Alerting_tags' - throttle: - $ref: '#/components/schemas/Alerting_throttle' - Alerting_create_infra_metric_anomaly_rule_request: - title: Create infrastructure anomaly rule request - type: object - required: - - consumer - - name - - params - - rule_type_id - - schedule - properties: - actions: - $ref: '#/components/schemas/Alerting_actions' - alert_delay: - $ref: '#/components/schemas/Alerting_alert_delay' - consumer: - $ref: '#/components/schemas/Alerting_consumer' - enabled: - $ref: '#/components/schemas/Alerting_enabled_rule' - name: - $ref: '#/components/schemas/Alerting_name_rule' - notify_when: - $ref: '#/components/schemas/Alerting_notify_when' - params: - type: object - description: The parameters for an infrastructure anomaly rule. - additionalProperties: true - rule_type_id: - type: string - description: >- - The ID of the rule type that you want to call when the rule is - scheduled to run. - enum: - - metrics.alert.anomaly - schedule: - $ref: '#/components/schemas/Alerting_schedule' - tags: - $ref: '#/components/schemas/Alerting_tags' - throttle: - $ref: '#/components/schemas/Alerting_throttle' - Alerting_create_infra_metric_threshold_rule_request: - title: Create infra metric threshold rule request - description: > - A rule that sends notifications when a metric has reached or exceeded a - value for a specific time period. 
- type: object - required: - - consumer - - name - - params - - rule_type_id - - schedule - properties: - actions: - $ref: '#/components/schemas/Alerting_actions' - alert_delay: - $ref: '#/components/schemas/Alerting_alert_delay' - consumer: - $ref: '#/components/schemas/Alerting_consumer' - enabled: - $ref: '#/components/schemas/Alerting_enabled_rule' - name: - $ref: '#/components/schemas/Alerting_name_rule' - notify_when: - $ref: '#/components/schemas/Alerting_notify_when' - params: - $ref: '#/components/schemas/Alerting_params_property_infra_metric_threshold' - rule_type_id: - type: string - description: >- - The ID of the rule type that you want to call when the rule is - scheduled to run. - enum: - - metrics.alert.threshold - schedule: - $ref: '#/components/schemas/Alerting_schedule' - tags: - $ref: '#/components/schemas/Alerting_tags' - throttle: - $ref: '#/components/schemas/Alerting_throttle' - Alerting_create_monitoring_jvm_memory_usage_rule_request: - title: Create JVM memory usage rule request - description: A rule that detects when a node reports high memory usage. - type: object - required: - - consumer - - name - - params - - rule_type_id - - schedule - properties: - actions: - $ref: '#/components/schemas/Alerting_actions' - consumer: - $ref: '#/components/schemas/Alerting_consumer' - enabled: - $ref: '#/components/schemas/Alerting_enabled_rule' - name: - $ref: '#/components/schemas/Alerting_name_rule' - notify_when: - $ref: '#/components/schemas/Alerting_notify_when' - params: - type: object - description: The parameters for a JVM memory usage rule. - additionalProperties: true - rule_type_id: - type: string - description: >- - The ID of the rule type that you want to call when the rule is - scheduled to run. 
- enum: - - monitoring_alert_jvm_memory_usage - schedule: - $ref: '#/components/schemas/Alerting_schedule' - tags: - $ref: '#/components/schemas/Alerting_tags' - throttle: - $ref: '#/components/schemas/Alerting_throttle' - Alerting_create_log_threshold_rule_request: - title: Create log threshold rule request - description: A rule that detects when a log aggregation exceeds a threshold. - type: object - required: - - consumer - - name - - params - - rule_type_id - - schedule - properties: - actions: - $ref: '#/components/schemas/Alerting_actions' - alert_delay: - $ref: '#/components/schemas/Alerting_alert_delay' - consumer: - $ref: '#/components/schemas/Alerting_consumer' - enabled: - $ref: '#/components/schemas/Alerting_enabled_rule' - name: - $ref: '#/components/schemas/Alerting_name_rule' - notify_when: - $ref: '#/components/schemas/Alerting_notify_when' - params: - $ref: '#/components/schemas/Alerting_params_property_log_threshold' - rule_type_id: - type: string - description: >- - The ID of the rule type that you want to call when the rule is - scheduled to run. - enum: - - logs.alert.document.count - schedule: - $ref: '#/components/schemas/Alerting_schedule' - tags: - $ref: '#/components/schemas/Alerting_tags' - throttle: - $ref: '#/components/schemas/Alerting_throttle' - Alerting_create_monitoring_ccr_exceptions_rule_request: - title: Create CCR read exceptions rule request - description: A rule that detects cross-cluster replication (CCR) read exceptions. - type: object - required: - - consumer - - name - - params - - rule_type_id - - schedule - properties: - actions: - $ref: '#/components/schemas/Alerting_actions' - consumer: - $ref: '#/components/schemas/Alerting_consumer' - enabled: - $ref: '#/components/schemas/Alerting_enabled_rule' - name: - $ref: '#/components/schemas/Alerting_name_rule' - notify_when: - $ref: '#/components/schemas/Alerting_notify_when' - params: - type: object - description: The parameters for a CCR read exceptions rule. 
- additionalProperties: true - rule_type_id: - type: string - description: >- - The ID of the rule type that you want to call when the rule is - scheduled to run. - enum: - - monitoring_ccr_read_exceptions - schedule: - $ref: '#/components/schemas/Alerting_schedule' - tags: - $ref: '#/components/schemas/Alerting_tags' - throttle: - $ref: '#/components/schemas/Alerting_throttle' - Alerting_create_monitoring_cluster_health_rule_request: - title: Create cluster health rule request - description: A rule that detects when the health of the cluster changes. - type: object - required: - - consumer - - name - - params - - rule_type_id - - schedule - properties: - actions: - $ref: '#/components/schemas/Alerting_actions' - consumer: - $ref: '#/components/schemas/Alerting_consumer' - enabled: - $ref: '#/components/schemas/Alerting_enabled_rule' - name: - $ref: '#/components/schemas/Alerting_name_rule' - notify_when: - $ref: '#/components/schemas/Alerting_notify_when' - params: - type: object - description: The parameters for a cluster health rule. - additionalProperties: true - rule_type_id: - type: string - description: >- - The ID of the rule type that you want to call when the rule is - scheduled to run. - enum: - - monitoring_alert_cluster_health - schedule: - $ref: '#/components/schemas/Alerting_schedule' - tags: - $ref: '#/components/schemas/Alerting_tags' - throttle: - $ref: '#/components/schemas/Alerting_throttle' - Alerting_create_monitoring_cpu_usage_rule_request: - title: Create CPU usage rule request - description: A rule that detects when the CPU load for a node is consistently high. 
- type: object - required: - - consumer - - name - - params - - rule_type_id - - schedule - properties: - actions: - $ref: '#/components/schemas/Alerting_actions' - consumer: - $ref: '#/components/schemas/Alerting_consumer' - enabled: - $ref: '#/components/schemas/Alerting_enabled_rule' - name: - $ref: '#/components/schemas/Alerting_name_rule' - notify_when: - $ref: '#/components/schemas/Alerting_notify_when' - params: - type: object - description: The parameters for a CPU usage rule. - additionalProperties: true - rule_type_id: - type: string - description: >- - The ID of the rule type that you want to call when the rule is - scheduled to run. - enum: - - monitoring_alert_cpu_usage - schedule: - $ref: '#/components/schemas/Alerting_schedule' - tags: - $ref: '#/components/schemas/Alerting_tags' - throttle: - $ref: '#/components/schemas/Alerting_throttle' - Alerting_create_monitoring_disk_usage_rule_request: - title: Create disk usage rule request - description: A rule that detects when the disk usage for a node is consistently high. - type: object - required: - - consumer - - name - - params - - rule_type_id - - schedule - properties: - actions: - $ref: '#/components/schemas/Alerting_actions' - consumer: - $ref: '#/components/schemas/Alerting_consumer' - enabled: - $ref: '#/components/schemas/Alerting_enabled_rule' - name: - $ref: '#/components/schemas/Alerting_name_rule' - notify_when: - $ref: '#/components/schemas/Alerting_notify_when' - params: - type: object - description: The parameters for a disk usage rule. - additionalProperties: true - rule_type_id: - type: string - description: >- - The ID of the rule type that you want to call when the rule is - scheduled to run. 
- enum: - - monitoring_alert_disk_usage - schedule: - $ref: '#/components/schemas/Alerting_schedule' - tags: - $ref: '#/components/schemas/Alerting_tags' - throttle: - $ref: '#/components/schemas/Alerting_throttle' - Alerting_create_monitoring_elasticsearch_version_mismatch_rule_request: - title: Create Elasticsearch version mismatch rule request - description: >- - A rule that detects when the cluster has multipe versions of - Elasticsearch. - type: object - required: - - consumer - - name - - params - - rule_type_id - - schedule - properties: - actions: - $ref: '#/components/schemas/Alerting_actions' - consumer: - $ref: '#/components/schemas/Alerting_consumer' - enabled: - $ref: '#/components/schemas/Alerting_enabled_rule' - name: - $ref: '#/components/schemas/Alerting_name_rule' - notify_when: - $ref: '#/components/schemas/Alerting_notify_when' - params: - type: object - description: The parameters for a Elasticsearch version mismatch rule. - additionalProperties: true - rule_type_id: - type: string - description: >- - The ID of the rule type that you want to call when the rule is - scheduled to run. - enum: - - monitoring_alert_elasticsearch_version_mismatch - schedule: - $ref: '#/components/schemas/Alerting_schedule' - tags: - $ref: '#/components/schemas/Alerting_tags' - throttle: - $ref: '#/components/schemas/Alerting_throttle' - Alerting_create_monitoring_license_expiration_rule_request: - title: Create license expiration rule request - description: A rule that detects when the cluster license is about to expire. 
- type: object - required: - - consumer - - name - - params - - rule_type_id - - schedule - properties: - actions: - $ref: '#/components/schemas/Alerting_actions' - consumer: - $ref: '#/components/schemas/Alerting_consumer' - enabled: - $ref: '#/components/schemas/Alerting_enabled_rule' - name: - $ref: '#/components/schemas/Alerting_name_rule' - notify_when: - $ref: '#/components/schemas/Alerting_notify_when' - params: - type: object - description: The parameters for a license expiration rule. - additionalProperties: true - rule_type_id: - type: string - description: >- - The ID of the rule type that you want to call when the rule is - scheduled to run. - enum: - - monitoring_alert_license_expiration - schedule: - $ref: '#/components/schemas/Alerting_schedule' - tags: - $ref: '#/components/schemas/Alerting_tags' - throttle: - $ref: '#/components/schemas/Alerting_throttle' - Alerting_create_monitoring_kibana_version_mismatch_rule_request: - title: Create Kibana version mismatch rule request - description: A rule that detects when the cluster has multiple versions of Kibana. - type: object - required: - - consumer - - name - - params - - rule_type_id - - schedule - properties: - actions: - $ref: '#/components/schemas/Alerting_actions' - consumer: - $ref: '#/components/schemas/Alerting_consumer' - enabled: - $ref: '#/components/schemas/Alerting_enabled_rule' - name: - $ref: '#/components/schemas/Alerting_name_rule' - notify_when: - $ref: '#/components/schemas/Alerting_notify_when' - params: - type: object - description: The parameters for a Kibana version mismatch rule. - additionalProperties: true - rule_type_id: - type: string - description: >- - The ID of the rule type that you want to call when the rule is - scheduled to run. 
- enum: - - monitoring_alert_kibana_version_mismatch - schedule: - $ref: '#/components/schemas/Alerting_schedule' - tags: - $ref: '#/components/schemas/Alerting_tags' - throttle: - $ref: '#/components/schemas/Alerting_throttle' - Alerting_create_monitoring_logstash_version_mismatch_rule_request: - title: Create Logstash version mismatch rule request - description: A rule that detects when the cluster has multiple versions of Logstash. - type: object - required: - - consumer - - name - - params - - rule_type_id - - schedule - properties: - actions: - $ref: '#/components/schemas/Alerting_actions' - consumer: - $ref: '#/components/schemas/Alerting_consumer' - enabled: - $ref: '#/components/schemas/Alerting_enabled_rule' - name: - $ref: '#/components/schemas/Alerting_name_rule' - notify_when: - $ref: '#/components/schemas/Alerting_notify_when' - params: - type: object - description: The parameters for a Logstash version mismatch rule. - additionalProperties: true - rule_type_id: - type: string - description: >- - The ID of the rule type that you want to call when the rule is - scheduled to run. - enum: - - monitoring_alert_logstash_version_mismatch - schedule: - $ref: '#/components/schemas/Alerting_schedule' - tags: - $ref: '#/components/schemas/Alerting_tags' - throttle: - $ref: '#/components/schemas/Alerting_throttle' - Alerting_create_monitoring_missing_data_rule_request: - title: Create missing monitoring data rule request - description: A rule that detects when monitoring data is missing. 
- type: object - required: - - consumer - - name - - params - - rule_type_id - - schedule - properties: - actions: - $ref: '#/components/schemas/Alerting_actions' - consumer: - $ref: '#/components/schemas/Alerting_consumer' - enabled: - $ref: '#/components/schemas/Alerting_enabled_rule' - name: - $ref: '#/components/schemas/Alerting_name_rule' - notify_when: - $ref: '#/components/schemas/Alerting_notify_when' - params: - type: object - description: The parameters for a missing monitoring data rule. - additionalProperties: true - rule_type_id: - type: string - description: >- - The ID of the rule type that you want to call when the rule is - scheduled to run. - enum: - - monitoring_alert_missing_monitoring_data - schedule: - $ref: '#/components/schemas/Alerting_schedule' - tags: - $ref: '#/components/schemas/Alerting_tags' - throttle: - $ref: '#/components/schemas/Alerting_throttle' - Alerting_create_monitoring_nodes_changed_rule_request: - title: Create nodes changed rule request - description: A rule that detects when nodes are added, removed, or restarted. - type: object - required: - - consumer - - name - - params - - rule_type_id - - schedule - properties: - actions: - $ref: '#/components/schemas/Alerting_actions' - consumer: - $ref: '#/components/schemas/Alerting_consumer' - enabled: - $ref: '#/components/schemas/Alerting_enabled_rule' - name: - $ref: '#/components/schemas/Alerting_name_rule' - notify_when: - $ref: '#/components/schemas/Alerting_notify_when' - params: - type: object - description: The parameters for a nodes changed rule. - additionalProperties: true - rule_type_id: - type: string - description: >- - The ID of the rule type that you want to call when the rule is - scheduled to run. 
- enum: - - monitoring_alert_nodes_changed - schedule: - $ref: '#/components/schemas/Alerting_schedule' - tags: - $ref: '#/components/schemas/Alerting_tags' - throttle: - $ref: '#/components/schemas/Alerting_throttle' - Alerting_create_monitoring_shard_size_rule_request: - title: Create shard size rule request - description: >- - A rule that detects when the average shard size is larger than a - threshold. - type: object - required: - - consumer - - name - - params - - rule_type_id - - schedule - properties: - actions: - $ref: '#/components/schemas/Alerting_actions' - consumer: - $ref: '#/components/schemas/Alerting_consumer' - enabled: - $ref: '#/components/schemas/Alerting_enabled_rule' - name: - $ref: '#/components/schemas/Alerting_name_rule' - notify_when: - $ref: '#/components/schemas/Alerting_notify_when' - params: - type: object - description: The parameters for a shard size rule. - additionalProperties: true - rule_type_id: - type: string - description: >- - The ID of the rule type that you want to call when the rule is - scheduled to run. - enum: - - monitoring_shard_size - schedule: - $ref: '#/components/schemas/Alerting_schedule' - tags: - $ref: '#/components/schemas/Alerting_tags' - throttle: - $ref: '#/components/schemas/Alerting_throttle' - Alerting_create_monitoring_thread_pool_search_rejections_rule_request: - title: Create thread pool search rejections rule request - description: >- - A rule that detects when the number of rejections in the thread pool - exceeds a threshold. 
- type: object - required: - - consumer - - name - - params - - rule_type_id - - schedule - properties: - actions: - $ref: '#/components/schemas/Alerting_actions' - consumer: - $ref: '#/components/schemas/Alerting_consumer' - enabled: - $ref: '#/components/schemas/Alerting_enabled_rule' - name: - $ref: '#/components/schemas/Alerting_name_rule' - notify_when: - $ref: '#/components/schemas/Alerting_notify_when' - params: - type: object - description: The parameters for a thread pool search rejections rule. - additionalProperties: true - rule_type_id: - type: string - description: >- - The ID of the rule type that you want to call when the rule is - scheduled to run. - enum: - - monitoring_alert_thread_pool_search_rejections - schedule: - $ref: '#/components/schemas/Alerting_schedule' - tags: - $ref: '#/components/schemas/Alerting_tags' - throttle: - $ref: '#/components/schemas/Alerting_throttle' - Alerting_create_monitoring_thread_pool_write_rejections_rule_request: - title: Create thread pool write rejections rule request - description: >- - A rule that detects when the number of rejections in the write thread - pool exceeds a threshold. - type: object - required: - - consumer - - name - - params - - rule_type_id - - schedule - properties: - actions: - $ref: '#/components/schemas/Alerting_actions' - consumer: - $ref: '#/components/schemas/Alerting_consumer' - enabled: - $ref: '#/components/schemas/Alerting_enabled_rule' - name: - $ref: '#/components/schemas/Alerting_name_rule' - notify_when: - $ref: '#/components/schemas/Alerting_notify_when' - params: - type: object - description: The parameters for a thread pool write rejections rule. - additionalProperties: true - rule_type_id: - type: string - description: >- - The ID of the rule type that you want to call when the rule is - scheduled to run. 
- enum: - - monitoring_alert_thread_pool_write_rejections - schedule: - $ref: '#/components/schemas/Alerting_schedule' - tags: - $ref: '#/components/schemas/Alerting_tags' - throttle: - $ref: '#/components/schemas/Alerting_throttle' - Alerting_create_siem_eql_rule_request: - title: Create event correlation rule request - description: > - A rule that uses Event Query Language (EQL) to match events, generate - sequences, and stack data. - type: object - required: - - consumer - - name - - params - - rule_type_id - - schedule - properties: - actions: - $ref: '#/components/schemas/Alerting_actions' - consumer: - $ref: '#/components/schemas/Alerting_consumer' - enabled: - $ref: '#/components/schemas/Alerting_enabled_rule' - name: - $ref: '#/components/schemas/Alerting_name_rule' - notify_when: - $ref: '#/components/schemas/Alerting_notify_when' - params: - type: object - description: The parameters for an event correlation rule. - additionalProperties: true - rule_type_id: - type: string - description: >- - The ID of the rule type that you want to call when the rule is - scheduled to run. - enum: - - siem.eqlRule - schedule: - $ref: '#/components/schemas/Alerting_schedule' - tags: - $ref: '#/components/schemas/Alerting_tags' - throttle: - $ref: '#/components/schemas/Alerting_throttle' - Alerting_create_siem_indicator_rule_request: - title: Create indicator match rule request - description: > - A rule that uses indicators from intelligence sources to detect matching - events and alerts. 
- type: object - required: - - consumer - - name - - params - - rule_type_id - - schedule - properties: - actions: - $ref: '#/components/schemas/Alerting_actions' - consumer: - $ref: '#/components/schemas/Alerting_consumer' - enabled: - $ref: '#/components/schemas/Alerting_enabled_rule' - name: - $ref: '#/components/schemas/Alerting_name_rule' - notify_when: - $ref: '#/components/schemas/Alerting_notify_when' - params: - type: object - description: The parameters for an indicator match rule. - additionalProperties: true - rule_type_id: - type: string - description: >- - The ID of the rule type that you want to call when the rule is - scheduled to run. - enum: - - siem.indicatorRule - schedule: - $ref: '#/components/schemas/Alerting_schedule' - tags: - $ref: '#/components/schemas/Alerting_tags' - throttle: - $ref: '#/components/schemas/Alerting_throttle' - Alerting_create_siem_ml_rule_request: - title: Create machine learning rule request - description: > - A rule that detects when a machine learning job discovers an anomaly - above the defined threshold. - type: object - required: - - consumer - - name - - params - - rule_type_id - - schedule - properties: - actions: - $ref: '#/components/schemas/Alerting_actions' - consumer: - $ref: '#/components/schemas/Alerting_consumer' - enabled: - $ref: '#/components/schemas/Alerting_enabled_rule' - name: - $ref: '#/components/schemas/Alerting_name_rule' - notify_when: - $ref: '#/components/schemas/Alerting_notify_when' - params: - type: object - description: The parameters for a machine learning rule. - additionalProperties: true - rule_type_id: - type: string - description: >- - The ID of the rule type that you want to call when the rule is - scheduled to run. 
- enum: - - siem.mlRule - schedule: - $ref: '#/components/schemas/Alerting_schedule' - tags: - $ref: '#/components/schemas/Alerting_tags' - throttle: - $ref: '#/components/schemas/Alerting_throttle' - Alerting_create_siem_new_terms_rule_request: - title: Create new terms rule request - description: A rule that finds documents with values that appear for the first time. - type: object - required: - - consumer - - name - - params - - rule_type_id - - schedule - properties: - actions: - $ref: '#/components/schemas/Alerting_actions' - consumer: - $ref: '#/components/schemas/Alerting_consumer' - enabled: - $ref: '#/components/schemas/Alerting_enabled_rule' - name: - $ref: '#/components/schemas/Alerting_name_rule' - notify_when: - $ref: '#/components/schemas/Alerting_notify_when' - params: - type: object - description: The parameters for a new terms rule. - additionalProperties: true - rule_type_id: - type: string - description: >- - The ID of the rule type that you want to call when the rule is - scheduled to run. - enum: - - siem.newTermsRule - schedule: - $ref: '#/components/schemas/Alerting_schedule' - tags: - $ref: '#/components/schemas/Alerting_tags' - throttle: - $ref: '#/components/schemas/Alerting_throttle' - Alerting_create_siem_notifications_rule_request: - title: Create security solution notification (legacy) rule request - type: object - required: - - consumer - - name - - params - - rule_type_id - - schedule - properties: - actions: - $ref: '#/components/schemas/Alerting_actions' - consumer: - $ref: '#/components/schemas/Alerting_consumer' - enabled: - $ref: '#/components/schemas/Alerting_enabled_rule' - name: - $ref: '#/components/schemas/Alerting_name_rule' - notify_when: - $ref: '#/components/schemas/Alerting_notify_when' - params: - type: object - description: The parameters for a notification rule. 
- additionalProperties: true - rule_type_id: - type: string - description: >- - The ID of the rule type that you want to call when the rule is - scheduled to run. - enum: - - siem.notifications - schedule: - $ref: '#/components/schemas/Alerting_schedule' - tags: - $ref: '#/components/schemas/Alerting_tags' - throttle: - $ref: '#/components/schemas/Alerting_throttle' - Alerting_create_siem_query_rule_request: - title: Create custom query rule request - description: | - A rule that uses KQL or Lucene to detect issues across indices. - type: object - required: - - consumer - - name - - params - - rule_type_id - - schedule - properties: - actions: - $ref: '#/components/schemas/Alerting_actions' - consumer: - $ref: '#/components/schemas/Alerting_consumer' - enabled: - $ref: '#/components/schemas/Alerting_enabled_rule' - name: - $ref: '#/components/schemas/Alerting_name_rule' - notify_when: - $ref: '#/components/schemas/Alerting_notify_when' - params: - type: object - description: The parameters for a custom query rule. - additionalProperties: true - rule_type_id: - type: string - description: >- - The ID of the rule type that you want to call when the rule is - scheduled to run. - enum: - - siem.queryRule - schedule: - $ref: '#/components/schemas/Alerting_schedule' - tags: - $ref: '#/components/schemas/Alerting_tags' - throttle: - $ref: '#/components/schemas/Alerting_throttle' - Alerting_create_siem_saved_query_rule_request: - title: Create saved query rule request - description: > - A rule that searches the defined indices and creates an alert when a - document matches the saved search. 
- type: object - required: - - consumer - - name - - params - - rule_type_id - - schedule - properties: - actions: - $ref: '#/components/schemas/Alerting_actions' - consumer: - $ref: '#/components/schemas/Alerting_consumer' - enabled: - $ref: '#/components/schemas/Alerting_enabled_rule' - name: - $ref: '#/components/schemas/Alerting_name_rule' - notify_when: - $ref: '#/components/schemas/Alerting_notify_when' - params: - type: object - description: The parameters for a saved query rule. - additionalProperties: true - rule_type_id: - type: string - description: >- - The ID of the rule type that you want to call when the rule is - scheduled to run. - enum: - - siem.savedQueryRule - schedule: - $ref: '#/components/schemas/Alerting_schedule' - tags: - $ref: '#/components/schemas/Alerting_tags' - throttle: - $ref: '#/components/schemas/Alerting_throttle' - Alerting_create_siem_threshold_rule_request: - title: Create threshold rule request - description: > - A rule that aggregates query results to detect when the number of - matches exceeds a threshold. - type: object - required: - - consumer - - name - - params - - rule_type_id - - schedule - properties: - actions: - $ref: '#/components/schemas/Alerting_actions' - consumer: - $ref: '#/components/schemas/Alerting_consumer' - enabled: - $ref: '#/components/schemas/Alerting_enabled_rule' - name: - $ref: '#/components/schemas/Alerting_name_rule' - notify_when: - $ref: '#/components/schemas/Alerting_notify_when' - params: - type: object - description: The parameters for a threshold rule. - additionalProperties: true - rule_type_id: - type: string - description: >- - The ID of the rule type that you want to call when the rule is - scheduled to run. 
- enum: - - siem.thresholdRule - schedule: - $ref: '#/components/schemas/Alerting_schedule' - tags: - $ref: '#/components/schemas/Alerting_tags' - throttle: - $ref: '#/components/schemas/Alerting_throttle' - Alerting_create_slo_burn_rate_rule_request: - title: Create slo burn rate rule request - description: > - A rule that detects when the burn rate is above a defined threshold for - two different lookback periods. The two periods are a long period and a - short period that is 1/12th of the long period. For each lookback - period, the burn rate is computed as the error rate divided by the error - budget. When the burn rates for both periods surpass the threshold, an - alert occurs. - type: object - required: - - consumer - - name - - params - - rule_type_id - - schedule - properties: - actions: - $ref: '#/components/schemas/Alerting_actions' - alert_delay: - $ref: '#/components/schemas/Alerting_alert_delay' - consumer: - $ref: '#/components/schemas/Alerting_consumer' - enabled: - $ref: '#/components/schemas/Alerting_enabled_rule' - name: - $ref: '#/components/schemas/Alerting_name_rule' - notify_when: - $ref: '#/components/schemas/Alerting_notify_when' - params: - $ref: '#/components/schemas/Alerting_params_property_slo_burn_rate' - rule_type_id: - type: string - description: >- - The ID of the rule type that you want to call when the rule is - scheduled to run. - enum: - - slo.rules.burnRate - schedule: - $ref: '#/components/schemas/Alerting_schedule' - tags: - $ref: '#/components/schemas/Alerting_tags' - throttle: - $ref: '#/components/schemas/Alerting_throttle' - Alerting_create_synthetics_monitor_status_rule_request: - title: Create synthetics monitor status rule request - description: >- - A rule that detects when a monitor is down or an availability threshold - is breached. 
- type: object - required: - - consumer - - name - - params - - rule_type_id - - schedule - properties: - actions: - $ref: '#/components/schemas/Alerting_actions' - alert_delay: - $ref: '#/components/schemas/Alerting_alert_delay' - consumer: - $ref: '#/components/schemas/Alerting_consumer' - enabled: - $ref: '#/components/schemas/Alerting_enabled_rule' - name: - $ref: '#/components/schemas/Alerting_name_rule' - notify_when: - $ref: '#/components/schemas/Alerting_notify_when' - params: - type: object - description: The parameters for the synthetics monitor status rule. - additionalProperties: true - rule_type_id: - type: string - description: >- - The ID of the rule type that you want to call when the rule is - scheduled to run. - enum: - - xpack.synthetics.alerts.monitorStatus - schedule: - $ref: '#/components/schemas/Alerting_schedule' - tags: - $ref: '#/components/schemas/Alerting_tags' - throttle: - $ref: '#/components/schemas/Alerting_throttle' - Alerting_create_synthetics_uptime_duration_anomaly_rule_request: - title: Create synthetics uptime duration anomaly rule request - description: > - A rule that detects response durations for all of the geographic - locations of each monitor. When a monitor runs for an unusual amount of - time, at a particular time, an anomaly is recorded. - type: object - required: - - consumer - - name - - params - - rule_type_id - - schedule - properties: - actions: - $ref: '#/components/schemas/Alerting_actions' - alert_delay: - $ref: '#/components/schemas/Alerting_alert_delay' - consumer: - $ref: '#/components/schemas/Alerting_consumer' - enabled: - $ref: '#/components/schemas/Alerting_enabled_rule' - name: - $ref: '#/components/schemas/Alerting_name_rule' - notify_when: - $ref: '#/components/schemas/Alerting_notify_when' - params: - type: object - description: The parameters for the uptime duration anomaly rule. 
- additionalProperties: true - rule_type_id: - type: string - description: >- - The ID of the rule type that you want to call when the rule is - scheduled to run. - enum: - - xpack.uptime.alerts.durationAnomaly - schedule: - $ref: '#/components/schemas/Alerting_schedule' - tags: - $ref: '#/components/schemas/Alerting_tags' - throttle: - $ref: '#/components/schemas/Alerting_throttle' - Alerting_create_synthetics_uptime_tls_rule_request: - title: Create synthetics uptime TLS rule request - type: object - required: - - consumer - - name - - params - - rule_type_id - - schedule - properties: - actions: - $ref: '#/components/schemas/Alerting_actions' - consumer: - $ref: '#/components/schemas/Alerting_consumer' - enabled: - $ref: '#/components/schemas/Alerting_enabled_rule' - name: - $ref: '#/components/schemas/Alerting_name_rule' - notify_when: - $ref: '#/components/schemas/Alerting_notify_when' - params: - $ref: '#/components/schemas/Alerting_params_property_synthetics_uptime_tls' - rule_type_id: - type: string - description: >- - The ID of the rule type that you want to call when the rule is - scheduled to run. - enum: - - xpack.uptime.alerts.tls - schedule: - $ref: '#/components/schemas/Alerting_schedule' - tags: - $ref: '#/components/schemas/Alerting_tags' - throttle: - $ref: '#/components/schemas/Alerting_throttle' - Alerting_create_synthetics_uptime_tls_certificate_rule_request: - title: Create TLS certificate rule request - description: > - A rule that detects when a monitor has a TLS certificate expiring or - when it exceeds an age limit. 
- type: object - required: - - consumer - - name - - params - - rule_type_id - - schedule - properties: - actions: - $ref: '#/components/schemas/Alerting_actions' - alert_delay: - $ref: '#/components/schemas/Alerting_alert_delay' - consumer: - $ref: '#/components/schemas/Alerting_consumer' - enabled: - $ref: '#/components/schemas/Alerting_enabled_rule' - name: - $ref: '#/components/schemas/Alerting_name_rule' - notify_when: - $ref: '#/components/schemas/Alerting_notify_when' - params: - type: object - description: The parameters for a TLS certificate rule. - additionalProperties: true - rule_type_id: - type: string - description: >- - The ID of the rule type that you want to call when the rule is - scheduled to run. - enum: - - xpack.uptime.alerts.tlsCertificate - schedule: - $ref: '#/components/schemas/Alerting_schedule' - tags: - $ref: '#/components/schemas/Alerting_tags' - throttle: - $ref: '#/components/schemas/Alerting_throttle' - Alerting_create_transform_health_rule_request: - title: Create transform health rule request - description: > - A rule that monitors transforms health and alerts if an operational - issue occurred. - type: object - required: - - consumer - - name - - params - - rule_type_id - - schedule - properties: - actions: - $ref: '#/components/schemas/Alerting_actions' - alert_delay: - $ref: '#/components/schemas/Alerting_alert_delay' - consumer: - $ref: '#/components/schemas/Alerting_consumer' - enabled: - $ref: '#/components/schemas/Alerting_enabled_rule' - name: - $ref: '#/components/schemas/Alerting_name_rule' - notify_when: - $ref: '#/components/schemas/Alerting_notify_when' - params: - type: object - description: The parameters for a transform health rule. - additionalProperties: true - rule_type_id: - type: string - description: >- - The ID of the rule type that you want to call when the rule is - scheduled to run. 
- enum: - - transform_health - schedule: - $ref: '#/components/schemas/Alerting_schedule' - tags: - $ref: '#/components/schemas/Alerting_tags' - throttle: - $ref: '#/components/schemas/Alerting_throttle' - Alerting_create_uptime_monitor_status_rule_request: - title: Create uptime monitor status rule request - description: A rule that detects monitor errors and outages. - type: object - required: - - consumer - - name - - params - - rule_type_id - - schedule - properties: - actions: - $ref: '#/components/schemas/Alerting_actions' - alert_delay: - $ref: '#/components/schemas/Alerting_alert_delay' - consumer: - $ref: '#/components/schemas/Alerting_consumer' - enabled: - $ref: '#/components/schemas/Alerting_enabled_rule' - name: - $ref: '#/components/schemas/Alerting_name_rule' - notify_when: - $ref: '#/components/schemas/Alerting_notify_when' - params: - $ref: >- - #/components/schemas/Alerting_params_property_synthetics_monitor_status - rule_type_id: - type: string - description: >- - The ID of the rule type that you want to call when the rule is - scheduled to run. - enum: - - xpack.uptime.alerts.monitorStatus - schedule: - $ref: '#/components/schemas/Alerting_schedule' - tags: - $ref: '#/components/schemas/Alerting_tags' - throttle: - $ref: '#/components/schemas/Alerting_throttle' - Alerting_filter: - type: object - description: >- - A filter written in Elasticsearch Query Domain Specific Language (DSL) - as defined in the `kbn-es-query` package. 
- properties: - meta: - type: object - properties: - alias: - type: string - nullable: true - controlledBy: - type: string - disabled: - type: boolean - field: - type: string - group: - type: string - index: - type: string - isMultiIndex: - type: boolean - key: - type: string - negate: - type: boolean - params: - type: object - type: - type: string - value: - type: string - query: - type: object - $state: - type: object - Alerting_notify_when_action: - type: string - description: > - Indicates how often alerts generate actions. Valid values include: - `onActionGroupChange`: Actions run when the alert status changes; - `onActiveAlert`: Actions run when the alert becomes active and at each - check interval while the rule conditions are met; `onThrottleInterval`: - Actions run when the alert becomes active and at the interval specified - in the throttle property while the rule conditions are met. NOTE: You - cannot specify `notify_when` at both the rule and action level. The - recommended method is to set it for each action. If you set it at the - rule level then update the rule in Kibana, it is automatically changed - to use action-specific values. - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - example: onActiveAlert - Alerting_throttle_action: - type: string - nullable: true - description: > - The throttle interval, which defines how often an alert generates - repeated actions. It is specified in seconds, minutes, hours, or days - and is applicable only if `notify_when` is set to `onThrottleInterval`. - NOTE: You cannot specify the throttle interval at both the rule and - action level. The recommended method is to set it for each action. If - you set it at the rule level then update the rule in Kibana, it is - automatically changed to use action-specific values. 
- default: null - example: 10m - Alerting_actions: - type: array - default: [] - nullable: true - items: - type: object - required: - - group - - id - - params - description: | - An action that runs under defined conditions. - properties: - alerts_filter: - type: object - description: > - Conditions that affect whether the action runs. If you specify - multiple conditions, all conditions must be met for the action to - run. For example, if an alert occurs within the specified time - frame and matches the query, the action runs. - properties: - query: - type: object - description: >- - Defines a query filter that determines whether the action - runs. - properties: - kql: - type: string - description: A filter written in Kibana Query Language (KQL). - filters: - type: array - items: - $ref: '#/components/schemas/Alerting_filter' - timeframe: - type: object - description: Defines a period that limits whether the action runs. - properties: - days: - type: array - description: >- - Defines the days of the week that the action can run, - represented as an array of numbers. For example, `1` - represents Monday. An empty array is equivalent to - specifying all the days of the week. - items: - type: integer - example: - - 1 - - 2 - - 3 - - 4 - - 5 - hours: - type: object - description: > - Defines the range of time in a day that the action can - run. If the `start` value is `00:00` and the `end` value - is `24:00`, actions be generated all day. - properties: - end: - type: string - description: >- - The end of the time frame in 24-hour notation - (`hh:mm`). - example: '17:00' - start: - type: string - description: >- - The start of the time frame in 24-hour notation - (`hh:mm`). - example: '08:00' - timezone: - type: string - description: > - The ISO time zone for the `hours` values. Values such as - `UTC` and `UTC+1` also work but lack built-in daylight - savings time support and are not recommended. 
- example: Europe/Madrid - connector_type_id: - type: string - description: >- - The type of connector. This property appears in responses but - cannot be set in requests. - example: .server-log - readOnly: true - frequency: - type: object - description: > - The properties that affect how often actions are generated. If the - rule type supports setting `summary` to `true`, the action can be - a summary of alerts at the specified notification interval. - Otherwise, an action runs for each alert at the specified - notification interval. NOTE: You cannot specify these parameters - when `notify_when` or `throttle` are defined at the rule level. - required: - - notify_when - - summary - properties: - notify_when: - $ref: '#/components/schemas/Alerting_notify_when_action' - summary: - type: boolean - description: Indicates whether the action is a summary. - throttle: - $ref: '#/components/schemas/Alerting_throttle_action' - group: - type: string - description: > - The group name, which affects when the action runs (for example, - when the threshold is met or when the alert is recovered). Each - rule type has a list of valid action group names. If you don't - need to group actions, set to `default`. - example: default - id: - type: string - description: The identifier for the connector saved object. - example: 9dca3e00-74f5-11ed-9801-35303b735aef - params: - type: object - description: >- - The parameters for the action, which are sent to the connector. - The `params` are handled as Mustache templates and passed a - default set of context. - additionalProperties: true - uuid: - type: string - description: A universally unique identifier (UUID) for the action. - example: 1c7a1280-f28c-4e06-96b2-e4e5f05d1d61 - Alerting_alert_delay: - type: object - description: >- - Indicates that an alert occurs only when the specified number of - consecutive runs met the rule conditions. 
- required: - - active - properties: - active: - type: number - description: The number of consecutive runs that must meet the rule conditions. - example: 3 - Alerting_consumer: - type: string - description: > - The name of the application or feature that owns the rule. For example: - `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, - `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`. - Alerting_enabled_rule: - type: boolean - description: >- - Indicates whether you want to run the rule on an interval basis after it - is created. - Alerting_name_rule: - type: string - description: > - The name of the rule. While this name does not have to be unique, a - distinctive name can help you identify a rule. - Alerting_notify_when: - type: string - description: > - Deprecated in 8.13.0. Use the `notify_when` property in the action - `frequency` object instead. Indicates how often alerts generate actions. - NOTE: You cannot specify `notify_when` at both the rule and action - level. If you set it at the rule level then update the rule in Kibana, - it is automatically changed to use action-specific values. - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - deprecated: true - example: onActiveAlert - Alerting_schedule: - type: object - description: >- - The check interval, which specifies how frequently the rule conditions - are checked. The interval is specified in seconds, minutes, hours, or - days. - properties: - interval: - type: string - example: 1m - Alerting_tags: - type: array - description: The tags for the rule. - items: - type: string - default: [] - Alerting_throttle: - type: string - description: > - Deprecated in 8.13.0. Use the `throttle` property in the action - `frequency` object instead. The throttle interval, which defines how - often an alert generates repeated actions. NOTE: You cannot specify the - throttle interval at both the rule and action level. 
If you set it at - the rule level then update the rule in Kibana, it is automatically - changed to use action-specific values. - nullable: true - default: null - deprecated: true - example: 10m - Alerting_params_property_apm_anomaly: - required: - - windowSize - - windowUnit - - environment - - anomalySeverityType - properties: - serviceName: - type: string - description: The service name from APM - transactionType: - type: string - description: The transaction type from APM - windowSize: - type: number - example: 6 - description: The window size - windowUnit: - type: string - description: The window size unit - enum: - - m - - h - - d - environment: - type: string - description: The environment from APM - anomalySeverityType: - type: string - description: The anomaly threshold value - enum: - - critical - - major - - minor - - warning - Alerting_params_property_apm_error_count: - required: - - windowSize - - windowUnit - - threshold - - environment - properties: - serviceName: - type: string - description: The service name from APM - windowSize: - type: number - description: The window size - example: 6 - windowUnit: - type: string - description: The window size unit - enum: - - m - - h - - d - environment: - type: string - description: The environment from APM - threshold: - type: number - description: The error count threshold value - groupBy: - type: array - default: - - service.name - - service.environment - uniqueItems: true - items: - type: string - enum: - - service.name - - service.environment - - transaction.name - - error.grouping_key - errorGroupingKey: - type: string - Alerting_params_property_apm_transaction_duration: - required: - - windowSize - - windowUnit - - threshold - - environment - - aggregationType - properties: - serviceName: - type: string - description: The service name from APM - transactionType: - type: string - description: The transaction type from APM - transactionName: - type: string - description: The transaction name from APM - 
windowSize: - type: number - description: The window size - example: 6 - windowUnit: - type: string - description: ç - enum: - - m - - h - - d - environment: - type: string - threshold: - type: number - description: The latency threshold value - groupBy: - type: array - default: - - service.name - - service.environment - - transaction.type - uniqueItems: true - items: - type: string - enum: - - service.name - - service.environment - - transaction.type - - transaction.name - aggregationType: - type: string - enum: - - avg - - 95th - - 99th - Alerting_params_property_apm_transaction_error_rate: - required: - - windowSize - - windowUnit - - threshold - - environment - properties: - serviceName: - type: string - description: The service name from APM - transactionType: - type: string - description: The transaction type from APM - transactionName: - type: string - description: The transaction name from APM - windowSize: - type: number - description: The window size - example: 6 - windowUnit: - type: string - description: The window size unit - enum: - - m - - h - - d - environment: - type: string - description: The environment from APM - threshold: - type: number - description: The error rate threshold value - groupBy: - type: array - default: - - service.name - - service.environment - - transaction.type - uniqueItems: true - items: - type: string - enum: - - service.name - - service.environment - - transaction.type - - transaction.name - Alerting_aggfield: - description: > - The name of the numeric field that is used in the aggregation. This - property is required when `aggType` is `avg`, `max`, `min` or `sum`. - type: string - Alerting_aggtype: - description: The type of aggregation to perform. - type: string - enum: - - avg - - count - - max - - min - - sum - default: count - Alerting_excludehitsfrompreviousrun: - description: > - Indicates whether to exclude matches from previous runs. 
If `true`, you - can avoid alert duplication by excluding documents that have already - been detected by the previous rule run. This option is not available - when a grouping field is specified. - type: boolean - Alerting_groupby: - description: > - Indicates whether the aggregation is applied over all documents (`all`) - or split into groups (`top`) using a grouping field (`termField`). If - grouping is used, an alert will be created for each group when it - exceeds the threshold; only the top groups (up to `termSize` number of - groups) are checked. - type: string - enum: - - all - - top - default: all - Alerting_termsize: - description: > - This property is required when `groupBy` is `top`. It specifies the - number of groups to check against the threshold and therefore limits the - number of alerts on high cardinality fields. - type: integer - Alerting_timefield: - description: The field that is used to calculate the time window. - type: string - Alerting_timewindowsize: - description: > - The size of the time window (in `timeWindowUnit` units), which - determines how far back to search for documents. Generally it should be - a value higher than the rule check interval to avoid gaps in detection. - type: integer - example: 5 - Alerting_timewindowunit: - description: | - The type of units for the time window: seconds, minutes, hours, or days. - type: string - enum: - - s - - m - - h - - d - example: m - Alerting_size: - description: > - The number of documents to pass to the configured actions when the - threshold condition is met. - type: integer - Alerting_termfield: - description: > - The names of up to four fields that are used for grouping the - aggregation. This property is required when `groupBy` is `top`. - oneOf: - - type: string - - type: array - items: - type: string - maxItems: 4 - Alerting_threshold: - description: > - The threshold value that is used with the `thresholdComparator`. 
If the - `thresholdComparator` is `between` or `notBetween`, you must specify the - boundary values. - type: array - items: - type: integer - example: 4000 - Alerting_thresholdcomparator: - description: >- - The comparison function for the threshold. For example, "is above", "is - above or equals", "is below", "is below or equals", "is between", and - "is not between". - type: string - enum: - - '>' - - '>=' - - < - - <= - - between - - notBetween - example: '>' - Alerting_params_es_query_rule: - oneOf: - - type: object - x-technical-preview: true - description: > - The parameters for an Elasticsearch query rule that uses ES|QL to - define the query. This functionality is in technical pre view and - may be changed or removed in a future release. Elastic will work to - fix any issues, but features in technical preview are not subject to - the support SLA of official GA features. - required: - - esqlQuery - - searchType - - size - - threshold - - thresholdComparator - - timeWindowSize - - timeWindowUnit - properties: - aggField: - $ref: '#/components/schemas/Alerting_aggfield' - aggType: - $ref: '#/components/schemas/Alerting_aggtype' - esqlQuery: - type: object - required: - - esql - properties: - esql: - description: >- - The query definition, which uses Elasticsearch Query - Language. - type: string - excludeHitsFromPreviousRun: - $ref: '#/components/schemas/Alerting_excludehitsfrompreviousrun' - groupBy: - $ref: '#/components/schemas/Alerting_groupby' - searchType: - description: >- - The type of query, in this case a query that uses Elasticsearch - Query Language (ES|QL). - type: string - enum: - - esqlQuery - example: esqlQuery - size: - type: integer - description: > - When `searchType` is `esqlQuery`, this property is required but - it does not affect the rule behavior. 
- example: 0 - termSize: - $ref: '#/components/schemas/Alerting_termsize' - threshold: - type: array - items: - type: integer - minimum: 0 - maximum: 0 - description: > - The threshold value that is used with the `thresholdComparator`. - When `searchType` is `esqlQuery`, this property is required and - must be set to zero. - thresholdComparator: - type: string - description: > - The comparison function for the threshold. When `searchType` is - `esqlQuery`, this property is required and must be set to ">". - Since the `threshold` value must be `0`, the result is that an - alert occurs whenever the query returns results. - enum: - - '>' - example: '>' - timeField: - $ref: '#/components/schemas/Alerting_timefield' - timeWindowSize: - $ref: '#/components/schemas/Alerting_timewindowsize' - timeWindowUnit: - $ref: '#/components/schemas/Alerting_timewindowunit' - - type: object - description: >- - The parameters for an Elasticsearch query rule that uses KQL or - Lucene to define the query. - required: - - searchType - - size - - threshold - - thresholdComparator - - timeWindowSize - - timeWindowUnit - properties: - aggField: - $ref: '#/components/schemas/Alerting_aggfield' - aggType: - $ref: '#/components/schemas/Alerting_aggtype' - excludeHitsFromPreviousRun: - $ref: '#/components/schemas/Alerting_excludehitsfrompreviousrun' - groupBy: - $ref: '#/components/schemas/Alerting_groupby' - searchConfiguration: - description: >- - The query definition, which uses KQL or Lucene to fetch the - documents from Elasticsearch. - type: object - properties: - filter: - type: array - items: - $ref: '#/components/schemas/Alerting_filter' - index: - description: The indices to query. - oneOf: - - type: string - - type: array - items: - type: string - query: - type: object - properties: - language: - type: string - example: kuery - query: - type: string - searchType: - description: >- - The type of query, in this case a text-based query that uses KQL - or Lucene. 
- type: string - enum: - - searchSource - example: searchSource - size: - $ref: '#/components/schemas/Alerting_size' - termField: - $ref: '#/components/schemas/Alerting_termfield' - termSize: - $ref: '#/components/schemas/Alerting_termsize' - threshold: - $ref: '#/components/schemas/Alerting_threshold' - thresholdComparator: - $ref: '#/components/schemas/Alerting_thresholdcomparator' - timeField: - $ref: '#/components/schemas/Alerting_timefield' - timeWindowSize: - $ref: '#/components/schemas/Alerting_timewindowsize' - timeWindowUnit: - $ref: '#/components/schemas/Alerting_timewindowunit' - - type: object - description: >- - The parameters for an Elasticsearch query rule that uses - Elasticsearch Query DSL to define the query. - required: - - esQuery - - index - - threshold - - thresholdComparator - - timeField - - timeWindowSize - - timeWindowUnit - properties: - aggField: - $ref: '#/components/schemas/Alerting_aggfield' - aggType: - $ref: '#/components/schemas/Alerting_aggtype' - esQuery: - description: The query definition, which uses Elasticsearch Query DSL. - type: string - excludeHitsFromPreviousRun: - $ref: '#/components/schemas/Alerting_excludehitsfrompreviousrun' - groupBy: - $ref: '#/components/schemas/Alerting_groupby' - index: - description: The indices to query. - oneOf: - - type: array - items: - type: string - - type: string - searchType: - description: >- - The type of query, in this case a query that uses Elasticsearch - Query DSL. 
- type: string - enum: - - esQuery - default: esQuery - example: esQuery - size: - $ref: '#/components/schemas/Alerting_size' - termField: - $ref: '#/components/schemas/Alerting_termfield' - termSize: - $ref: '#/components/schemas/Alerting_termsize' - threshold: - $ref: '#/components/schemas/Alerting_threshold' - thresholdComparator: - $ref: '#/components/schemas/Alerting_thresholdcomparator' - timeField: - $ref: '#/components/schemas/Alerting_timefield' - timeWindowSize: - $ref: '#/components/schemas/Alerting_timewindowsize' - timeWindowUnit: - $ref: '#/components/schemas/Alerting_timewindowunit' - Alerting_params_index_threshold_rule: - type: object - description: The parameters for an index threshold rule. - required: - - index - - threshold - - thresholdComparator - - timeField - - timeWindowSize - - timeWindowUnit - properties: - aggField: - $ref: '#/components/schemas/Alerting_aggfield' - aggType: - $ref: '#/components/schemas/Alerting_aggtype' - filterKuery: - description: A KQL expression thats limits the scope of alerts. - type: string - groupBy: - $ref: '#/components/schemas/Alerting_groupby' - index: - description: The indices to query. 
- type: array - items: - type: string - termField: - $ref: '#/components/schemas/Alerting_termfield' - termSize: - $ref: '#/components/schemas/Alerting_termsize' - threshold: - $ref: '#/components/schemas/Alerting_threshold' - thresholdComparator: - $ref: '#/components/schemas/Alerting_thresholdcomparator' - timeField: - $ref: '#/components/schemas/Alerting_timefield' - timeWindowSize: - $ref: '#/components/schemas/Alerting_timewindowsize' - timeWindowUnit: - $ref: '#/components/schemas/Alerting_timewindowunit' - Alerting_params_property_infra_inventory: - properties: - criteria: - type: array - items: - type: object - properties: - metric: - type: string - enum: - - count - - cpu - - diskLatency - - load - - memory - - memoryTotal - - tx - - rx - - logRate - - diskIOReadBytes - - diskIOWriteBytes - - s3TotalRequests - - s3NumberOfObjects - - s3BucketSize - - s3DownloadBytes - - s3UploadBytes - - rdsConnections - - rdsQueriesExecuted - - rdsActiveTransactions - - rdsLatency - - sqsMessagesVisible - - sqsMessagesDelayed - - sqsMessagesSent - - sqsMessagesEmpty - - sqsOldestMessage - - custom - timeSize: - type: number - timeUnit: - type: string - enum: - - s - - m - - h - - d - sourceId: - type: string - threshold: - type: array - items: - type: number - comparator: - type: string - enum: - - < - - <= - - '>' - - '>=' - - between - - outside - customMetric: - type: object - properties: - type: - type: string - enum: - - custom - field: - type: string - aggregation: - type: string - enum: - - avg - - max - - min - - rate - id: - type: string - label: - type: string - warningThreshold: - type: array - items: - type: number - warningComparator: - type: string - enum: - - < - - <= - - '>' - - '>=' - - between - - outside - filterQuery: - type: string - filterQueryText: - type: string - nodeType: - type: string - enum: - - host - - pod - - container - - awsEC2 - - awsS3 - - awsSQS - - awsRDS - sourceId: - type: string - alertOnNoData: - type: boolean - 
Alerting_params_property_infra_metric_threshold: - properties: - criteria: - type: array - items: - oneOf: - - title: non count criterion - type: object - properties: - threshold: - type: array - items: - type: number - comparator: - type: string - enum: - - < - - <= - - '>' - - '>=' - - between - - outside - timeUnit: - type: string - timeSize: - type: number - warningThreshold: - type: array - items: - type: number - warningComparator: - type: string - enum: - - < - - <= - - '>' - - '>=' - - between - - outside - metric: - type: string - aggType: - type: string - enum: - - avg - - max - - min - - cardinality - - rate - - count - - sum - - p95 - - p99 - - custom - - title: count criterion - type: object - properties: - threshold: - type: array - items: - type: number - comparator: - type: string - enum: - - < - - <= - - '>' - - '>=' - - between - - outside - timeUnit: - type: string - timeSize: - type: number - warningThreshold: - type: array - items: - type: number - warningComparator: - type: string - enum: - - < - - <= - - '>' - - '>=' - - between - - outside - aggType: - type: string - enum: - - count - - title: custom criterion - type: object - properties: - threshold: - type: array - items: - type: number - comparator: - type: string - enum: - - < - - <= - - '>' - - '>=' - - between - - outside - timeUnit: - type: string - timeSize: - type: number - warningThreshold: - type: array - items: - type: number - warningComparator: - type: string - enum: - - < - - <= - - '>' - - '>=' - - between - - outside - aggType: - type: string - enum: - - custom - customMetric: - type: array - items: - oneOf: - - type: object - properties: - name: - type: string - aggType: - type: string - enum: - - avg - - sum - - max - - min - - cardinality - field: - type: string - - type: object - properties: - name: - type: string - aggType: - type: string - enum: - - count - filter: - type: string - equation: - type: string - label: - type: string - groupBy: - oneOf: - - type: string - 
- type: array - items: - type: string - filterQuery: - type: string - sourceId: - type: string - alertOnNoData: - type: boolean - alertOnGroupDisappear: - type: boolean - Alerting_params_property_log_threshold: - oneOf: - - title: Count - type: object - required: - - count - - timeSize - - timeUnit - - logView - properties: - criteria: - type: array - items: - type: object - properties: - field: - type: string - example: my.field - comparator: - type: string - enum: - - more than - - more than or equals - - less than - - less than or equals - - equals - - does not equal - - matches - - does not match - - matches phrase - - does not match phrase - value: - oneOf: - - type: number - example: 42 - - type: string - example: value - count: - type: object - properties: - comparator: - type: string - enum: - - more than - - more than or equals - - less than - - less than or equals - - equals - - does not equal - - matches - - does not match - - matches phrase - - does not match phrase - value: - type: number - example: 100 - timeSize: - type: number - example: 6 - timeUnit: - type: string - enum: - - s - - m - - h - - d - logView: - type: object - properties: - logViewId: - type: string - type: - type: string - enum: - - log-view-reference - example: log-view-reference - groupBy: - type: array - items: - type: string - - title: Ratio - type: object - required: - - count - - timeSize - - timeUnit - - logView - properties: - criteria: - type: array - items: - minItems: 2 - maxItems: 2 - type: array - items: - type: object - properties: - field: - type: string - example: my.field - comparator: - type: string - enum: - - more than - - more than or equals - - less than - - less than or equals - - equals - - does not equal - - matches - - does not match - - matches phrase - - does not match phrase - value: - oneOf: - - type: number - example: 42 - - type: string - example: value - count: - type: object - properties: - comparator: - type: string - enum: - - more than - - more 
than or equals - - less than - - less than or equals - - equals - - does not equal - - matches - - does not match - - matches phrase - - does not match phrase - value: - type: number - example: 100 - timeSize: - type: number - example: 6 - timeUnit: - type: string - enum: - - s - - m - - h - - d - logView: - type: object - properties: - logViewId: - type: string - type: - type: string - enum: - - log-view-reference - example: log-view-reference - groupBy: - type: array - items: - type: string - Alerting_params_property_slo_burn_rate: - properties: - sloId: - description: The SLO identifier used by the rule - type: string - example: 8853df00-ae2e-11ed-90af-09bb6422b258 - burnRateThreshold: - description: The burn rate threshold used to trigger the alert - type: number - example: 14.4 - maxBurnRateThreshold: - description: >- - The maximum burn rate threshold value defined by the SLO error - budget - type: number - example: 168 - longWindow: - description: The duration of the long window used to compute the burn rate - type: object - properties: - value: - description: The duration value - type: number - example: 6 - unit: - description: The duration unit - type: string - example: h - shortWindow: - description: The duration of the short window used to compute the burn rate - type: object - properties: - value: - description: The duration value - type: number - example: 30 - unit: - description: The duration unit - type: string - example: m - Alerting_params_property_synthetics_uptime_tls: - properties: - search: - type: string - certExpirationThreshold: - type: number - certAgeThreshold: - type: number - Alerting_params_property_synthetics_monitor_status: - required: - - numTimes - - shouldCheckStatus - - shouldCheckAvailability - properties: - availability: - type: object - properties: - range: - type: number - rangeUnit: - type: string - threshold: - type: string - filters: - oneOf: - - type: string - - type: object - deprecated: true - properties: - monitor.type: 
- type: array - items: - type: string - observer.geo.name: - type: array - items: - type: string - tags: - type: array - items: - type: string - url.port: - type: array - items: - type: string - locations: - deprecated: true - type: array - items: - type: string - numTimes: - type: number - search: - type: string - shouldCheckStatus: - type: boolean - shouldCheckAvailability: - type: boolean - timerangeCount: - type: number - timerangeUnit: - type: string - timerange: - deprecated: true - type: object - properties: - from: - type: string - to: - type: string - version: - type: number - isAutoGenerated: - type: boolean - Alerting_create_rule_request: - title: Create rule request body properties - description: The properties vary depending on the rule type. - oneOf: - - $ref: >- - #/components/schemas/Alerting_create_anomaly_detection_alert_rule_request - - $ref: >- - #/components/schemas/Alerting_create_anomaly_detection_jobs_health_rule_request - - $ref: '#/components/schemas/Alerting_create_apm_anomaly_rule_request' - - $ref: '#/components/schemas/Alerting_create_apm_error_count_rule_request' - - $ref: >- - #/components/schemas/Alerting_create_apm_transaction_duration_rule_request - - $ref: >- - #/components/schemas/Alerting_create_apm_transaction_error_rate_rule_request - - $ref: '#/components/schemas/Alerting_create_es_query_rule_request' - - $ref: '#/components/schemas/Alerting_create_geo_containment_rule_request' - - $ref: '#/components/schemas/Alerting_create_index_threshold_rule_request' - - $ref: '#/components/schemas/Alerting_create_infra_inventory_rule_request' - - $ref: >- - #/components/schemas/Alerting_create_infra_metric_anomaly_rule_request - - $ref: >- - #/components/schemas/Alerting_create_infra_metric_threshold_rule_request - - $ref: >- - #/components/schemas/Alerting_create_monitoring_jvm_memory_usage_rule_request - - $ref: '#/components/schemas/Alerting_create_log_threshold_rule_request' - - $ref: >- - 
#/components/schemas/Alerting_create_monitoring_ccr_exceptions_rule_request - - $ref: >- - #/components/schemas/Alerting_create_monitoring_cluster_health_rule_request - - $ref: >- - #/components/schemas/Alerting_create_monitoring_cpu_usage_rule_request - - $ref: >- - #/components/schemas/Alerting_create_monitoring_disk_usage_rule_request - - $ref: >- - #/components/schemas/Alerting_create_monitoring_elasticsearch_version_mismatch_rule_request - - $ref: >- - #/components/schemas/Alerting_create_monitoring_license_expiration_rule_request - - $ref: >- - #/components/schemas/Alerting_create_monitoring_kibana_version_mismatch_rule_request - - $ref: >- - #/components/schemas/Alerting_create_monitoring_logstash_version_mismatch_rule_request - - $ref: >- - #/components/schemas/Alerting_create_monitoring_missing_data_rule_request - - $ref: >- - #/components/schemas/Alerting_create_monitoring_nodes_changed_rule_request - - $ref: >- - #/components/schemas/Alerting_create_monitoring_shard_size_rule_request - - $ref: >- - #/components/schemas/Alerting_create_monitoring_thread_pool_search_rejections_rule_request - - $ref: >- - #/components/schemas/Alerting_create_monitoring_thread_pool_write_rejections_rule_request - - $ref: '#/components/schemas/Alerting_create_siem_eql_rule_request' - - $ref: '#/components/schemas/Alerting_create_siem_indicator_rule_request' - - $ref: '#/components/schemas/Alerting_create_siem_ml_rule_request' - - $ref: '#/components/schemas/Alerting_create_siem_new_terms_rule_request' - - $ref: '#/components/schemas/Alerting_create_siem_notifications_rule_request' - - $ref: '#/components/schemas/Alerting_create_siem_query_rule_request' - - $ref: '#/components/schemas/Alerting_create_siem_saved_query_rule_request' - - $ref: '#/components/schemas/Alerting_create_siem_threshold_rule_request' - - $ref: '#/components/schemas/Alerting_create_slo_burn_rate_rule_request' - - $ref: >- - #/components/schemas/Alerting_create_synthetics_monitor_status_rule_request - - 
$ref: >- - #/components/schemas/Alerting_create_synthetics_uptime_duration_anomaly_rule_request - - $ref: >- - #/components/schemas/Alerting_create_synthetics_uptime_tls_rule_request - - $ref: >- - #/components/schemas/Alerting_create_synthetics_uptime_tls_certificate_rule_request - - $ref: '#/components/schemas/Alerting_create_transform_health_rule_request' - - $ref: >- - #/components/schemas/Alerting_create_uptime_monitor_status_rule_request - discriminator: - propertyName: rule_type_id - mapping: - xpack.ml.anomaly_detection_alert: >- - #/components/schemas/Alerting_create_anomaly_detection_alert_rule_request - xpack.ml.anomaly_detection_jobs_health: >- - #/components/schemas/Alerting_create_anomaly_detection_jobs_health_rule_request - apm.anomaly: '#/components/schemas/Alerting_create_apm_anomaly_rule_request' - apm.error_rate: '#/components/schemas/Alerting_create_apm_error_count_rule_request' - apm.transaction_duration: >- - #/components/schemas/Alerting_create_apm_transaction_duration_rule_request - apm.transaction_error_rate: >- - #/components/schemas/Alerting_create_apm_transaction_error_rate_rule_request - .es-query: '#/components/schemas/Alerting_create_es_query_rule_request' - .geo-containment: '#/components/schemas/Alerting_create_geo_containment_rule_request' - .index-threshold: '#/components/schemas/Alerting_create_index_threshold_rule_request' - metrics.alert.inventory.threshold: '#/components/schemas/Alerting_create_infra_inventory_rule_request' - metrics.alert.anomaly: >- - #/components/schemas/Alerting_create_infra_metric_anomaly_rule_request - metrics.alert.threshold: >- - #/components/schemas/Alerting_create_infra_metric_threshold_rule_request - monitoring_alert_jvm_memory_usage: >- - #/components/schemas/Alerting_create_monitoring_jvm_memory_usage_rule_request - logs.alert.document.count: '#/components/schemas/Alerting_create_log_threshold_rule_request' - monitoring_ccr_read_exceptions: >- - 
#/components/schemas/Alerting_create_monitoring_ccr_exceptions_rule_request - monitoring_alert_cluster_health: >- - #/components/schemas/Alerting_create_monitoring_cluster_health_rule_request - monitoring_alert_cpu_usage: >- - #/components/schemas/Alerting_create_monitoring_cpu_usage_rule_request - monitoring_alert_disk_usage: >- - #/components/schemas/Alerting_create_monitoring_disk_usage_rule_request - monitoring_alert_elasticsearch_version_mismatch: >- - #/components/schemas/Alerting_create_monitoring_elasticsearch_version_mismatch_rule_request - monitoring_alert_license_expiration: >- - #/components/schemas/Alerting_create_monitoring_license_expiration_rule_request - monitoring_alert_kibana_version_mismatch: >- - #/components/schemas/Alerting_create_monitoring_kibana_version_mismatch_rule_request - monitoring_alert_logstash_version_mismatch: >- - #/components/schemas/Alerting_create_monitoring_logstash_version_mismatch_rule_request - monitoring_alert_missing_monitoring_data: >- - #/components/schemas/Alerting_create_monitoring_missing_data_rule_request - monitoring_alert_nodes_changed: >- - #/components/schemas/Alerting_create_monitoring_nodes_changed_rule_request - monitoring_shard_size: >- - #/components/schemas/Alerting_create_monitoring_shard_size_rule_request - monitoring_alert_thread_pool_search_rejections: >- - #/components/schemas/Alerting_create_monitoring_thread_pool_search_rejections_rule_request - monitoring_alert_thread_pool_write_rejections: >- - #/components/schemas/Alerting_create_monitoring_thread_pool_write_rejections_rule_request - siem.eqlRule: '#/components/schemas/Alerting_create_siem_eql_rule_request' - siem.indicatorRule: '#/components/schemas/Alerting_create_siem_indicator_rule_request' - siem.mlRule: '#/components/schemas/Alerting_create_siem_ml_rule_request' - siem.newTermsRule: '#/components/schemas/Alerting_create_siem_new_terms_rule_request' - siem.notifications: 
'#/components/schemas/Alerting_create_siem_notifications_rule_request' - siem.queryRule: '#/components/schemas/Alerting_create_siem_query_rule_request' - siem.savedQueryRule: '#/components/schemas/Alerting_create_siem_saved_query_rule_request' - siem.thresholdRule: '#/components/schemas/Alerting_create_siem_threshold_rule_request' - slo.rules.burnRate: '#/components/schemas/Alerting_create_slo_burn_rate_rule_request' - xpack.synthetics.alerts.monitorStatus: >- - #/components/schemas/Alerting_create_synthetics_monitor_status_rule_request - xpack.uptime.alerts.durationAnomaly: >- - #/components/schemas/Alerting_create_synthetics_uptime_duration_anomaly_rule_request - xpack.uptime.alerts.tls: >- - #/components/schemas/Alerting_create_synthetics_uptime_tls_rule_request - xpack.uptime.alerts.tlsCertificate: >- - #/components/schemas/Alerting_create_synthetics_uptime_tls_certificate_rule_request - transform_health: '#/components/schemas/Alerting_create_transform_health_rule_request' - xpack.uptime.alerts.monitorStatus: >- - #/components/schemas/Alerting_create_uptime_monitor_status_rule_request - Alerting_rule_response_properties: - title: Rule response properties - type: object - required: - - actions - - api_key_owner - - consumer - - created_at - - created_by - - enabled - - execution_status - - id - - mute_all - - muted_alert_ids - - name - - params - - rule_type_id - - schedule - - tags - - throttle - - updated_at - - updated_by - properties: - actions: - $ref: '#/components/schemas/Alerting_actions' - alert_delay: - $ref: '#/components/schemas/Alerting_alert_delay' - api_key_created_by_user: - type: boolean - description: >- - Indicates whether the API key that is associated with the rule was - created by the user. - example: false - api_key_owner: - type: string - description: > - The owner of the API key that is associated with the rule and used - to run background tasks. 
- nullable: true - example: elastic - consumer: - type: string - description: >- - The application or feature that owns the rule. For example, - `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, - `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or - `uptime`. - example: alerts - created_at: - type: string - description: The date and time that the rule was created. - format: date-time - example: '2022-12-05T23:36:58.284Z' - created_by: - type: string - description: The identifier for the user that created the rule. - nullable: true - example: elastic - enabled: - type: boolean - description: Indicates whether the rule is currently enabled. - example: true - execution_status: - type: object - properties: - last_duration: - type: integer - example: 55 - last_execution_date: - type: string - format: date-time - example: '2022-12-06T00:13:43.890Z' - status: - type: string - example: ok - id: - type: string - description: The identifier for the rule. - example: b530fed0-74f5-11ed-9801-35303b735aef - last_run: - type: object - properties: - alerts_count: - type: object - properties: - active: - type: integer - ignored: - type: integer - new: - type: integer - recovered: - type: integer - outcome: - type: string - example: succeeded - outcome_msg: - type: array - items: - type: string - nullable: true - outcome_order: - type: integer - warning: - type: string - nullable: true - example: null - muted_alert_ids: - type: array - nullable: true - items: - type: string - mute_all: - type: boolean - example: false - name: - type: string - description: The name of the rule. - example: cluster_health_rule - next_run: - type: string - format: date-time - nullable: true - example: '2022-12-06T00:14:43.818Z' - notify_when: - type: string - description: Indicates how often alerts generate actions. - nullable: true - params: - type: object - description: The parameters for the rule. 
- additionalProperties: true - revision: - type: integer - description: The rule revision number. - rule_type_id: - type: string - description: > - The identifier for the type of rule. For example, `.es-query`, - `.index-threshold`, `logs.alert.document.count`, - `monitoring_alert_cluster_health`, `siem.thresholdRule`, or - `xpack.ml.anomaly_detection_alert`. - example: monitoring_alert_cluster_health - running: - type: boolean - description: Indicates whether the rule is running. - schedule: - $ref: '#/components/schemas/Alerting_schedule' - scheduled_task_id: - type: string - example: b530fed0-74f5-11ed-9801-35303b735aef - tags: - $ref: '#/components/schemas/Alerting_tags' - throttle: - $ref: '#/components/schemas/Alerting_throttle' - updated_at: - type: string - description: The date and time that the rule was updated most recently. - example: '2022-12-05T23:36:58.284Z' - updated_by: - type: string - description: The identifier for the user that updated this rule most recently. - nullable: true - example: elastic - Alerting_401_response: - type: object - title: Unsuccessful rule API response - properties: - error: - type: string - example: Unauthorized - enum: - - Unauthorized - message: - type: string - statusCode: - type: integer - example: 401 - enum: - - 401 - Alerting_404_response: - type: object - properties: - error: - type: string - example: Not Found - enum: - - Not Found - message: - type: string - example: Saved object [alert/caaad6d0-920c-11ed-b36a-874bd1548a00] not found - statusCode: - type: integer - example: 404 - enum: - - 404 - Alerting_update_rule_request: - title: Update rule request - description: > - The update rule API request body varies depending on the type of rule - and actions. - type: object - required: - - name - - params - - schedule - properties: - actions: - $ref: '#/components/schemas/Alerting_actions' - alert_delay: - $ref: '#/components/schemas/Alerting_alert_delay' - name: - type: string - description: The name of the rule. 
- example: cluster_health_rule - notify_when: - $ref: '#/components/schemas/Alerting_notify_when' - params: - type: object - description: The parameters for the rule. - additionalProperties: true - schedule: - $ref: '#/components/schemas/Alerting_schedule' - tags: - $ref: '#/components/schemas/Alerting_tags' - throttle: - $ref: '#/components/schemas/Alerting_throttle' - Alerting_fieldmap_properties: - title: Field map objects in the get rule types response - type: object - properties: - array: - type: boolean - description: Indicates whether the field is an array. - dynamic: - type: boolean - description: Indicates whether it is a dynamic field mapping. - format: - type: string - description: > - Indicates the format of the field. For example, if the `type` is - `date_range`, the `format` can be - `epoch_millis||strict_date_optional_time`. - ignore_above: - type: integer - description: >- - Specifies the maximum length of a string field. Longer strings are - not indexed or stored. - index: - type: boolean - description: Indicates whether field values are indexed. - path: - type: string - description: TBD - properties: - type: object - description: > - Details about the object properties. This property is applicable - when `type` is `object`. - additionalProperties: - type: object - properties: - type: - type: string - description: The data type for each object property. - required: - type: boolean - description: Indicates whether the field is required. - scaling_factor: - type: integer - description: > - The scaling factor to use when encoding values. This property is - applicable when `type` is `scaled_float`. Values will be multiplied - by this factor at index time and rounded to the closest long value. - type: - type: string - description: Specifies the data type for the field. 
- example: scaled_float - Alerting_400_response: - title: Bad request - type: object - required: - - error - - message - - statusCode - properties: - error: - type: string - enum: - - Bad Request - message: - type: string - statusCode: - type: integer - enum: - - 400 - Alerting_alert_response_properties: - title: Legacy alert response properties - type: object - properties: - actions: - type: array - items: - type: object - alertTypeId: - type: string - example: .index-threshold - apiKeyOwner: - type: string - nullable: true - example: elastic - createdAt: - type: string - description: The date and time that the alert was created. - format: date-time - example: '2022-12-05T23:36:58.284Z' - createdBy: - type: string - description: The identifier for the user that created the alert. - example: elastic - enabled: - type: boolean - description: Indicates whether the alert is currently enabled. - example: true - executionStatus: - type: object - properties: - lastExecutionDate: - type: string - format: date-time - example: '2022-12-06T00:13:43.890Z' - status: - type: string - example: ok - id: - type: string - description: The identifier for the alert. - example: b530fed0-74f5-11ed-9801-35303b735aef - muteAll: - type: boolean - example: false - mutedInstanceIds: - type: array - nullable: true - items: - type: string - name: - type: string - description: The name of the alert. - example: my alert - notifyWhen: - type: string - example: onActionGroupChange - params: - type: object - additionalProperties: true - schedule: - type: object - properties: - interval: - type: string - scheduledTaskId: - type: string - example: b530fed0-74f5-11ed-9801-35303b735aef - tags: - type: array - items: - type: string - throttle: - type: string - nullable: true - updatedAt: - type: string - example: '2022-12-05T23:36:58.284Z' - updatedBy: - type: string - description: The identifier for the user that updated this alert most recently. 
- nullable: true - example: elastic - Cases_assignees: - type: array - description: An array containing users that are assigned to the case. - maxItems: 10 - nullable: true - items: - type: object - required: - - uid - properties: - uid: - type: string - description: >- - A unique identifier for the user profile. These identifiers can be - found by using the suggest user profile API. - example: u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0 - Cases_connector_properties_none: - title: Create or update case request properties for no connector - required: - - fields - - id - - name - - type - description: Defines properties for connectors when type is `.none`. - type: object - properties: - fields: - description: >- - An object containing the connector fields. To create a case without - a connector, specify null. To update a case to remove the connector, - specify null. - nullable: true - type: string - example: null - id: - description: >- - The identifier for the connector. To create a case without a - connector, use `none`. To update a case to remove the connector, - specify `none`. - type: string - example: none - name: - description: >- - The name of the connector. To create a case without a connector, use - `none`. To update a case to remove the connector, specify `none`. - type: string - example: none - type: - description: >- - The type of connector. To create a case without a connector, use - `.none`. To update a case to remove the connector, specify `.none`. - type: string - example: .none - enum: - - .none - Cases_connector_properties_cases_webhook: - title: Create or upate case request properties for Cases Webhook connector - required: - - fields - - id - - name - - type - description: Defines properties for connectors when type is `.cases-webhook`. - type: object - properties: - fields: - type: string - nullable: true - example: null - id: - description: >- - The identifier for the connector. To retrieve connector IDs, use the - find connectors API. 
- type: string - name: - description: The name of the connector. - type: string - type: - description: The type of connector. - type: string - example: .cases-webhook - enum: - - .cases-webhook - Cases_connector_properties_jira: - title: Create or update case request properties for a Jira connector - required: - - fields - - id - - name - - type - description: Defines properties for connectors when type is `.jira`. - type: object - properties: - fields: - description: >- - An object containing the connector fields. If you want to omit any - individual field, specify null as its value. - type: object - required: - - issueType - - parent - - priority - properties: - issueType: - description: The type of issue. - type: string - nullable: true - parent: - description: The key of the parent issue, when the issue type is sub-task. - type: string - nullable: true - priority: - description: The priority of the issue. - type: string - nullable: true - id: - description: >- - The identifier for the connector. To retrieve connector IDs, use the - find connectors API. - type: string - name: - description: The name of the connector. - type: string - type: - description: The type of connector. - type: string - example: .jira - enum: - - .jira - Cases_connector_properties_resilient: - title: Create case request properties for a IBM Resilient connector - required: - - fields - - id - - name - - type - description: Defines properties for connectors when type is `.resilient`. - type: object - properties: - fields: - description: >- - An object containing the connector fields. If you want to omit any - individual field, specify null as its value. - type: object - nullable: true - required: - - issueTypes - - severityCode - properties: - issueTypes: - description: The type of incident. - type: array - items: - type: string - severityCode: - description: The severity code of the incident. - type: string - id: - description: The identifier for the connector. 
- type: string - name: - description: The name of the connector. - type: string - type: - description: The type of connector. - type: string - example: .resilient - enum: - - .resilient - Cases_connector_properties_servicenow: - title: Create case request properties for a ServiceNow ITSM connector - required: - - fields - - id - - name - - type - description: Defines properties for connectors when type is `.servicenow`. - type: object - properties: - fields: - description: >- - An object containing the connector fields. If you want to omit any - individual field, specify null as its value. - type: object - required: - - category - - impact - - severity - - subcategory - - urgency - properties: - category: - description: The category of the incident. - type: string - nullable: true - impact: - description: The effect an incident had on business. - type: string - nullable: true - severity: - description: The severity of the incident. - type: string - nullable: true - subcategory: - description: The subcategory of the incident. - type: string - nullable: true - urgency: - description: The extent to which the incident resolution can be delayed. - type: string - nullable: true - id: - description: >- - The identifier for the connector. To retrieve connector IDs, use the - find connectors API. - type: string - name: - description: The name of the connector. - type: string - type: - description: The type of connector. - type: string - example: .servicenow - enum: - - .servicenow - Cases_connector_properties_servicenow_sir: - title: Create case request properties for a ServiceNow SecOps connector - required: - - fields - - id - - name - - type - description: Defines properties for connectors when type is `.servicenow-sir`. - type: object - properties: - fields: - description: >- - An object containing the connector fields. If you want to omit any - individual field, specify null as its value. 
- type: object - required: - - category - - destIp - - malwareHash - - malwareUrl - - priority - - sourceIp - - subcategory - properties: - category: - description: The category of the incident. - type: string - nullable: true - destIp: - description: >- - Indicates whether cases will send a comma-separated list of - destination IPs. - type: boolean - nullable: true - malwareHash: - description: >- - Indicates whether cases will send a comma-separated list of - malware hashes. - type: boolean - nullable: true - malwareUrl: - description: >- - Indicates whether cases will send a comma-separated list of - malware URLs. - type: boolean - nullable: true - priority: - description: The priority of the issue. - type: string - nullable: true - sourceIp: - description: >- - Indicates whether cases will send a comma-separated list of - source IPs. - type: boolean - nullable: true - subcategory: - description: The subcategory of the incident. - type: string - nullable: true - id: - description: >- - The identifier for the connector. To retrieve connector IDs, use the - find connectors API. - type: string - name: - description: The name of the connector. - type: string - type: - description: The type of connector. - type: string - example: .servicenow-sir - enum: - - .servicenow-sir - Cases_connector_properties_swimlane: - title: Create case request properties for a Swimlane connector - required: - - fields - - id - - name - - type - description: Defines properties for connectors when type is `.swimlane`. - type: object - properties: - fields: - description: >- - An object containing the connector fields. If you want to omit any - individual field, specify null as its value. - type: object - required: - - caseId - properties: - caseId: - description: The case identifier for Swimlane connectors. - type: string - nullable: true - id: - description: >- - The identifier for the connector. To retrieve connector IDs, use the - find connectors API. 
- type: string - name: - description: The name of the connector. - type: string - type: - description: The type of connector. - type: string - example: .swimlane - enum: - - .swimlane - Cases_case_description: - description: The description for the case. - type: string - maxLength: 30000 - Cases_owners: - type: string - description: > - The application that owns the cases: Stack Management, Observability, or - Elastic Security. - enum: - - cases - - observability - - securitySolution - example: cases - Cases_settings: - type: object - description: An object that contains the case settings. - required: - - syncAlerts - properties: - syncAlerts: - description: Turns alert syncing on or off. - type: boolean - example: true - Cases_case_severity: - type: string - description: The severity of the case. - enum: - - critical - - high - - low - - medium - default: low - Cases_case_tags: - description: > - The words and phrases that help categorize cases. It can be an empty - array. - type: array - maxItems: 200 - items: - type: string - maxLength: 256 - Cases_case_category: - description: A word or phrase that categorizes the case. - type: string - maxLength: 50 - Cases_case_title: - description: A title for the case. - type: string - maxLength: 160 - Cases_create_case_request: - title: Create case request - description: >- - The create case API request body varies depending on the type of - connector. 
- type: object - required: - - connector - - description - - owner - - settings - - tags - - title - properties: - assignees: - $ref: '#/components/schemas/Cases_assignees' - connector: - oneOf: - - $ref: '#/components/schemas/Cases_connector_properties_none' - - $ref: '#/components/schemas/Cases_connector_properties_cases_webhook' - - $ref: '#/components/schemas/Cases_connector_properties_jira' - - $ref: '#/components/schemas/Cases_connector_properties_resilient' - - $ref: '#/components/schemas/Cases_connector_properties_servicenow' - - $ref: '#/components/schemas/Cases_connector_properties_servicenow_sir' - - $ref: '#/components/schemas/Cases_connector_properties_swimlane' - description: - $ref: '#/components/schemas/Cases_case_description' - owner: - $ref: '#/components/schemas/Cases_owners' - settings: - $ref: '#/components/schemas/Cases_settings' - severity: - $ref: '#/components/schemas/Cases_case_severity' - tags: - $ref: '#/components/schemas/Cases_case_tags' - category: - $ref: '#/components/schemas/Cases_case_category' - title: - $ref: '#/components/schemas/Cases_case_title' - customFields: - type: array - description: > - Custom field values for a case. Any optional custom fields that are - not specified in the request are set to null. - minItems: 0 - maxItems: 10 - items: - type: object - required: - - key - - type - - value - properties: - key: - description: > - The unique identifier for the custom field. The key value must - exist in the case configuration settings. - type: string - type: - description: > - The custom field type. It must match the type specified in the - case configuration settings. - type: string - enum: - - text - - toggle - value: - description: > - The custom field value. If the custom field is required, it - cannot be explicitly set to null. However, for cases that - existed when the required custom field was added, the default - value stored in Elasticsearch is `undefined`. 
The value - returned in the API and user interface in this case is `null`. - oneOf: - - type: string - minLength: 1 - maxLength: 160 - nullable: true - - type: boolean - Cases_case_response_closed_by_properties: - title: Case response properties for closed_by - type: object - nullable: true - properties: - email: - type: string - example: null - nullable: true - full_name: - type: string - example: null - nullable: true - username: - type: string - example: elastic - nullable: true - profile_uid: - type: string - example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 - required: - - email - - full_name - - username - Cases_alert_comment_response_properties: - title: Add case comment response properties for alerts - type: object - required: - - type - properties: - alertId: - type: array - items: - type: string - example: a6e12ac4-7bce-457b-84f6-d7ce8deb8446 - created_at: - type: string - format: date-time - example: '2023-11-06T19:29:38.424Z' - created_by: - type: object - required: - - email - - full_name - - username - properties: - email: - type: string - example: null - nullable: true - full_name: - type: string - example: null - nullable: true - username: - type: string - example: elastic - nullable: true - profile_uid: - type: string - example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 - id: - type: string - example: 73362370-ab1a-11ec-985f-97e55adae8b9 - index: - type: array - items: - type: string - example: .internal.alerts-security.alerts-default-000001 - owner: - $ref: '#/components/schemas/Cases_owners' - pushed_at: - type: string - format: date-time - example: null - nullable: true - pushed_by: - type: object - required: - - email - - full_name - - username - properties: - email: - type: string - example: null - nullable: true - full_name: - type: string - example: null - nullable: true - username: - type: string - example: elastic - nullable: true - profile_uid: - type: string - example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 - 
nullable: true - rule: - type: object - properties: - id: - description: The rule identifier. - type: string - example: 94d80550-aaf4-11ec-985f-97e55adae8b9 - name: - description: The rule name. - type: string - example: security_rule - type: - type: string - example: alert - enum: - - alert - updated_at: - type: string - format: date-time - nullable: true - updated_by: - type: object - nullable: true - required: - - email - - full_name - - username - properties: - email: - type: string - example: null - nullable: true - full_name: - type: string - example: null - nullable: true - username: - type: string - example: elastic - nullable: true - profile_uid: - type: string - example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 - version: - type: string - example: WzMwNDgsMV0= - Cases_user_comment_response_properties: - title: Case response properties for user comments - type: object - required: - - type - properties: - comment: - type: string - example: A new comment. - created_at: - type: string - format: date-time - example: '2022-05-13T09:16:17.416Z' - created_by: - $ref: '#/components/schemas/Cases_case_response_created_by_properties' - id: - type: string - example: 8af6ac20-74f6-11ea-b83a-553aecdb28b6 - owner: - $ref: '#/components/schemas/Cases_owners' - pushed_at: - type: string - format: date-time - nullable: true - example: null - pushed_by: - $ref: '#/components/schemas/Cases_case_response_pushed_by_properties' - type: - type: string - example: user - enum: - - user - updated_at: - type: string - format: date-time - nullable: true - example: null - updated_by: - $ref: '#/components/schemas/Cases_case_response_updated_by_properties' - version: - type: string - example: WzIwNDMxLDFd - Cases_case_response_created_by_properties: - title: Case response properties for created_by - type: object - properties: - email: - type: string - example: null - nullable: true - full_name: - type: string - example: null - nullable: true - username: - type: string - example: 
elastic - nullable: true - profile_uid: - type: string - example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 - required: - - email - - full_name - - username - Cases_case_response_pushed_by_properties: - title: Case response properties for pushed_by - type: object - nullable: true - properties: - email: - type: string - example: null - nullable: true - full_name: - type: string - example: null - nullable: true - username: - type: string - example: elastic - nullable: true - profile_uid: - type: string - example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 - required: - - email - - full_name - - username - Cases_case_response_updated_by_properties: - title: Case response properties for updated_by - type: object - nullable: true - properties: - email: - type: string - example: null - nullable: true - full_name: - type: string - example: null - nullable: true - username: - type: string - example: elastic - nullable: true - profile_uid: - type: string - example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 - required: - - email - - full_name - - username - Cases_external_service: - type: object - nullable: true - properties: - connector_id: - type: string - connector_name: - type: string - external_id: - type: string - external_title: - type: string - external_url: - type: string - pushed_at: - type: string - format: date-time - pushed_by: - type: object - properties: - email: - type: string - example: null - nullable: true - full_name: - type: string - example: null - nullable: true - username: - type: string - example: elastic - nullable: true - profile_uid: - type: string - example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 - nullable: true - Cases_case_status: - type: string - description: The status of the case. 
- enum: - - closed - - in-progress - - open - Cases_case_response_properties: - title: Case response properties - type: object - required: - - closed_at - - closed_by - - comments - - connector - - created_at - - created_by - - description - - duration - - external_service - - id - - owner - - settings - - severity - - status - - tags - - title - - totalAlerts - - totalComment - - updated_at - - updated_by - - version - properties: - assignees: - $ref: '#/components/schemas/Cases_assignees' - category: - type: string - description: The case category. - nullable: true - closed_at: - type: string - format: date-time - nullable: true - closed_by: - $ref: '#/components/schemas/Cases_case_response_closed_by_properties' - comments: - title: Case response properties for comments - description: An array of comment objects for the case. - type: array - maxItems: 10000 - items: - oneOf: - - $ref: '#/components/schemas/Cases_alert_comment_response_properties' - - $ref: '#/components/schemas/Cases_user_comment_response_properties' - discriminator: - propertyName: type - mapping: - alert: '#/components/schemas/Cases_alert_comment_response_properties' - user: '#/components/schemas/Cases_user_comment_response_properties' - connector: - title: Case response properties for connectors - oneOf: - - $ref: '#/components/schemas/Cases_connector_properties_none' - - $ref: '#/components/schemas/Cases_connector_properties_cases_webhook' - - $ref: '#/components/schemas/Cases_connector_properties_jira' - - $ref: '#/components/schemas/Cases_connector_properties_resilient' - - $ref: '#/components/schemas/Cases_connector_properties_servicenow' - - $ref: '#/components/schemas/Cases_connector_properties_servicenow_sir' - - $ref: '#/components/schemas/Cases_connector_properties_swimlane' - discriminator: - propertyName: type - mapping: - .none: '#/components/schemas/Cases_connector_properties_none' - .cases-webhook: '#/components/schemas/Cases_connector_properties_cases_webhook' - .jira: 
'#/components/schemas/Cases_connector_properties_jira' - .resilient: '#/components/schemas/Cases_connector_properties_resilient' - .servicenow: '#/components/schemas/Cases_connector_properties_servicenow' - .servicenow-sir: '#/components/schemas/Cases_connector_properties_servicenow_sir' - .swimlane: '#/components/schemas/Cases_connector_properties_swimlane' - created_at: - type: string - format: date-time - example: '2022-05-13T09:16:17.416Z' - created_by: - $ref: '#/components/schemas/Cases_case_response_created_by_properties' - customFields: - type: array - description: Custom field values for the case. - items: - type: object - properties: - key: - description: > - The unique identifier for the custom field. The key value must - exist in the case configuration settings. - type: string - type: - description: > - The custom field type. It must match the type specified in the - case configuration settings. - type: string - enum: - - text - - toggle - value: - description: > - The custom field value. If the custom field is required, it - cannot be explicitly set to null. However, for cases that - existed when the required custom field was added, the default - value stored in Elasticsearch is `undefined`. The value - returned in the API and user interface in this case is `null`. - oneOf: - - type: string - minLength: 1 - maxLength: 160 - nullable: true - - type: boolean - description: - type: string - example: A case description. - duration: - type: integer - description: > - The elapsed time from the creation of the case to its closure (in - seconds). If the case has not been closed, the duration is set to - null. If the case was closed after less than half a second, the - duration is rounded down to zero. 
- nullable: true - example: 120 - external_service: - $ref: '#/components/schemas/Cases_external_service' - id: - type: string - example: 66b9aa00-94fa-11ea-9f74-e7e108796192 - owner: - $ref: '#/components/schemas/Cases_owners' - settings: - $ref: '#/components/schemas/Cases_settings' - severity: - $ref: '#/components/schemas/Cases_case_severity' - status: - $ref: '#/components/schemas/Cases_case_status' - tags: - type: array - items: - type: string - example: - - tag-1 - title: - type: string - example: Case title 1 - totalAlerts: - type: integer - example: 0 - totalComment: - type: integer - example: 0 - updated_at: - type: string - format: date-time - nullable: true - updated_by: - $ref: '#/components/schemas/Cases_case_response_updated_by_properties' - version: - type: string - example: WzUzMiwxXQ== - Cases_4xx_response: - type: object - title: Unsuccessful cases API response - properties: - error: - type: string - example: Unauthorized - message: - type: string - statusCode: - type: integer - example: 401 - Cases_update_case_request: - title: Update case request - description: >- - The update case API request body varies depending on the type of - connector. - type: object - required: - - cases - properties: - cases: - type: array - description: An array containing one or more case objects. 
- maxItems: 100 - minItems: 1 - items: - type: object - required: - - id - - version - properties: - assignees: - $ref: '#/components/schemas/Cases_assignees' - category: - $ref: '#/components/schemas/Cases_case_category' - connector: - oneOf: - - $ref: '#/components/schemas/Cases_connector_properties_none' - - $ref: >- - #/components/schemas/Cases_connector_properties_cases_webhook - - $ref: '#/components/schemas/Cases_connector_properties_jira' - - $ref: '#/components/schemas/Cases_connector_properties_resilient' - - $ref: '#/components/schemas/Cases_connector_properties_servicenow' - - $ref: >- - #/components/schemas/Cases_connector_properties_servicenow_sir - - $ref: '#/components/schemas/Cases_connector_properties_swimlane' - customFields: - type: array - description: > - Custom field values for a case. Any optional custom fields - that are not specified in the request are set to null. - minItems: 0 - maxItems: 10 - items: - type: object - required: - - key - - type - - value - properties: - key: - description: > - The unique identifier for the custom field. The key - value must exist in the case configuration settings. - type: string - type: - description: > - The custom field type. It must match the type specified - in the case configuration settings. - type: string - enum: - - text - - toggle - value: - description: > - The custom field value. If the custom field is required, - it cannot be explicitly set to null. However, for cases - that existed when the required custom field was added, - the default value stored in Elasticsearch is - `undefined`. The value returned in the API and user - interface in this case is `null`. - oneOf: - - type: string - minLength: 1 - maxLength: 160 - nullable: true - - type: boolean - description: - $ref: '#/components/schemas/Cases_case_description' - id: - description: The identifier for the case. 
- type: string - maxLength: 30000 - settings: - $ref: '#/components/schemas/Cases_settings' - severity: - $ref: '#/components/schemas/Cases_case_severity' - status: - $ref: '#/components/schemas/Cases_case_status' - tags: - $ref: '#/components/schemas/Cases_case_tags' - title: - $ref: '#/components/schemas/Cases_case_title' - version: - description: >- - The current version of the case. To determine this value, use - the get case or find cases APIs. - type: string - Cases_searchFieldsType: - type: string - description: The fields to perform the `simple_query_string` parsed query against. - enum: - - description - - title - Cases_closure_types: - type: string - description: >- - Indicates whether a case is automatically closed when it is pushed to - external systems (`close-by-pushing`) or not automatically closed - (`close-by-user`). - enum: - - close-by-pushing - - close-by-user - example: close-by-user - Cases_connector_types: - type: string - description: The type of connector. - enum: - - .cases-webhook - - .jira - - .none - - .resilient - - .servicenow - - .servicenow-sir - - .swimlane - example: .none - Cases_template_tags: - description: > - The words and phrases that help categorize templates. It can be an empty - array. - type: array - maxItems: 200 - items: - type: string - maxLength: 256 - Cases_templates: - type: array - x-technical-preview: true - items: - type: object - properties: - caseFields: - type: object - properties: - assignees: - $ref: '#/components/schemas/Cases_assignees' - category: - $ref: '#/components/schemas/Cases_case_category' - connector: - type: object - properties: - fields: - description: >- - The fields specified in the case configuration are not - used and are not propagated to individual cases, therefore - it is recommended to set it to `null`. - nullable: true - type: object - id: - description: >- - The identifier for the connector. If you do not want a - default connector, use `none`. 
To retrieve connector IDs, - use the find connectors API. - type: string - example: none - name: - description: >- - The name of the connector. If you do not want a default - connector, use `none`. To retrieve connector names, use - the find connectors API. - type: string - example: none - type: - $ref: '#/components/schemas/Cases_connector_types' - customFields: - type: array - x-technical-preview: true - description: Custom field values in the template. - items: - type: object - properties: - key: - type: string - description: The unique key for the custom field. - type: - type: string - enum: - - text - - toggle - description: The type of the custom field. - value: - oneOf: - - type: string - - type: boolean - description: > - The default value for the custom field when a case uses - the template. If the `type` is `text`, the default value - must be a string. If the `type` is `toggle`, the default - value must be boolean. - description: - $ref: '#/components/schemas/Cases_case_description' - settings: - $ref: '#/components/schemas/Cases_settings' - severity: - $ref: '#/components/schemas/Cases_case_severity' - tags: - $ref: '#/components/schemas/Cases_case_tags' - title: - $ref: '#/components/schemas/Cases_case_title' - description: - type: string - description: A description for the template. - key: - type: string - description: > - A unique key for the template. Must be lower case and composed - only of a-z, 0-9, '_', and '-' characters. It is used in API calls - to refer to a specific template. - name: - type: string - description: The name of the template. - tags: - $ref: '#/components/schemas/Cases_template_tags' - Cases_set_case_configuration_request: - title: Set case configuration request - description: >- - External connection details, such as the closure type and default - connector for cases. 
- type: object - required: - - closure_type - - connector - - owner - properties: - closure_type: - $ref: '#/components/schemas/Cases_closure_types' - connector: - description: An object that contains the connector configuration. - type: object - properties: - fields: - description: >- - The fields specified in the case configuration are not used and - are not propagated to individual cases, therefore it is - recommended to set it to `null`. - nullable: true - type: object - id: - description: >- - The identifier for the connector. If you do not want a default - connector, use `none`. To retrieve connector IDs, use the find - connectors API. - type: string - example: none - name: - description: >- - The name of the connector. If you do not want a default - connector, use `none`. To retrieve connector names, use the find - connectors API. - type: string - example: none - type: - $ref: '#/components/schemas/Cases_connector_types' - required: - - fields - - id - - name - - type - customFields: - type: array - description: Custom fields case configuration. - minItems: 0 - maxItems: 10 - items: - type: object - required: - - key - - label - - required - - type - properties: - defaultValue: - oneOf: - - type: string - - type: boolean - description: > - A default value for the custom field. If the `type` is `text`, - the default value must be a string. If the `type` is `toggle`, - the default value must be boolean. - key: - description: > - A unique key for the custom field. Must be lower case and - composed only of a-z, 0-9, '_', and '-' characters. It is used - in API calls to refer to a specific custom field. - type: string - minLength: 1 - maxLength: 36 - label: - description: The custom field label that is displayed in the case. - type: string - minLength: 1 - maxLength: 50 - required: - description: > - Indicates whether the field is required. If `false`, the - custom field can be set to null or omitted when a case is - created or updated. 
- type: boolean - type: - description: The type of the custom field. - type: string - enum: - - text - - toggle - owner: - $ref: '#/components/schemas/Cases_owners' - templates: - $ref: '#/components/schemas/Cases_templates' - Cases_update_case_configuration_request: - title: Update case configuration request - description: > - You can update settings such as the closure type, custom fields, - templates, and the default connector for cases. - type: object - required: - - version - properties: - closure_type: - $ref: '#/components/schemas/Cases_closure_types' - connector: - description: An object that contains the connector configuration. - type: object - properties: - fields: - description: >- - The fields specified in the case configuration are not used and - are not propagated to individual cases, therefore it is - recommended to set it to `null`. - nullable: true - type: object - id: - description: >- - The identifier for the connector. If you do not want a default - connector, use `none`. To retrieve connector IDs, use the find - connectors API. - type: string - example: none - name: - description: >- - The name of the connector. If you do not want a default - connector, use `none`. To retrieve connector names, use the find - connectors API. - type: string - example: none - type: - $ref: '#/components/schemas/Cases_connector_types' - required: - - fields - - id - - name - - type - customFields: - type: array - description: Custom fields case configuration. - items: - type: object - required: - - key - - label - - required - - type - properties: - defaultValue: - oneOf: - - type: string - - type: boolean - description: > - A default value for the custom field. If the `type` is `text`, - the default value must be a string. If the `type` is `toggle`, - the default value must be boolean. - key: - description: > - A unique key for the custom field. Must be lower case and - composed only of a-z, 0-9, '_', and '-' characters. 
It is used - in API calls to refer to a specific custom field. - type: string - minLength: 1 - maxLength: 36 - label: - description: The custom field label that is displayed in the case. - type: string - minLength: 1 - maxLength: 50 - required: - description: > - Indicates whether the field is required. If `false`, the - custom field can be set to null or omitted when a case is - created or updated. - type: boolean - type: - description: The type of the custom field. - type: string - enum: - - text - - toggle - templates: - $ref: '#/components/schemas/Cases_templates' - version: - description: > - The version of the connector. To retrieve the version value, use the - get configuration API. - type: string - example: WzIwMiwxXQ== - Cases_alert_response_properties: - type: object - properties: - attached_at: - type: string - format: date-time - id: - description: The alert identifier. - type: string - index: - description: The alert index. - type: string - Cases_add_alert_comment_request_properties: - title: Add case comment request properties for alerts - required: - - alertId - - index - - owner - - rule - - type - description: Defines properties for case comment requests when type is alert. - type: object - properties: - alertId: - $ref: '#/components/schemas/Cases_alert_identifiers' - index: - $ref: '#/components/schemas/Cases_alert_indices' - owner: - $ref: '#/components/schemas/Cases_owners' - rule: - $ref: '#/components/schemas/Cases_rule' - type: - description: The type of comment. - type: string - example: alert - enum: - - alert - Cases_add_user_comment_request_properties: - title: Add case comment request properties for user comments - description: Defines properties for case comment requests when type is user. - type: object - properties: - comment: - description: The new comment. It is required only when `type` is `user`. - type: string - maxLength: 30000 - example: A new comment. 
- owner: - $ref: '#/components/schemas/Cases_owners' - type: - type: string - description: The type of comment. - example: user - enum: - - user - required: - - comment - - owner - - type - Cases_alert_identifiers: - title: Alert identifiers - description: > - The alert identifiers. It is required only when `type` is `alert`. You - can use an array of strings to add multiple alerts to a case, provided - that they all relate to the same rule; `index` must also be an array - with the same length or number of elements. Adding multiple alerts in - this manner is recommended rather than calling the API multiple times. - This functionality is in technical preview and may be changed or removed - in a future release. Elastic will work to fix any issues, but features - in technical preview are not subject to the support SLA of official GA - features. - oneOf: - - type: string - - type: array - items: - type: string - maxItems: 1000 - x-technical-preview: true - example: 6b24c4dc44bc720cfc92797f3d61fff952f2b2627db1fb4f8cc49f4530c4ff42 - Cases_alert_indices: - title: Alert indices - description: > - The alert indices. It is required only when `type` is `alert`. If you - are adding multiple alerts to a case, use an array of strings; the - position of each index name in the array must match the position of the - corresponding alert identifier in the `alertId` array. This - functionality is in technical preview and may be changed or removed in a - future release. Elastic will work to fix any issues, but features in - technical preview are not subject to the support SLA of official GA - features. - oneOf: - - type: string - - type: array - items: - type: string - maxItems: 1000 - x-technical-preview: true - Cases_rule: - title: Alerting rule - description: > - The rule that is associated with the alerts. It is required only when - `type` is `alert`. This functionality is in technical preview and may be - changed or removed in a future release. 
Elastic will work to fix any - issues, but features in technical preview are not subject to the support - SLA of official GA features. - type: object - x-technical-preview: true - properties: - id: - description: The rule identifier. - type: string - example: 94d80550-aaf4-11ec-985f-97e55adae8b9 - name: - description: The rule name. - type: string - example: security_rule - Cases_add_case_comment_request: - title: Add case comment request - description: >- - The add comment to case API request body varies depending on whether you - are adding an alert or a comment. - oneOf: - - $ref: '#/components/schemas/Cases_add_alert_comment_request_properties' - - $ref: '#/components/schemas/Cases_add_user_comment_request_properties' - discriminator: - propertyName: type - mapping: - alert: '#/components/schemas/Cases_add_alert_comment_request_properties' - user: '#/components/schemas/Cases_add_user_comment_request_properties' - Cases_update_alert_comment_request_properties: - title: Update case comment request properties for alerts - description: Defines properties for case comment requests when type is alert. - required: - - alertId - - id - - index - - owner - - rule - - type - - version - type: object - properties: - alertId: - $ref: '#/components/schemas/Cases_alert_identifiers' - id: - type: string - description: > - The identifier for the comment. To retrieve comment IDs, use the get - comments API. - example: 8af6ac20-74f6-11ea-b83a-553aecdb28b6 - index: - $ref: '#/components/schemas/Cases_alert_indices' - owner: - $ref: '#/components/schemas/Cases_owners' - rule: - $ref: '#/components/schemas/Cases_rule' - type: - description: The type of comment. - type: string - enum: - - alert - example: alert - version: - description: > - The current comment version. To retrieve version values, use the get - comments API. 
- type: string - example: Wzk1LDFd - Cases_update_user_comment_request_properties: - title: Update case comment request properties for user comments - description: Defines properties for case comment requests when type is user. - type: object - properties: - comment: - description: The new comment. It is required only when `type` is `user`. - type: string - maxLength: 30000 - example: A new comment. - id: - type: string - description: > - The identifier for the comment. To retrieve comment IDs, use the get - comments API. - example: 8af6ac20-74f6-11ea-b83a-553aecdb28b6 - owner: - $ref: '#/components/schemas/Cases_owners' - type: - type: string - description: The type of comment. - enum: - - user - example: user - version: - description: > - The current comment version. To retrieve version values, use the get - comments API. - type: string - example: Wzk1LDFd - required: - - comment - - id - - owner - - type - - version - Cases_update_case_comment_request: - title: Update case comment request - description: >- - The update case comment API request body varies depending on whether you - are updating an alert or a comment. 
- oneOf: - - $ref: '#/components/schemas/Cases_update_alert_comment_request_properties' - - $ref: '#/components/schemas/Cases_update_user_comment_request_properties' - discriminator: - propertyName: type - mapping: - alert: '#/components/schemas/Cases_update_alert_comment_request_properties' - user: '#/components/schemas/Cases_update_user_comment_request_properties' - Cases_actions: - type: string - enum: - - add - - create - - delete - - push_to_service - - update - example: create - Cases_payload_alert_comment: - type: object - properties: - comment: - type: object - properties: - alertId: - oneOf: - - type: string - example: 1c0b056b-cc9f-4b61-b5c9-cb801abd5e1d - - type: array - items: - type: string - index: - oneOf: - - type: string - example: .alerts-observability.logs.alerts-default - - type: array - items: - type: string - owner: - $ref: '#/components/schemas/Cases_owners' - rule: - type: object - properties: - id: - description: The rule identifier. - type: string - example: 94d80550-aaf4-11ec-985f-97e55adae8b9 - name: - description: The rule name. - type: string - example: security_rule - type: - type: string - enum: - - alert - Cases_payload_assignees: - type: object - properties: - assignees: - $ref: '#/components/schemas/Cases_assignees' - Cases_payload_connector: - type: object - properties: - connector: - type: object - properties: - fields: - description: >- - An object containing the connector fields. To create a case - without a connector, specify null. If you want to omit any - individual field, specify null as its value. - nullable: true - type: object - properties: - caseId: - description: The case identifier for Swimlane connectors. - type: string - category: - description: >- - The category of the incident for ServiceNow ITSM and - ServiceNow SecOps connectors. - type: string - destIp: - description: >- - Indicates whether cases will send a comma-separated list of - destination IPs for ServiceNow SecOps connectors. 
- type: boolean - nullable: true - impact: - description: >- - The effect an incident had on business for ServiceNow ITSM - connectors. - type: string - issueType: - description: The type of issue for Jira connectors. - type: string - issueTypes: - description: The type of incident for IBM Resilient connectors. - type: array - items: - type: string - malwareHash: - description: >- - Indicates whether cases will send a comma-separated list of - malware hashes for ServiceNow SecOps connectors. - type: boolean - nullable: true - malwareUrl: - description: >- - Indicates whether cases will send a comma-separated list of - malware URLs for ServiceNow SecOps connectors. - type: boolean - nullable: true - parent: - description: >- - The key of the parent issue, when the issue type is sub-task - for Jira connectors. - type: string - priority: - description: >- - The priority of the issue for Jira and ServiceNow SecOps - connectors. - type: string - severity: - description: The severity of the incident for ServiceNow ITSM connectors. - type: string - severityCode: - description: >- - The severity code of the incident for IBM Resilient - connectors. - type: string - sourceIp: - description: >- - Indicates whether cases will send a comma-separated list of - source IPs for ServiceNow SecOps connectors. - type: boolean - nullable: true - subcategory: - description: >- - The subcategory of the incident for ServiceNow ITSM - connectors. - type: string - urgency: - description: >- - The extent to which the incident resolution can be delayed - for ServiceNow ITSM connectors. - type: string - example: null - id: - description: >- - The identifier for the connector. To create a case without a - connector, use `none`. - type: string - example: none - name: - description: >- - The name of the connector. To create a case without a connector, - use `none`. 
- type: string - example: none - type: - $ref: '#/components/schemas/Cases_connector_types' - Cases_payload_create_case: - type: object - properties: - assignees: - $ref: '#/components/schemas/Cases_assignees' - connector: - type: object - properties: - fields: - description: >- - An object containing the connector fields. To create a case - without a connector, specify null. If you want to omit any - individual field, specify null as its value. - nullable: true - type: object - properties: - caseId: - description: The case identifier for Swimlane connectors. - type: string - category: - description: >- - The category of the incident for ServiceNow ITSM and - ServiceNow SecOps connectors. - type: string - destIp: - description: >- - Indicates whether cases will send a comma-separated list of - destination IPs for ServiceNow SecOps connectors. - type: boolean - nullable: true - impact: - description: >- - The effect an incident had on business for ServiceNow ITSM - connectors. - type: string - issueType: - description: The type of issue for Jira connectors. - type: string - issueTypes: - description: The type of incident for IBM Resilient connectors. - type: array - items: - type: string - malwareHash: - description: >- - Indicates whether cases will send a comma-separated list of - malware hashes for ServiceNow SecOps connectors. - type: boolean - nullable: true - malwareUrl: - description: >- - Indicates whether cases will send a comma-separated list of - malware URLs for ServiceNow SecOps connectors. - type: boolean - nullable: true - parent: - description: >- - The key of the parent issue, when the issue type is sub-task - for Jira connectors. - type: string - priority: - description: >- - The priority of the issue for Jira and ServiceNow SecOps - connectors. - type: string - severity: - description: The severity of the incident for ServiceNow ITSM connectors. 
- type: string - severityCode: - description: >- - The severity code of the incident for IBM Resilient - connectors. - type: string - sourceIp: - description: >- - Indicates whether cases will send a comma-separated list of - source IPs for ServiceNow SecOps connectors. - type: boolean - nullable: true - subcategory: - description: >- - The subcategory of the incident for ServiceNow ITSM - connectors. - type: string - urgency: - description: >- - The extent to which the incident resolution can be delayed - for ServiceNow ITSM connectors. - type: string - example: null - id: - description: >- - The identifier for the connector. To create a case without a - connector, use `none`. - type: string - example: none - name: - description: >- - The name of the connector. To create a case without a connector, - use `none`. - type: string - example: none - type: - $ref: '#/components/schemas/Cases_connector_types' - description: - type: string - owner: - $ref: '#/components/schemas/Cases_owners' - settings: - $ref: '#/components/schemas/Cases_settings' - severity: - $ref: '#/components/schemas/Cases_case_severity' - status: - $ref: '#/components/schemas/Cases_case_status' - tags: - type: array - items: - type: string - example: - - tag-1 - title: - type: string - Cases_payload_delete: - type: object - description: >- - If the `action` is `delete` and the `type` is `delete_case`, the payload - is nullable. 
- nullable: true - Cases_payload_description: - type: object - properties: - description: - type: string - Cases_payload_pushed: - type: object - properties: - externalService: - $ref: '#/components/schemas/Cases_external_service' - Cases_payload_settings: - type: object - properties: - settings: - $ref: '#/components/schemas/Cases_settings' - Cases_payload_severity: - type: object - properties: - severity: - $ref: '#/components/schemas/Cases_case_severity' - Cases_payload_status: - type: object - properties: - status: - $ref: '#/components/schemas/Cases_case_status' - Cases_payload_tags: - type: object - properties: - tags: - type: array - items: - type: string - example: - - tag-1 - Cases_payload_title: - type: object - properties: - title: - type: string - Cases_payload_user_comment: - type: object - properties: - comment: - type: object - properties: - comment: - type: string - owner: - $ref: '#/components/schemas/Cases_owners' - type: - type: string - enum: - - user - Cases_action_types: - type: string - description: The type of action. 
- enum: - - assignees - - create_case - - comment - - connector - - delete_case - - description - - pushed - - tags - - title - - status - - settings - - severity - example: create_case - Cases_user_actions_response_properties: - type: object - required: - - action - - action_id - - case_id - - comment_id - - created_at - - created_by - - owner - - payload - - type - properties: - action: - $ref: '#/components/schemas/Cases_actions' - action_id: - type: string - example: 22fd3e30-03b1-11ed-920c-974bfa104448 - case_id: - type: string - example: 22df07d0-03b1-11ed-920c-974bfa104448 - comment_id: - type: string - nullable: true - example: 578608d0-03b1-11ed-920c-974bfa104448 - created_at: - type: string - format: date-time - example: '2022-05-13T09:16:17.416Z' - created_by: - type: object - properties: - email: - type: string - example: null - nullable: true - full_name: - type: string - example: null - nullable: true - username: - type: string - example: elastic - nullable: true - profile_uid: - type: string - example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 - required: - - email - - full_name - - username - owner: - $ref: '#/components/schemas/Cases_owners' - payload: - oneOf: - - $ref: '#/components/schemas/Cases_payload_alert_comment' - - $ref: '#/components/schemas/Cases_payload_assignees' - - $ref: '#/components/schemas/Cases_payload_connector' - - $ref: '#/components/schemas/Cases_payload_create_case' - - $ref: '#/components/schemas/Cases_payload_delete' - - $ref: '#/components/schemas/Cases_payload_description' - - $ref: '#/components/schemas/Cases_payload_pushed' - - $ref: '#/components/schemas/Cases_payload_settings' - - $ref: '#/components/schemas/Cases_payload_severity' - - $ref: '#/components/schemas/Cases_payload_status' - - $ref: '#/components/schemas/Cases_payload_tags' - - $ref: '#/components/schemas/Cases_payload_title' - - $ref: '#/components/schemas/Cases_payload_user_comment' - type: - $ref: '#/components/schemas/Cases_action_types' - 
Cases_user_actions_find_response_properties: - type: object - required: - - action - - comment_id - - created_at - - created_by - - id - - owner - - payload - - type - - version - properties: - action: - $ref: '#/components/schemas/Cases_actions' - comment_id: - type: string - nullable: true - example: 578608d0-03b1-11ed-920c-974bfa104448 - created_at: - type: string - format: date-time - example: '2022-05-13T09:16:17.416Z' - created_by: - type: object - properties: - email: - type: string - example: null - nullable: true - full_name: - type: string - example: null - nullable: true - username: - type: string - example: elastic - nullable: true - profile_uid: - type: string - example: u_J41Oh6L9ki-Vo2tOogS8WRTENzhHurGtRc87NgEAlkc_0 - required: - - email - - full_name - - username - id: - type: string - example: 22fd3e30-03b1-11ed-920c-974bfa104448 - owner: - $ref: '#/components/schemas/Cases_owners' - payload: - oneOf: - - $ref: '#/components/schemas/Cases_payload_alert_comment' - - $ref: '#/components/schemas/Cases_payload_assignees' - - $ref: '#/components/schemas/Cases_payload_connector' - - $ref: '#/components/schemas/Cases_payload_create_case' - - $ref: '#/components/schemas/Cases_payload_delete' - - $ref: '#/components/schemas/Cases_payload_description' - - $ref: '#/components/schemas/Cases_payload_pushed' - - $ref: '#/components/schemas/Cases_payload_settings' - - $ref: '#/components/schemas/Cases_payload_severity' - - $ref: '#/components/schemas/Cases_payload_status' - - $ref: '#/components/schemas/Cases_payload_tags' - - $ref: '#/components/schemas/Cases_payload_title' - - $ref: '#/components/schemas/Cases_payload_user_comment' - version: - type: string - example: WzM1ODg4LDFd - type: - type: string - description: The type of action. 
- enum: - - assignees - - create_case - - comment - - connector - - description - - pushed - - tags - - title - - status - - settings - - severity - example: create_case - Connectors_create_connector_request_bedrock: - title: Create Amazon Bedrock connector request - description: >- - The Amazon Bedrock connector uses axios to send a POST request to Amazon - Bedrock. - type: object - required: - - config - - connector_type_id - - name - - secrets - properties: - config: - $ref: '#/components/schemas/Connectors_config_properties_bedrock' - connector_type_id: - type: string - description: The type of connector. - enum: - - .bedrock - example: .bedrock - name: - type: string - description: The display name for the connector. - example: my-connector - secrets: - $ref: '#/components/schemas/Connectors_secrets_properties_bedrock' - Connectors_create_connector_request_gemini: - title: Create Google Gemini connector request - description: >- - The Google Gemini connector uses axios to send a POST request to Google - Gemini. - type: object - required: - - config - - connector_type_id - - name - - secrets - properties: - config: - $ref: '#/components/schemas/Connectors_config_properties_gemini' - connector_type_id: - type: string - description: The type of connector. - enum: - - .gemini - example: .gemini - name: - type: string - description: The display name for the connector. - example: my-connector - secrets: - $ref: '#/components/schemas/Connectors_secrets_properties_gemini' - Connectors_create_connector_request_cases_webhook: - title: Create Webhook - Case Managment connector request - description: > - The Webhook - Case Management connector uses axios to send POST, PUT, - and GET requests to a case management RESTful API web service. 
- type: object - required: - - config - - connector_type_id - - name - properties: - config: - $ref: '#/components/schemas/Connectors_config_properties_cases_webhook' - connector_type_id: - type: string - description: The type of connector. - enum: - - .cases-webhook - example: .cases-webhook - name: - type: string - description: The display name for the connector. - example: my-connector - secrets: - $ref: '#/components/schemas/Connectors_secrets_properties_cases_webhook' - Connectors_create_connector_request_d3security: - title: Create D3 Security connector request - description: > - The connector uses axios to send a POST request to a D3 Security - endpoint. - type: object - required: - - config - - connector_type_id - - name - - secrets - properties: - config: - $ref: '#/components/schemas/Connectors_config_properties_d3security' - connector_type_id: - type: string - description: The type of connector. - enum: - - .d3security - example: .d3security - name: - type: string - description: The display name for the connector. - example: my-connector - secrets: - $ref: '#/components/schemas/Connectors_secrets_properties_d3security' - Connectors_create_connector_request_email: - title: Create email connector request - description: > - The email connector uses the SMTP protocol to send mail messages, using - an integration of Nodemailer. An exception is Microsoft Exchange, which - uses HTTP protocol for sending emails, Send mail. Email message text is - sent as both plain text and html text. - type: object - required: - - config - - connector_type_id - - name - - secrets - properties: - config: - $ref: '#/components/schemas/Connectors_config_properties_email' - connector_type_id: - type: string - description: The type of connector. - enum: - - .email - example: .email - name: - type: string - description: The display name for the connector. 
- example: my-connector - secrets: - $ref: '#/components/schemas/Connectors_secrets_properties_email' - Connectors_create_connector_request_genai: - title: Create OpenAI connector request - description: > - The OpenAI connector uses axios to send a POST request to either OpenAI - or Azure OpenAPI. - type: object - required: - - config - - connector_type_id - - name - - secrets - properties: - config: - $ref: '#/components/schemas/Connectors_config_properties_genai' - connector_type_id: - type: string - description: The type of connector. - enum: - - .gen-ai - example: .gen-ai - name: - type: string - description: The display name for the connector. - example: my-connector - secrets: - $ref: '#/components/schemas/Connectors_secrets_properties_genai' - Connectors_create_connector_request_index: - title: Create index connector request - description: The index connector indexes a document into Elasticsearch. - type: object - required: - - config - - connector_type_id - - name - properties: - config: - $ref: '#/components/schemas/Connectors_config_properties_index' - connector_type_id: - type: string - description: The type of connector. - enum: - - .index - example: .index - name: - type: string - description: The display name for the connector. - example: my-connector - Connectors_create_connector_request_jira: - title: Create Jira connector request - description: The Jira connector uses the REST API v2 to create Jira issues. - type: object - required: - - config - - connector_type_id - - name - - secrets - properties: - config: - $ref: '#/components/schemas/Connectors_config_properties_jira' - connector_type_id: - type: string - description: The type of connector. - enum: - - .jira - example: .jira - name: - type: string - description: The display name for the connector. 
- example: my-connector - secrets: - $ref: '#/components/schemas/Connectors_secrets_properties_jira' - Connectors_create_connector_request_opsgenie: - title: Create Opsgenie connector request - description: The Opsgenie connector uses the Opsgenie alert API. - type: object - required: - - config - - connector_type_id - - name - - secrets - properties: - config: - $ref: '#/components/schemas/Connectors_config_properties_opsgenie' - connector_type_id: - type: string - description: The type of connector. - enum: - - .opsgenie - example: .opsgenie - name: - type: string - description: The display name for the connector. - example: my-connector - secrets: - $ref: '#/components/schemas/Connectors_secrets_properties_opsgenie' - Connectors_create_connector_request_pagerduty: - title: Create PagerDuty connector request - description: > - The PagerDuty connector uses the v2 Events API to trigger, acknowledge, - and resolve PagerDuty alerts. - type: object - required: - - config - - connector_type_id - - name - - secrets - properties: - config: - $ref: '#/components/schemas/Connectors_config_properties_pagerduty' - connector_type_id: - type: string - description: The type of connector. - enum: - - .pagerduty - example: .pagerduty - name: - type: string - description: The display name for the connector. - example: my-connector - secrets: - $ref: '#/components/schemas/Connectors_secrets_properties_pagerduty' - Connectors_create_connector_request_resilient: - title: Create IBM Resilient connector request - description: >- - The IBM Resilient connector uses the RESILIENT REST v2 to create IBM - Resilient incidents. - type: object - required: - - config - - connector_type_id - - name - - secrets - properties: - config: - $ref: '#/components/schemas/Connectors_config_properties_resilient' - connector_type_id: - description: The type of connector. - type: string - example: .resilient - enum: - - .resilient - name: - type: string - description: The display name for the connector. 
- example: my-connector - secrets: - $ref: '#/components/schemas/Connectors_secrets_properties_resilient' - Connectors_create_connector_request_sentinelone: - title: Create SentinelOne connector request - description: > - The SentinelOne connector communicates with SentinelOne Management - Console via REST API. This functionality is in technical preview and may - be changed or removed in a future release. Elastic will work to fix any - issues, but features in technical preview are not subject to the support - SLA of official GA features. - x-technical-preview: true - type: object - required: - - config - - connector_type_id - - name - - secrets - properties: - config: - $ref: '#/components/schemas/Connectors_config_properties_sentinelone' - connector_type_id: - type: string - description: The type of connector. - enum: - - .sentinelone - example: .sentinelone - name: - type: string - description: The display name for the connector. - example: my-connector - secrets: - $ref: '#/components/schemas/Connectors_secrets_properties_sentinelone' - Connectors_create_connector_request_serverlog: - title: Create server log connector request - description: This connector writes an entry to the Kibana server log. - type: object - required: - - connector_type_id - - name - properties: - connector_type_id: - type: string - description: The type of connector. - enum: - - .server-log - example: .server-log - name: - type: string - description: The display name for the connector. - example: my-connector - Connectors_create_connector_request_servicenow: - title: Create ServiceNow ITSM connector request - description: > - The ServiceNow ITSM connector uses the import set API to create - ServiceNow incidents. You can use the connector for rule actions and - cases. 
- type: object - required: - - config - - connector_type_id - - name - - secrets - properties: - config: - $ref: '#/components/schemas/Connectors_config_properties_servicenow' - connector_type_id: - type: string - description: The type of connector. - enum: - - .servicenow - example: .servicenow - name: - type: string - description: The display name for the connector. - example: my-connector - secrets: - $ref: '#/components/schemas/Connectors_secrets_properties_servicenow' - Connectors_create_connector_request_servicenow_itom: - title: Create ServiceNow ITOM connector request - description: > - The ServiceNow ITOM connector uses the event API to create ServiceNow - events. You can use the connector for rule actions. - type: object - required: - - config - - connector_type_id - - name - - secrets - properties: - config: - $ref: '#/components/schemas/Connectors_config_properties_servicenow_itom' - connector_type_id: - type: string - description: The type of connector. - enum: - - .servicenow-itom - example: .servicenow-itom - name: - type: string - description: The display name for the connector. - example: my-connector - secrets: - $ref: '#/components/schemas/Connectors_secrets_properties_servicenow' - Connectors_create_connector_request_servicenow_sir: - title: Create ServiceNow SecOps connector request - description: > - The ServiceNow SecOps connector uses the import set API to create - ServiceNow security incidents. You can use the connector for rule - actions and cases. - type: object - required: - - config - - connector_type_id - - name - - secrets - properties: - config: - $ref: '#/components/schemas/Connectors_config_properties_servicenow' - connector_type_id: - type: string - description: The type of connector. - enum: - - .servicenow-sir - example: .servicenow-sir - name: - type: string - description: The display name for the connector. 
- example: my-connector - secrets: - $ref: '#/components/schemas/Connectors_secrets_properties_servicenow' - Connectors_create_connector_request_slack_api: - title: Create Slack connector request - description: The Slack connector uses an API method to send Slack messages. - type: object - required: - - connector_type_id - - name - - secrets - properties: - config: - $ref: '#/components/schemas/Connectors_config_properties_slack_api' - connector_type_id: - type: string - description: The type of connector. - enum: - - .slack_api - example: .slack_api - name: - type: string - description: The display name for the connector. - example: my-connector - secrets: - $ref: '#/components/schemas/Connectors_secrets_properties_slack_api' - Connectors_create_connector_request_slack_webhook: - title: Create Slack connector request - description: The Slack connector uses Slack Incoming Webhooks. - type: object - required: - - connector_type_id - - name - - secrets - properties: - connector_type_id: - type: string - description: The type of connector. - enum: - - .slack - example: .slack - name: - type: string - description: The display name for the connector. - example: my-connector - secrets: - $ref: '#/components/schemas/Connectors_secrets_properties_slack_webhook' - Connectors_create_connector_request_swimlane: - title: Create Swimlane connector request - description: >- - The Swimlane connector uses the Swimlane REST API to create Swimlane - records. - type: object - required: - - config - - connector_type_id - - name - - secrets - properties: - config: - $ref: '#/components/schemas/Connectors_config_properties_swimlane' - connector_type_id: - type: string - description: The type of connector. - enum: - - .swimlane - example: .swimlane - name: - type: string - description: The display name for the connector. 
- example: my-connector - secrets: - $ref: '#/components/schemas/Connectors_secrets_properties_swimlane' - Connectors_create_connector_request_teams: - title: Create Microsoft Teams connector request - description: The Microsoft Teams connector uses Incoming Webhooks. - type: object - required: - - connector_type_id - - name - - secrets - properties: - connector_type_id: - type: string - description: The type of connector. - enum: - - .teams - example: .teams - name: - type: string - description: The display name for the connector. - example: my-connector - secrets: - $ref: '#/components/schemas/Connectors_secrets_properties_teams' - Connectors_create_connector_request_tines: - title: Create Tines connector request - description: > - The Tines connector uses Tines Webhook actions to send events via POST - request. - type: object - required: - - config - - connector_type_id - - name - - secrets - properties: - config: - $ref: '#/components/schemas/Connectors_config_properties_tines' - connector_type_id: - type: string - description: The type of connector. - enum: - - .tines - example: .tines - name: - type: string - description: The display name for the connector. - example: my-connector - secrets: - $ref: '#/components/schemas/Connectors_secrets_properties_tines' - Connectors_create_connector_request_torq: - title: Create Torq connector request - description: > - The Torq connector uses a Torq webhook to trigger workflows with Kibana - actions. - type: object - required: - - config - - connector_type_id - - name - - secrets - properties: - config: - $ref: '#/components/schemas/Connectors_config_properties_torq' - connector_type_id: - type: string - description: The type of connector. - enum: - - .torq - example: .torq - name: - type: string - description: The display name for the connector. 
- example: my-connector - secrets: - $ref: '#/components/schemas/Connectors_secrets_properties_torq' - Connectors_create_connector_request_webhook: - title: Create Webhook connector request - description: > - The Webhook connector uses axios to send a POST or PUT request to a web - service. - type: object - required: - - config - - connector_type_id - - name - - secrets - properties: - config: - $ref: '#/components/schemas/Connectors_config_properties_webhook' - connector_type_id: - type: string - description: The type of connector. - enum: - - .webhook - example: .webhook - name: - type: string - description: The display name for the connector. - example: my-connector - secrets: - $ref: '#/components/schemas/Connectors_secrets_properties_webhook' - Connectors_create_connector_request_xmatters: - title: Create xMatters connector request - description: > - The xMatters connector uses the xMatters Workflow for Elastic to send - actionable alerts to on-call xMatters resources. - type: object - required: - - config - - connector_type_id - - name - - secrets - properties: - config: - $ref: '#/components/schemas/Connectors_config_properties_xmatters' - connector_type_id: - type: string - description: The type of connector. - enum: - - .xmatters - example: .xmatters - name: - type: string - description: The display name for the connector. - example: my-connector - secrets: - $ref: '#/components/schemas/Connectors_secrets_properties_xmatters' - Connectors_config_properties_bedrock: - title: Connector request properties for an Amazon Bedrock connector - description: Defines properties for connectors when type is `.bedrock`. - type: object - required: - - apiUrl - properties: - apiUrl: - type: string - description: The Amazon Bedrock request URL. - defaultModel: - type: string - description: > - The generative artificial intelligence model for Amazon Bedrock to - use. Current support is for the Anthropic Claude models. 
- default: anthropic.claude-3-5-sonnet-20240620-v1:0 - Connectors_secrets_properties_bedrock: - title: Connector secrets properties for an Amazon Bedrock connector - description: Defines secrets for connectors when type is `.bedrock`. - type: object - required: - - accessKey - - secret - properties: - accessKey: - type: string - description: The AWS access key for authentication. - secret: - type: string - description: The AWS secret for authentication. - Connectors_config_properties_gemini: - title: Connector request properties for an Google Gemini connector - description: Defines properties for connectors when type is `.gemini`. - type: object - required: - - apiUrl - - gcpRegion - - gcpProjectID - properties: - apiUrl: - type: string - description: The Google Gemini request URL. - defaultModel: - type: string - description: >- - The generative artificial intelligence model for Google Gemini to - use. - default: gemini-1.5-pro-001 - gcpRegion: - type: string - description: The GCP region where the Vertex AI endpoint enabled. - gcpProjectID: - type: string - description: The Google ProjectID that has Vertex AI endpoint enabled. - Connectors_secrets_properties_gemini: - title: Connector secrets properties for a Google Gemini connector - description: Defines secrets for connectors when type is `.gemini`. - type: object - required: - - credentialsJSON - properties: - credentialsJSON: - type: string - description: >- - The service account credentials JSON file. The service account - should have Vertex AI user IAM role assigned to it. - Connectors_config_properties_cases_webhook: - title: Connector request properties for Webhook - Case Management connector - required: - - createIncidentJson - - createIncidentResponseKey - - createIncidentUrl - - getIncidentResponseExternalTitleKey - - getIncidentUrl - - updateIncidentJson - - updateIncidentUrl - - viewIncidentUrl - description: Defines properties for connectors when type is `.cases-webhook`. 
- type: object - properties: - createCommentJson: - type: string - description: > - A JSON payload sent to the create comment URL to create a case - comment. You can use variables to add Kibana Cases data to the - payload. The required variable is `case.comment`. Due to Mustache - template variables (the text enclosed in triple braces, for example, - `{{{case.title}}}`), the JSON is not validated when you create the - connector. The JSON is validated once the Mustache variables have - been placed when the REST method runs. Manually ensure that the JSON - is valid, disregarding the Mustache variables, so the later - validation will pass. - example: '{"body": {{{case.comment}}}}' - createCommentMethod: - type: string - description: > - The REST API HTTP request method to create a case comment in the - third-party system. Valid values are `patch`, `post`, and `put`. - default: put - enum: - - patch - - post - - put - createCommentUrl: - type: string - description: > - The REST API URL to create a case comment by ID in the third-party - system. You can use a variable to add the external system ID to the - URL. If you are using the `xpack.actions.allowedHosts setting`, add - the hostname to the allowed hosts. - example: https://example.com/issue/{{{external.system.id}}}/comment - createIncidentJson: - type: string - description: > - A JSON payload sent to the create case URL to create a case. You can - use variables to add case data to the payload. Required variables - are `case.title` and `case.description`. Due to Mustache template - variables (which is the text enclosed in triple braces, for example, - `{{{case.title}}}`), the JSON is not validated when you create the - connector. The JSON is validated after the Mustache variables have - been placed when REST method runs. Manually ensure that the JSON is - valid to avoid future validation errors; disregard Mustache - variables during your review. 
- example: >- - {"fields": {"summary": {{{case.title}}},"description": - {{{case.description}}},"labels": {{{case.tags}}}}} - createIncidentMethod: - type: string - description: > - The REST API HTTP request method to create a case in the third-party - system. Valid values are `patch`, `post`, and `put`. - enum: - - patch - - post - - put - default: post - createIncidentResponseKey: - type: string - description: >- - The JSON key in the create external case response that contains the - case ID. - createIncidentUrl: - type: string - description: > - The REST API URL to create a case in the third-party system. If you - are using the `xpack.actions.allowedHosts` setting, add the hostname - to the allowed hosts. - getIncidentResponseExternalTitleKey: - type: string - description: >- - The JSON key in get external case response that contains the case - title. - getIncidentUrl: - type: string - description: > - The REST API URL to get the case by ID from the third-party system. - If you are using the `xpack.actions.allowedHosts` setting, add the - hostname to the allowed hosts. You can use a variable to add the - external system ID to the URL. Due to Mustache template variables - (the text enclosed in triple braces, for example, - `{{{case.title}}}`), the JSON is not validated when you create the - connector. The JSON is validated after the Mustache variables have - been placed when REST method runs. Manually ensure that the JSON is - valid, disregarding the Mustache variables, so the later validation - will pass. - example: https://example.com/issue/{{{external.system.id}}} - hasAuth: - type: boolean - description: >- - If true, a username and password for login type authentication must - be provided. - default: true - headers: - type: string - description: > - A set of key-value pairs sent as headers with the request URLs for - the create case, update case, get case, and create comment methods. 
- updateIncidentJson: - type: string - description: > - The JSON payload sent to the update case URL to update the case. You - can use variables to add Kibana Cases data to the payload. Required - variables are `case.title` and `case.description`. Due to Mustache - template variables (which is the text enclosed in triple braces, for - example, `{{{case.title}}}`), the JSON is not validated when you - create the connector. The JSON is validated after the Mustache - variables have been placed when REST method runs. Manually ensure - that the JSON is valid to avoid future validation errors; disregard - Mustache variables during your review. - example: >- - {"fields": {"summary": {{{case.title}}},"description": - {{{case.description}}},"labels": {{{case.tags}}}}} - updateIncidentMethod: - type: string - description: > - The REST API HTTP request method to update the case in the - third-party system. Valid values are `patch`, `post`, and `put`. - default: put - enum: - - patch - - post - - put - updateIncidentUrl: - type: string - description: > - The REST API URL to update the case by ID in the third-party system. - You can use a variable to add the external system ID to the URL. If - you are using the `xpack.actions.allowedHosts` setting, add the - hostname to the allowed hosts. - example: https://example.com/issue/{{{external.system.ID}}} - viewIncidentUrl: - type: string - description: > - The URL to view the case in the external system. You can use - variables to add the external system ID or external system title to - the URL. - example: >- - https://testing-jira.atlassian.net/browse/{{{external.system.title}}} - Connectors_secrets_properties_cases_webhook: - title: Connector secrets properties for Webhook - Case Management connector - type: object - properties: - password: - type: string - description: >- - The password for HTTP basic authentication. If `hasAuth` is set to - `true`, this property is required. 
- user: - type: string - description: >- - The username for HTTP basic authentication. If `hasAuth` is set to - `true`, this property is required. - Connectors_config_properties_d3security: - title: Connector request properties for a D3 Security connector - description: Defines properties for connectors when type is `.d3security`. - type: object - required: - - url - properties: - url: - type: string - description: > - The D3 Security API request URL. If you are using the - `xpack.actions.allowedHosts` setting, add the hostname to the - allowed hosts. - Connectors_secrets_properties_d3security: - title: Connector secrets properties for a D3 Security connector - description: Defines secrets for connectors when type is `.d3security`. - required: - - token - type: object - properties: - token: - type: string - description: The D3 Security token. - Connectors_config_properties_email: - title: Connector request properties for an email connector - description: Defines properties for connectors when type is `.email`. - required: - - from - type: object - properties: - clientId: - description: > - The client identifier, which is a part of OAuth 2.0 client - credentials authentication, in GUID format. If `service` is - `exchange_server`, this property is required. - type: string - nullable: true - from: - description: > - The from address for all emails sent by the connector. It must be - specified in `user@host-name` format. - type: string - hasAuth: - description: > - Specifies whether a user and password are required inside the - secrets configuration. - default: true - type: boolean - host: - description: > - The host name of the service provider. If the `service` is - `elastic_cloud` (for Elastic Cloud notifications) or one of - Nodemailer's well-known email service providers, this property is - ignored. If `service` is `other`, this property must be defined. 
- type: string - oauthTokenUrl: - type: string - nullable: true - port: - description: > - The port to connect to on the service provider. If the `service` is - `elastic_cloud` (for Elastic Cloud notifications) or one of - Nodemailer's well-known email service providers, this property is - ignored. If `service` is `other`, this property must be defined. - type: integer - secure: - description: > - Specifies whether the connection to the service provider will use - TLS. If the `service` is `elastic_cloud` (for Elastic Cloud - notifications) or one of Nodemailer's well-known email service - providers, this property is ignored. - type: boolean - service: - description: | - The name of the email service. - type: string - enum: - - elastic_cloud - - exchange_server - - gmail - - other - - outlook365 - - ses - tenantId: - description: > - The tenant identifier, which is part of OAuth 2.0 client credentials - authentication, in GUID format. If `service` is `exchange_server`, - this property is required. - type: string - nullable: true - Connectors_secrets_properties_email: - title: Connector secrets properties for an email connector - description: Defines secrets for connectors when type is `.email`. - type: object - properties: - clientSecret: - type: string - description: > - The Microsoft Exchange Client secret for OAuth 2.0 client - credentials authentication. It must be URL-encoded. If `service` is - `exchange_server`, this property is required. - password: - type: string - description: > - The password for HTTP basic authentication. If `hasAuth` is set to - `true`, this property is required. - user: - type: string - description: > - The username for HTTP basic authentication. If `hasAuth` is set to - `true`, this property is required. 
- Connectors_config_properties_genai_azure: - title: >- - Connector request properties for an OpenAI connector that uses Azure - OpenAI - description: > - Defines properties for connectors when type is `.gen-ai` and the API - provider is `Azure OpenAI'. - type: object - required: - - apiProvider - - apiUrl - properties: - apiProvider: - type: string - description: The OpenAI API provider. - enum: - - Azure OpenAI - apiUrl: - type: string - description: The OpenAI API endpoint. - Connectors_config_properties_genai_openai: - title: Connector request properties for an OpenAI connector - description: > - Defines properties for connectors when type is `.gen-ai` and the API - provider is `OpenAI'. - type: object - required: - - apiProvider - - apiUrl - properties: - apiProvider: - type: string - description: The OpenAI API provider. - enum: - - OpenAI - apiUrl: - type: string - description: The OpenAI API endpoint. - defaultModel: - type: string - description: The default model to use for requests. - Connectors_config_properties_genai: - title: Connector request properties for an OpenAI connector - description: Defines properties for connectors when type is `.gen-ai`. - oneOf: - - $ref: '#/components/schemas/Connectors_config_properties_genai_azure' - - $ref: '#/components/schemas/Connectors_config_properties_genai_openai' - discriminator: - propertyName: apiProvider - mapping: - Azure OpenAI: '#/components/schemas/Connectors_config_properties_genai_azure' - OpenAI: '#/components/schemas/Connectors_config_properties_genai_openai' - Connectors_secrets_properties_genai: - title: Connector secrets properties for an OpenAI connector - description: Defines secrets for connectors when type is `.gen-ai`. - type: object - properties: - apiKey: - type: string - description: The OpenAI API key. 
- Connectors_config_properties_index: - title: Connector request properties for an index connector - required: - - index - description: Defines properties for connectors when type is `.index`. - type: object - properties: - executionTimeField: - description: A field that indicates when the document was indexed. - default: null - type: string - nullable: true - index: - description: The Elasticsearch index to be written to. - type: string - refresh: - description: > - The refresh policy for the write request, which affects when changes - are made visible to search. Refer to the refresh setting for - Elasticsearch document APIs. - default: false - type: boolean - Connectors_config_properties_jira: - title: Connector request properties for a Jira connector - required: - - apiUrl - - projectKey - description: Defines properties for connectors when type is `.jira`. - type: object - properties: - apiUrl: - description: The Jira instance URL. - type: string - projectKey: - description: The Jira project key. - type: string - Connectors_secrets_properties_jira: - title: Connector secrets properties for a Jira connector - required: - - apiToken - - email - description: Defines secrets for connectors when type is `.jira`. - type: object - properties: - apiToken: - description: The Jira API authentication token for HTTP basic authentication. - type: string - email: - description: The account email for HTTP Basic authentication. - type: string - Connectors_config_properties_opsgenie: - title: Connector request properties for an Opsgenie connector - required: - - apiUrl - description: Defines properties for connectors when type is `.opsgenie`. - type: object - properties: - apiUrl: - description: > - The Opsgenie URL. For example, `https://api.opsgenie.com` or - `https://api.eu.opsgenie.com`. If you are using the - `xpack.actions.allowedHosts` setting, add the hostname to the - allowed hosts. 
- type: string - Connectors_secrets_properties_opsgenie: - title: Connector secrets properties for an Opsgenie connector - required: - - apiKey - description: Defines secrets for connectors when type is `.opsgenie`. - type: object - properties: - apiKey: - description: The Opsgenie API authentication key for HTTP Basic authentication. - type: string - Connectors_config_properties_pagerduty: - title: Connector request properties for a PagerDuty connector - description: Defines properties for connectors when type is `.pagerduty`. - type: object - properties: - apiUrl: - description: The PagerDuty event URL. - type: string - nullable: true - example: https://events.pagerduty.com/v2/enqueue - Connectors_secrets_properties_pagerduty: - title: Connector secrets properties for a PagerDuty connector - description: Defines secrets for connectors when type is `.pagerduty`. - type: object - required: - - routingKey - properties: - routingKey: - description: > - A 32 character PagerDuty Integration Key for an integration on a - service. - type: string - Connectors_config_properties_resilient: - title: Connector request properties for a IBM Resilient connector - required: - - apiUrl - - orgId - description: Defines properties for connectors when type is `.resilient`. - type: object - properties: - apiUrl: - description: The IBM Resilient instance URL. - type: string - orgId: - description: The IBM Resilient organization ID. - type: string - Connectors_secrets_properties_resilient: - title: Connector secrets properties for IBM Resilient connector - required: - - apiKeyId - - apiKeySecret - description: Defines secrets for connectors when type is `.resilient`. - type: object - properties: - apiKeyId: - type: string - description: The authentication key ID for HTTP Basic authentication. - apiKeySecret: - type: string - description: The authentication key secret for HTTP Basic authentication. 
- Connectors_config_properties_sentinelone: - title: Connector request properties for a SentinelOne connector - required: - - url - description: Defines properties for connectors when type is `.sentinelone`. - type: object - properties: - url: - description: > - The SentinelOne tenant URL. If you are using the - `xpack.actions.allowedHosts` setting, add the hostname to the - allowed hosts. - type: string - Connectors_secrets_properties_sentinelone: - title: Connector secrets properties for a SentinelOne connector - description: Defines secrets for connectors when type is `.sentinelone`. - type: object - required: - - token - properties: - token: - description: The A SentinelOne API token. - type: string - Connectors_config_properties_servicenow: - title: Connector request properties for a ServiceNow ITSM connector - required: - - apiUrl - description: Defines properties for connectors when type is `.servicenow`. - type: object - properties: - apiUrl: - type: string - description: The ServiceNow instance URL. - clientId: - description: > - The client ID assigned to your OAuth application. This property is - required when `isOAuth` is `true`. - type: string - isOAuth: - description: > - The type of authentication to use. The default value is false, which - means basic authentication is used instead of open authorization - (OAuth). - default: false - type: boolean - jwtKeyId: - description: > - The key identifier assigned to the JWT verifier map of your OAuth - application. This property is required when `isOAuth` is `true`. - type: string - userIdentifierValue: - description: > - The identifier to use for OAuth authentication. This identifier - should be the user field you selected when you created an OAuth JWT - API endpoint for external clients in your ServiceNow instance. For - example, if the selected user field is `Email`, the user identifier - should be the user's email address. This property is required when - `isOAuth` is `true`. 
- type: string - usesTableApi: - description: > - Determines whether the connector uses the Table API or the Import - Set API. This property is supported only for ServiceNow ITSM and - ServiceNow SecOps connectors. NOTE: If this property is set to - `false`, the Elastic application should be installed in ServiceNow. - default: true - type: boolean - Connectors_secrets_properties_servicenow: - title: >- - Connector secrets properties for ServiceNow ITOM, ServiceNow ITSM, and - ServiceNow SecOps connectors - description: >- - Defines secrets for connectors when type is `.servicenow`, - `.servicenow-sir`, or `.servicenow-itom`. - type: object - properties: - clientSecret: - type: string - description: >- - The client secret assigned to your OAuth application. This property - is required when `isOAuth` is `true`. - password: - type: string - description: >- - The password for HTTP basic authentication. This property is - required when `isOAuth` is `false`. - privateKey: - type: string - description: >- - The RSA private key that you created for use in ServiceNow. This - property is required when `isOAuth` is `true`. - privateKeyPassword: - type: string - description: >- - The password for the RSA private key. This property is required when - `isOAuth` is `true` and you set a password on your private key. - username: - type: string - description: >- - The username for HTTP basic authentication. This property is - required when `isOAuth` is `false`. - Connectors_config_properties_servicenow_itom: - title: Connector request properties for a ServiceNow ITSM connector - required: - - apiUrl - description: Defines properties for connectors when type is `.servicenow`. - type: object - properties: - apiUrl: - type: string - description: The ServiceNow instance URL. - clientId: - description: > - The client ID assigned to your OAuth application. This property is - required when `isOAuth` is `true`. - type: string - isOAuth: - description: > - The type of authentication to use. 
The default value is false, which - means basic authentication is used instead of open authorization - (OAuth). - default: false - type: boolean - jwtKeyId: - description: > - The key identifier assigned to the JWT verifier map of your OAuth - application. This property is required when `isOAuth` is `true`. - type: string - userIdentifierValue: - description: > - The identifier to use for OAuth authentication. This identifier - should be the user field you selected when you created an OAuth JWT - API endpoint for external clients in your ServiceNow instance. For - example, if the selected user field is `Email`, the user identifier - should be the user's email address. This property is required when - `isOAuth` is `true`. - type: string - Connectors_config_properties_slack_api: - title: Connector request properties for a Slack connector - description: Defines properties for connectors when type is `.slack_api`. - type: object - properties: - allowedChannels: - type: array - description: A list of valid Slack channels. - items: - type: object - required: - - id - - name - maxItems: 25 - properties: - id: - type: string - description: The Slack channel ID. - example: C123ABC456 - minLength: 1 - name: - type: string - description: The Slack channel name. - minLength: 1 - Connectors_secrets_properties_slack_api: - title: Connector secrets properties for a Web API Slack connector - description: Defines secrets for connectors when type is `.slack`. - required: - - token - type: object - properties: - token: - type: string - description: Slack bot user OAuth token. - Connectors_secrets_properties_slack_webhook: - title: Connector secrets properties for a Webhook Slack connector - description: Defines secrets for connectors when type is `.slack`. - required: - - webhookUrl - type: object - properties: - webhookUrl: - type: string - description: Slack webhook url. 
- Connectors_config_properties_swimlane: - title: Connector request properties for a Swimlane connector - required: - - apiUrl - - appId - - connectorType - description: Defines properties for connectors when type is `.swimlane`. - type: object - properties: - apiUrl: - description: The Swimlane instance URL. - type: string - appId: - description: The Swimlane application ID. - type: string - connectorType: - description: >- - The type of connector. Valid values are `all`, `alerts`, and - `cases`. - type: string - enum: - - all - - alerts - - cases - mappings: - title: Connector mappings properties for a Swimlane connector - description: The field mapping. - type: object - properties: - alertIdConfig: - title: Alert identifier mapping - description: Mapping for the alert ID. - type: object - required: - - fieldType - - id - - key - - name - properties: - fieldType: - type: string - description: The type of field in Swimlane. - id: - type: string - description: The identifier for the field in Swimlane. - key: - type: string - description: The key for the field in Swimlane. - name: - type: string - description: The name of the field in Swimlane. - caseIdConfig: - title: Case identifier mapping - description: Mapping for the case ID. - type: object - required: - - fieldType - - id - - key - - name - properties: - fieldType: - type: string - description: The type of field in Swimlane. - id: - type: string - description: The identifier for the field in Swimlane. - key: - type: string - description: The key for the field in Swimlane. - name: - type: string - description: The name of the field in Swimlane. - caseNameConfig: - title: Case name mapping - description: Mapping for the case name. - type: object - required: - - fieldType - - id - - key - - name - properties: - fieldType: - type: string - description: The type of field in Swimlane. - id: - type: string - description: The identifier for the field in Swimlane. 
- key: - type: string - description: The key for the field in Swimlane. - name: - type: string - description: The name of the field in Swimlane. - commentsConfig: - title: Case comment mapping - description: Mapping for the case comments. - type: object - required: - - fieldType - - id - - key - - name - properties: - fieldType: - type: string - description: The type of field in Swimlane. - id: - type: string - description: The identifier for the field in Swimlane. - key: - type: string - description: The key for the field in Swimlane. - name: - type: string - description: The name of the field in Swimlane. - descriptionConfig: - title: Case description mapping - description: Mapping for the case description. - type: object - required: - - fieldType - - id - - key - - name - properties: - fieldType: - type: string - description: The type of field in Swimlane. - id: - type: string - description: The identifier for the field in Swimlane. - key: - type: string - description: The key for the field in Swimlane. - name: - type: string - description: The name of the field in Swimlane. - ruleNameConfig: - title: Rule name mapping - description: Mapping for the name of the alert's rule. - type: object - required: - - fieldType - - id - - key - - name - properties: - fieldType: - type: string - description: The type of field in Swimlane. - id: - type: string - description: The identifier for the field in Swimlane. - key: - type: string - description: The key for the field in Swimlane. - name: - type: string - description: The name of the field in Swimlane. - severityConfig: - title: Severity mapping - description: Mapping for the severity. - type: object - required: - - fieldType - - id - - key - - name - properties: - fieldType: - type: string - description: The type of field in Swimlane. - id: - type: string - description: The identifier for the field in Swimlane. - key: - type: string - description: The key for the field in Swimlane. 
- name: - type: string - description: The name of the field in Swimlane. - Connectors_secrets_properties_swimlane: - title: Connector secrets properties for a Swimlane connector - description: Defines secrets for connectors when type is `.swimlane`. - type: object - properties: - apiToken: - description: Swimlane API authentication token. - type: string - Connectors_secrets_properties_teams: - title: Connector secrets properties for a Microsoft Teams connector - description: Defines secrets for connectors when type is `.teams`. - type: object - required: - - webhookUrl - properties: - webhookUrl: - type: string - description: > - The URL of the incoming webhook. If you are using the - `xpack.actions.allowedHosts` setting, add the hostname to the - allowed hosts. - Connectors_config_properties_tines: - title: Connector request properties for a Tines connector - description: Defines properties for connectors when type is `.tines`. - type: object - required: - - url - properties: - url: - description: > - The Tines tenant URL. If you are using the - `xpack.actions.allowedHosts` setting, make sure this hostname is - added to the allowed hosts. - type: string - Connectors_secrets_properties_tines: - title: Connector secrets properties for a Tines connector - description: Defines secrets for connectors when type is `.tines`. - type: object - required: - - email - - token - properties: - email: - description: The email used to sign in to Tines. - type: string - token: - description: The Tines API token. - type: string - Connectors_config_properties_torq: - title: Connector request properties for a Torq connector - description: Defines properties for connectors when type is `.torq`. - type: object - required: - - webhookIntegrationUrl - properties: - webhookIntegrationUrl: - description: The endpoint URL of the Elastic Security integration in Torq. 
- type: string - Connectors_secrets_properties_torq: - title: Connector secrets properties for a Torq connector - description: Defines secrets for connectors when type is `.torq`. - type: object - required: - - token - properties: - token: - description: The secret of the webhook authentication header. - type: string - Connectors_config_properties_webhook: - title: Connector request properties for a Webhook connector - description: Defines properties for connectors when type is `.webhook`. - type: object - properties: - authType: - type: string - nullable: true - enum: - - webhook-authentication-basic - - webhook-authentication-ssl - description: | - The type of authentication to use: basic, SSL, or none. - ca: - type: string - description: > - A base64 encoded version of the certificate authority file that the - connector can trust to sign and validate certificates. This option - is available for all authentication types. - certType: - type: string - description: > - If the `authType` is `webhook-authentication-ssl`, specifies whether - the certificate authentication data is in a CRT and key file format - or a PFX file format. - enum: - - ssl-crt-key - - ssl-pfx - hasAuth: - type: boolean - description: > - If `true`, a user name and password must be provided for login type - authentication. - headers: - type: object - nullable: true - description: A set of key-value pairs sent as headers with the request. - method: - type: string - default: post - enum: - - post - - put - description: | - The HTTP request method, either `post` or `put`. - url: - type: string - description: > - The request URL. If you are using the `xpack.actions.allowedHosts` - setting, add the hostname to the allowed hosts. - verificationMode: - type: string - enum: - - certificate - - full - - none - default: full - description: > - Controls the verification of certificates. 
Use `full` to validate - that the certificate has an issue date within the `not_before` and - `not_after` dates, chains to a trusted certificate authority (CA), - and has a hostname or IP address that matches the names within the - certificate. Use `certificate` to validate the certificate and - verify that it is signed by a trusted authority; this option does - not check the certificate hostname. Use `none` to skip certificate - validation. - Connectors_secrets_properties_webhook: - title: Connector secrets properties for a Webhook connector - description: Defines secrets for connectors when type is `.webhook`. - type: object - properties: - crt: - type: string - description: >- - If `authType` is `webhook-authentication-ssl` and `certType` is - `ssl-crt-key`, it is a base64 encoded version of the CRT or CERT - file. - key: - type: string - description: >- - If `authType` is `webhook-authentication-ssl` and `certType` is - `ssl-crt-key`, it is a base64 encoded version of the KEY file. - pfx: - type: string - description: >- - If `authType` is `webhook-authentication-ssl` and `certType` is - `ssl-pfx`, it is a base64 encoded version of the PFX or P12 file. - password: - type: string - description: > - The password for HTTP basic authentication or the passphrase for the - SSL certificate files. If `hasAuth` is set to `true` and `authType` - is `webhook-authentication-basic`, this property is required. - user: - type: string - description: > - The username for HTTP basic authentication. If `hasAuth` is set to - `true` and `authType` is `webhook-authentication-basic`, this - property is required. - Connectors_config_properties_xmatters: - title: Connector request properties for an xMatters connector - description: Defines properties for connectors when type is `.xmatters`. - type: object - properties: - configUrl: - description: > - The request URL for the Elastic Alerts trigger in xMatters. It is - applicable only when `usesBasic` is `true`. 
- type: string - nullable: true - usesBasic: - description: >- - Specifies whether the connector uses HTTP basic authentication - (`true`) or URL authentication (`false`). - type: boolean - default: true - Connectors_secrets_properties_xmatters: - title: Connector secrets properties for an xMatters connector - description: Defines secrets for connectors when type is `.xmatters`. - type: object - properties: - password: - description: > - A user name for HTTP basic authentication. It is applicable only - when `usesBasic` is `true`. - type: string - secretsUrl: - description: > - The request URL for the Elastic Alerts trigger in xMatters with the - API key included in the URL. It is applicable only when `usesBasic` - is `false`. - type: string - user: - description: > - A password for HTTP basic authentication. It is applicable only when - `usesBasic` is `true`. - type: string - Connectors_create_connector_request: - title: Create connector request body properties - description: The properties vary depending on the connector type. 
- oneOf: - - $ref: '#/components/schemas/Connectors_create_connector_request_bedrock' - - $ref: '#/components/schemas/Connectors_create_connector_request_gemini' - - $ref: >- - #/components/schemas/Connectors_create_connector_request_cases_webhook - - $ref: '#/components/schemas/Connectors_create_connector_request_d3security' - - $ref: '#/components/schemas/Connectors_create_connector_request_email' - - $ref: '#/components/schemas/Connectors_create_connector_request_genai' - - $ref: '#/components/schemas/Connectors_create_connector_request_index' - - $ref: '#/components/schemas/Connectors_create_connector_request_jira' - - $ref: '#/components/schemas/Connectors_create_connector_request_opsgenie' - - $ref: '#/components/schemas/Connectors_create_connector_request_pagerduty' - - $ref: '#/components/schemas/Connectors_create_connector_request_resilient' - - $ref: '#/components/schemas/Connectors_create_connector_request_sentinelone' - - $ref: '#/components/schemas/Connectors_create_connector_request_serverlog' - - $ref: '#/components/schemas/Connectors_create_connector_request_servicenow' - - $ref: >- - #/components/schemas/Connectors_create_connector_request_servicenow_itom - - $ref: >- - #/components/schemas/Connectors_create_connector_request_servicenow_sir - - $ref: '#/components/schemas/Connectors_create_connector_request_slack_api' - - $ref: >- - #/components/schemas/Connectors_create_connector_request_slack_webhook - - $ref: '#/components/schemas/Connectors_create_connector_request_swimlane' - - $ref: '#/components/schemas/Connectors_create_connector_request_teams' - - $ref: '#/components/schemas/Connectors_create_connector_request_tines' - - $ref: '#/components/schemas/Connectors_create_connector_request_torq' - - $ref: '#/components/schemas/Connectors_create_connector_request_webhook' - - $ref: '#/components/schemas/Connectors_create_connector_request_xmatters' - discriminator: - propertyName: connector_type_id - mapping: - .bedrock: 
'#/components/schemas/Connectors_create_connector_request_bedrock' - .gemini: '#/components/schemas/Connectors_create_connector_request_gemini' - .cases-webhook: >- - #/components/schemas/Connectors_create_connector_request_cases_webhook - .d3security: '#/components/schemas/Connectors_create_connector_request_d3security' - .email: '#/components/schemas/Connectors_create_connector_request_email' - .gen-ai: '#/components/schemas/Connectors_create_connector_request_genai' - .index: '#/components/schemas/Connectors_create_connector_request_index' - .jira: '#/components/schemas/Connectors_create_connector_request_jira' - .opsgenie: '#/components/schemas/Connectors_create_connector_request_opsgenie' - .pagerduty: '#/components/schemas/Connectors_create_connector_request_pagerduty' - .resilient: '#/components/schemas/Connectors_create_connector_request_resilient' - .sentinelone: '#/components/schemas/Connectors_create_connector_request_sentinelone' - .server-log: '#/components/schemas/Connectors_create_connector_request_serverlog' - .servicenow: '#/components/schemas/Connectors_create_connector_request_servicenow' - .servicenow-itom: >- - #/components/schemas/Connectors_create_connector_request_servicenow_itom - .servicenow-sir: >- - #/components/schemas/Connectors_create_connector_request_servicenow_sir - .slack_api: '#/components/schemas/Connectors_create_connector_request_slack_api' - .slack: >- - #/components/schemas/Connectors_create_connector_request_slack_webhook - .swimlane: '#/components/schemas/Connectors_create_connector_request_swimlane' - .teams: '#/components/schemas/Connectors_create_connector_request_teams' - .tines: '#/components/schemas/Connectors_create_connector_request_tines' - .torq: '#/components/schemas/Connectors_create_connector_request_torq' - .webhook: '#/components/schemas/Connectors_create_connector_request_webhook' - .xmatters: '#/components/schemas/Connectors_create_connector_request_xmatters' - 
Connectors_connector_response_properties_bedrock: - title: Connector response properties for an Amazon Bedrock connector - type: object - required: - - config - - connector_type_id - - id - - is_deprecated - - is_preconfigured - - name - properties: - config: - $ref: '#/components/schemas/Connectors_config_properties_bedrock' - connector_type_id: - type: string - description: The type of connector. - enum: - - .bedrock - id: - type: string - description: The identifier for the connector. - is_deprecated: - $ref: '#/components/schemas/Connectors_is_deprecated' - is_missing_secrets: - $ref: '#/components/schemas/Connectors_is_missing_secrets' - is_preconfigured: - $ref: '#/components/schemas/Connectors_is_preconfigured' - is_system_action: - $ref: '#/components/schemas/Connectors_is_system_action' - name: - type: string - description: The display name for the connector. - Connectors_connector_response_properties_gemini: - title: Connector response properties for a Google Gemini connector - type: object - required: - - connector_type_id - - id - - is_deprecated - - is_preconfigured - - name - properties: - config: - $ref: '#/components/schemas/Connectors_config_properties_gemini' - connector_type_id: - type: string - description: The type of connector. - enum: - - .gemini - id: - type: string - description: The identifier for the connector. - is_deprecated: - $ref: '#/components/schemas/Connectors_is_deprecated' - is_missing_secrets: - $ref: '#/components/schemas/Connectors_is_missing_secrets' - is_preconfigured: - $ref: '#/components/schemas/Connectors_is_preconfigured' - is_system_action: - $ref: '#/components/schemas/Connectors_is_system_action' - name: - type: string - description: The display name for the connector. 
- referenced_by_count: - $ref: '#/components/schemas/Connectors_referenced_by_count' - Connectors_connector_response_properties_cases_webhook: - title: Connector request properties for a Webhook - Case Management connector - type: object - required: - - connector_type_id - - id - - is_deprecated - - is_preconfigured - - name - properties: - config: - $ref: '#/components/schemas/Connectors_config_properties_cases_webhook' - connector_type_id: - description: The type of connector. - type: string - enum: - - .cases-webhook - id: - type: string - description: The identifier for the connector. - is_deprecated: - $ref: '#/components/schemas/Connectors_is_deprecated' - is_missing_secrets: - $ref: '#/components/schemas/Connectors_is_missing_secrets' - is_preconfigured: - $ref: '#/components/schemas/Connectors_is_preconfigured' - is_system_action: - $ref: '#/components/schemas/Connectors_is_system_action' - name: - type: string - description: The display name for the connector. - referenced_by_count: - $ref: '#/components/schemas/Connectors_referenced_by_count' - Connectors_connector_response_properties_d3security: - title: Connector response properties for a D3 Security connector - type: object - required: - - connector_type_id - - id - - is_deprecated - - is_preconfigured - - name - properties: - config: - $ref: '#/components/schemas/Connectors_config_properties_d3security' - connector_type_id: - type: string - description: The type of connector. - enum: - - .d3security - id: - type: string - description: The identifier for the connector. - is_deprecated: - $ref: '#/components/schemas/Connectors_is_deprecated' - is_missing_secrets: - $ref: '#/components/schemas/Connectors_is_missing_secrets' - is_preconfigured: - $ref: '#/components/schemas/Connectors_is_preconfigured' - is_system_action: - $ref: '#/components/schemas/Connectors_is_system_action' - name: - type: string - description: The display name for the connector. 
- referenced_by_count: - $ref: '#/components/schemas/Connectors_referenced_by_count' - Connectors_connector_response_properties_email: - title: Connector response properties for an email connector - type: object - required: - - connector_type_id - - id - - is_deprecated - - is_preconfigured - - name - properties: - config: - $ref: '#/components/schemas/Connectors_config_properties_email' - connector_type_id: - type: string - description: The type of connector. - enum: - - .email - id: - type: string - description: The identifier for the connector. - is_deprecated: - $ref: '#/components/schemas/Connectors_is_deprecated' - is_missing_secrets: - $ref: '#/components/schemas/Connectors_is_missing_secrets' - is_preconfigured: - $ref: '#/components/schemas/Connectors_is_preconfigured' - is_system_action: - $ref: '#/components/schemas/Connectors_is_system_action' - name: - type: string - description: The display name for the connector. - referenced_by_count: - $ref: '#/components/schemas/Connectors_referenced_by_count' - Connectors_connector_response_properties_genai: - title: Connector response properties for an OpenAI connector - type: object - required: - - connector_type_id - - id - - is_deprecated - - is_preconfigured - - name - properties: - config: - $ref: '#/components/schemas/Connectors_config_properties_genai' - connector_type_id: - type: string - description: The type of connector. - enum: - - .gen-ai - id: - type: string - description: The identifier for the connector. - is_deprecated: - $ref: '#/components/schemas/Connectors_is_deprecated' - is_missing_secrets: - $ref: '#/components/schemas/Connectors_is_missing_secrets' - is_preconfigured: - $ref: '#/components/schemas/Connectors_is_preconfigured' - is_system_action: - $ref: '#/components/schemas/Connectors_is_system_action' - name: - type: string - description: The display name for the connector. 
- referenced_by_count: - $ref: '#/components/schemas/Connectors_referenced_by_count' - Connectors_connector_response_properties_index: - title: Connector response properties for an index connector - type: object - required: - - connector_type_id - - id - - is_deprecated - - is_preconfigured - - name - properties: - config: - $ref: '#/components/schemas/Connectors_config_properties_index' - connector_type_id: - type: string - description: The type of connector. - enum: - - .index - id: - type: string - description: The identifier for the connector. - is_deprecated: - $ref: '#/components/schemas/Connectors_is_deprecated' - is_missing_secrets: - $ref: '#/components/schemas/Connectors_is_missing_secrets' - is_preconfigured: - $ref: '#/components/schemas/Connectors_is_preconfigured' - is_system_action: - $ref: '#/components/schemas/Connectors_is_system_action' - name: - type: string - description: The display name for the connector. - referenced_by_count: - $ref: '#/components/schemas/Connectors_referenced_by_count' - Connectors_connector_response_properties_jira: - title: Connector response properties for a Jira connector - type: object - required: - - connector_type_id - - id - - is_deprecated - - is_preconfigured - - name - properties: - config: - $ref: '#/components/schemas/Connectors_config_properties_jira' - connector_type_id: - type: string - description: The type of connector. - enum: - - .jira - id: - type: string - description: The identifier for the connector. - is_deprecated: - $ref: '#/components/schemas/Connectors_is_deprecated' - is_missing_secrets: - $ref: '#/components/schemas/Connectors_is_missing_secrets' - is_preconfigured: - $ref: '#/components/schemas/Connectors_is_preconfigured' - is_system_action: - $ref: '#/components/schemas/Connectors_is_system_action' - name: - type: string - description: The display name for the connector. 
- referenced_by_count: - $ref: '#/components/schemas/Connectors_referenced_by_count' - Connectors_connector_response_properties_opsgenie: - title: Connector response properties for an Opsgenie connector - type: object - required: - - connector_type_id - - id - - is_deprecated - - is_preconfigured - - name - properties: - config: - $ref: '#/components/schemas/Connectors_config_properties_opsgenie' - connector_type_id: - type: string - description: The type of connector. - enum: - - .opsgenie - id: - type: string - description: The identifier for the connector. - is_deprecated: - $ref: '#/components/schemas/Connectors_is_deprecated' - is_missing_secrets: - $ref: '#/components/schemas/Connectors_is_missing_secrets' - is_preconfigured: - $ref: '#/components/schemas/Connectors_is_preconfigured' - is_system_action: - $ref: '#/components/schemas/Connectors_is_system_action' - name: - type: string - description: The display name for the connector. - referenced_by_count: - $ref: '#/components/schemas/Connectors_referenced_by_count' - Connectors_connector_response_properties_pagerduty: - title: Connector response properties for a PagerDuty connector - type: object - required: - - connector_type_id - - id - - is_deprecated - - is_preconfigured - - name - properties: - config: - $ref: '#/components/schemas/Connectors_config_properties_pagerduty' - connector_type_id: - type: string - description: The type of connector. - enum: - - .pagerduty - id: - type: string - description: The identifier for the connector. - is_deprecated: - $ref: '#/components/schemas/Connectors_is_deprecated' - is_missing_secrets: - $ref: '#/components/schemas/Connectors_is_missing_secrets' - is_preconfigured: - $ref: '#/components/schemas/Connectors_is_preconfigured' - is_system_action: - $ref: '#/components/schemas/Connectors_is_system_action' - name: - type: string - description: The display name for the connector. 
- referenced_by_count: - $ref: '#/components/schemas/Connectors_referenced_by_count' - Connectors_connector_response_properties_resilient: - title: Connector response properties for a IBM Resilient connector - type: object - required: - - connector_type_id - - id - - is_deprecated - - is_preconfigured - - name - properties: - config: - $ref: '#/components/schemas/Connectors_config_properties_resilient' - connector_type_id: - type: string - description: The type of connector. - enum: - - .resilient - id: - type: string - description: The identifier for the connector. - is_deprecated: - $ref: '#/components/schemas/Connectors_is_deprecated' - is_missing_secrets: - $ref: '#/components/schemas/Connectors_is_missing_secrets' - is_preconfigured: - $ref: '#/components/schemas/Connectors_is_preconfigured' - is_system_action: - $ref: '#/components/schemas/Connectors_is_system_action' - name: - type: string - description: The display name for the connector. - referenced_by_count: - $ref: '#/components/schemas/Connectors_referenced_by_count' - Connectors_connector_response_properties_sentinelone: - title: Connector response properties for a SentinelOne connector - type: object - required: - - connector_type_id - - id - - is_deprecated - - is_preconfigured - - name - properties: - config: - $ref: '#/components/schemas/Connectors_config_properties_sentinelone' - connector_type_id: - type: string - description: The type of connector. - enum: - - .sentinelone - id: - type: string - description: The identifier for the connector. - is_deprecated: - $ref: '#/components/schemas/Connectors_is_deprecated' - is_missing_secrets: - $ref: '#/components/schemas/Connectors_is_missing_secrets' - is_preconfigured: - $ref: '#/components/schemas/Connectors_is_preconfigured' - is_system_action: - $ref: '#/components/schemas/Connectors_is_system_action' - name: - type: string - description: The display name for the connector. 
- referenced_by_count: - $ref: '#/components/schemas/Connectors_referenced_by_count' - Connectors_connector_response_properties_serverlog: - title: Connector response properties for a server log connector - type: object - required: - - connector_type_id - - id - - is_deprecated - - is_preconfigured - - name - properties: - config: - type: object - nullable: true - connector_type_id: - type: string - description: The type of connector. - enum: - - .server-log - id: - type: string - description: The identifier for the connector. - is_deprecated: - $ref: '#/components/schemas/Connectors_is_deprecated' - is_missing_secrets: - $ref: '#/components/schemas/Connectors_is_missing_secrets' - is_preconfigured: - $ref: '#/components/schemas/Connectors_is_preconfigured' - is_system_action: - $ref: '#/components/schemas/Connectors_is_system_action' - name: - type: string - description: The display name for the connector. - referenced_by_count: - $ref: '#/components/schemas/Connectors_referenced_by_count' - Connectors_connector_response_properties_servicenow: - title: Connector response properties for a ServiceNow ITSM connector - type: object - required: - - connector_type_id - - id - - is_deprecated - - is_preconfigured - - name - properties: - config: - $ref: '#/components/schemas/Connectors_config_properties_servicenow' - connector_type_id: - type: string - description: The type of connector. - enum: - - .servicenow - id: - type: string - description: The identifier for the connector. - is_deprecated: - $ref: '#/components/schemas/Connectors_is_deprecated' - is_missing_secrets: - $ref: '#/components/schemas/Connectors_is_missing_secrets' - is_preconfigured: - $ref: '#/components/schemas/Connectors_is_preconfigured' - is_system_action: - $ref: '#/components/schemas/Connectors_is_system_action' - name: - type: string - description: The display name for the connector. 
- referenced_by_count: - $ref: '#/components/schemas/Connectors_referenced_by_count' - Connectors_connector_response_properties_servicenow_itom: - title: Connector response properties for a ServiceNow ITOM connector - type: object - required: - - connector_type_id - - id - - is_deprecated - - is_preconfigured - - name - properties: - config: - $ref: '#/components/schemas/Connectors_config_properties_servicenow_itom' - connector_type_id: - type: string - description: The type of connector. - enum: - - .servicenow-itom - id: - type: string - description: The identifier for the connector. - is_deprecated: - $ref: '#/components/schemas/Connectors_is_deprecated' - is_missing_secrets: - $ref: '#/components/schemas/Connectors_is_missing_secrets' - is_preconfigured: - $ref: '#/components/schemas/Connectors_is_preconfigured' - is_system_action: - $ref: '#/components/schemas/Connectors_is_system_action' - name: - type: string - description: The display name for the connector. - referenced_by_count: - $ref: '#/components/schemas/Connectors_referenced_by_count' - Connectors_connector_response_properties_servicenow_sir: - title: Connector response properties for a ServiceNow SecOps connector - type: object - required: - - connector_type_id - - id - - is_deprecated - - is_preconfigured - - name - properties: - config: - $ref: '#/components/schemas/Connectors_config_properties_servicenow' - connector_type_id: - type: string - description: The type of connector. - enum: - - .servicenow-sir - id: - type: string - description: The identifier for the connector. - is_deprecated: - $ref: '#/components/schemas/Connectors_is_deprecated' - is_missing_secrets: - $ref: '#/components/schemas/Connectors_is_missing_secrets' - is_preconfigured: - $ref: '#/components/schemas/Connectors_is_preconfigured' - is_system_action: - $ref: '#/components/schemas/Connectors_is_system_action' - name: - type: string - description: The display name for the connector. 
- referenced_by_count: - $ref: '#/components/schemas/Connectors_referenced_by_count' - Connectors_connector_response_properties_slack_api: - title: Connector response properties for a Slack connector - type: object - required: - - connector_type_id - - id - - is_deprecated - - is_preconfigured - - name - properties: - config: - $ref: '#/components/schemas/Connectors_config_properties_slack_api' - connector_type_id: - type: string - description: The type of connector. - enum: - - .slack_api - id: - type: string - description: The identifier for the connector. - is_deprecated: - $ref: '#/components/schemas/Connectors_is_deprecated' - is_missing_secrets: - $ref: '#/components/schemas/Connectors_is_missing_secrets' - is_preconfigured: - $ref: '#/components/schemas/Connectors_is_preconfigured' - is_system_action: - $ref: '#/components/schemas/Connectors_is_system_action' - name: - type: string - description: The display name for the connector. - referenced_by_count: - $ref: '#/components/schemas/Connectors_referenced_by_count' - Connectors_connector_response_properties_slack_webhook: - title: Connector response properties for a Slack connector - type: object - required: - - connector_type_id - - id - - is_deprecated - - is_preconfigured - - name - properties: - connector_type_id: - type: string - description: The type of connector. - enum: - - .slack - id: - type: string - description: The identifier for the connector. - is_deprecated: - $ref: '#/components/schemas/Connectors_is_deprecated' - is_missing_secrets: - $ref: '#/components/schemas/Connectors_is_missing_secrets' - is_preconfigured: - $ref: '#/components/schemas/Connectors_is_preconfigured' - is_system_action: - $ref: '#/components/schemas/Connectors_is_system_action' - name: - type: string - description: The display name for the connector. 
- referenced_by_count: - $ref: '#/components/schemas/Connectors_referenced_by_count' - Connectors_connector_response_properties_swimlane: - title: Connector response properties for a Swimlane connector - type: object - required: - - connector_type_id - - id - - is_deprecated - - is_preconfigured - - name - properties: - config: - $ref: '#/components/schemas/Connectors_config_properties_swimlane' - connector_type_id: - type: string - description: The type of connector. - enum: - - .swimlane - id: - type: string - description: The identifier for the connector. - is_deprecated: - $ref: '#/components/schemas/Connectors_is_deprecated' - is_missing_secrets: - $ref: '#/components/schemas/Connectors_is_missing_secrets' - is_preconfigured: - $ref: '#/components/schemas/Connectors_is_preconfigured' - is_system_action: - $ref: '#/components/schemas/Connectors_is_system_action' - name: - type: string - description: The display name for the connector. - referenced_by_count: - $ref: '#/components/schemas/Connectors_referenced_by_count' - Connectors_connector_response_properties_teams: - title: Connector response properties for a Microsoft Teams connector - type: object - required: - - connector_type_id - - id - - is_deprecated - - is_preconfigured - - name - properties: - config: - type: object - connector_type_id: - type: string - description: The type of connector. - enum: - - .teams - id: - type: string - description: The identifier for the connector. - is_deprecated: - $ref: '#/components/schemas/Connectors_is_deprecated' - is_missing_secrets: - $ref: '#/components/schemas/Connectors_is_missing_secrets' - is_preconfigured: - $ref: '#/components/schemas/Connectors_is_preconfigured' - is_system_action: - $ref: '#/components/schemas/Connectors_is_system_action' - name: - type: string - description: The display name for the connector. 
- referenced_by_count: - $ref: '#/components/schemas/Connectors_referenced_by_count' - Connectors_connector_response_properties_tines: - title: Connector response properties for a Tines connector - type: object - required: - - connector_type_id - - id - - is_deprecated - - is_preconfigured - - name - properties: - config: - $ref: '#/components/schemas/Connectors_config_properties_tines' - connector_type_id: - type: string - description: The type of connector. - enum: - - .tines - id: - type: string - description: The identifier for the connector. - is_deprecated: - $ref: '#/components/schemas/Connectors_is_deprecated' - is_missing_secrets: - $ref: '#/components/schemas/Connectors_is_missing_secrets' - is_preconfigured: - $ref: '#/components/schemas/Connectors_is_preconfigured' - is_system_action: - $ref: '#/components/schemas/Connectors_is_system_action' - name: - type: string - description: The display name for the connector. - referenced_by_count: - $ref: '#/components/schemas/Connectors_referenced_by_count' - Connectors_connector_response_properties_torq: - title: Connector response properties for a Torq connector - type: object - required: - - connector_type_id - - id - - is_deprecated - - is_preconfigured - - name - properties: - config: - $ref: '#/components/schemas/Connectors_config_properties_torq' - connector_type_id: - type: string - description: The type of connector. - enum: - - .torq - id: - type: string - description: The identifier for the connector. - is_deprecated: - $ref: '#/components/schemas/Connectors_is_deprecated' - is_missing_secrets: - $ref: '#/components/schemas/Connectors_is_missing_secrets' - is_preconfigured: - $ref: '#/components/schemas/Connectors_is_preconfigured' - is_system_action: - $ref: '#/components/schemas/Connectors_is_system_action' - name: - type: string - description: The display name for the connector. 
- referenced_by_count: - $ref: '#/components/schemas/Connectors_referenced_by_count' - Connectors_connector_response_properties_webhook: - title: Connector response properties for a Webhook connector - type: object - required: - - connector_type_id - - id - - is_deprecated - - is_preconfigured - - name - properties: - config: - $ref: '#/components/schemas/Connectors_config_properties_webhook' - connector_type_id: - type: string - description: The type of connector. - enum: - - .webhook - id: - type: string - description: The identifier for the connector. - is_deprecated: - $ref: '#/components/schemas/Connectors_is_deprecated' - is_missing_secrets: - $ref: '#/components/schemas/Connectors_is_missing_secrets' - is_preconfigured: - $ref: '#/components/schemas/Connectors_is_preconfigured' - is_system_action: - $ref: '#/components/schemas/Connectors_is_system_action' - name: - type: string - description: The display name for the connector. - referenced_by_count: - $ref: '#/components/schemas/Connectors_referenced_by_count' - Connectors_connector_response_properties_xmatters: - title: Connector response properties for an xMatters connector - type: object - required: - - connector_type_id - - id - - is_deprecated - - is_preconfigured - - name - properties: - config: - $ref: '#/components/schemas/Connectors_config_properties_xmatters' - connector_type_id: - type: string - description: The type of connector. - enum: - - .xmatters - id: - type: string - description: The identifier for the connector. - is_deprecated: - $ref: '#/components/schemas/Connectors_is_deprecated' - is_missing_secrets: - $ref: '#/components/schemas/Connectors_is_missing_secrets' - is_preconfigured: - $ref: '#/components/schemas/Connectors_is_preconfigured' - is_system_action: - $ref: '#/components/schemas/Connectors_is_system_action' - name: - type: string - description: The display name for the connector. 
- referenced_by_count: - $ref: '#/components/schemas/Connectors_referenced_by_count' - Connectors_is_deprecated: - type: boolean - description: Indicates whether the connector type is deprecated. - example: false - Connectors_is_missing_secrets: - type: boolean - description: >- - Indicates whether secrets are missing for the connector. Secrets - configuration properties vary depending on the connector type. - example: false - Connectors_is_preconfigured: - type: boolean - description: > - Indicates whether it is a preconfigured connector. If true, the `config` - and `is_missing_secrets` properties are omitted from the response. - example: false - Connectors_is_system_action: - type: boolean - description: Indicates whether the connector is used for system actions. - example: false - Connectors_referenced_by_count: - type: integer - description: > - Indicates the number of saved objects that reference the connector. If - `is_preconfigured` is true, this value is not calculated. This property - is returned only by the get all connectors API. - example: 2 - Connectors_connector_response_properties: - title: Connector response properties - description: The properties vary depending on the connector type. 
- oneOf: - - $ref: >- - #/components/schemas/Connectors_connector_response_properties_bedrock - - $ref: '#/components/schemas/Connectors_connector_response_properties_gemini' - - $ref: >- - #/components/schemas/Connectors_connector_response_properties_cases_webhook - - $ref: >- - #/components/schemas/Connectors_connector_response_properties_d3security - - $ref: '#/components/schemas/Connectors_connector_response_properties_email' - - $ref: '#/components/schemas/Connectors_connector_response_properties_genai' - - $ref: '#/components/schemas/Connectors_connector_response_properties_index' - - $ref: '#/components/schemas/Connectors_connector_response_properties_jira' - - $ref: >- - #/components/schemas/Connectors_connector_response_properties_opsgenie - - $ref: >- - #/components/schemas/Connectors_connector_response_properties_pagerduty - - $ref: >- - #/components/schemas/Connectors_connector_response_properties_resilient - - $ref: >- - #/components/schemas/Connectors_connector_response_properties_sentinelone - - $ref: >- - #/components/schemas/Connectors_connector_response_properties_serverlog - - $ref: >- - #/components/schemas/Connectors_connector_response_properties_servicenow - - $ref: >- - #/components/schemas/Connectors_connector_response_properties_servicenow_itom - - $ref: >- - #/components/schemas/Connectors_connector_response_properties_servicenow_sir - - $ref: >- - #/components/schemas/Connectors_connector_response_properties_slack_api - - $ref: >- - #/components/schemas/Connectors_connector_response_properties_slack_webhook - - $ref: >- - #/components/schemas/Connectors_connector_response_properties_swimlane - - $ref: '#/components/schemas/Connectors_connector_response_properties_teams' - - $ref: '#/components/schemas/Connectors_connector_response_properties_tines' - - $ref: '#/components/schemas/Connectors_connector_response_properties_torq' - - $ref: >- - #/components/schemas/Connectors_connector_response_properties_webhook - - $ref: >- - 
#/components/schemas/Connectors_connector_response_properties_xmatters - discriminator: - propertyName: connector_type_id - mapping: - .bedrock: >- - #/components/schemas/Connectors_connector_response_properties_bedrock - .gemini: '#/components/schemas/Connectors_connector_response_properties_gemini' - .cases-webhook: >- - #/components/schemas/Connectors_connector_response_properties_cases_webhook - .d3security: >- - #/components/schemas/Connectors_connector_response_properties_d3security - .email: '#/components/schemas/Connectors_connector_response_properties_email' - .gen-ai: '#/components/schemas/Connectors_connector_response_properties_genai' - .index: '#/components/schemas/Connectors_connector_response_properties_index' - .jira: '#/components/schemas/Connectors_connector_response_properties_jira' - .opsgenie: >- - #/components/schemas/Connectors_connector_response_properties_opsgenie - .pagerduty: >- - #/components/schemas/Connectors_connector_response_properties_pagerduty - .resilient: >- - #/components/schemas/Connectors_connector_response_properties_resilient - .sentinelone: >- - #/components/schemas/Connectors_connector_response_properties_sentinelone - .server-log: >- - #/components/schemas/Connectors_connector_response_properties_serverlog - .servicenow: >- - #/components/schemas/Connectors_connector_response_properties_servicenow - .servicenow-itom: >- - #/components/schemas/Connectors_connector_response_properties_servicenow_itom - .servicenow-sir: >- - #/components/schemas/Connectors_connector_response_properties_servicenow_sir - .slack_api: >- - #/components/schemas/Connectors_connector_response_properties_slack_api - .slack: >- - #/components/schemas/Connectors_connector_response_properties_slack_webhook - .swimlane: >- - #/components/schemas/Connectors_connector_response_properties_swimlane - .teams: '#/components/schemas/Connectors_connector_response_properties_teams' - .tines: '#/components/schemas/Connectors_connector_response_properties_tines' 
- .torq: '#/components/schemas/Connectors_connector_response_properties_torq' - .webhook: >- - #/components/schemas/Connectors_connector_response_properties_webhook - .xmatters: >- - #/components/schemas/Connectors_connector_response_properties_xmatters - Connectors_update_connector_request_bedrock: - title: Update Amazon Bedrock connector request - type: object - required: - - config - - name - properties: - config: - $ref: '#/components/schemas/Connectors_config_properties_bedrock' - name: - type: string - description: The display name for the connector. - secrets: - $ref: '#/components/schemas/Connectors_secrets_properties_bedrock' - Connectors_update_connector_request_gemini: - title: Update Google Gemini connector request - type: object - required: - - config - - name - properties: - config: - $ref: '#/components/schemas/Connectors_config_properties_gemini' - name: - type: string - description: The display name for the connector. - secrets: - $ref: '#/components/schemas/Connectors_secrets_properties_gemini' - Connectors_update_connector_request_cases_webhook: - title: Update Webhook - Case Managment connector request - type: object - required: - - config - - name - properties: - config: - $ref: '#/components/schemas/Connectors_config_properties_cases_webhook' - name: - type: string - description: The display name for the connector. - example: my-connector - secrets: - $ref: '#/components/schemas/Connectors_secrets_properties_cases_webhook' - Connectors_update_connector_request_d3security: - title: Update D3 Security connector request - type: object - required: - - config - - name - - secrets - properties: - config: - $ref: '#/components/schemas/Connectors_config_properties_d3security' - name: - type: string - description: The display name for the connector. 
- secrets: - $ref: '#/components/schemas/Connectors_secrets_properties_d3security' - Connectors_update_connector_request_email: - title: Update email connector request - type: object - required: - - config - - name - properties: - config: - $ref: '#/components/schemas/Connectors_config_properties_email' - name: - type: string - description: The display name for the connector. - secrets: - $ref: '#/components/schemas/Connectors_secrets_properties_email' - Connectors_update_connector_request_index: - title: Update index connector request - type: object - required: - - config - - name - properties: - config: - $ref: '#/components/schemas/Connectors_config_properties_index' - name: - type: string - description: The display name for the connector. - Connectors_update_connector_request_jira: - title: Update Jira connector request - type: object - required: - - config - - name - - secrets - properties: - config: - $ref: '#/components/schemas/Connectors_config_properties_jira' - name: - type: string - description: The display name for the connector. - secrets: - $ref: '#/components/schemas/Connectors_secrets_properties_jira' - Connectors_update_connector_request_opsgenie: - title: Update Opsgenie connector request - type: object - required: - - config - - name - - secrets - properties: - config: - $ref: '#/components/schemas/Connectors_config_properties_opsgenie' - name: - type: string - description: The display name for the connector. - secrets: - $ref: '#/components/schemas/Connectors_secrets_properties_opsgenie' - Connectors_update_connector_request_pagerduty: - title: Update PagerDuty connector request - type: object - required: - - config - - name - - secrets - properties: - config: - $ref: '#/components/schemas/Connectors_config_properties_pagerduty' - name: - type: string - description: The display name for the connector. 
- secrets: - $ref: '#/components/schemas/Connectors_secrets_properties_pagerduty' - Connectors_update_connector_request_resilient: - title: Update IBM Resilient connector request - type: object - required: - - config - - name - - secrets - properties: - config: - $ref: '#/components/schemas/Connectors_config_properties_resilient' - name: - type: string - description: The display name for the connector. - secrets: - $ref: '#/components/schemas/Connectors_secrets_properties_resilient' - Connectors_update_connector_request_sentinelone: - title: Update SentinelOne connector request - type: object - required: - - config - - name - - secrets - properties: - config: - $ref: '#/components/schemas/Connectors_config_properties_sentinelone' - name: - type: string - description: The display name for the connector. - secrets: - $ref: '#/components/schemas/Connectors_secrets_properties_sentinelone' - Connectors_update_connector_request_serverlog: - title: Update server log connector request - type: object - required: - - name - properties: - name: - type: string - description: The display name for the connector. - Connectors_update_connector_request_servicenow: - title: Update ServiceNow ITSM connector or ServiceNow SecOps request - type: object - required: - - config - - name - - secrets - properties: - config: - $ref: '#/components/schemas/Connectors_config_properties_servicenow' - name: - type: string - description: The display name for the connector. - secrets: - $ref: '#/components/schemas/Connectors_secrets_properties_servicenow' - Connectors_update_connector_request_servicenow_itom: - title: Create ServiceNow ITOM connector request - type: object - required: - - config - - name - - secrets - properties: - config: - $ref: '#/components/schemas/Connectors_config_properties_servicenow_itom' - name: - type: string - description: The display name for the connector. 
- secrets: - $ref: '#/components/schemas/Connectors_secrets_properties_servicenow' - Connectors_update_connector_request_slack_api: - title: Update Slack connector request - type: object - required: - - name - - secrets - properties: - config: - $ref: '#/components/schemas/Connectors_config_properties_slack_api' - name: - type: string - description: The display name for the connector. - secrets: - $ref: '#/components/schemas/Connectors_secrets_properties_slack_api' - Connectors_update_connector_request_slack_webhook: - title: Update Slack connector request - type: object - required: - - name - - secrets - properties: - name: - type: string - description: The display name for the connector. - secrets: - $ref: '#/components/schemas/Connectors_secrets_properties_slack_webhook' - Connectors_update_connector_request_swimlane: - title: Update Swimlane connector request - type: object - required: - - config - - name - - secrets - properties: - config: - $ref: '#/components/schemas/Connectors_config_properties_swimlane' - name: - type: string - description: The display name for the connector. - example: my-connector - secrets: - $ref: '#/components/schemas/Connectors_secrets_properties_swimlane' - Connectors_update_connector_request_teams: - title: Update Microsoft Teams connector request - type: object - required: - - name - - secrets - properties: - name: - type: string - description: The display name for the connector. - secrets: - $ref: '#/components/schemas/Connectors_secrets_properties_teams' - Connectors_update_connector_request_tines: - title: Update Tines connector request - type: object - required: - - config - - name - - secrets - properties: - config: - $ref: '#/components/schemas/Connectors_config_properties_tines' - name: - type: string - description: The display name for the connector. 
- secrets: - $ref: '#/components/schemas/Connectors_secrets_properties_tines' - Connectors_update_connector_request_torq: - title: Update Torq connector request - type: object - required: - - config - - name - - secrets - properties: - config: - $ref: '#/components/schemas/Connectors_config_properties_torq' - name: - type: string - description: The display name for the connector. - secrets: - $ref: '#/components/schemas/Connectors_secrets_properties_torq' - Connectors_update_connector_request_webhook: - title: Update Webhook connector request - type: object - required: - - config - - name - - secrets - properties: - config: - $ref: '#/components/schemas/Connectors_config_properties_webhook' - name: - type: string - description: The display name for the connector. - secrets: - $ref: '#/components/schemas/Connectors_secrets_properties_webhook' - Connectors_update_connector_request_xmatters: - title: Update xMatters connector request - type: object - required: - - config - - name - - secrets - properties: - config: - $ref: '#/components/schemas/Connectors_config_properties_xmatters' - name: - type: string - description: The display name for the connector. - secrets: - $ref: '#/components/schemas/Connectors_secrets_properties_xmatters' - Connectors_update_connector_request: - title: Update connector request body properties - description: The properties vary depending on the connector type. 
- oneOf: - - $ref: '#/components/schemas/Connectors_update_connector_request_bedrock' - - $ref: '#/components/schemas/Connectors_update_connector_request_gemini' - - $ref: >- - #/components/schemas/Connectors_update_connector_request_cases_webhook - - $ref: '#/components/schemas/Connectors_update_connector_request_d3security' - - $ref: '#/components/schemas/Connectors_update_connector_request_email' - - $ref: '#/components/schemas/Connectors_create_connector_request_genai' - - $ref: '#/components/schemas/Connectors_update_connector_request_index' - - $ref: '#/components/schemas/Connectors_update_connector_request_jira' - - $ref: '#/components/schemas/Connectors_update_connector_request_opsgenie' - - $ref: '#/components/schemas/Connectors_update_connector_request_pagerduty' - - $ref: '#/components/schemas/Connectors_update_connector_request_resilient' - - $ref: '#/components/schemas/Connectors_update_connector_request_sentinelone' - - $ref: '#/components/schemas/Connectors_update_connector_request_serverlog' - - $ref: '#/components/schemas/Connectors_update_connector_request_servicenow' - - $ref: >- - #/components/schemas/Connectors_update_connector_request_servicenow_itom - - $ref: '#/components/schemas/Connectors_update_connector_request_slack_api' - - $ref: >- - #/components/schemas/Connectors_update_connector_request_slack_webhook - - $ref: '#/components/schemas/Connectors_update_connector_request_swimlane' - - $ref: '#/components/schemas/Connectors_update_connector_request_teams' - - $ref: '#/components/schemas/Connectors_update_connector_request_tines' - - $ref: '#/components/schemas/Connectors_update_connector_request_torq' - - $ref: '#/components/schemas/Connectors_update_connector_request_webhook' - - $ref: '#/components/schemas/Connectors_update_connector_request_xmatters' - Connectors_run_connector_params_acknowledge_resolve_pagerduty: - title: PagerDuty connector parameters - description: Test an action that acknowledges or resolves a PagerDuty alert. 
- type: object - required: - - dedupKey - - eventAction - properties: - dedupKey: - description: The deduplication key for the PagerDuty alert. - type: string - maxLength: 255 - eventAction: - description: The type of event. - type: string - enum: - - acknowledge - - resolve - Connectors_run_connector_params_documents: - title: Index connector parameters - description: Test an action that indexes a document into Elasticsearch. - type: object - required: - - documents - properties: - documents: - type: array - description: The documents in JSON format for index connectors. - items: - type: object - additionalProperties: true - Connectors_run_connector_params_message_email: - title: Email connector parameters - description: > - Test an action that sends an email message. There must be at least one - recipient in `to`, `cc`, or `bcc`. - type: object - anyOf: - - required: - - bcc - - message - - subject - - required: - - cc - - message - - subject - - required: - - to - - message - - subject - properties: - bcc: - type: array - items: + operationId: EndpointUnisolateRedirect + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + agent_type: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_AgentTypes + alert_ids: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_AlertIds + case_ids: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_CaseIds + comment: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_Comment + endpoint_ids: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_EndpointIds + parameters: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_Parameters + required: + - endpoint_ids + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + 
#/components/schemas/Security_Solution_Endpoint_Management_API_SuccessResponse + description: OK + '308': + description: Permanent Redirect + headers: + Location: + description: Permanently redirects to "/api/endpoint/action/unisolate" + schema: + example: /api/endpoint/action/unisolate + type: string + summary: Permanently redirects to a new location + tags: + - Security Solution Endpoint Management API + /api/exception_lists: + delete: + operationId: DeleteExceptionList + parameters: + - description: Either `id` or `list_id` must be specified + in: query + name: id + required: false + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListId + - description: Either `id` or `list_id` must be specified + in: query + name: list_id + required: false + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListHumanId + - in: query + name: namespace_type + required: false + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionNamespaceType + default: single + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionList + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Not 
enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Exception list not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Internal server error response + summary: Deletes an exception list + tags: + - Security Solution Exceptions API + get: + operationId: ReadExceptionList + parameters: + - description: Either `id` or `list_id` must be specified + in: query + name: id + required: false + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListId + - description: Either `id` or `list_id` must be specified + in: query + name: list_id + required: false + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListHumanId + - in: query + name: namespace_type + required: false + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionNamespaceType + default: single + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionList + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: 
>- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Exception list item not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Internal server error response + summary: Retrieves an exception list using its `id` or `list_id` field + tags: + - Security Solution Exceptions API + post: + operationId: CreateExceptionList + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + description: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListDescription + list_id: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListHumanId + meta: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListMeta + name: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListName + namespace_type: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionNamespaceType + default: single + os_types: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListOsTypeArray + tags: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListTags + default: [] + type: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListType + version: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListVersion + default: 1 + required: + - name + - description + - type + description: Exception list's properties + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + 
#/components/schemas/Security_Solution_Exceptions_API_ExceptionList + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '409': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Exception list already exists response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Internal server error response + summary: Creates an exception list + tags: + - Security Solution Exceptions API + put: + operationId: UpdateExceptionList + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + _version: + type: string + description: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListDescription + id: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListId + list_id: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListHumanId + meta: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListMeta + name: + $ref: >- + 
#/components/schemas/Security_Solution_Exceptions_API_ExceptionListName + namespace_type: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionNamespaceType + default: single + os_types: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListOsTypeArray + default: [] + tags: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListTags + type: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListType + version: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListVersion + required: + - name + - description + - type + description: Exception list's properties + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionList + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Exception list not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + 
#/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Internal server error response + summary: Updates an exception list + tags: + - Security Solution Exceptions API + /api/exception_lists/_duplicate: + post: + operationId: DuplicateExceptionList + parameters: + - description: Exception list's human identifier + in: query + name: list_id + required: true + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListHumanId + - in: query + name: namespace_type + required: true + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionNamespaceType + - description: >- + Determines whether to include expired exceptions in the exported + list + in: query + name: include_expired_exceptions + required: true + schema: + default: 'true' + enum: + - 'true' + - 'false' type: string - description: > - A list of "blind carbon copy" email addresses. Addresses can be - specified in `user@host-name` format or in name `` - format - cc: - type: array - items: + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionList + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Not enough 
privileges response + '405': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Exception list to duplicate not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Internal server error response + summary: Duplicates an exception list + tags: + - Security Solution Exceptions API + /api/exception_lists/_export: + post: + description: Exports an exception list and its associated items to an .ndjson file + operationId: ExportExceptionList + parameters: + - description: Exception list's identifier + in: query + name: id + required: true + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListId + - description: Exception list's human identifier + in: query + name: list_id + required: true + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListHumanId + - in: query + name: namespace_type + required: true + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionNamespaceType + - description: >- + Determines whether to include expired exceptions in the exported + list + in: query + name: include_expired_exceptions + required: true + schema: + default: 'true' + enum: + - 'true' + - 'false' type: string - description: > - A list of "carbon copy" email addresses. Addresses can be specified - in `user@host-name` format or in name `` format - message: - type: string - description: The email message text. Markdown format is supported. - subject: - type: string - description: The subject line of the email. - to: - type: array - description: > - A list of email addresses. Addresses can be specified in - `user@host-name` format or in name `` format. 
- items: + responses: + '200': + content: + application/ndjson; Elastic-Api-Version=2023-10-31: + schema: + description: >- + A `.ndjson` file containing specified exception list and its + items + format: binary + type: string + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Exception list not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Internal server error response + summary: Exports an exception list + tags: + - Security Solution Exceptions API + /api/exception_lists/_find: + get: + operationId: FindExceptionLists + parameters: + - description: > + Filters the returned results according to the value of the specified + field. + + + Uses the `so type.field name:field` value syntax, where `so type` + can be: + + + - `exception-list`: Specify a space-aware exception list. + + - `exception-list-agnostic`: Specify an exception list that is + shared across spaces. 
+ in: query + name: filter + required: false + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_FindExceptionListsFilter + - description: > + Determines whether the returned containers are Kibana associated + with a Kibana space + + or available in all spaces (`agnostic` or `single`) + in: query + name: namespace_type + required: false + schema: + default: + - single + items: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionNamespaceType + type: array + - description: The page number to return + in: query + name: page + required: false + schema: + minimum: 1 + type: integer + - description: The number of exception lists to return per page + in: query + name: per_page + required: false + schema: + minimum: 1 + type: integer + - description: Determines which field is used to sort the results + in: query + name: sort_field + required: false + schema: + type: string + - description: 'Determines the sort order, which can be `desc` or `asc`' + in: query + name: sort_order + required: false + schema: + enum: + - desc + - asc + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + data: + items: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionList + type: array + page: + minimum: 1 + type: integer + per_page: + minimum: 1 + type: integer + total: + minimum: 0 + type: integer + required: + - data + - page + - per_page + - total + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + 
#/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Internal server error response + summary: Finds exception lists + tags: + - Security Solution Exceptions API + /api/exception_lists/_import: + post: + description: Imports an exception list and associated items + operationId: ImportExceptionList + parameters: + - description: > + Determines whether existing exception lists with the same `list_id` + are overwritten. + + If any exception items have the same `item_id`, those are also + overwritten. + in: query + name: overwrite + required: false + schema: + default: false + type: boolean + - in: query + name: overwrite_exceptions + required: false + schema: + default: false + type: boolean + - in: query + name: overwrite_action_connectors + required: false + schema: + default: false + type: boolean + - description: > + Determines whether the list being imported will have a new `list_id` + generated. + + Additional `item_id`'s are generated for each exception item. Both + the exception + + list and its items are overwritten. 
+ in: query + name: as_new_list + required: false + schema: + default: false + type: boolean + requestBody: + content: + multipart/form-data; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + file: + description: A `.ndjson` file containing the exception list + format: binary + type: string + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + errors: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListsImportBulkErrorArray + success: + type: boolean + success_count: + minimum: 0 + type: integer + success_count_exception_list_items: + minimum: 0 + type: integer + success_count_exception_lists: + minimum: 0 + type: integer + success_exception_list_items: + type: boolean + success_exception_lists: + type: boolean + required: + - errors + - success + - success_count + - success_exception_lists + - success_count_exception_lists + - success_exception_list_items + - success_count_exception_list_items + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + 
#/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Internal server error response + summary: Imports an exception list + tags: + - Security Solution Exceptions API + /api/exception_lists/items: + delete: + operationId: DeleteExceptionListItem + parameters: + - description: Either `id` or `item_id` must be specified + in: query + name: id + required: false + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemId + - description: Either `id` or `item_id` must be specified + in: query + name: item_id + required: false + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemHumanId + - in: query + name: namespace_type + required: false + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionNamespaceType + default: single + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItem + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + 
#/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Exception list item not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Internal server error response + summary: Deletes an exception list item + tags: + - Security Solution Exceptions API + get: + operationId: ReadExceptionListItem + parameters: + - description: Either `id` or `item_id` must be specified + in: query + name: id + required: false + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemId + - description: Either `id` or `item_id` must be specified + in: query + name: item_id + required: false + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemHumanId + - in: query + name: namespace_type + required: false + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionNamespaceType + default: single + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItem + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: 
Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Exception list item not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Internal server error response + summary: Gets an exception list item + tags: + - Security Solution Exceptions API + post: + operationId: CreateExceptionListItem + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + comments: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_CreateExceptionListItemCommentArray + default: [] + description: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemDescription + entries: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemEntryArray + expire_time: + format: date-time + type: string + item_id: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemHumanId + list_id: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListHumanId + meta: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemMeta + name: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemName + namespace_type: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionNamespaceType + default: single + os_types: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemOsTypeArray + default: [] + tags: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemTags + default: [] + type: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemType + required: + - list_id + - type + - 
name + - description + - entries + description: Exception list item's properties + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItem + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '409': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Exception list item already exists response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Internal server error response + summary: Creates an exception list item + tags: + - Security Solution Exceptions API + put: + operationId: UpdateExceptionListItem + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + _version: + type: string + comments: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_UpdateExceptionListItemCommentArray + default: [] + description: + $ref: >- + 
#/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemDescription + entries: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemEntryArray + expire_time: + format: date-time + type: string + id: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemId + description: Either `id` or `item_id` must be specified + item_id: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemHumanId + description: Either `id` or `item_id` must be specified + list_id: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListHumanId + meta: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemMeta + name: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemName + namespace_type: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionNamespaceType + default: single + os_types: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemOsTypeArray + default: [] + tags: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemTags + type: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemType + required: + - type + - name + - description + - entries + description: Exception list item's properties + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItem + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; 
Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Exception list item not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Internal server error response + summary: Updates an exception list item + tags: + - Security Solution Exceptions API + /api/exception_lists/items/_find: + get: + operationId: FindExceptionListItems + parameters: + - description: List's id + in: query + name: list_id + required: true + schema: + items: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListHumanId + type: array + - description: > + Filters the returned results according to the value of the specified + field, + + using the `:` syntax. 
+ in: query + name: filter + required: false + schema: + default: [] + items: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_FindExceptionListItemsFilter + type: array + - description: > + Determines whether the returned containers are Kibana associated + with a Kibana space + + or available in all spaces (`agnostic` or `single`) + in: query + name: namespace_type + required: false + schema: + default: + - single + items: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionNamespaceType + type: array + - in: query + name: search + required: false + schema: type: string - Connectors_run_connector_params_message_serverlog: - title: Server log connector parameters - description: Test an action that writes an entry to the Kibana server log. - type: object - required: - - message - properties: - level: - type: string - description: The log level of the message for server log connectors. - enum: - - debug - - error - - fatal - - info - - trace - - warn - default: info - message: - type: string - description: The message for server log connectors. - Connectors_run_connector_params_message_slack: - title: Slack connector parameters - description: > - Test an action that sends a message to Slack. It is applicable only when - the connector type is `.slack`. - type: object - required: - - message - properties: - message: - type: string - description: >- - The Slack message text, which cannot contain Markdown, images, or - other advanced formatting. - Connectors_run_connector_params_trigger_pagerduty: - title: PagerDuty connector parameters - description: Test an action that triggers a PagerDuty alert. - type: object - required: - - eventAction - properties: - class: - description: The class or type of the event. - type: string - example: cpu load - component: - description: >- - The component of the source machine that is responsible for the - event. 
- type: string - example: eth0 - customDetails: - description: Additional details to add to the event. - type: object - dedupKey: - description: > - All actions sharing this key will be associated with the same - PagerDuty alert. This value is used to correlate trigger and - resolution. - type: string - maxLength: 255 - eventAction: - description: The type of event. - type: string - enum: - - trigger - group: - description: The logical grouping of components of a service. - type: string - example: app-stack - links: - description: A list of links to add to the event. - type: array - items: - type: object - properties: - href: - description: The URL for the link. - type: string - text: - description: A plain text description of the purpose of the link. - type: string - severity: - description: The severity of the event on the affected system. - type: string - enum: - - critical - - error - - info - - warning - default: info - source: - description: > - The affected system, such as a hostname or fully qualified domain - name. Defaults to the Kibana saved object id of the action. - type: string - summary: - description: A summery of the event. - type: string - maxLength: 1024 - timestamp: - description: >- - An ISO-8601 timestamp that indicates when the event was detected or - generated. - type: string - format: date-time - Connectors_run_connector_subaction_addevent: - title: The addEvent subaction - type: object - required: - - subAction - description: The `addEvent` subaction for ServiceNow ITOM connectors. - properties: - subAction: - type: string - description: The action to test. - enum: - - addEvent - subActionParams: - type: object - description: The set of configuration properties for the action. - properties: - additional_info: - type: string - description: Additional information about the event. - description: - type: string - description: The details about the event. - event_class: - type: string - description: A specific instance of the source. 
- message_key: - type: string - description: >- - All actions sharing this key are associated with the same - ServiceNow alert. The default value is `:`. - metric_name: - type: string - description: The name of the metric. - node: - type: string - description: The host that the event was triggered for. - resource: - type: string - description: The name of the resource. - severity: - type: string - description: The severity of the event. - source: - type: string - description: The name of the event source type. - time_of_event: - type: string - description: The time of the event. - type: - type: string - description: The type of event. - Connectors_run_connector_subaction_closealert: - title: The closeAlert subaction - type: object - required: - - subAction - - subActionParams - description: The `closeAlert` subaction for Opsgenie connectors. - properties: - subAction: - type: string - description: The action to test. - enum: - - closeAlert - subActionParams: - type: object - required: - - alias - properties: - alias: - type: string - description: >- - The unique identifier used for alert deduplication in Opsgenie. - The alias must match the value used when creating the alert. - note: - type: string - description: Additional information for the alert. - source: - type: string - description: The display name for the source of the alert. - user: - type: string - description: The display name for the owner. - Connectors_run_connector_subaction_closeincident: - title: The closeIncident subaction - type: object - required: - - subAction - - subActionParams - description: The `closeIncident` subaction for ServiceNow ITSM connectors. - properties: - subAction: - type: string - description: The action to test. 
- enum: - - closeIncident - subActionParams: - type: object - required: - - incident - properties: - incident: + - description: The page number to return + in: query + name: page + required: false + schema: + minimum: 0 + type: integer + - description: The number of exception list items to return per page + in: query + name: per_page + required: false + schema: + minimum: 0 + type: integer + - description: Determines which field is used to sort the results + in: query + name: sort_field + required: false + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_NonEmptyString + - description: 'Determines the sort order, which can be `desc` or `asc`' + in: query + name: sort_order + required: false + schema: + enum: + - desc + - asc + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + data: + items: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItem + type: array + page: + minimum: 1 + type: integer + per_page: + minimum: 1 + type: integer + pit: + type: string + total: + minimum: 0 + type: integer + required: + - data + - page + - per_page + - total + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + 
'404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Exception list not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Internal server error response + summary: Finds exception list items + tags: + - Security Solution Exceptions API + /api/exception_lists/summary: + get: + operationId: ReadExceptionListSummary + parameters: + - description: Exception list's identifier generated upon creation + in: query + name: id + required: false + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListId + - description: Exception list's human readable identifier + in: query + name: list_id + required: false + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListHumanId + - in: query + name: namespace_type + required: false + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionNamespaceType + default: single + - description: Search filter clause + in: query + name: filter + required: false + schema: + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + linux: + minimum: 0 + type: integer + macos: + minimum: 0 + type: integer + total: + minimum: 0 + type: integer + windows: + minimum: 0 + type: integer + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + 
$ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Exception list not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Internal server error response + summary: Retrieves an exception list summary + tags: + - Security Solution Exceptions API + /api/exceptions/shared: + post: + operationId: CreateSharedExceptionList + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + description: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListDescription + name: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListName + required: + - name + - description + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionList + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + 
#/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_PlatformErrorResponse + description: Not enough privileges response + '409': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Exception list already exists response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_SiemErrorResponse + description: Internal server error response + summary: Creates a shared exception list + tags: + - Security Solution Exceptions API + /api/lists: + delete: + operationId: DeleteList + parameters: + - description: List's `id` value + in: query + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListId' + - in: query + name: deleteReferences + required: false + schema: + default: false + type: boolean + - in: query + name: ignoreReferences + required: false + schema: + default: false + type: boolean + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Solution_Lists_API_List' + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Unsuccessful authentication response + 
'403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: List not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Internal server error response + summary: Deletes a list + tags: + - Security Solution Lists API + get: + operationId: ReadList + parameters: + - description: List's `id` value + in: query + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListId' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Solution_Lists_API_List' + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: List not found 
response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Internal server error response + summary: Retrieves a list using its id field + tags: + - Security Solution Lists API + patch: + operationId: PatchList + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + _version: + type: string + description: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_ListDescription + id: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListId' + meta: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_ListMetadata + name: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListName' + version: + minimum: 1 + type: integer + required: + - id + description: List's properties + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Solution_Lists_API_List' + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + 
#/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: List not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Internal server error response + summary: Patches a list + tags: + - Security Solution Lists API + post: + operationId: CreateList + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: type: object - anyOf: - - required: - - correlation_id - - required: - - externalId properties: - correlation_id: + description: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_ListDescription + deserializer: type: string - nullable: true - description: > - An identifier that is assigned to the incident when it is - created by the connector. NOTE: If you use the default value - and the rule generates multiple alerts that use the same - alert IDs, the latest open incident for this correlation ID - is closed unless you specify the external ID. - maxLength: 100 - default: '{{rule.id}}:{{alert.id}}' - externalId: + id: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListId' + meta: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_ListMetadata + name: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListName' + serializer: type: string - nullable: true - description: >- - The unique identifier (`incidentId`) for the incident in - ServiceNow. - Connectors_run_connector_subaction_createalert: - title: The createAlert subaction - type: object - required: - - subAction - - subActionParams - description: The `createAlert` subaction for Opsgenie connectors. - properties: - subAction: - type: string - description: The action to test. - enum: - - createAlert - subActionParams: - type: object - required: - - message - properties: - actions: - type: array - description: The custom actions available to the alert. 
- items: - type: string - alias: - type: string - description: The unique identifier used for alert deduplication in Opsgenie. - description: - type: string - description: >- - A description that provides detailed information about the - alert. - details: + type: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListType' + version: + default: 1 + minimum: 1 + type: integer + required: + - name + - description + - type + description: List's properties + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Solution_Lists_API_List' + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Not enough privileges response + '409': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: List already exists response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Internal server error response + summary: Creates a list + tags: + - Security Solution Lists API + put: + operationId: UpdateList + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + 
schema: type: object - description: The custom properties of the alert. - additionalProperties: true - example: - key1: value1 - key2: value2 - entity: - type: string - description: >- - The domain of the alert. For example, the application or server - name. - message: - type: string - description: The alert message. - note: - type: string - description: Additional information for the alert. - priority: - type: string - description: The priority level for the alert. - enum: - - P1 - - P2 - - P3 - - P4 - - P5 - responders: - type: array - description: > - The entities to receive notifications about the alert. If `type` - is `user`, either `id` or `username` is required. If `type` is - `team`, either `id` or `name` is required. - items: - type: object - properties: - id: - type: string - description: The identifier for the entity. - name: - type: string - description: The name of the entity. - type: - type: string - description: The type of responders, in this case `escalation`. - enum: - - escalation - - schedule - - team - - user - username: - type: string - description: A valid email address for the user. - source: - type: string - description: The display name for the source of the alert. - tags: - type: array - description: The tags for the alert. - items: - type: string - user: - type: string - description: The display name for the owner. - visibleTo: - type: array - description: >- - The teams and users that the alert will be visible to without - sending a notification. Only one of `id`, `name`, or `username` - is required. 
- items: + properties: + _version: + type: string + description: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_ListDescription + id: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListId' + meta: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_ListMetadata + name: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListName' + version: + minimum: 1 + type: integer + required: + - id + - name + - description + description: List's properties + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Solution_Lists_API_List' + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: List not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Internal server error response + summary: Updates a list + tags: + - Security Solution Lists API + /api/lists/_find: + get: + operationId: FindLists + parameters: + - description: The 
page number to return + in: query + name: page + required: false + schema: + type: integer + - description: The number of lists to return per page + in: query + name: per_page + required: false + schema: + type: integer + - description: Determines which field is used to sort the results + in: query + name: sort_field + required: false + schema: + $ref: '#/components/schemas/Security_Solution_Lists_API_NonEmptyString' + - description: 'Determines the sort order, which can be `desc` or `asc`' + in: query + name: sort_order + required: false + schema: + enum: + - desc + - asc + type: string + - description: > + Returns the list that come after the last list returned in the + previous call + + (use the cursor value returned in the previous call). This parameter + uses + + the `tie_breaker_id` field to ensure all lists are sorted and + returned correctly. + in: query + name: cursor + required: false + schema: + $ref: '#/components/schemas/Security_Solution_Lists_API_FindListsCursor' + - description: > + Filters the returned results according to the value of the specified + field, + + using the : syntax. 
+ in: query + name: filter + required: false + schema: + $ref: '#/components/schemas/Security_Solution_Lists_API_FindListsFilter' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: type: object + properties: + cursor: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_FindListsCursor + data: + items: + $ref: '#/components/schemas/Security_Solution_Lists_API_List' + type: array + page: + minimum: 0 + type: integer + per_page: + minimum: 0 + type: integer + total: + minimum: 0 + type: integer required: - - type + - data + - page + - per_page + - total + - cursor + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Not enough privileges response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Internal server error response + summary: Finds lists + tags: + - Security Solution Lists API + /api/lists/index: + delete: + operationId: DeleteListIndex + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object properties: - id: - type: string - description: The identifier for the entity. - name: - type: string - description: The name of the entity. 
- type: - type: string - description: Valid values are `team` and `user`. - enum: - - team - - user - username: - type: string - description: >- - The user name. This property is required only when the - `type` is `user`. - Connectors_run_connector_subaction_fieldsbyissuetype: - title: The fieldsByIssueType subaction - type: object - required: - - subAction - - subActionParams - description: The `fieldsByIssueType` subaction for Jira connectors. - properties: - subAction: - type: string - description: The action to test. - enum: - - fieldsByIssueType - subActionParams: - type: object - required: - - id - properties: - id: - type: string - description: The Jira issue type identifier. - example: 10024 - Connectors_run_connector_subaction_getchoices: - title: The getChoices subaction - type: object - required: - - subAction - - subActionParams - description: >- - The `getChoices` subaction for ServiceNow ITOM, ServiceNow ITSM, and - ServiceNow SecOps connectors. - properties: - subAction: - type: string - description: The action to test. - enum: - - getChoices - subActionParams: - type: object - description: The set of configuration properties for the action. - required: - - fields - properties: - fields: - type: array - description: An array of fields. - items: - type: string - Connectors_run_connector_subaction_getfields: - title: The getFields subaction - type: object - required: - - subAction - description: >- - The `getFields` subaction for Jira, ServiceNow ITSM, and ServiceNow - SecOps connectors. - properties: - subAction: - type: string - description: The action to test. - enum: - - getFields - Connectors_run_connector_subaction_getincident: - title: The getIncident subaction - type: object - description: >- - The `getIncident` subaction for Jira, ServiceNow ITSM, and ServiceNow - SecOps connectors. - required: - - subAction - - subActionParams - properties: - subAction: - type: string - description: The action to test. 
- enum: - - getIncident - subActionParams: - type: object - required: - - externalId - properties: - externalId: - type: string - description: >- - The Jira, ServiceNow ITSM, or ServiceNow SecOps issue - identifier. - example: 71778 - Connectors_run_connector_subaction_issue: - title: The issue subaction - type: object - required: - - subAction - description: The `issue` subaction for Jira connectors. - properties: - subAction: - type: string - description: The action to test. - enum: - - issue - subActionParams: - type: object - required: - - id - properties: - id: - type: string - description: The Jira issue identifier. - example: 71778 - Connectors_run_connector_subaction_issues: - title: The issues subaction - type: object - required: - - subAction - - subActionParams - description: The `issues` subaction for Jira connectors. - properties: - subAction: - type: string - description: The action to test. - enum: - - issues - subActionParams: - type: object - required: - - title - properties: - title: - type: string - description: The title of the Jira issue. - Connectors_run_connector_subaction_issuetypes: - title: The issueTypes subaction - type: object - required: - - subAction - description: The `issueTypes` subaction for Jira connectors. - properties: - subAction: - type: string - description: The action to test. - enum: - - issueTypes - Connectors_run_connector_subaction_pushtoservice: - title: The pushToService subaction - type: object - required: - - subAction - - subActionParams - description: >- - The `pushToService` subaction for Jira, ServiceNow ITSM, ServiceNow - SecOps, Swimlane, and Webhook - Case Management connectors. - properties: - subAction: - type: string - description: The action to test. - enum: - - pushToService - subActionParams: - type: object - description: The set of configuration properties for the action. 
- properties: - comments: - type: array - description: >- - Additional information that is sent to Jira, ServiceNow ITSM, - ServiceNow SecOps, or Swimlane. - items: + acknowledged: + type: boolean + required: + - acknowledged + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: List data stream not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Internal server error response + summary: Deletes list data streams + tags: + - Security Solution Lists API + get: + operationId: ReadListIndex + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: type: object properties: - comment: - type: string - description: >- - A comment related to the incident. For example, describe - how to troubleshoot the issue. - commentId: - type: integer - description: A unique identifier for the comment. 
- incident: - type: object - description: >- - Information necessary to create or update a Jira, ServiceNow - ITSM, ServiveNow SecOps, or Swimlane incident. - properties: - alertId: - type: string - description: The alert identifier for Swimlane connectors. - caseId: - type: string - description: >- - The case identifier for the incident for Swimlane - connectors. - caseName: - type: string - description: The case name for the incident for Swimlane connectors. - category: - type: string - description: >- - The category of the incident for ServiceNow ITSM and - ServiceNow SecOps connectors. - correlation_display: - type: string - description: >- - A descriptive label of the alert for correlation purposes - for ServiceNow ITSM and ServiceNow SecOps connectors. - correlation_id: - type: string - description: > - The correlation identifier for the security incident for - ServiceNow ITSM and ServiveNow SecOps connectors. Connectors - using the same correlation ID are associated with the same - ServiceNow incident. This value determines whether a new - ServiceNow incident is created or an existing one is - updated. Modifying this value is optional; if not modified, - the rule ID and alert ID are combined as `{{ruleID}}:{{alert - ID}}` to form the correlation ID value in ServiceNow. The - maximum character length for this value is 100 characters. - NOTE: Using the default configuration of `{{ruleID}}:{{alert - ID}}` ensures that ServiceNow creates a separate incident - record for every generated alert that uses a unique alert - ID. If the rule generates multiple alerts that use the same - alert IDs, ServiceNow creates and continually updates a - single incident record for the alert. - description: - type: string - description: >- - The description of the incident for Jira, ServiceNow ITSM, - ServiceNow SecOps, Swimlane, and Webhook - Case Management - connectors. 
- dest_ip: - description: > - A list of destination IP addresses related to the security - incident for ServiceNow SecOps connectors. The IPs are added - as observables to the security incident. - oneOf: - - type: string - - type: array - items: - type: string - externalId: - type: string - description: > - The Jira, ServiceNow ITSM, or ServiceNow SecOps issue - identifier. If present, the incident is updated. Otherwise, - a new incident is created. - id: - type: string - description: >- - The external case identifier for Webhook - Case Management - connectors. - impact: - type: string - description: The impact of the incident for ServiceNow ITSM connectors. - issueType: - type: integer - description: >- - The type of incident for Jira connectors. For example, - 10006. To obtain the list of valid values, set `subAction` - to `issueTypes`. - labels: - type: array - items: - type: string - description: > - The labels for the incident for Jira connectors. NOTE: - Labels cannot contain spaces. - malware_hash: - description: >- - A list of malware hashes related to the security incident - for ServiceNow SecOps connectors. The hashes are added as - observables to the security incident. - oneOf: - - type: string - - type: array - items: - type: string - malware_url: - type: string - description: >- - A list of malware URLs related to the security incident for - ServiceNow SecOps connectors. The URLs are added as - observables to the security incident. - oneOf: - - type: string - - type: array - items: - type: string - otherFields: - type: object - additionalProperties: true - maxProperties: 20 - description: > - Custom field identifiers and their values for Jira - connectors. - parent: - type: string - description: >- - The ID or key of the parent issue for Jira connectors. - Applies only to `Sub-task` types of issues. - priority: - type: string - description: >- - The priority of the incident in Jira and ServiceNow SecOps - connectors. 
- ruleName: - type: string - description: The rule name for Swimlane connectors. - severity: - type: string - description: >- - The severity of the incident for ServiceNow ITSM and - Swimlane connectors. - short_description: - type: string - description: > - A short description of the incident for ServiceNow ITSM and - ServiceNow SecOps connectors. It is used for searching the - contents of the knowledge base. - source_ip: - description: >- - A list of source IP addresses related to the security - incident for ServiceNow SecOps connectors. The IPs are added - as observables to the security incident. - oneOf: - - type: string - - type: array - items: - type: string - status: + list_index: + type: boolean + list_item_index: + type: boolean + required: + - list_index + - list_item_index + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: List data stream(s) not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Internal server error response + summary: 
Get list data stream existence status + tags: + - Security Solution Lists API + post: + operationId: CreateListIndex + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + acknowledged: + type: boolean + required: + - acknowledged + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Not enough privileges response + '409': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: List data stream exists response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Internal server error response + summary: Creates necessary list data streams + tags: + - Security Solution Lists API + /api/lists/items: + delete: + operationId: DeleteListItem + parameters: + - description: Required if `list_id` and `value` are not specified + in: query + name: id + required: false + schema: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListId' + - description: Required if `id` is not specified + in: query + name: list_id + required: false + schema: + $ref: 
'#/components/schemas/Security_Solution_Lists_API_ListId' + - description: Required if `id` is not specified + in: query + name: value + required: false + schema: + type: string + - description: >- + Determines when changes made by the request are made visible to + search + in: query + name: refresh + required: false + schema: + default: 'false' + enum: + - 'true' + - 'false' + - wait_for + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: '#/components/schemas/Security_Solution_Lists_API_ListItem' + - items: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_ListItem + type: array + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: List item not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Internal server error response + summary: Deletes a list item + tags: + - Security Solution Lists API + get: + operationId: ReadListItem + parameters: + - description: 
Required if `list_id` and `value` are not specified + in: query + name: id + required: false + schema: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListId' + - description: Required if `id` is not specified + in: query + name: list_id + required: false + schema: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListId' + - description: Required if `id` is not specified + in: query + name: value + required: false + schema: + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: '#/components/schemas/Security_Solution_Lists_API_ListItem' + - items: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_ListItem + type: array + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: List item not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Internal server error response + summary: Gets a list item + tags: + - Security Solution Lists API + patch: + 
operationId: PatchListItem + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + _version: type: string + id: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListItemId' + meta: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_ListItemMetadata + refresh: description: >- - The status of the incident for Webhook - Case Management - connectors. - subcategory: + Determines when changes made by the request are made visible + to search + enum: + - 'true' + - 'false' + - wait_for type: string + value: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_ListItemValue + required: + - id + description: List item's properties + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListItem' + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: List item not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + 
#/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Internal server error response + summary: Patches a list item + tags: + - Security Solution Lists API + post: + operationId: CreateListItem + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + id: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListItemId' + list_id: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListId' + meta: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_ListItemMetadata + refresh: description: >- - The subcategory of the incident for ServiceNow ITSM and - ServiceNow SecOps connectors. - summary: - type: string - description: A summary of the incident for Jira connectors. - tags: - type: array - items: - type: string - description: A list of tags for Webhook - Case Management connectors. - title: + Determines when changes made by the request are made visible + to search + enum: + - 'true' + - 'false' + - wait_for type: string - description: > - A title for the incident for Jira and Webhook - Case - Management connectors. It is used for searching the contents - of the knowledge base. 
- urgency: + value: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_ListItemValue + required: + - list_id + - value + description: List item's properties + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListItem' + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Not enough privileges response + '409': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: List item already exists response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Internal server error response + summary: Creates a list item + tags: + - Security Solution Lists API + put: + operationId: UpdateListItem + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + _version: type: string - description: The urgency of the incident for ServiceNow ITSM connectors. 
- Connectors_run_connector_subaction_postmessage: - title: The postMessage subaction - type: object - description: > - Test an action that sends a message to Slack. It is applicable only when - the connector type is `.slack_api`. - required: - - subAction - - subActionParams - properties: - subAction: - type: string - description: The action to test. - enum: - - postMessage - subActionParams: - type: object - description: The set of configuration properties for the action. - properties: - channelIds: - type: array - maxItems: 1 - description: > - The Slack channel identifier, which must be one of the - `allowedChannels` in the connector configuration. - items: - type: string - channels: - type: array - deprecated: true - description: | - The name of a channel that your Slack app has access to. - maxItems: 1 - items: + id: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListItemId' + meta: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_ListItemMetadata + value: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_ListItemValue + required: + - id + - value + description: List item's properties + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListItem' + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + 
#/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: List item not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Internal server error response + summary: Updates a list item + tags: + - Security Solution Lists API + /api/lists/items/_export: + post: + description: Exports list item values from the specified list + operationId: ExportListItems + parameters: + - description: List's id to export + in: query + name: list_id + required: true + schema: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListId' + responses: + '200': + content: + application/ndjson; Elastic-Api-Version=2023-10-31: + schema: + description: A `.txt` file containing list items from the specified list + format: binary type: string - text: - type: string - description: > - The Slack message text. If it is a Slack webhook connector, the - text cannot contain Markdown, images, or other advanced - formatting. If it is a Slack web API connector, it can contain - either plain text or block kit messages. 
- minLength: 1 - Connectors_run_connector_subaction_validchannelid: - title: The validChannelId subaction - type: object + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Not enough privileges response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: List not found response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Internal server error response + summary: Exports list items + tags: + - Security Solution Lists API + /api/lists/items/_find: + get: + operationId: FindListItems + parameters: + - description: List's id + in: query + name: list_id + required: true + schema: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListId' + - description: The page number to return + in: query + name: page + required: false + schema: + type: integer + - description: The number of list items to return per page + in: query + name: per_page + required: false + schema: + type: integer + - description: Determines which field is used to sort the results + in: query + name: sort_field + required: false + schema: + $ref: 
'#/components/schemas/Security_Solution_Lists_API_NonEmptyString' + - description: 'Determines the sort order, which can be `desc` or `asc`' + in: query + name: sort_order + required: false + schema: + enum: + - desc + - asc + type: string + - description: > + Returns the list that come after the last list returned in the + previous call + + (use the cursor value returned in the previous call). This parameter + uses + + the `tie_breaker_id` field to ensure all lists are sorted and + returned correctly. + in: query + name: cursor + required: false + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_FindListItemsCursor + - description: > + Filters the returned results according to the value of the specified + field, + + using the : syntax. + in: query + name: filter + required: false + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_FindListItemsFilter + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + cursor: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_FindListItemsCursor + data: + items: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_ListItem + type: array + page: + minimum: 0 + type: integer + per_page: + minimum: 0 + type: integer + total: + minimum: 0 + type: integer + required: + - data + - page + - per_page + - total + - cursor + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; 
Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Not enough privileges response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Internal server error response + summary: Finds list items + tags: + - Security Solution Lists API + /api/lists/items/_import: + post: description: > - Retrieves information about a valid Slack channel identifier. It is - applicable only when the connector type is `.slack_api`. - required: - - subAction - - subActionParams - properties: - subAction: - type: string - description: The action to test. - enum: - - validChannelId - subActionParams: - type: object - required: - - channelId - properties: - channelId: - type: string - description: The Slack channel identifier. - example: C123ABC456 - Connectors_run_connector_request: - title: Run connector request body properties - description: The properties vary depending on the connector type. - type: object - required: - - params - properties: - params: - oneOf: - - $ref: >- - #/components/schemas/Connectors_run_connector_params_acknowledge_resolve_pagerduty - - $ref: '#/components/schemas/Connectors_run_connector_params_documents' - - $ref: >- - #/components/schemas/Connectors_run_connector_params_message_email - - $ref: >- - #/components/schemas/Connectors_run_connector_params_message_serverlog - - $ref: >- - #/components/schemas/Connectors_run_connector_params_message_slack - - $ref: >- - #/components/schemas/Connectors_run_connector_params_trigger_pagerduty - - title: Subaction parameters - description: Test an action that involves a subaction. + Imports a list of items from a `.txt` or `.csv` file. The maximum file + size is 9 million bytes. + + + You can import items to a new or existing list. + operationId: ImportListItems + parameters: + - description: | + List's id. 
+ + Required when importing to an existing list. + in: query + name: list_id + required: false + schema: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListId' + - description: > + Type of the importing list. + + + Required when importing a new list that is `list_id` is not + specified. + in: query + name: type + required: false + schema: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListType' + - in: query + name: serializer + required: false + schema: + type: string + - in: query + name: deserializer + required: false + schema: + type: string + - description: >- + Determines when changes made by the request are made visible to + search + in: query + name: refresh + required: false + schema: + enum: + - 'true' + - 'false' + - wait_for + type: string + requestBody: + content: + multipart/form-data; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + file: + description: >- + A `.txt` or `.csv` file containing newline separated list + items + format: binary + type: string + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_Solution_Lists_API_List' + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Not enough privileges response + '409': + content: + 
application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: List with specified list_id does not exist response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Internal server error response + summary: Imports list items + tags: + - Security Solution Lists API + /api/lists/privileges: + get: + operationId: ReadListPrivileges + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + is_authenticated: + type: boolean + listItems: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_ListItemPrivileges + lists: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_ListPrivileges + required: + - lists + - listItems + - is_authenticated + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + - $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Invalid input data response + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Unsuccessful authentication response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_PlatformErrorResponse + description: Not enough privileges response + '500': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Lists_API_SiemErrorResponse + description: Internal server error response + summary: Gets list privileges + tags: + - Security Solution Lists API + 
/api/ml/saved_objects/sync: + get: + description: > + Synchronizes Kibana saved objects for machine learning jobs and trained + models in the default space. You must have `all` privileges for the + **Machine Learning** feature in the **Analytics** section of the Kibana + feature privileges. This API runs automatically when you start Kibana + and periodically thereafter. + operationId: mlSync + parameters: + - $ref: '#/components/parameters/Machine_learning_APIs_simulateParam' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + examples: + syncExample: + $ref: '#/components/examples/Machine_learning_APIs_mlSyncExample' + schema: + $ref: '#/components/schemas/Machine_learning_APIs_mlSync200Response' + description: Indicates a successful call + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Machine_learning_APIs_mlSync4xxResponse' + description: Authorization information is missing or invalid. 
+ summary: Sync saved objects in the default space + tags: + - ml + /api/note: + delete: + operationId: DeleteNote + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: oneOf: - - $ref: >- - #/components/schemas/Connectors_run_connector_subaction_addevent - - $ref: >- - #/components/schemas/Connectors_run_connector_subaction_closealert - - $ref: >- - #/components/schemas/Connectors_run_connector_subaction_closeincident - - $ref: >- - #/components/schemas/Connectors_run_connector_subaction_createalert - - $ref: >- - #/components/schemas/Connectors_run_connector_subaction_fieldsbyissuetype - - $ref: >- - #/components/schemas/Connectors_run_connector_subaction_getchoices - - $ref: >- - #/components/schemas/Connectors_run_connector_subaction_getfields - - $ref: >- - #/components/schemas/Connectors_run_connector_subaction_getincident - - $ref: >- - #/components/schemas/Connectors_run_connector_subaction_issue - - $ref: >- - #/components/schemas/Connectors_run_connector_subaction_issues - - $ref: >- - #/components/schemas/Connectors_run_connector_subaction_issuetypes - - $ref: >- - #/components/schemas/Connectors_run_connector_subaction_postmessage - - $ref: >- - #/components/schemas/Connectors_run_connector_subaction_pushtoservice - - $ref: >- - #/components/schemas/Connectors_run_connector_subaction_validchannelid - discriminator: - propertyName: subAction - mapping: - addEvent: >- - #/components/schemas/Connectors_run_connector_subaction_addevent - closeAlert: >- - #/components/schemas/Connectors_run_connector_subaction_closealert - closeIncident: >- - #/components/schemas/Connectors_run_connector_subaction_closeincident - createAlert: >- - #/components/schemas/Connectors_run_connector_subaction_createalert - fieldsByIssueType: >- - #/components/schemas/Connectors_run_connector_subaction_fieldsbyissuetype - getChoices: >- - #/components/schemas/Connectors_run_connector_subaction_getchoices - getFields: >- - 
#/components/schemas/Connectors_run_connector_subaction_getfields - getIncident: >- - #/components/schemas/Connectors_run_connector_subaction_getincident - issue: >- - #/components/schemas/Connectors_run_connector_subaction_issue - issues: >- - #/components/schemas/Connectors_run_connector_subaction_issues - issueTypes: >- - #/components/schemas/Connectors_run_connector_subaction_issuetypes - pushToService: >- - #/components/schemas/Connectors_run_connector_subaction_pushtoservice - Connectors_features: - type: string - description: | - The feature that uses the connector. - enum: - - alerting - - cases - - generativeAIForSecurity - - generativeAIForObservability - - generativeAIForSearchPlayground - - siem - - uptime - Connectors_connector_types: - title: Connector types - type: string - description: >- - The type of connector. For example, `.email`, `.index`, `.jira`, - `.opsgenie`, or `.server-log`. - enum: - - .bedrock - - .gemini - - .cases-webhook - - .d3security - - .email - - .gen-ai - - .index - - .jira - - .opsgenie - - .pagerduty - - .resilient - - .sentinelone - - .servicenow - - .servicenow-itom - - .servicenow-sir - - .server-log - - .slack - - .slack_api - - .swimlane - - .teams - - .tines - - .torq - - .webhook - - .xmatters - example: .server-log - Connectors_action_response_properties: - title: Action response properties - description: The properties vary depending on the action type. - type: object - properties: - actionTypeId: - type: string - config: - type: object - id: - type: string - isDeprecated: - type: boolean - description: Indicates whether the action type is deprecated. - isMissingSecrets: - type: boolean - description: Indicates whether secrets are missing for the action. - isPreconfigured: - type: boolean - description: Indicates whether it is a preconfigured action. 
- name: - type: string - Data_views_400_response: - title: Bad request - type: object - required: - - statusCode - - error - - message - properties: - statusCode: - type: number - example: 400 - error: - type: string - example: Bad Request - message: - type: string - Data_views_allownoindex: - type: boolean - description: Allows the data view saved object to exist before the data is available. - Data_views_fieldattrs: - type: object - description: A map of field attributes by field name. - properties: - count: - type: integer - description: Popularity count for the field. - customDescription: - type: string - description: Custom description for the field. - maxLength: 300 - customLabel: - type: string - description: Custom label for the field. - Data_views_fieldformats: - type: object - description: A map of field formats by field name. - Data_views_namespaces: - type: array - description: >- - An array of space identifiers for sharing the data view between multiple - spaces. - items: - type: string - default: default - Data_views_runtimefieldmap: - type: object - description: A map of runtime field definitions by field name. - required: - - script - - type - properties: - script: - type: object - properties: - source: - type: string - description: Script for the runtime field. - type: - type: string - description: Mapping type of the runtime field. - Data_views_sourcefilters: - type: array - description: The array of field names you want to filter out in Discover. - items: - type: object - required: - - value - properties: - value: + - nullable: true + type: object + properties: + noteId: + type: string + required: + - noteId + - type: object + properties: + noteIds: + items: + type: string + nullable: true + type: array + required: + - noteIds + description: The id of the note to delete. 
+ required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + data: + type: object + description: Indicates the note was successfully deleted. + summary: Deletes a note from a timeline. + tags: + - Security Solution Timeline API + - 'access:securitySolution' + get: + description: Gets notes + operationId: GetNotes + parameters: + - in: query + name: documentIds + required: true + schema: + $ref: '#/components/schemas/Security_Solution_Timeline_API_DocumentIds' + - in: query + name: page + schema: + nullable: true + type: number + - in: query + name: perPage + schema: + nullable: true + type: number + - in: query + name: search + schema: + nullable: true type: string - Data_views_timefieldname: - type: string - description: The timestamp field name, which you use for time-based data views. - Data_views_title: - type: string - description: >- - Comma-separated list of data streams, indices, and aliases that you want - to search. Supports wildcards (`*`). - Data_views_type: - type: string - description: When set to `rollup`, identifies the rollup data views. - Data_views_typemeta: - type: object - description: >- - When you use rollup indices, contains the field list for the rollup data - view API endpoints. - required: - - aggs - - params - properties: - aggs: - type: object - description: A map of rollup restrictions by aggregation type and field name. - params: - type: object - description: Properties for retrieving rollup fields. - Data_views_create_data_view_request_object: - title: Create data view request - type: object - required: - - data_view - properties: - data_view: - type: object - required: - - title - description: The data view object. 
- properties: - allowNoIndex: - $ref: '#/components/schemas/Data_views_allownoindex' - fieldAttrs: - type: object - additionalProperties: - $ref: '#/components/schemas/Data_views_fieldattrs' - fieldFormats: - $ref: '#/components/schemas/Data_views_fieldformats' - fields: - type: object - id: - type: string - name: - type: string - description: The data view name. - namespaces: - $ref: '#/components/schemas/Data_views_namespaces' - runtimeFieldMap: + - in: query + name: sortField + schema: + nullable: true + type: string + - in: query + name: sortOrder + schema: + nullable: true + type: string + - in: query + name: filter + schema: + nullable: true + type: string + responses: + '200': + description: Indicates the requested notes were returned. + summary: Get all notes for a given document. + tags: + - Security Solution Timeline API + - 'access:securitySolution' + patch: + operationId: PersistNoteRoute + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: type: object - additionalProperties: - $ref: '#/components/schemas/Data_views_runtimefieldmap' - sourceFilters: - $ref: '#/components/schemas/Data_views_sourcefilters' - timeFieldName: - $ref: '#/components/schemas/Data_views_timefieldname' - title: - $ref: '#/components/schemas/Data_views_title' - type: - $ref: '#/components/schemas/Data_views_type' - typeMeta: - $ref: '#/components/schemas/Data_views_typemeta' - version: - type: string - override: - type: boolean - description: >- - Override an existing data view if a data view with the provided - title already exists. - default: false - Data_views_typemeta_response: - type: object - description: >- - When you use rollup indices, contains the field list for the rollup data - view API endpoints. - nullable: true - properties: - aggs: - type: object - description: A map of rollup restrictions by aggregation type and field name. - params: - type: object - description: Properties for retrieving rollup fields. 
- Data_views_data_view_response_object: - title: Data view response properties - type: object - properties: - data_view: - type: object - properties: - allowNoIndex: - $ref: '#/components/schemas/Data_views_allownoindex' - fieldAttrs: + properties: + eventDataView: + nullable: true + type: string + eventIngested: + nullable: true + type: string + eventTimestamp: + nullable: true + type: string + note: + $ref: '#/components/schemas/Security_Solution_Timeline_API_BareNote' + noteId: + nullable: true + type: string + overrideOwner: + nullable: true + type: boolean + version: + nullable: true + type: string + required: + - note + description: The note to persist or update along with additional metadata. + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + data: + type: object + properties: + persistNote: + type: object + properties: + code: + type: number + message: + type: string + note: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_Note + required: + - code + - message + - note + required: + - persistNote + required: + - data + description: Indicates the note was successfully created. + summary: Persists a note to a timeline. 
+ tags: + - Security Solution Timeline API + - 'access:securitySolution' + /api/osquery/live_queries: + get: + operationId: OsqueryFindLiveQueries + parameters: + - in: query + name: query + required: true + schema: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_FindLiveQueryRequestQuery + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_DefaultSuccessResponse + description: OK + summary: Find live queries + tags: + - Security Solution Osquery API + post: + operationId: OsqueryCreateLiveQuery + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_CreateLiveQueryRequestBody + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_DefaultSuccessResponse + description: OK + summary: Create a live query + tags: + - Security Solution Osquery API + '/api/osquery/live_queries/{id}': + get: + operationId: OsqueryGetLiveQueryDetails + parameters: + - in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Solution_Osquery_API_Id' + - in: query + name: query + schema: + additionalProperties: true + type: object + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_DefaultSuccessResponse + description: OK + summary: Get live query details + tags: + - Security Solution Osquery API + '/api/osquery/live_queries/{id}/results/{actionId}': + get: + operationId: OsqueryGetLiveQueryResults + parameters: + - in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Solution_Osquery_API_Id' + - in: path + name: actionId + required: true + schema: + $ref: 
'#/components/schemas/Security_Solution_Osquery_API_Id' + - in: query + name: query + required: true + schema: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_GetLiveQueryResultsRequestQuery + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_DefaultSuccessResponse + description: OK + summary: Get live query results + tags: + - Security Solution Osquery API + /api/osquery/packs: + get: + operationId: OsqueryFindPacks + parameters: + - in: query + name: query + required: true + schema: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_FindPacksRequestQuery + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_DefaultSuccessResponse + description: OK + summary: Find packs + tags: + - Security Solution Osquery API + post: + operationId: OsqueryCreatePacks + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_CreatePacksRequestBody + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_DefaultSuccessResponse + description: OK + summary: Create a packs + tags: + - Security Solution Osquery API + '/api/osquery/packs/{id}': + delete: + operationId: OsqueryDeletePacks + parameters: + - in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Solution_Osquery_API_PackId' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_DefaultSuccessResponse + description: OK + summary: Delete packs + tags: + - Security Solution Osquery API + get: + operationId: OsqueryGetPacksDetails + parameters: + - 
in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Solution_Osquery_API_PackId' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_DefaultSuccessResponse + description: OK + summary: Get packs details + tags: + - Security Solution Osquery API + put: + operationId: OsqueryUpdatePacks + parameters: + - in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Solution_Osquery_API_PackId' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_UpdatePacksRequestBody + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_DefaultSuccessResponse + description: OK + summary: Update packs + tags: + - Security Solution Osquery API + /api/osquery/saved_queries: + get: + operationId: OsqueryFindSavedQueries + parameters: + - in: query + name: query + required: true + schema: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_FindSavedQueryRequestQuery + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_DefaultSuccessResponse + description: OK + summary: Find saved queries + tags: + - Security Solution Osquery API + post: + operationId: OsqueryCreateSavedQuery + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_CreateSavedQueryRequestBody + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_DefaultSuccessResponse + description: OK + summary: Create a saved 
query + tags: + - Security Solution Osquery API + '/api/osquery/saved_queries/{id}': + delete: + operationId: OsqueryDeleteSavedQuery + parameters: + - in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Solution_Osquery_API_SavedQueryId' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_DefaultSuccessResponse + description: OK + summary: Delete saved query + tags: + - Security Solution Osquery API + get: + operationId: OsqueryGetSavedQueryDetails + parameters: + - in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Solution_Osquery_API_SavedQueryId' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_DefaultSuccessResponse + description: OK + summary: Get saved query details + tags: + - Security Solution Osquery API + put: + operationId: OsqueryUpdateSavedQuery + parameters: + - in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_Solution_Osquery_API_SavedQueryId' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_UpdateSavedQueryRequestBody + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_DefaultSuccessResponse + description: OK + summary: Update saved query + tags: + - Security Solution Osquery API + /api/pinned_event: + patch: + operationId: PersistPinnedEventRoute + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: type: object - additionalProperties: - $ref: '#/components/schemas/Data_views_fieldattrs' - fieldFormats: - $ref: '#/components/schemas/Data_views_fieldformats' - fields: + 
properties: + eventId: + type: string + pinnedEventId: + nullable: true + type: string + timelineId: + type: string + required: + - eventId + - timelineId + description: The pinned event to persist or update along with additional metadata. + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + data: + type: object + properties: + persistPinnedEventOnTimeline: + allOf: + - $ref: >- + #/components/schemas/Security_Solution_Timeline_API_PinnedEvent + - type: object + properties: + code: + type: number + message: + type: string + required: + - persistPinnedEventOnTimeline + required: + - data + description: Indicate the event was successfully pinned in the timeline. + summary: Persists a pinned event to a timeline. + tags: + - Security Solution Timeline API + - 'access:securitySolution' + /api/saved_objects/_bulk_create: + post: + deprecated: true + operationId: bulkCreateSavedObjects + parameters: + - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' + - description: 'When true, overwrites the document with the same identifier.' + in: query + name: overwrite + schema: + type: boolean + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + items: + type: object + type: array + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + description: Indicates a successful call. + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Saved_objects_400_response' + description: Bad request + summary: Create saved objects + tags: + - saved objects + /api/saved_objects/_bulk_delete: + post: + deprecated: true + description: | + WARNING: When you delete a saved object, it cannot be recovered. 
+ operationId: bulkDeleteSavedObjects + parameters: + - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' + - description: > + When true, force delete objects that exist in multiple namespaces. + Note that the option applies to the whole request. Use the delete + object API to specify per-object deletion behavior. TIP: Use this if + you attempted to delete objects and received an HTTP 400 error with + the following message: "Unable to delete saved object that exists in + multiple namespaces, use the force option to delete it anyway". + WARNING: When you bulk delete objects that exist in multiple + namespaces, the API also deletes legacy url aliases that reference + the object. These requests are batched to minimise the impact but + they can place a heavy load on Kibana. Make sure you limit the + number of objects that exist in multiple namespaces in a single bulk + delete operation. + in: query + name: force + schema: + type: boolean + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + items: + type: object + type: array + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + description: > + Indicates a successful call. NOTE: This HTTP response code indicates + that the bulk operation succeeded. Errors pertaining to individual + objects will be returned in the response body. 
+ '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Saved_objects_400_response' + description: Bad request + summary: Delete saved objects + tags: + - saved objects + /api/saved_objects/_bulk_get: + post: + deprecated: true + operationId: bulkGetSavedObjects + parameters: + - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + items: + type: object + type: array + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + description: Indicates a successful call. + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Saved_objects_400_response' + description: Bad request + summary: Get saved objects + tags: + - saved objects + /api/saved_objects/_bulk_resolve: + post: + deprecated: true + description: > + Retrieve multiple Kibana saved objects by identifier using any legacy + URL aliases if they exist. Under certain circumstances when Kibana is + upgraded, saved object migrations may necessitate regenerating some + object IDs to enable new features. When an object's ID is regenerated, a + legacy URL alias is created for that object, preserving its old ID. In + such a scenario, that object can be retrieved by the bulk resolve API + using either its new ID or its old ID. + operationId: bulkResolveSavedObjects + parameters: + - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + items: + type: object + type: array + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + description: > + Indicates a successful call. NOTE: This HTTP response code indicates + that the bulk operation succeeded. 
Errors pertaining to individual + objects will be returned in the response body. + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Saved_objects_400_response' + description: Bad request + summary: Resolve saved objects + tags: + - saved objects + /api/saved_objects/_bulk_update: + post: + deprecated: true + description: Update the attributes for multiple Kibana saved objects. + operationId: bulkUpdateSavedObjects + parameters: + - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + items: + type: object + type: array + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + description: > + Indicates a successful call. NOTE: This HTTP response code indicates + that the bulk operation succeeded. Errors pertaining to individual + objects will be returned in the response body. + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Saved_objects_400_response' + description: Bad request + summary: Update saved objects + tags: + - saved objects + /api/saved_objects/_export: + post: + description: > + Retrieve sets of saved objects that you want to import into Kibana. + + You must include `type` or `objects` in the request body. + + + Exported saved objects are not backwards compatible and cannot be + imported into an older version of Kibana. + + + NOTE: The `savedObjects.maxImportExportSize` configuration setting + limits the number of saved objects which may be exported. + + + This functionality is in technical preview and may be changed or removed + in a future release. Elastic will work to fix any issues, but features + in technical preview are not subject to the support SLA of official GA + features. 
+ operationId: exportSavedObjectsDefault + parameters: + - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + examples: + exportSavedObjectsRequest: + $ref: '#/components/examples/Saved_objects_export_objects_request' + schema: type: object - id: - type: string - example: ff959d40-b880-11e8-a6d9-e546fe2bba5f - name: - type: string - description: The data view name. - namespaces: - $ref: '#/components/schemas/Data_views_namespaces' - runtimeFieldMap: + properties: + excludeExportDetails: + default: false + description: Do not add export details entry at the end of the stream. + type: boolean + includeReferencesDeep: + description: >- + Includes all of the referenced objects in the exported + objects. + type: boolean + objects: + description: A list of objects to export. + items: + type: object + type: array + type: + description: >- + The saved object types to include in the export. Use `*` to + export all the types. + oneOf: + - type: string + - items: + type: string + type: array + required: true + responses: + '200': + content: + application/x-ndjson; Elastic-Api-Version=2023-10-31: + examples: + exportSavedObjectsResponse: + $ref: '#/components/examples/Saved_objects_export_objects_response' + schema: + additionalProperties: true + type: object + description: Indicates a successful call. + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Saved_objects_400_response' + description: Bad request. + summary: Export saved objects + tags: + - saved objects + /api/saved_objects/_find: + get: + deprecated: true + description: Retrieve a paginated set of Kibana saved objects. + operationId: findSavedObjects + parameters: + - description: > + An aggregation structure, serialized as a string. 
The field format + is similar to filter, meaning that to use a saved object type + attribute in the aggregation, the `savedObjectType.attributes.title: + "myTitle"` format must be used. For root fields, the syntax is + `savedObjectType.rootField`. NOTE: As objects change in Kibana, the + results on each page of the response also change. Use the find API + for traditional paginated results, but avoid using it to export + large amounts of data. + in: query + name: aggs + schema: + type: string + - description: The default operator to use for the `simple_query_string`. + in: query + name: default_search_operator + schema: + type: string + - description: The fields to return in the attributes key of the response. + in: query + name: fields + schema: + oneOf: + - type: string + - type: array + - description: > + The filter is a KQL string with the caveat that if you filter with + an attribute from your saved object type, it should look like that: + `savedObjectType.attributes.title: "myTitle"`. However, if you use a + root attribute of a saved object such as `updated_at`, you will have + to define your filter like that: `savedObjectType.updated_at > + 2018-12-22`. + in: query + name: filter + schema: + type: string + - description: >- + Filters to objects that do not have a relationship with the type and + identifier combination. + in: query + name: has_no_reference + schema: + type: object + - description: >- + The operator to use for the `has_no_reference` parameter. Either + `OR` or `AND`. Defaults to `OR`. + in: query + name: has_no_reference_operator + schema: + type: string + - description: >- + Filters to objects that have a relationship with the type and ID + combination. + in: query + name: has_reference + schema: + type: object + - description: >- + The operator to use for the `has_reference` parameter. Either `OR` + or `AND`. Defaults to `OR`. + in: query + name: has_reference_operator + schema: + type: string + - description: The page of objects to return. 
+ in: query + name: page + schema: + type: integer + - description: The number of objects to return per page. + in: query + name: per_page + schema: + type: integer + - description: >- + An Elasticsearch `simple_query_string` query that filters the + objects in the response. + in: query + name: search + schema: + type: string + - description: >- + The fields to perform the `simple_query_string` parsed query + against. + in: query + name: search_fields + schema: + oneOf: + - type: string + - type: array + - description: > + Sorts the response. Includes "root" and "type" fields. "root" fields + exist for all saved objects, such as "updated_at". "type" fields are + specific to an object type, such as fields returned in the + attributes key of the response. When a single type is defined in the + type parameter, the "root" and "type" fields are allowed, and + validity checks are made in that order. When multiple types are + defined in the type parameter, only "root" fields are allowed. + in: query + name: sort_field + schema: + type: string + - description: The saved object types to include. + in: query + name: type + required: true + schema: + oneOf: + - type: string + - type: array + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + description: Indicates a successful call. + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Saved_objects_400_response' + description: Bad request + summary: Search for saved objects + tags: + - saved objects + /api/saved_objects/_import: + post: + description: > + Create sets of Kibana saved objects from a file created by the export + API. + + Saved objects can be imported only into the same version, a newer minor + on the same major, or the next major. Exported saved objects are not + backwards compatible and cannot be imported into an older version of + Kibana. 
+ + + This functionality is in technical preview and may be changed or removed + in a future release. Elastic will work to fix any issues, but features + in technical preview are not subject to the support SLA of official GA + features. + operationId: importSavedObjectsDefault + parameters: + - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' + - description: > + Creates copies of saved objects, regenerates each object ID, and + resets the origin. When used, potential conflict errors are avoided. + NOTE: This option cannot be used with the `overwrite` and + `compatibilityMode` options. + in: query + name: createNewCopies + required: false + schema: + type: boolean + - description: > + Overwrites saved objects when they already exist. When used, + potential conflict errors are automatically resolved by overwriting + the destination object. NOTE: This option cannot be used with the + `createNewCopies` option. + in: query + name: overwrite + required: false + schema: + type: boolean + - description: > + Applies various adjustments to the saved objects that are being + imported to maintain compatibility between different Kibana + versions. Use this option only if you encounter issues with imported + saved objects. NOTE: This option cannot be used with the + `createNewCopies` option. 
+ in: query + name: compatibilityMode + required: false + schema: + type: boolean + requestBody: + content: + multipart/form-data; Elastic-Api-Version=2023-10-31: + examples: + importObjectsRequest: + $ref: '#/components/examples/Saved_objects_import_objects_request' + schema: type: object - additionalProperties: - $ref: '#/components/schemas/Data_views_runtimefieldmap' - sourceFilters: - $ref: '#/components/schemas/Data_views_sourcefilters' - timeFieldName: - $ref: '#/components/schemas/Data_views_timefieldname' - title: - $ref: '#/components/schemas/Data_views_title' - typeMeta: - $ref: '#/components/schemas/Data_views_typemeta_response' - version: - type: string - example: WzQ2LDJd - Data_views_404_response: - type: object - properties: - error: - type: string - example: Not Found - enum: - - Not Found - message: - type: string - example: >- - Saved object [index-pattern/caaad6d0-920c-11ed-b36a-874bd1548a00] - not found - statusCode: - type: integer - example: 404 - enum: - - 404 - Data_views_update_data_view_request_object: - title: Update data view request - type: object - required: - - data_view - properties: - data_view: - type: object - description: > - The data view properties you want to update. Only the specified - properties are updated in the data view. Unspecified fields stay as - they are persisted. - properties: - allowNoIndex: - $ref: '#/components/schemas/Data_views_allownoindex' - fieldFormats: - $ref: '#/components/schemas/Data_views_fieldformats' - fields: + properties: + file: + description: > + A file exported using the export API. NOTE: The + `savedObjects.maxImportExportSize` configuration setting + limits the number of saved objects which may be included in + this file. Similarly, the + `savedObjects.maxImportPayloadBytes` setting limits the + overall size of the file that can be imported. 
+ required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + examples: + importObjectsResponse: + $ref: '#/components/examples/Saved_objects_import_objects_response' + schema: + type: object + properties: + errors: + description: > + Indicates the import was unsuccessful and specifies the + objects that failed to import. + + + NOTE: One object may result in multiple errors, which + requires separate steps to resolve. For instance, a + `missing_references` error and conflict error. + items: + type: object + type: array + success: + description: > + Indicates when the import was successfully completed. When + set to false, some objects may not have been created. For + additional information, refer to the `errors` and + `successResults` properties. + type: boolean + successCount: + description: Indicates the number of successfully imported records. + type: integer + successResults: + description: > + Indicates the objects that are successfully imported, with + any metadata if applicable. + + + NOTE: Objects are created only when all resolvable errors + are addressed, including conflicts and missing references. + If objects are created as new copies, each entry in the + `successResults` array includes a `destinationId` + attribute. + items: + type: object + type: array + description: Indicates a successful call. + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Saved_objects_400_response' + description: Bad request. + summary: Import saved objects + tags: + - saved objects + /api/saved_objects/_resolve_import_errors: + post: + description: > + To resolve errors from the Import objects API, you can: + + + * Retry certain saved objects + + * Overwrite specific saved objects + + * Change references to different saved objects + + + This functionality is in technical preview and may be changed or removed + in a future release. 
Elastic will work to fix any issues, but features + in technical preview are not subject to the support SLA of official GA + features. + operationId: resolveImportErrors + parameters: + - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' + - description: > + Applies various adjustments to the saved objects that are being + imported to maintain compatibility between different Kibana + versions. When enabled during the initial import, also enable when + resolving import errors. This option cannot be used with the + `createNewCopies` option. + in: query + name: compatibilityMode + required: false + schema: + type: boolean + - description: > + Creates copies of the saved objects, regenerates each object ID, and + resets the origin. When enabled during the initial import, also + enable when resolving import errors. + in: query + name: createNewCopies + required: false + schema: + type: boolean + requestBody: + content: + multipart/form-data; Elastic-Api-Version=2023-10-31: + examples: + resolveImportErrorsRequest: + $ref: >- + #/components/examples/Saved_objects_resolve_missing_reference_request + schema: type: object - name: - type: string - runtimeFieldMap: + properties: + file: + description: The same file given to the import API. + format: binary + type: string + retries: + description: >- + The retry operations, which can specify how to resolve + different types of errors. + items: + type: object + properties: + destinationId: + description: >- + Specifies the destination ID that the imported object + should have, if different from the current ID. + type: string + id: + description: The saved object ID. + type: string + ignoreMissingReferences: + description: >- + When set to `true`, ignores missing reference errors. + When set to `false`, does nothing. + type: boolean + overwrite: + description: >- + When set to `true`, the source object overwrites the + conflicting destination object. When set to `false`, + does nothing. 
+ type: boolean + replaceReferences: + description: >- + A list of `type`, `from`, and `to` used to change the + object references. + items: + type: object + properties: + from: + type: string + to: + type: string + type: + type: string + type: array + type: + description: The saved object type. + type: string + required: + - type + - id + type: array + required: + - retries + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + examples: + resolveImportErrorsResponse: + $ref: >- + #/components/examples/Saved_objects_resolve_missing_reference_response + schema: + type: object + properties: + errors: + description: > + Specifies the objects that failed to resolve. + + + NOTE: One object can result in multiple errors, which + requires separate steps to resolve. For instance, a + `missing_references` error and a `conflict` error. + items: + type: object + type: array + success: + description: > + Indicates a successful import. When set to `false`, some + objects may not have been created. For additional + information, refer to the `errors` and `successResults` + properties. + type: boolean + successCount: + description: | + Indicates the number of successfully resolved records. + type: number + successResults: + description: > + Indicates the objects that are successfully imported, with + any metadata if applicable. + + + NOTE: Objects are only created when all resolvable errors + are addressed, including conflict and missing references. + items: + type: object + type: array + description: Indicates a successful call. + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Saved_objects_400_response' + description: Bad request. + summary: Resolve import errors + tags: + - saved objects + '/api/saved_objects/{type}': + post: + deprecated: true + description: Create a Kibana saved object with a randomly generated identifier. 
+ operationId: createSavedObject + parameters: + - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' + - $ref: '#/components/parameters/Saved_objects_saved_object_type' + - description: 'If true, overwrites the document with the same identifier.' + in: query + name: overwrite + schema: + type: boolean + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: type: object - additionalProperties: - $ref: '#/components/schemas/Data_views_runtimefieldmap' - sourceFilters: - $ref: '#/components/schemas/Data_views_sourcefilters' - timeFieldName: - $ref: '#/components/schemas/Data_views_timefieldname' - title: - $ref: '#/components/schemas/Data_views_title' - type: - $ref: '#/components/schemas/Data_views_type' - typeMeta: - $ref: '#/components/schemas/Data_views_typemeta' - refresh_fields: - type: boolean - description: Reloads the data view fields after the data view is updated. - default: false - Data_views_swap_data_view_request_object: - title: Data view reference swap request - type: object - required: - - fromId - - toId - properties: - delete: - type: boolean - description: Deletes referenced saved object if all references are removed. - forId: - oneOf: - - type: string - - type: array - items: - type: string - description: Limit the affected saved objects to one or more by identifier. - forType: - type: string - description: Limit the affected saved objects by type. - fromId: - type: string - description: The saved object reference to change. - fromType: - type: string - description: > - Specify the type of the saved object reference to alter. The default - value is `index-pattern` for data views. - toId: - type: string - description: New saved object reference value to replace the old value. - Machine_learning_APIs_mlSyncResponseSuccess: - type: boolean - description: The success or failure of the synchronization. 
- Machine_learning_APIs_mlSyncResponseAnomalyDetectors: - type: object - title: Sync API response for anomaly detection jobs - description: >- - The sync machine learning saved objects API response contains this - object when there are anomaly detection jobs affected by the - synchronization. There is an object for each relevant job, which - contains the synchronization status. - properties: - success: - $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess' - Machine_learning_APIs_mlSyncResponseDatafeeds: - type: object - title: Sync API response for datafeeds - description: >- - The sync machine learning saved objects API response contains this - object when there are datafeeds affected by the synchronization. There - is an object for each relevant datafeed, which contains the - synchronization status. - properties: - success: - $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess' - Machine_learning_APIs_mlSyncResponseDataFrameAnalytics: - type: object - title: Sync API response for data frame analytics jobs + properties: + attributes: + $ref: '#/components/schemas/Saved_objects_attributes' + initialNamespaces: + $ref: '#/components/schemas/Saved_objects_initial_namespaces' + references: + $ref: '#/components/schemas/Saved_objects_references' + required: + - attributes + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + description: Indicates a successful call. + '409': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + description: Indicates a conflict error. + summary: Create a saved object + tags: + - saved objects + '/api/saved_objects/{type}/{id}': + get: + deprecated: true + description: Retrieve a single Kibana saved object by identifier. 
+ operationId: getSavedObject + parameters: + - $ref: '#/components/parameters/Saved_objects_saved_object_id' + - $ref: '#/components/parameters/Saved_objects_saved_object_type' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + description: Indicates a successful call. + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Saved_objects_400_response' + description: Bad request. + summary: Get a saved object + tags: + - saved objects + post: + deprecated: true description: >- - The sync machine learning saved objects API response contains this - object when there are data frame analytics jobs affected by the - synchronization. There is an object for each relevant job, which - contains the synchronization status. - properties: - success: - $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess' - Machine_learning_APIs_mlSyncResponseSavedObjectsCreated: - type: object - title: Sync API response for created saved objects + Create a Kibana saved object and specify its identifier instead of using + a randomly generated ID. + operationId: createSavedObjectId + parameters: + - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' + - $ref: '#/components/parameters/Saved_objects_saved_object_id' + - $ref: '#/components/parameters/Saved_objects_saved_object_type' + - description: 'If true, overwrites the document with the same identifier.' 
+ in: query + name: overwrite + schema: + type: boolean + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + attributes: + $ref: '#/components/schemas/Saved_objects_attributes' + initialNamespaces: + $ref: '#/components/schemas/Saved_objects_initial_namespaces' + references: + $ref: '#/components/schemas/Saved_objects_initial_namespaces' + required: + - attributes + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + description: Indicates a successful call. + '409': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + description: Indicates a conflict error. + summary: Create a saved object + tags: + - saved objects + put: + deprecated: true + description: Update the attributes for Kibana saved objects. + operationId: updateSavedObject + parameters: + - $ref: '#/components/parameters/Saved_objects_kbn_xsrf' + - $ref: '#/components/parameters/Saved_objects_saved_object_id' + - $ref: '#/components/parameters/Saved_objects_saved_object_type' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + description: Indicates a successful call. + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + description: Indicates the object was not found. + '409': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + description: Indicates a conflict error. + summary: Update a saved object + tags: + - saved objects + '/api/saved_objects/resolve/{type}/{id}': + get: + deprecated: true + description: > + Retrieve a single Kibana saved object by identifier using any legacy URL + alias if it exists. 
Under certain circumstances, when Kibana is + upgraded, saved object migrations may necessitate regenerating some + object IDs to enable new features. When an object's ID is regenerated, a + legacy URL alias is created for that object, preserving its old ID. In + such a scenario, that object can be retrieved using either its new ID or + its old ID. + operationId: resolveSavedObject + parameters: + - $ref: '#/components/parameters/Saved_objects_saved_object_id' + - $ref: '#/components/parameters/Saved_objects_saved_object_type' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + description: Indicates a successful call. + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Saved_objects_400_response' + description: Bad request. + summary: Resolve a saved object + tags: + - saved objects + /api/security_ai_assistant/anonymization_fields/_bulk_action: + post: description: >- - If saved objects are missing for machine learning jobs or trained - models, they are created when you run the sync machine learning saved - objects API. - properties: - anomaly-detector: - type: object - description: >- - If saved objects are missing for anomaly detection jobs, they are - created. - additionalProperties: - $ref: >- - #/components/schemas/Machine_learning_APIs_mlSyncResponseAnomalyDetectors - data-frame-analytics: - type: object - description: >- - If saved objects are missing for data frame analytics jobs, they are - created. - additionalProperties: + The bulk action is applied to all anonymization fields that match the + filter or to the list of anonymization fields by their IDs. 
+ operationId: PerformAnonymizationFieldsBulkAction + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + create: + items: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldCreateProps + type: array + delete: + type: object + properties: + ids: + description: Array of anonymization fields IDs + items: + type: string + minItems: 1 + type: array + query: + description: Query to filter anonymization fields + type: string + update: + items: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldUpdateProps + type: array + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkCrudActionResponse + description: Indicates a successful call. + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + error: + type: string + message: + type: string + statusCode: + type: number + description: Generic Error + summary: Applies a bulk action to multiple anonymization fields + tags: + - Security AI Assistant API + - Bulk API + /api/security_ai_assistant/anonymization_fields/_find: + get: + description: Finds anonymization fields that match the given query. + operationId: FindAnonymizationFields + parameters: + - in: query + name: fields + required: false + schema: + items: + type: string + type: array + - description: Search query + in: query + name: filter + required: false + schema: + type: string + - description: Field to sort by + in: query + name: sort_field + required: false + schema: $ref: >- - #/components/schemas/Machine_learning_APIs_mlSyncResponseDataFrameAnalytics - trained-model: - type: object - description: If saved objects are missing for trained models, they are created. 
- additionalProperties: + #/components/schemas/Security_AI_Assistant_API_FindAnonymizationFieldsSortField + - description: Sort order + in: query + name: sort_order + required: false + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_SortOrder' + - description: Page number + in: query + name: page + required: false + schema: + default: 1 + minimum: 1 + type: integer + - description: AnonymizationFields per page + in: query + name: per_page + required: false + schema: + default: 20 + minimum: 0 + type: integer + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + data: + items: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse + type: array + page: + type: integer + perPage: + type: integer + total: + type: integer + required: + - page + - perPage + - total + - data + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + error: + type: string + message: + type: string + statusCode: + type: number + description: Generic Error + summary: Finds anonymization fields that match the given query. + tags: + - Security AI Assistant API + - AnonymizationFields API + /api/security_ai_assistant/chat/complete: + post: + description: Creates a model response for the given chat conversation. + operationId: ChatComplete + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_ChatCompleteProps' + required: true + responses: + '200': + content: + application/octet-stream; Elastic-Api-Version=2023-10-31: + schema: + format: binary + type: string + description: Indicates a successful call. 
+ '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + error: + type: string + message: + type: string + statusCode: + type: number + description: Generic Error + summary: Creates a model response for the given chat conversation. + tags: + - Security AI Assistant API + - Chat Complete API + /api/security_ai_assistant/current_user/conversations: + post: + description: Create a conversation + operationId: CreateConversation + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_ConversationCreateProps + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_ConversationResponse + description: Indicates a successful call. + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + error: + type: string + message: + type: string + statusCode: + type: number + description: Generic Error + summary: Create a conversation + tags: + - Security AI Assistant API + - Conversation API + /api/security_ai_assistant/current_user/conversations/_find: + get: + description: Finds conversations that match the given query. 
+ operationId: FindConversations + parameters: + - in: query + name: fields + required: false + schema: + items: + type: string + type: array + - description: Search query + in: query + name: filter + required: false + schema: + type: string + - description: Field to sort by + in: query + name: sort_field + required: false + schema: $ref: >- - #/components/schemas/Machine_learning_APIs_mlSyncResponseTrainedModels - Machine_learning_APIs_mlSyncResponseSavedObjectsDeleted: - type: object - title: Sync API response for deleted saved objects + #/components/schemas/Security_AI_Assistant_API_FindConversationsSortField + - description: Sort order + in: query + name: sort_order + required: false + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_SortOrder' + - description: Page number + in: query + name: page + required: false + schema: + default: 1 + minimum: 1 + type: integer + - description: Conversations per page + in: query + name: per_page + required: false + schema: + default: 20 + minimum: 0 + type: integer + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + data: + items: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_ConversationResponse + type: array + page: + type: integer + perPage: + type: integer + total: + type: integer + required: + - page + - perPage + - total + - data + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + error: + type: string + message: + type: string + statusCode: + type: number + description: Generic Error + summary: Finds conversations that match the given query. + tags: + - Security AI Assistant API + - Conversations API + '/api/security_ai_assistant/current_user/conversations/{id}': + delete: + description: Deletes a single conversation using the `id` field. 
+ operationId: DeleteConversation + parameters: + - description: The conversation's `id` value. + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_ConversationResponse + description: Indicates a successful call. + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + error: + type: string + message: + type: string + statusCode: + type: number + description: Generic Error + summary: Deletes a single conversation using the `id` field. + tags: + - Security AI Assistant API + - Conversation API + get: + description: Read a single conversation + operationId: ReadConversation + parameters: + - description: The conversation's `id` value. + in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_ConversationResponse + description: Indicates a successful call. + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + error: + type: string + message: + type: string + statusCode: + type: number + description: Generic Error + summary: Read a single conversation + tags: + - Security AI Assistant API + - Conversations API + put: + description: Update a single conversation + operationId: UpdateConversation + parameters: + - description: The conversation's `id` value. 
+ in: path + name: id + required: true + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_ConversationUpdateProps + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_ConversationResponse + description: Indicates a successful call. + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + error: + type: string + message: + type: string + statusCode: + type: number + description: Generic Error + summary: Update a conversation + tags: + - Security AI Assistant API + - Conversation API + /api/security_ai_assistant/prompts/_bulk_action: + post: description: >- - If saved objects exist for machine learning jobs or trained models that - no longer exist, they are deleted when you run the sync machine learning - saved objects API. - properties: - anomaly-detector: - type: object - description: >- - If there are saved objects exist for nonexistent anomaly detection - jobs, they are deleted. - additionalProperties: - $ref: >- - #/components/schemas/Machine_learning_APIs_mlSyncResponseAnomalyDetectors - data-frame-analytics: - type: object - description: >- - If there are saved objects exist for nonexistent data frame - analytics jobs, they are deleted. - additionalProperties: + The bulk action is applied to all prompts that match the filter or to + the list of prompts by their IDs. 
+ operationId: PerformPromptsBulkAction + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + create: + items: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_PromptCreateProps + type: array + delete: + type: object + properties: + ids: + description: Array of prompts IDs + items: + type: string + minItems: 1 + type: array + query: + description: Query to filter promps + type: string + update: + items: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_PromptUpdateProps + type: array + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_PromptsBulkCrudActionResponse + description: Indicates a successful call. + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + error: + type: string + message: + type: string + statusCode: + type: number + description: Generic Error + summary: Applies a bulk action to multiple prompts + tags: + - Security AI Assistant API + - Bulk API + /api/security_ai_assistant/prompts/_find: + get: + description: Finds prompts that match the given query. 
+ operationId: FindPrompts + parameters: + - in: query + name: fields + required: false + schema: + items: + type: string + type: array + - description: Search query + in: query + name: filter + required: false + schema: + type: string + - description: Field to sort by + in: query + name: sort_field + required: false + schema: $ref: >- - #/components/schemas/Machine_learning_APIs_mlSyncResponseDataFrameAnalytics - trained-model: - type: object + #/components/schemas/Security_AI_Assistant_API_FindPromptsSortField + - description: Sort order + in: query + name: sort_order + required: false + schema: + $ref: '#/components/schemas/Security_AI_Assistant_API_SortOrder' + - description: Page number + in: query + name: page + required: false + schema: + default: 1 + minimum: 1 + type: integer + - description: Prompts per page + in: query + name: per_page + required: false + schema: + default: 20 + minimum: 0 + type: integer + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + data: + items: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_PromptResponse + type: array + page: + type: integer + perPage: + type: integer + total: + type: integer + required: + - page + - perPage + - total + - data + description: Successful response + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + error: + type: string + message: + type: string + statusCode: + type: number + description: Generic Error + summary: Finds prompts that match the given query. + tags: + - Security AI Assistant API + - Prompts API + /api/status: + get: + operationId: /api/status#0 + parameters: + - description: The version of the API to use + in: header + name: elastic-api-version + schema: + default: '2023-10-31' + enum: + - '2023-10-31' + type: string + - description: Set to "true" to get the response in v7 format. 
+ in: query + name: v7format + required: false + schema: + type: boolean + - description: Set to "true" to get the response in v8 format. + in: query + name: v8format + required: false + schema: + type: boolean + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_core_status_response' + - $ref: >- + #/components/schemas/Kibana_HTTP_APIs_core_status_redactedResponse + description: >- + Kibana's operational status. A minimal response is sent for + unauthorized users. + description: Overall status is OK and Kibana should be functioning normally. + '503': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + anyOf: + - $ref: '#/components/schemas/Kibana_HTTP_APIs_core_status_response' + - $ref: >- + #/components/schemas/Kibana_HTTP_APIs_core_status_redactedResponse + description: >- + Kibana's operational status. A minimal response is sent for + unauthorized users. description: >- - If there are saved objects exist for nonexistent trained models, - they are deleted. - additionalProperties: - $ref: >- - #/components/schemas/Machine_learning_APIs_mlSyncResponseTrainedModels - Machine_learning_APIs_mlSyncResponseTrainedModels: - type: object - title: Sync API response for trained models + Kibana or some of it's essential services are unavailable. Kibana + may be degraded or unavailable. + summary: Get Kibana's current status + tags: + - system + /api/timeline: + delete: + operationId: DeleteTimelines + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + savedObjectIds: + items: + type: string + type: array + searchIds: + description: >- + Saved search ids that should be deleted alongside the + timelines + items: + type: string + type: array + required: + - savedObjectIds + description: The ids of the timelines or timeline templates to delete. 
+ required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + data: + type: object + properties: + deleteTimeline: + type: boolean + required: + - deleteTimeline + required: + - data + description: Indicates the timeline was successfully deleted. + summary: Deletes one or more timelines or timeline templates. + tags: + - Security Solution Timeline API + - 'access:securitySolution' + get: + operationId: GetTimeline + parameters: + - description: The ID of the template timeline to retrieve + in: query + name: template_timeline_id + schema: + type: string + - description: The ID of the timeline to retrieve + in: query + name: id + schema: + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + data: + type: object + properties: + getOneTimeline: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_TimelineResponse + nullable: true + required: + - getOneTimeline + required: + - data + description: Indicates that the (template) timeline was found and returned. + summary: >- + Get an existing saved timeline or timeline template. This API is used to + retrieve an existing saved timeline or timeline template. + tags: + - Security Solution Timeline API + - 'access:securitySolution' + patch: description: >- - The sync machine learning saved objects API response contains this - object when there are trained models affected by the synchronization. - There is an object for each relevant trained model, which contains the - synchronization status. - properties: - success: - $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess' - Machine_learning_APIs_mlSync200Response: - type: object - title: Successful sync API response - properties: - datafeedsAdded: - type: object + Updates an existing timeline. 
This API is used to update the title, + description, date range, pinned events, pinned queries, and/or pinned + saved queries of an existing timeline. + operationId: PatchTimeline + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + timeline: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_SavedTimeline + timelineId: + nullable: true + type: string + version: + nullable: true + type: string + required: + - timelineId + - version + - timeline + description: The timeline updates along with the timeline ID and version. + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + data: + type: object + properties: + persistTimeline: + type: object + properties: + timeline: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_TimelineResponse + required: + - timeline + required: + - persistTimeline + required: + - data description: >- - If a saved object for an anomaly detection job is missing a datafeed - identifier, it is added when you run the sync machine learning saved - objects API. - additionalProperties: - $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseDatafeeds' - datafeedsRemoved: - type: object + Indicates that the draft timeline was successfully created. In the + event the user already has a draft timeline, the existing draft + timeline is cleared and returned. + '405': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + body: + type: string + statusCode: + type: number description: >- - If a saved object for an anomaly detection job references a datafeed - that no longer exists, it is deleted when you run the sync machine - learning saved objects API. 
- additionalProperties: - $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseDatafeeds' - savedObjectsCreated: - $ref: >- - #/components/schemas/Machine_learning_APIs_mlSyncResponseSavedObjectsCreated - savedObjectsDeleted: - $ref: >- - #/components/schemas/Machine_learning_APIs_mlSyncResponseSavedObjectsDeleted - Machine_learning_APIs_mlSync4xxResponse: - type: object - title: Unsuccessful sync API response - properties: - error: - type: string - example: Unauthorized - message: - type: string - statusCode: - type: integer - example: 401 - Saved_objects_400_response: - title: Bad request - type: object - required: - - error - - message - - statusCode - properties: - error: - type: string - enum: - - Bad Request - message: - type: string - statusCode: - type: integer - enum: - - 400 - Saved_objects_attributes: - type: object - description: > - The data that you want to create. WARNING: When you create saved - objects, attributes are not validated, which allows you to pass - arbitrary and ill-formed data into the API that can break Kibana. Make - sure any data that you send to the API is properly formed. - Saved_objects_initial_namespaces: - type: array - description: > - Identifiers for the spaces in which this object is created. If this is - provided, the object is created only in the explicitly defined spaces. - If this is not provided, the object is created in the current space - (default behavior). For shareable object types (registered with - `namespaceType: 'multiple'`), this option can be used to specify one or - more spaces, including the "All spaces" identifier ('*'). For isolated - object types (registered with `namespaceType: 'single'` or - `namespaceType: 'multiple-isolated'`), this option can only be used to - specify a single space, and the "All spaces" identifier ('*') is not - allowed. For global object types (`registered with `namespaceType: - agnostic`), this option cannot be used. 
- Saved_objects_references: - type: array - description: > - Objects with `name`, `id`, and `type` properties that describe the other - saved objects that this object references. Use `name` in attributes to - refer to the other saved object, but never the `id`, which can update - automatically during migrations or import and export. - Kibana_HTTP_APIs_core_status_redactedResponse: - additionalProperties: false - description: A minimal representation of Kibana's operational status. - properties: - status: - additionalProperties: false - properties: - overall: - additionalProperties: false + Indicates that the user does not have the required access to create + a draft timeline. + summary: Updates an existing timeline. + tags: + - Security Solution Timeline API + - 'access:securitySolution' + post: + operationId: CreateTimelines + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object properties: - level: - description: Service status levels as human and machine readable values. - enum: - - available - - degraded - - unavailable - - critical + status: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_TimelineStatus + nullable: true + templateTimelineId: + nullable: true + type: string + templateTimelineVersion: + nullable: true + type: number + timeline: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_SavedTimeline + timelineId: + nullable: true + type: string + timelineType: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_TimelineType + nullable: true + version: + nullable: true type: string required: - - level + - timeline + description: >- + The required timeline fields used to create a new timeline along with + optional fields that will be created if not provided. 
+ required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + data: + type: object + properties: + persistTimeline: + type: object + properties: + timeline: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_TimelineResponse + required: + - persistTimeline + required: + - data + description: Indicates the timeline was successfully created. + '405': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + body: + type: string + statusCode: + type: number + description: Indicates that there was an error in the timeline creation. + summary: Creates a new timeline. + tags: + - Security Solution Timeline API + - 'access:securitySolution' + /api/timeline/_draft: + get: + operationId: GetDraftTimelines + parameters: + - in: query + name: timelineType + required: true + schema: + $ref: '#/components/schemas/Security_Solution_Timeline_API_TimelineType' + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + data: + type: object + properties: + persistTimeline: + type: object + properties: + timeline: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_TimelineResponse + required: + - timeline + required: + - persistTimeline + required: + - data + description: Indicates that the draft timeline was successfully retrieved. + '403': + content: + 'application:json; Elastic-Api-Version=2023-10-31': + schema: + type: object + properties: + message: + type: string + status_code: + type: number + description: >- + If a draft timeline was not found and we attempted to create one, it + indicates that the user does not have the required permissions to + create a draft timeline. 
+ '409': + content: + 'application:json; Elastic-Api-Version=2023-10-31': + schema: + type: object + properties: + message: + type: string + status_code: + type: number + description: >- + This should never happen, but if a draft timeline was not found and + we attempted to create one, it indicates that there is already a + draft timeline with the given timelineId. + summary: >- + Retrieves the draft timeline for the current user. If the user does not + have a draft timeline, an empty timeline is returned. + tags: + - Security Solution Timeline API + - 'access:securitySolution' + post: + description: > + Retrieves a clean draft timeline. If a draft timeline does not exist, it + is created and returned. + operationId: CleanDraftTimelines + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: type: object - required: - - overall - type: object - required: - - status - type: object - Kibana_HTTP_APIs_core_status_response: - additionalProperties: false - description: >- - Kibana's operational status as well as a detailed breakdown of plugin - statuses indication of various loads (like event loop utilization and - network traffic) at time of request. - properties: - metrics: - additionalProperties: false - description: Metric groups collected by Kibana. - properties: - collection_interval_in_millis: - description: The interval at which metrics should be collected. - type: number - elasticsearch_client: - additionalProperties: false - description: Current network metrics of Kibana's Elasticsearch client. properties: - totalActiveSockets: - description: Count of network sockets currently in use. - type: number - totalIdleSockets: - description: Count of network sockets currently idle. - type: number - totalQueuedRequests: - description: Count of requests not yet assigned to sockets. 
- type: number + timelineType: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_TimelineType required: - - totalActiveSockets - - totalIdleSockets - - totalQueuedRequests + - timelineType + description: >- + The type of timeline to create. Valid values are `default` and + `template`. + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + data: + type: object + properties: + persistTimeline: + type: object + properties: + timeline: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_TimelineResponse + required: + - timeline + required: + - persistTimeline + required: + - data + description: >- + Indicates that the draft timeline was successfully created. In the + event the user already has a draft timeline, the existing draft + timeline is cleared and returned. + '403': + content: + 'application:json; Elastic-Api-Version=2023-10-31': + schema: + type: object + properties: + message: + type: string + status_code: + type: number + description: >- + Indicates that the user does not have the required permissions to + create a draft timeline. + '409': + content: + 'application:json; Elastic-Api-Version=2023-10-31': + schema: + type: object + properties: + message: + type: string + status_code: + type: number + description: >- + Indicates that there is already a draft timeline with the given + timelineId. + summary: Retrieves a draft timeline or timeline template. + tags: + - Security Solution Timeline API + - 'access:securitySolution' + /api/timeline/_export: + post: + operationId: ExportTimelines + parameters: + - description: The name of the file to export + in: query + name: file_name + required: true + schema: + type: string + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: type: object - last_updated: - description: The time metrics were collected. 
- type: string - required: - - elasticsearch_client - - last_updated - - collection_interval_in_millis - type: object - name: - description: Kibana instance name. - type: string - status: - additionalProperties: false - properties: - core: - additionalProperties: false - description: Statuses of core Kibana services. properties: - elasticsearch: - additionalProperties: false - properties: - detail: - description: Human readable detail of the service status. - type: string - documentationUrl: - description: A URL to further documentation regarding this service. - type: string - level: - description: >- - Service status levels as human and machine readable - values. - enum: - - available - - degraded - - unavailable - - critical - type: string - meta: - additionalProperties: {} - description: >- - An unstructured set of extra metadata about this - service. - type: object - summary: - description: A human readable summary of the service status. - type: string - required: - - level - - summary - - meta - type: object - savedObjects: - additionalProperties: false - properties: - detail: - description: Human readable detail of the service status. - type: string - documentationUrl: - description: A URL to further documentation regarding this service. - type: string - level: - description: >- - Service status levels as human and machine readable - values. - enum: - - available - - degraded - - unavailable - - critical - type: string - meta: - additionalProperties: {} - description: >- - An unstructured set of extra metadata about this - service. - type: object - summary: - description: A human readable summary of the service status. 
- type: string - required: - - level - - summary - - meta - type: object - required: - - elasticsearch - - savedObjects + ids: + items: + type: string + nullable: true + type: array + description: The ids of the timelines to export + required: true + responses: + '200': + content: + application/ndjson; Elastic-Api-Version=2023-10-31: + schema: + description: NDJSON of the exported timelines + type: string + description: Indicates the timelines were successfully exported + '400': + content: + application/ndjson; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + body: + type: string + statusCode: + type: number + description: Indicates that the export size limit was exceeded + summary: Exports timelines as an NDJSON file + tags: + - Security Solution Timeline API + - 'access:securitySolution' + /api/timeline/_favorite: + patch: + operationId: PersistFavoriteRoute + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: type: object - overall: - additionalProperties: false properties: - detail: - description: Human readable detail of the service status. - type: string - documentationUrl: - description: A URL to further documentation regarding this service. - type: string - level: - description: Service status levels as human and machine readable values. - enum: - - available - - degraded - - unavailable - - critical + templateTimelineId: + nullable: true type: string - meta: - additionalProperties: {} - description: An unstructured set of extra metadata about this service. - type: object - summary: - description: A human readable summary of the service status. 
+ templateTimelineVersion: + nullable: true + type: number + timelineId: + nullable: true type: string + timelineType: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_TimelineType + nullable: true required: - - level - - summary - - meta + - timelineId + - templateTimelineId + - templateTimelineVersion + - timelineType + description: The required fields used to favorite a (template) timeline. + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + data: + type: object + properties: + persistFavorite: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_FavoriteTimelineResponse + required: + - persistFavorite + required: + - data + description: Indicates the favorite status was successfully updated. + '403': + content: + 'application:json; Elastic-Api-Version=2023-10-31': + schema: + type: object + properties: + body: + type: string + statusCode: + type: number + description: >- + Indicates the user does not have the required permissions to persist + the favorite status. + summary: Persists a given users favorite status of a timeline. + tags: + - Security Solution Timeline API + - 'access:securitySolution' + /api/timeline/_import: + post: + operationId: ImportTimelines + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: type: object - plugins: - additionalProperties: - additionalProperties: false + properties: + file: + allOf: + - $ref: >- + #/components/schemas/Security_Solution_Timeline_API_Readable + - type: object + properties: + hapi: + type: object + properties: + filename: + type: string + headers: + type: object + isImmutable: + enum: + - 'true' + - 'false' + type: string + required: + - filename + - headers + required: + - hapi + description: The timelines to import as a readable stream. 
+ required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object properties: - detail: - description: Human readable detail of the service status. + data: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_ImportTimelineResult + required: + - data + description: Indicates the import of timelines was successful. + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + body: type: string - documentationUrl: - description: A URL to further documentation regarding this service. + id: type: string - level: - description: >- - Service status levels as human and machine readable - values. - enum: - - available - - degraded - - unavailable - - critical + statusCode: + type: number + description: >- + Indicates the import of timelines was unsuccessful because of an + invalid file extension. + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + id: type: string - meta: - additionalProperties: {} - description: An unstructured set of extra metadata about this service. - type: object - summary: - description: A human readable summary of the service status. + statusCode: + type: number + description: >- + Indicates that we were unable to locate the saved object client + necessary to handle the import. + '409': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + body: + type: string + id: type: string + statusCode: + type: number + description: Indicates the import of timelines was unsuccessful. + summary: Imports timelines. 
+ tags: + - Security Solution Timeline API + - 'access:securitySolution' + /api/timeline/_prepackaged: + post: + operationId: InstallPrepackedTimelines + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + prepackagedTimelines: + items: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_SavedTimeline + type: array + timelinesToInstall: + items: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_ImportTimelines + nullable: true + type: array + timelinesToUpdate: + items: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_ImportTimelines + nullable: true + type: array + required: + - timelinesToInstall + - timelinesToUpdate + - prepackagedTimelines + description: The timelines to install or update. + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + data: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_ImportTimelineResult required: - - level - - summary - - meta + - data + description: Indicates the installation of prepackaged timelines was successful. + '500': + content: + 'application:json; Elastic-Api-Version=2023-10-31': + schema: type: object - description: A dynamic mapping of plugin ID to plugin status. - type: object - required: - - overall - - core - - plugins - type: object - uuid: + properties: + body: + type: string + statusCode: + type: number description: >- - Unique, generated Kibana instance UUID. This UUID should persist - even if the Kibana process restarts. - type: string - version: - additionalProperties: false - properties: - build_date: - description: The date and time of this build. - type: string - build_flavor: - description: >- - The build flavour determines configuration and behavior of - Kibana. 
On premise users will almost always run the - "traditional" flavour, while other flavours are reserved for - Elastic-specific use cases. - enum: - - serverless - - traditional - type: string - build_hash: - description: >- - A unique hash value representing the git commit of this Kibana - build. - type: string - build_number: - description: >- - A monotonically increasing number, each subsequent build will - have a higher number. - type: number - build_snapshot: - description: Whether this build is a snapshot build. - type: boolean - number: - description: A semantic version number. - type: string - required: - - number - - build_hash - - build_number - - build_snapshot - - build_flavor - - build_date - type: object - required: - - name - - uuid - - version - - status - - metrics - type: object + Indicates the installation of prepackaged timelines was + unsuccessful. + summary: Installs prepackaged timelines. + tags: + - Security Solution Timeline API + - 'access:securitySolution' + /api/timeline/resolve: + get: + operationId: ResolveTimeline + parameters: + - description: The ID of the template timeline to resolve + in: query + name: template_timeline_id + schema: + type: string + - description: The ID of the timeline to resolve + in: query + name: id + schema: + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + data: + type: object + properties: + getOneTimeline: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_TimelineResponse + nullable: true + required: + - getOneTimeline + required: + - data + description: The (template) timeline has been found + '400': + description: The request is missing parameters + '404': + description: The (template) timeline was not found + summary: Get an existing saved timeline or timeline template. 
+ tags: + - Security Solution Timeline API + - 'access:securitySolution' + /api/timelines: + get: + operationId: GetTimelines + parameters: + - description: >- + If true, only timelines that are marked as favorites by the user are + returned. + in: query + name: only_user_favorite + schema: + enum: + - 'true' + - 'false' + nullable: true + type: string + - in: query + name: timeline_type + schema: + $ref: '#/components/schemas/Security_Solution_Timeline_API_TimelineType' + nullable: true + - in: query + name: sort_field + schema: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_SortFieldTimeline + - in: query + name: sort_order + schema: + enum: + - asc + - desc + type: string + - in: query + name: page_size + schema: + nullable: true + type: string + - in: query + name: page_index + schema: + nullable: true + type: string + - in: query + name: search + schema: + nullable: true + type: string + - in: query + name: status + schema: + $ref: '#/components/schemas/Security_Solution_Timeline_API_TimelineStatus' + nullable: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + type: object + properties: + data: + type: object + properties: + customTemplateTimelineCount: + type: number + defaultTimelineCount: + type: number + elasticTemplateTimelineCount: + type: number + favoriteCount: + type: number + templateTimelineCount: + type: number + timelines: + items: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_TimelineResponse + type: array + totalCount: + type: number + required: + - timelines + - totalCount + - defaultTimelineCount + - templateTimelineCount + - favoriteCount + - elasticTemplateTimelineCount + - customTemplateTimelineCount + required: + - data + description: Indicates that the (template) timelines were found and returned. 
+ '400': + content: + 'application:json; Elastic-Api-Version=2023-10-31': + schema: + type: object + properties: + body: + type: string + statusCode: + type: number + description: Bad request. The user supplied invalid data. + summary: >- + This API is used to retrieve a list of existing saved timelines or + timeline templates. + tags: + - Security Solution Timeline API + - 'access:securitySolution' + '/s/{spaceId}/api/observability/slos': + get: + description: > + You must have the `read` privileges for the **SLOs** feature in the + **Observability** section of the Kibana feature privileges. + operationId: findSlosOp + parameters: + - $ref: '#/components/parameters/SLOs_kbn_xsrf' + - $ref: '#/components/parameters/SLOs_space_id' + - description: A valid kql query to filter the SLO with + example: 'slo.name:latency* and slo.tags : "prod"' + in: query + name: kqlQuery + schema: + type: string + - description: 'The page to use for pagination, must be greater or equal than 1' + example: 1 + in: query + name: page + schema: + default: 1 + type: integer + - description: Number of SLOs returned by page + example: 25 + in: query + name: perPage + schema: + default: 25 + maximum: 5000 + type: integer + - description: Sort by field + example: status + in: query + name: sortBy + schema: + default: status + enum: + - sli_value + - status + - error_budget_consumed + - error_budget_remaining + type: string + - description: Sort order + example: asc + in: query + name: sortDirection + schema: + default: asc + enum: + - asc + - desc + type: string + - description: >- + Hide stale SLOs from the list as defined by stale SLO threshold in + SLO settings + in: query + name: hideStale + schema: + type: boolean + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_find_slo_response' + description: Successful request + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: 
'#/components/schemas/SLOs_400_response' + description: Bad request + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_401_response' + description: Unauthorized response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_403_response' + description: Unauthorized response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_404_response' + description: Not found response + summary: Get a paginated list of SLOs + tags: + - slo + post: + description: > + You must have `all` privileges for the **SLOs** feature in the + **Observability** section of the Kibana feature privileges. + operationId: createSloOp + parameters: + - $ref: '#/components/parameters/SLOs_kbn_xsrf' + - $ref: '#/components/parameters/SLOs_space_id' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_create_slo_request' + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_create_slo_response' + description: Successful request + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_400_response' + description: Bad request + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_401_response' + description: Unauthorized response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_403_response' + description: Unauthorized response + '409': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_409_response' + description: Conflict - The SLO id already exists + summary: Create an SLO + tags: + - slo + 
'/s/{spaceId}/api/observability/slos/_delete_instances': + post: + description: > + The deletion occurs for the specified list of `sloId` and `instanceId`. + You must have `all` privileges for the **SLOs** feature in the + **Observability** section of the Kibana feature privileges. + operationId: deleteSloInstancesOp + parameters: + - $ref: '#/components/parameters/SLOs_kbn_xsrf' + - $ref: '#/components/parameters/SLOs_space_id' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_delete_slo_instances_request' + required: true + responses: + '204': + description: Successful request + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_400_response' + description: Bad request + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_401_response' + description: Unauthorized response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_403_response' + description: Unauthorized response + summary: Batch delete rollup and summary data + tags: + - slo + '/s/{spaceId}/api/observability/slos/{sloId}': + delete: + description: > + You must have the `write` privileges for the **SLOs** feature in the + **Observability** section of the Kibana feature privileges. 
+ operationId: deleteSloOp + parameters: + - $ref: '#/components/parameters/SLOs_kbn_xsrf' + - $ref: '#/components/parameters/SLOs_space_id' + - $ref: '#/components/parameters/SLOs_slo_id' + responses: + '204': + description: Successful request + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_400_response' + description: Bad request + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_401_response' + description: Unauthorized response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_403_response' + description: Unauthorized response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_404_response' + description: Not found response + summary: Delete an SLO + tags: + - slo + get: + description: > + You must have the `read` privileges for the **SLOs** feature in the + **Observability** section of the Kibana feature privileges. 
+ operationId: getSloOp + parameters: + - $ref: '#/components/parameters/SLOs_kbn_xsrf' + - $ref: '#/components/parameters/SLOs_space_id' + - $ref: '#/components/parameters/SLOs_slo_id' + - description: the specific instanceId used by the summary calculation + example: host-abcde + in: query + name: instanceId + schema: + type: string + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_slo_with_summary_response' + description: Successful request + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_400_response' + description: Bad request + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_401_response' + description: Unauthorized response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_403_response' + description: Unauthorized response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_404_response' + description: Not found response + summary: Get an SLO + tags: + - slo + put: + description: > + You must have the `write` privileges for the **SLOs** feature in the + **Observability** section of the Kibana feature privileges. 
+ operationId: updateSloOp + parameters: + - $ref: '#/components/parameters/SLOs_kbn_xsrf' + - $ref: '#/components/parameters/SLOs_space_id' + - $ref: '#/components/parameters/SLOs_slo_id' + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_update_slo_request' + required: true + responses: + '200': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_slo_definition_response' + description: Successful request + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_400_response' + description: Bad request + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_401_response' + description: Unauthorized response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_403_response' + description: Unauthorized response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_404_response' + description: Not found response + summary: Update an SLO + tags: + - slo + '/s/{spaceId}/api/observability/slos/{sloId}/_reset': + post: + description: > + You must have the `write` privileges for the **SLOs** feature in the + **Observability** section of the Kibana feature privileges. 
+ operationId: resetSloOp + parameters: + - $ref: '#/components/parameters/SLOs_kbn_xsrf' + - $ref: '#/components/parameters/SLOs_space_id' + - $ref: '#/components/parameters/SLOs_slo_id' + responses: + '204': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_slo_definition_response' + description: Successful request + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_400_response' + description: Bad request + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_401_response' + description: Unauthorized response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_403_response' + description: Unauthorized response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_404_response' + description: Not found response + summary: Reset an SLO + tags: + - slo + '/s/{spaceId}/api/observability/slos/{sloId}/disable': + post: + description: > + You must have the `write` privileges for the **SLOs** feature in the + **Observability** section of the Kibana feature privileges. 
+ operationId: disableSloOp + parameters: + - $ref: '#/components/parameters/SLOs_kbn_xsrf' + - $ref: '#/components/parameters/SLOs_space_id' + - $ref: '#/components/parameters/SLOs_slo_id' + responses: + '200': + description: Successful request + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_400_response' + description: Bad request + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_401_response' + description: Unauthorized response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_403_response' + description: Unauthorized response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_404_response' + description: Not found response + summary: Disable an SLO + tags: + - slo + '/s/{spaceId}/api/observability/slos/{sloId}/enable': + post: + description: > + You must have the `write` privileges for the **SLOs** feature in the + **Observability** section of the Kibana feature privileges. 
+ operationId: enableSloOp + parameters: + - $ref: '#/components/parameters/SLOs_kbn_xsrf' + - $ref: '#/components/parameters/SLOs_space_id' + - $ref: '#/components/parameters/SLOs_slo_id' + responses: + '204': + description: Successful request + '400': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_400_response' + description: Bad request + '401': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_401_response' + description: Unauthorized response + '403': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_403_response' + description: Unauthorized response + '404': + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/SLOs_404_response' + description: Not found response + summary: Enable an SLO + tags: + - slo +components: examples: - Alerting_create_es_query_esql_rule_request: - summary: >- - Create an Elasticsearch query rule that uses Elasticsearch Query - Language (ES|QL). 
- value: - name: my Elasticsearch query ESQL rule - params: - searchType: esqlQuery - esqlQuery: - esql: >- - FROM kibana_sample_data_logs | KEEP bytes, clientip, host, - geo.dest | where geo.dest != "GB" | STATS sumbytes = sum(bytes) by - clientip, host | WHERE sumbytes > 5000 | SORT sumbytes desc | - LIMIT 10 - timeField: '@timestamp' - timeWindowSize: 1 - timeWindowUnit: d - size: 0 - thresholdComparator: '>' - threshold: - - 0 - consumer: stackAlerts - rule_type_id: .es-query - schedule: - interval: 1d - actions: - - group: query matched - id: d0db1fe0-78d6-11ee-9177-f7d404c8c945 - params: - level: info - message: >- - Elasticsearch query rule '{{rule.name}}' is active: - - - Value: {{context.value}} - Conditions Met: - {{context.conditions}} over - {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - - Timestamp: {{context.date}} - Link: {{context.link}} - frequency: - summary: false - notify_when: onActiveAlert - Alerting_create_es_query_rule_request: - summary: >- - Create an Elasticsearch query rule that uses Elasticsearch query domain - specific language (DSL) to define its query and a server log connector - to send notifications. - value: - actions: - - group: query matched - params: - level: info - message: >- - The system has detected {{alerts.new.count}} new, - {{alerts.ongoing.count}} ongoing, and {{alerts.recovered.count}} - recovered alerts. 
- id: fdbece50-406c-11ee-850e-c71febc4ca7f - frequency: - throttle: 1d - summary: true - notify_when: onThrottleInterval - - group: recovered - params: - level: info - message: Recovered - id: fdbece50-406c-11ee-850e-c71febc4ca7f - frequency: - summary: false - notify_when: onActionGroupChange - consumer: alerts - name: my Elasticsearch query rule - params: - esQuery: '"""{"query":{"match_all" : {}}}"""' - index: - - kibana_sample_data_logs - size: 100 - threshold: - - 100 - thresholdComparator: '>' - timeField: '@timestamp' - timeWindowSize: 1 - timeWindowUnit: d - rule_type_id: .es-query - schedule: - interval: 1d - Alerting_create_es_query_kql_rule_request: - summary: >- - Create an Elasticsearch query rule that uses Kibana query language - (KQL). - value: - consumer: alerts - name: my Elasticsearch query KQL rule - params: - aggType: count - excludeHitsFromPreviousRun: true - groupBy: all - searchConfiguration: - query: - query: '""geo.src : "US" ""' - language: kuery - index: 90943e30-9a47-11e8-b64d-95841ca0b247 - searchType: searchSource - size: 100 - threshold: - - 1000 - thresholdComparator: '>' - timeWindowSize: 5 - timeWindowUnit: m - rule_type_id: .es-query - schedule: - interval: 1m - Alerting_create_index_threshold_rule_request: - summary: Create an index threshold rule. 
- value: - actions: - - id: 48de3460-f401-11ed-9f8e-399c75a2deeb - frequency: - notify_when: onActionGroupChange - summary: false - group: threshold met - params: - level: info - message: >- - Rule '{{rule.name}}' is active for group '{{context.group}}': - - - - Value: {{context.value}} - - - Conditions Met: {{context.conditions}} over - {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - - - Timestamp: {{context.date}} - alert_delay: - active: 3 - consumer: alerts - name: my rule - params: - aggType: avg - termSize: 6 - thresholdComparator: '>' - timeWindowSize: 5 - timeWindowUnit: m - groupBy: top - threshold: - - 1000 - index: - - .test-index - timeField: '@timestamp' - aggField: sheet.version - termField: name.keyword - rule_type_id: .index-threshold - schedule: - interval: 1m - tags: - - cpu - Alerting_create_tracking_containment_rule_request: - summary: Create a tracking containment rule. - value: - consumer: alerts - name: my tracking rule - params: - index: kibana_sample_data_logs - dateField": '@timestamp' - geoField: geo.coordinates - entity: agent.keyword - boundaryType: entireIndex - boundaryIndexTitle: boundary* - boundaryGeoField: location - boundaryNameField: name - indexId: 90943e30-9a47-11e8-b64d-95841ca0b247 - boundaryIndexId: 0cd90abf-abe7-44c7-909a-f621bbbcfefc - rule_type_id: .geo-containment - schedule: - interval: 1h - Alerting_create_es_query_esql_rule_response: - summary: >- - The create rule API returns a JSON object that contains details about - the rule. 
- value: - id: e0d62360-78e8-11ee-9177-f7d404c8c945 - enabled: true - name: my Elasticsearch query ESQL rule - tags: [] - rule_type_id: .es-query - consumer: stackAlerts - schedule: - interval: 1d - actions: - - group: query matched - id: d0db1fe0-78d6-11ee-9177-f7d404c8c945 - params: - level: info - message: >- - Elasticsearch query rule '{{rule.name}}' is active: - - - Value: {{context.value}} - Conditions Met: - {{context.conditions}} over - {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - - Timestamp: {{context.date}} - Link: {{context.link}} - connector_type_id: .server-log - frequency: - summary: false - notify_when: onActiveAlert - throttle: null - uuid: bfe370a3-531b-4855-bbe6-ad739f578844 - params: - searchType: esqlQuery - esqlQuery: - esql: >- - FROM kibana_sample_data_logs | keep bytes, clientip, host, - geo.dest | WHERE geo.dest != "GB" | stats sumbytes = sum(bytes) by - clientip, host | WHERE sumbytes > 5000 | sort sumbytes desc | - limit 10 - timeField: '@timestamp' - timeWindowSize: 1 - timeWindowUnit: d - size: 0 - thresholdComparator: '>' - threshold: - - 0 - excludeHitsFromPreviousRun": true, - aggType: count - groupBy: all - scheduled_task_id: e0d62360-78e8-11ee-9177-f7d404c8c945 - created_by: elastic - updated_by: elastic", - created_at: '2023-11-01T19:00:10.453Z' - updated_at: '2023-11-01T19:00:10.453Z' - api_key_owner: elastic - api_key_created_by_user: false - throttle: null - mute_all: false - notify_when: null - muted_alert_ids: [] - execution_status: - status: pending - last_execution_date: '2023-11-01T19:00:10.453Z' - revision: 0 - running: false - Alerting_create_es_query_rule_response: - summary: >- - The create rule API returns a JSON object that contains details about - the rule. 
- value: - id: 58148c70-407f-11ee-850e-c71febc4ca7f - enabled: true - name: my Elasticsearch query rule - tags: [] - rule_type_id: .es-query - consumer: alerts - schedule: - interval: 1d - actions: - - group: query matched - id: fdbece50-406c-11ee-850e-c71febc4ca7f - params: - level: info - message: >- - The system has detected {{alerts.new.count}} new, - {{alerts.ongoing.count}} ongoing, and {{alerts.recovered.count}} - recovered alerts. - connector_type_id: .server-log - frequency: - summary: true - notify_when: onThrottleInterval - throttle: 1d - uuid: 53f3c2a3-e5d0-4cfa-af3b-6f0881385e78 - - group: recovered - id: fdbece50-406c-11ee-850e-c71febc4ca7f - params: - level: info - message: Recovered - connector_type_id: .server-log - frequency: - summary: false - notify_when: onActionGroupChange - throttle: null - uuid: 2324e45b-c0df-45c7-9d70-4993e30be758 - params: - thresholdComparator: '>' - timeWindowSize: 1 - timeWindowUnit: d - threshold: - - 100 - size: 100 - timeField: '@timestamp' - index: - - kibana_sample_data_logs - esQuery: '"""{"query":{"match_all" : {}}}"""' - excludeHitsFromPreviousRun: true - aggType: count - groupBy: all - searchType: esQuery - scheduled_task_id: 58148c70-407f-11ee-850e-c71febc4ca7f - created_by: elastic - updated_by: elastic - created_at: '2023-08-22T00:03:38.263Z' - updated_at: '2023-08-22T00:03:38.263Z' - api_key_owner: elastic - api_key_created_by_user: false - throttle: null - mute_all: false - notify_when: null - muted_alert_ids: [] - execution_status: - status: pending - last_execution_date: '2023-08-22T00:03:38.263Z' - revision: 0 - running: false - Alerting_create_es_query_kql_rule_response: - summary: >- - The create rule API returns a JSON object that contains details about - the rule. 
- value: - id: 7bd506d0-2284-11ee-8fad-6101956ced88 - enabled: true - name: my Elasticsearch query KQL rule" - tags: [] - rule_type_id: .es-query - consumer: alerts - schedule: - interval: 1m - actions: [] - params: - searchConfiguration: - query: - query: '""geo.src : "US" ""' - language: kuery - index: 90943e30-9a47-11e8-b64d-95841ca0b247 - searchType: searchSource - timeWindowSize: 5 - timeWindowUnit: m - threshold: - - 1000 - thresholdComparator: '>' - size: 100 - aggType: count - groupBy: all - excludeHitsFromPreviousRun: true - created_by: elastic - updated_by: elastic - created_at: '2023-07-14T20:24:50.729Z' - updated_at: '2023-07-14T20:24:50.729Z' - api_key_owner: elastic - api_key_created_by_user: false - throttle: null - notify_when: null - mute_all: false - muted_alert_ids: [] - scheduled_task_id: 7bd506d0-2284-11ee-8fad-6101956ced88 - execution_status: - status: pending - last_execution_date: '2023-07-14T20:24:50.729Z' - revision: 0 - running: false - Alerting_create_index_threshold_rule_response: - summary: >- - The create rule API returns a JSON object that contains details about - the rule. 
- value: - actions: - - group: threshold met - id: dceeb5d0-6b41-11eb-802b-85b0c1bc8ba2 - uuid: 07aef2a0-9eed-4ef9-94ec-39ba58eb609d - connector_type_id: .server-log - frequency: - notify_when: onActionGroupChange - summary: false - throttle: null - params: - level: info - message: >- - Rule {{rule.name}} is active for group {{context.group} : - - - - Value: {{context.value}} - - - Conditions Met: {{context.conditions}} over - {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - - - Timestamp: {{context.date}} - alert_delay: - active: 3 - api_key_created_by_user: false - api_key_owner: elastic - consumer: alerts - created_at: '2022-06-08T17:20:31.632Z' - created_by: elastic - enabled: true - execution_status: - last_execution_date: '2022-06-08T17:20:31.632Z' - status: pending - id: 41893910-6bca-11eb-9e0d-85d233e3ee35 - muted_alert_ids: [] - mute_all: false - name: my rule - notify_when: null - params: - aggType: avg - termSize: 6 - thresholdComparator: '>' - timeWindowSize: 5 - timeWindowUnit: m - groupBy: top - threshold: - - 1000 - index: - - .test-index - timeField: '@timestamp' - aggField: sheet.version - termField: name.keyword - revision: 0 - rule_type_id: .index-threshold - running: false - schedule: - interval: 1m - scheduled_task_id: 425b0800-6bca-11eb-9e0d-85d233e3ee35 - tags: - - cpu - throttle: null - updated_at: '2022-06-08T17:20:31.632Z' - updated_by: elastic - Alerting_create_tracking_containment_rule_response: - summary: >- - The create rule API returns a JSON object that contains details about - the rule. 
- value: - id: b6883f9d-5f70-4758-a66e-369d7c26012f - name: my tracking rule - tags: [] - enabled: true - consumer: alerts - throttle: null - revision: 1 - running: false - schedule: - interval: 1h - params: - index: kibana_sample_data_logs - dateField: '@timestamp' - geoField: geo.coordinates - entity: agent.keyword - boundaryType: entireIndex - boundaryIndexTitle: boundary* - boundaryGeoField: location - boundaryNameField: name - indexId: 90943e30-9a47-11e8-b64d-95841ca0b247 - boundaryIndexId: 0cd90abf-abe7-44c7-909a-f621bbbcfefc - rule_type_id: .geo-containment - created_by: elastic - updated_by: elastic - created_at: '2024-02-14T19:52:55.920Z' - updated_at: '2024-02-15T03:24:32.574Z' - api_key_owner: elastic - notify_when: null - mute_all: false - muted_alert_ids: [] - scheduled_task_id: b6883f9d-5f70-4758-a66e-369d7c26012f - execution_status: - status: ok - last_execution_date: '2024-02-15T03:25:38.125Z' - last_duration: 74 - actions: [] - last_run: - alerts_count: - active: 0 - new: 0 - recovered: 0 - ignored: 0 - outcome_msg: null - outcome_order: 0 - outcome: succeeded - warning: null - next_run: '2024-02-15T03:26:38.033Z' - api_key_created_by_user: false - Alerting_get_rule_response: - summary: >- - The get rule API returns a JSON object that contains details about the - rule. 
- value: - id: 31697a40-7b36-11ed-aa79-f742c05329b2 - consumer: alerts - tags: - - cpu - name: my alert - enabled: true - throttle: null - schedule: - interval: 1m - params: - aggType: avg - termSize: 6 - thresholdComparator: '>' - timeWindowSize: 5 - timeWindowUnit: m - groupBy: top - threshold: - - 1000 - index: - - test-index - timeField: '@timestamp' - aggField: sheet.version - termField: name.keyword - revision: 1 - rule_type_id: .index-threshold - created_by: elastic - updated_by: elastic - created_at: '2022-12-13T22:33:41.163Z' - updated_at: '2022-12-13T22:33:41.163Z' - api_key_owner: elastic - notify_when: null - muted_alert_ids: [] - mute_all: false - scheduled_task_id: 31697a40-7b36-11ed-aa79-f742c05329b2 - execution_status: - status: ok - last_execution_date: '2022-12-13T22:33:44.388Z' - last_duration: 83 - actions: - - group: threshold met - id: 1007a0c0-7a6e-11ed-89d5-abec321c0def - uuid: 1c7a1280-f28c-4e06-96b2-e4e5f05d1d61 - params: - level: info - message: >- - Rule {{rule.name}} is active for group {{context.group}}: - - - - Value: {{context.value}} - - - Conditions Met: {{context.conditions}} over - {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - - - Timestamp: {{context.date} - connector_type_id: .server-log - connector_type_id: .server-log - frequency: - throttle: null - summary: false - notify_when: onActionGroupChange - last_run: - alerts_count: - new: 0 - ignored: 0 - recovered: 0 - active: 0 - outcome_msg: null - warning: null - outcome: succeeded - next_run: '2022-12-13T22:34:44.314Z' - api_key_created_by_user: false - Alerting_update_rule_request: - summary: Update an index threshold rule. 
- value: - actions: - - frequency: - summary: false - notify_when: onActionGroupChange - group: threshold met - id: 96b668d0-a1b6-11ed-afdf-d39a49596974 - params: - level: info - message: >- - Rule {{rule.name}} is active for group {{context.group}}: - - - - Value: {{context.value}} - - - Conditions Met: {{context.conditions}} over - {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - - - Timestamp: {{context.date}} - params: - aggField: sheet.version - aggType: avg - index: - - .updated-index - groupBy: top - termField: name.keyword - termSize: 6 - threshold: - - 1000 - thresholdComparator: '>' - timeField: '@timestamp' - timeWindowSize: 5 - timeWindowUnit: m - name: new name - schedule: - interval: 1m - tags: [] - Alerting_update_rule_response: - summary: >- - The update rule API returns a JSON object that contains details about - the rule. - value: - id: ac4e6b90-6be7-11eb-ba0d-9b1c1f912d74 - consumer: alerts - tags: [] - name: new name - enabled: true - throttle: null - revision: 1 - running: false - schedule: - interval: 1m - params: - index: - - .updated-index - timeField: '@timestamp' - groupBy: top - aggType: avg - timeWindowSize: 5 - timeWindowUnit: m - thresholdComparator: '>' - threshold: - - 1000 - aggField: sheet.version - termField: name.keyword - termSize: 6 - api_key_owner: elastic - created_by: elastic - updated_by: elastic - rule_type_id: .index-threshold - scheduled_task_id: 4c5eda00-e74f-11ec-b72f-5b18752ff9ea - created_at: '2024-03-26T23:13:20.985Z' - updated_at: '2024-03-26T23:22:59.949Z' - mute_all: false - muted_alert_ids: [] - execution_status: - status: ok - last_execution_date: '2024-03-26T23:22:51.390Z' - last_duration: 52 - actions: - - group: threshold met - params: - level: info - message: >- - Rule {{rule.name}} is active for group {{context.group}}: - - - - Value: {{context.value}} - - - Conditions Met: {{context.conditions}} over - {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - - - Timestamp: 
{{context.date} - id: 96b668d0-a1b6-11ed-afdf-d39a49596974 - uuid: 07aef2a0-9eed-4ef9-94ec-39ba58eb609d - connector_type_id: .server-log - frequency: - summary: false - throttle: null - notify_when: onActionGroupChange - last_run: - alerts_count: - new: 0 - ignored: 0 - recovered: 0 - active: 0 - outcome_msg: null - warning: null - outcome: succeeded - next_run: '2024-03-26T23:23:51.316Z' - api_key_created_by_user: false - Alerting_find_rules_response: - summary: Retrieve information about a rule. - value: - page: 1 - total: 1 - per_page: 10 - data: - - id: 3583a470-74f6-11ed-9801-35303b735aef - consumer: alerts - tags: - - cpu - name: my alert - enabled: true - throttle: null - schedule: - interval: 1m - params: - aggType: avg - termSize: 6 - thresholdComparator: '>' - timeWindowSize: 5 - timeWindowUnit: m - groupBy: top - threshold: - - 1000 - index: - - test-index - timeField: '@timestamp' - aggField: sheet.version - termField: name.keyword - revision: 1 - rule_type_id: .index-threshold - created_by: elastic - updated_by: elastic - created_at: '2022-12-05T23:40:33.132Z' - updated_at: '2022-12-05T23:40:33.132Z' - api_key_owner: elastic - mute_all: false - muted_alert_ids: [] - scheduled_task_id: 3583a470-74f6-11ed-9801-35303b735aef - execution_status: - status: ok - last_execution_date: '2022-12-06T01:44:23.983Z' - last_duration: 48 - actions: - - id: 9dca3e00-74f5-11ed-9801-35303b735aef - group: threshold met - uuid: 1c7a1280-f28c-4e06-96b2-e4e5f05d1d61 - params: - level: info - message: >- - Rule {{rule.name}} is active for group {{context.group}}: - - - - Value: {{context.value}} - - - Conditions Met: {{context.conditions}} over - {{rule.params.timeWindowSize}}{{rule.params.timeWindowUnit}} - - - Timestamp: {{context.date}} - connector_type_id: .server-log - frequency: - summary: false - notify_when: onActionGroupChange - throttle: null - last_run: - alerts_count: - new: 0 - ignored: 0 - recovered: 0 - active: 0 - outcome_msg: null - warning: null - outcome: 
succeeded - next_run: '2022-12-06T01:45:23.912Z' - api_key_created_by_user: false - Alerting_find_rules_response_conditional_action: - summary: Retrieve information about a rule that has conditional actions. - value: - page: 1 - total: 1 - per_page: 10 - data: - - id: 6107a8f0-f401-11ed-9f8e-399c75a2deeb - name: security_rule - consumer: siem - enabled: true - tags: [] - throttle: null - revision: 1 - running: false - schedule: - interval: 1m - params: - author: [] - description: A security threshold rule. - ruleId: an_internal_rule_id - falsePositives: [] - from: now-3660s - immutable: false - license: '' - outputIndex: '' - meta: - from: 1h - kibana_siem_app_url: https://localhost:5601/app/security - maxSignals: 100 - riskScore: 21 - riskScoreMapping: [] - severity: low - severityMapping: [] - threat: [] - to: now - references: [] - version: 1 - exceptionsList: [] - type: threshold - language: kuery - index: - - kibana_sample_data_logs - query: '*' - filters: [] - threshold: - field: - - bytes - value: 1 - cardinality: [] - rule_type_id: siem.thresholdRule - created_by: elastic - updated_by: elastic - created_at: '2023-05-16T15:50:28.358Z' - updated_at: '2023-05-16T20:25:42.559Z' - api_key_owner: elastic - notify_when: null - mute_all: false - muted_alert_ids: [] - scheduled_task_id: 6107a8f0-f401-11ed-9f8e-399c75a2deeb - execution_status: - status: ok - last_execution_date: '2023-05-16T20:26:49.590Z' - last_duration: 166 - actions: - - group: default - id: 49eae970-f401-11ed-9f8e-399c75a2deeb - params: - documents: - - rule_id: - '[object Object]': null - rule_name: - '[object Object]': null - alert_id: - '[object Object]': null - context_message: - '[object Object]': null - connector_type_id: .index - frequency: - summary: true - notify_when: onActiveAlert - throttle: null - uuid: 1c7a1280-f28c-4e06-96b2-e4e5f05d1d61 - alerts_filter: - timeframe: - days: - - 7 - timezone: UTC - hours: - start: '08:00' - end: '17:00' - query: - kql: '' - filters: - - meta: - 
disabled: false - negate: false - alias: null - index: c4bdca79-e69e-4d80-82a1-e5192c621bea - key: client.geo.region_iso_code - field: client.geo.region_iso_code - params: - query: CA-QC - type: phrase - $state: - store: appState - query: - match_phrase: - client.geo.region_iso_code: CA-QC - last_run: - alerts_count: - new: 0 - ignored: 0 - recovered: 0 - active: 0 - outcome_msg: - - Rule execution completed successfully - outcome_order: 0 - warning: null - outcome: succeeded - next_run: '2023-05-16T20:27:49.507Z' - api_key_created_by_user: false - Alerting_get_health_response: - summary: Retrieve information about the health of the alerting framework. - value: - is_sufficiently_secure: true - has_permanent_encryption_key: true - alerting_framework_health: - decryption_health: - status: ok - timestamp: '2023-01-13T01:28:00.280Z' - execution_health: - status: ok - timestamp: '2023-01-13T01:28:00.280Z' - read_health: - status: ok - timestamp: '2023-01-13T01:28:00.280Z' - Alerting_get_rule_types_response: - summary: Retrieve rule types associated with Kibana machine learning features - value: - - id: xpack.ml.anomaly_detection_alert - name: Anomaly detection alert - category: management - producer: ml - alerts: - context: ml.anomaly-detection - mappings: - fieldMap: - kibana.alert.job_id: - type: keyword - array: false - required: true - kibana.alert.anomaly_score: - type: double - array: false - required: false - kibana.alert.is_interim: - type: boolean - array: false - required: false - kibana.alert.anomaly_timestamp: - type: date - array: false - required: false - kibana.alert.top_records: - type: object - array: true - required: false - dynamic: false - properties: - job_id: - type: keyword - record_score: - type: double - initial_record_score: - type: double - detector_index: - type: integer - is_interim: - type: boolean - timestamp: - type: date - partition_field_name: - type: keyword - partition_field_value: - type: keyword - over_field_name: - type: keyword - 
over_field_value: - type: keyword - by_field_name: - type: keyword - by_field_value: - type: keyword - function: - type: keyword - typical: - type: double - actual: - type: double - field_name: - type: keyword - kibana.alert.top_influencers: - type: object - array: true - required: false - dynamic: false - properties: - job_id: - type: keyword - influencer_field_name: - type: keyword - influencer_field_value: - type: keyword - influencer_score: - type: double - initial_influencer_score: - type: double - is_interim: - type: boolean - timestamp: - type: date - shouldWrite: true - enabled_in_license: true - recovery_action_group: - id: recovered - name: Recovered - action_groups: - - id: anomaly_score_match - name: Anomaly score matched the condition - - id: recovered - name: Recovered - default_action_group_id: anomaly_score_match - minimum_license_required: platinum - is_exportable: true - rule_task_timeout: 5m - action_variables: - context: - - name: timestamp - description: The bucket timestamp of the anomaly - - name: timestampIso8601 - description: The bucket time of the anomaly in ISO8601 format - - name: jobIds - description: List of job IDs that triggered the alert - - name: message - description: Alert info message - - name: isInterim - description: Indicate if top hits contain interim results - - name: score - description: Anomaly score at the time of the notification action - - name: topRecords - description: Top records - - name: topInfluencers - description: Top influencers - - name: anomalyExplorerUrl - description: URL to open in the Anomaly Explorer - useWithTripleBracesInTemplates: true - state: [] - params: [] - authorized_consumers: - alerts: - read: true - all: true - stackAlerts: - read: true - all: true - slo: - read: true - all: true - ml: - read: true - all: true - uptime: - read: true - all: true - infrastructure: - read: true - all: true - logs: - read: true - all: true - monitoring: - read: true - all: true - siem: - read: true - all: true 
- apm: - read: true - all: true - discover: - read: true - all: true - does_set_recovery_context: true - has_alerts_mappings: true - has_fields_for_a_a_d: false - - id: xpack.ml.anomaly_detection_jobs_health - name: Anomaly detection jobs health - category: management - producer: ml - enabled_in_license: true - recovery_action_group: - id: recovered - name: Recovered - action_groups: - - id: anomaly_detection_realtime_issue - name: Issue detected - - id: recovered - name: Recovered - default_action_group_id: anomaly_detection_realtime_issue - minimum_license_required: platinum - is_exportable: true - rule_task_timeout: 5m - action_variables: - context: - - name: results - description: Results of the rule execution - - name: message - description: Alert info message - state: [] - params: [] - authorized_consumers: - alerts: - read: true - all: true - stackAlerts: - read: true - all: true - slo: - read: true - all: true - ml: - read: true - all: true - uptime: - read: true - all: true - infrastructure: - read: true - all: true - logs: - read: true - all: true - monitoring: - read: true - all: true - siem: - read: true - all: true - apm: - read: true - all: true - discover: - read: true - all: true - does_set_recovery_context: true - has_alerts_mappings: false - has_fields_for_a_a_d: false - Cases_create_case_request: - summary: Create a security case that uses a Jira connector. - value: - description: A case description. - title: Case title 1 - tags: - - tag-1 - connector: - id: 131d4448-abe0-4789-939d-8ef60680b498 - name: My connector - type: .jira - fields: - issueType: '10006' - priority: High - parent: null - settings: - syncAlerts: true - owner: cases - customFields: - - type: text - key: d312efda-ec2b-42ec-9e2c-84981795c581 - value: My field value - Cases_create_case_response: - summary: >- - The create case API returns a JSON object that contains details about - the case. 
- value: - comments: [] - totalAlerts: 0 - id: 66b9aa00-94fa-11ea-9f74-e7e108796192 - version: WzUzMiwxXQ== - totalComment: 0 - title: Case title 1 - tags: - - tag 1 - assignees: [] - description: A case description. - settings: - syncAlerts: true - owner: cases - customFields: - - key: d312efda-ec2b-42ec-9e2c-84981795c581 - type: text - value: My field value - - key: fcc6840d-eb14-42df-8aaf-232201a705ec - type: toggle - value: null - duration: null - severity: low - closed_at: null - closed_by: null - created_at: '2022-10-13T15:33:50.604Z' - created_by: - username: elastic - full_name: null - email: null - profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 - status: open - updated_at: null - updated_by: null - connector: - id: 131d4448-abe0-4789-939d-8ef60680b498 - name: My connector - type: .jira - fields: - issueType: '10006' - parent: null - priority: High - external_service: null - Cases_update_case_request: - summary: Update the case description, tags, and connector. - value: - cases: - - id: a18b38a0-71b0-11ea-a0b2-c51ea50a58e2 - version: WzIzLDFd - connector: - id: 131d4448-abe0-4789-939d-8ef60680b498 - name: My connector - type: .jira - fields: - issueType: '10006' - priority: null - parent: null - description: A case description. - tags: - - tag-1 - settings: - syncAlerts: true - customFields: - - key: fcc6840d-eb14-42df-8aaf-232201a705ec - type: toggle - value: false - - key: d312efda-ec2b-42ec-9e2c-84981795c581 - type: text - value: My new field value - Cases_update_case_response: - summary: >- - This is an example response when the case description, tags, and - connector were updated. - value: - - id: 66b9aa00-94fa-11ea-9f74-e7e108796192 - version: WzU0OCwxXQ== - comments: [] - totalComment: 0 - totalAlerts: 0 - title: Case title 1 - tags: - - tag-1 - settings: - syncAlerts: true - owner: cases - description: A case description. 
- duration: null - severity: low - closed_at: null - closed_by: null - created_at: '2023-10-13T09:16:17.416Z' - created_by: - email: null - full_name: null - username: elastic - profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 - status: open - updated_at: '2023-10-13T09:48:33.043Z' - updated_by: - email: null - full_name: null - username: elastic - profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 - assignees: [] - category: null - customFields: - - key: d312efda-ec2b-42ec-9e2c-84981795c581 - type: text - value: My new field value - - key: fcc6840d-eb14-42df-8aaf-232201a705ec - type: toggle - value: false - connector: - id: 131d4448-abe0-4789-939d-8ef60680b498 - name: My connector - type: .jira - fields: - issueType: '10006' - parent: null - priority: null - external_service: - external_title: IS-4 - pushed_by: - full_name: null - email: null - username: elastic - external_url: https://hms.atlassian.net/browse/IS-4 - pushed_at: '2023-10-13T09:20:40.672Z' - connector_id: 05da469f-1fde-4058-99a3-91e4807e2de8 - external_id: '10003' - connector_name: Jira - Cases_find_case_response: - summary: >- - Retrieve the first five cases with the `tag-1` tag, in ascending order - by last update time. 
- value: - page: 1 - per_page: 5 - total: 1 - cases: - - id: abed3a70-71bd-11ea-a0b2-c51ea50a58e2 - version: WzExMCwxXQ== - comments: [] - totalComment: 1 - totalAlerts: 0 - title: Case title - tags: - - tag-1 - description: Case description - settings: - syncAlerts: true - owner: cases - customFields: - - type: text - key: d312efda-ec2b-42ec-9e2c-84981795c581 - value: My field value - - key: fcc6840d-eb14-42df-8aaf-232201a705ec - type: toggle - value: null - duration: null - severity: low - closed_at: null - closed_by: null - created_at: '2023-10-12T00:16:36.371Z' - created_by: - email: null - full_name: null - username: elastic - profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 - status: open - updated_at: '2023-10-12T00:27:58.162Z' - updated_by: - email: null - full_name: null - username: elastic - profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 - assignees: [] - category: null - connector: - id: none - name: none - type: .none - fields: null - external_service: null - count_open_cases: 1 - count_in_progress_cases: 0 - count_closed_cases: 0 - Cases_get_case_configuration_response: - summary: Get the case configuration. - value: - - id: 856ee650-6c82-11ee-a20a-6164169afa58 - closure_type: close-by-user - customFields: - - key: d312efda-ec2b-42ec-9e2c-84981795c581 - defaultValue: Custom text field value. - label: my-text-field - required: false - type: text - owner: cases - created_at: '2024-07-01T17:07:17.767Z' - created_by: - username: elastic - email: null - full_name: null - updated_at: null - updated_by: null - connector: - id: none - name: none - type: .none - fields: null - mappings: [] - version: WzEyLDNd - error: null - templates: - - key: 505932fe-ee3a-4960-a661-c781b5acdb05 - name: template-1 - caseFields: - title: Default case title - tags: - - Default case tag - category: Default-category - description: A default description for cases. 
- assignees: - - uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 - connector: - id: none - type: .none - fields: null - name: none - customFields: - - key: d312efda-ec2b-42ec-9e2c-84981795c581 - value: Default text field value. - type: text - settings: - syncAlerts: false - description: A description of the template. - tags: - - Template tag 1 - Cases_set_case_configuration_request: - summary: >- - Set the closure type, custom fields, and default connector for Stack - Management cases. - value: - owner: cases - connector: - id: 5e656730-e1ca-11ec-be9b-9b1838238ee6 - name: my-jira-connector - type: .jira - fields: null - closure_type: close-by-user - customFields: - - key: d312efda-ec2b-42ec-9e2c-84981795c581 - label: my-text-field - required: false - type: text - defaultValue: My custom field default value. - templates: - - key: 505932fe-ee3a-4960-a661-c781b5acdb05 - name: template-1 - caseFields: - title: Default case title - tags: - - Default case tag - category: Default-category - description: A default description for cases. - assignees: - - uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 - customFields: - - key: d312efda-ec2b-42ec-9e2c-84981795c581 - type: text - value: A text field value for the template. - description: A description of the template. - tags: - - Template tag 1 - Cases_set_case_configuration_response: - summary: This is an example response for case settings. - value: - closure_type: close-by-user - customFields: - - key: d312efda-ec2b-42ec-9e2c-84981795c581 - label: my-text-field - required: false - type: text - defaultValue: My custom field default value. - templates: - - key: 505932fe-ee3a-4960-a661-c781b5acdb05 - name: template-1 - caseFields: - title: Default case title - tags: - - Default case tag - category: Default-category - description: A default description for cases. 
- assignees: - - uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 - customFields: - - key: d312efda-ec2b-42ec-9e2c-84981795c581 - type: text - value: A text field value for the template. - description: A description of the template. - tags: - - Template tag 1 - owner: cases - created_at: '2024-07-01T17:07:17.767Z' - created_by: - username: elastic - email: null, - full_name: null - profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 - updated_at: null - updated_by: null - connector: - id: 5e656730-e1ca-11ec-be9b-9b1838238ee6 - name: my-jira-connector - type: .jira - fields: null - mappings: - - source: title - target: summary - action_type: overwrite - - source: description - target: description - action_type: overwrite - - source: comments - target: comments - action_type: append - - source: tags - target: labels - action_type: overwrite - version: WzIwNzMsMV0= - error: null - id: 4a97a440-e1cd-11ec-be9b-9b1838238ee6 - Cases_update_case_configuration_request: - summary: Update the case settings. - value: - version: WzExOSw0XQ== - connector: - id: 5e656730-e1ca-11ec-be9b-9b1838238ee6 - name: my-jira-connector - type: .jira - fields: null - closure_type: close-by-user - customFields: - - key: d312efda-ec2b-42ec-9e2c-84981795c581 - label: my-text-field - required: true - type: text - defaultValue: A new default value. - - key: fcc6840d-eb14-42df-8aaf-232201a705ec - label: my-toggle - required: false - type: toggle - Cases_update_case_configuration_response: - summary: This is an example response when the case configuration was updated. - value: - closure_type: close-by-user - customFields: - - key: d312efda-ec2b-42ec-9e2c-84981795c581 - label: my-text-field - required: true - type: text - defaultValue: A new default value. 
- - key: fcc6840d-eb14-42df-8aaf-232201a705ec - label: my-toggle - required: false - type: toggle - owner: cases - created_at: '2024-07-01T17:07:17.767Z' - created_by: - username: elastic - email: null - full_name: null - profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 - updated_at: '2024-07-19T00:52:42.401Z' - updated_by: - username: elastic - full_name: null - email: null - profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 - connector: - id: 5e656730-e1ca-11ec-be9b-9b1838238ee6 - name: my-jira-connector - type: .jira - fields: null - mappings: - - source: title - target: summary - action_type: overwrite - - source: description - target: description - action_type: overwrite - - source: tags - target: labels - action_type: overwrite - - source: comments - target: comments - action_type: append - version: WzI2LDNd - error: null - id: 4a97a440-e1cd-11ec-be9b-9b1838238ee6 - templates: [] - Cases_get_reporters_response: - summary: A list of two users that opened cases - value: - - username: elastic - full_name: null - email: null - profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 - - username: jdoe - full_name: Jane Doe - email: jdoe@example.com - profile_uid: u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0 - Cases_get_tags_response: - summary: A list of tags that are used in cases - value: - - observability - - security - - tag 1 - - tag 2 - Cases_get_case_response: - summary: Retrieves information about a case including its comments. 
- value: - id: 31cdada0-02c1-11ed-85f2-4f7c222ca2fa - version: WzM2LDFd - comments: - - id: 2134c1d0-02c2-11ed-85f2-4f7c222ca2fa - version: WzM3LDFd - type: user - owner: cases - comment: A new comment - created_at: '2023-10-13T15:40:32.335Z' - created_by: - email: null - full_name: null - username: elastic - profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 - pushed_at: null - pushed_by: null - updated_at: null - updated_by: null - totalComment: 1 - totalAlerts: 0 - title: Case title 1 - tags: - - tag 1 - settings: - syncAlerts: true - owner: cases - category: null - customFields: - - type: text - key: d312efda-ec2b-42ec-9e2c-84981795c581 - value: My field value - - key: fcc6840d-eb14-42df-8aaf-232201a705ec - type: toggle - value: null - description: A case description - duration: null - severity: low - closed_at: null - closed_by: null - created_at: '2023-10-13T15:33:50.604Z' - created_by: - username: elastic - email: null - full_name: null - profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 - status: open - updated_at: '2023-10-13T15:40:32.335Z' - updated_by: - full_name: null - email: null - username: elastic - profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 - assignees: - - uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 - connector: - id: none - name: none - type: .none - fields: null - external_service: null - Cases_get_case_observability_response: - summary: >- - Retrieves information about an Observability case including its alerts - and comments. - value: - description: An Observability case description. 
- owner: observability - settings: - syncAlerts: false - tags: - - observability - - tag 1 - title: Observability case title 1 - category: null - customFields: [] - assignees: - - uid: u_0wpfV1MqYDaXzLtRVY-gLMrddKDEmfz51Fszhj7hWC8_0 - connector: - id: none - type: .none - fields: null - name: none - severity: low - status: in-progress - duration: null - closed_at: null - closed_by: null - created_at: '2023-11-06T19:29:04.086Z' - created_by: - username: elastic - full_name: null - email: null - updated_at: '2023-11-06T19:47:55.662Z' - updated_by: - username: elastic - full_name: null - email: null - profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 - external_service: null - id: c3ff7550-def1-4e90-b6bc-c9969a4a09b1 - version: WzI0NywyXQ== - totalComment: 1 - totalAlerts: 1 - comments: - - alertId: - - a6e12ac4-7bce-457b-84f6-d7ce8deb8446 - index: - - .internal.alerts-observability.logs.alerts-default-000001 - type: alert - rule: - id: 03e4eb87-62ca-4e5d-9570-3d7625e9669d - name: Observability rule - owner: observability - created_at: '2023-11-06T19:29:38.424Z' - created_by: - email: null - full_name: null - username: elastic - profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 - pushed_at: null - pushed_by: null - updated_at: null - updated_by: null - id: 59d438d0-79a9-4864-8d4b-e63adacebf6e - version: WzY3LDJd - - comment: The first comment. 
- type: user - owner: observability - created_at: '2023-11-06T19:29:57.812Z' - created_by: - email: null - full_name: null - username: elastic - profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 - pushed_at: null - pushed_by: null - updated_at: null - updated_by: null - id: d99342d3-3aa3-4b80-90ec-a702607604f5 - version: WzcyLDJd - Cases_get_case_alerts_response: - summary: Retrieves all alerts attached to a case - value: - - id: f6a7d0c3-d52d-432c-b2e6-447cd7fce04d - index: .alerts-observability.logs.alerts-default - attached_at: '2022-07-25T20:09:40.963Z' - Cases_add_comment_request: - summary: Adds a comment to a case. - value: - type: user - comment: A new comment. - owner: cases - Cases_add_comment_response: - summary: >- - The add comment to case API returns a JSON object that contains details - about the case and its comments. - value: - comments: - - id: 8af6ac20-74f6-11ea-b83a-553aecdb28b6 - version: WzIwNDMxLDFd - type: user - owner: cases - comment: A new comment. - created_at: '2022-10-02T00:49:47.716Z' - created_by: - username: elastic - email: null - full_name: null - totalAlerts: 0 - id: 293f1bc0-74f6-11ea-b83a-553aecdb28b6 - version: WzIzMzgsMV0= - totalComment: 1 - title: Case title 1 - tags: - - tag 1 - description: A case description. 
- category: null - assignees: [] - customFields: - - key: d312efda-ec2b-42ec-9e2c-84981795c581 - type: text - value: Field value - - key: fcc6840d-eb14-42df-8aaf-232201a705ec - type: toggle - value: true - settings: - syncAlerts: false - owner: cases - duration: null - severity: low - closed_at: null - closed_by: null - created_at: '2022-03-24T00:37:03.906Z' - created_by: - username: elastic - full_name: null - email: null - profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 - status: open - updated_at: '2022-06-03T00:49:47.716Z' - updated_by: - username: elastic - email: null - full_name: null - profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 - connector: - id: none - name: none - type: .none - fields: null - external_service: null - Cases_update_comment_request: - summary: Updates a comment of a case. - value: - id: 8af6ac20-74f6-11ea-b83a-553aecdb28b6 - version: Wzk1LDFd - type: user - comment: An updated comment. - owner: cases - Cases_update_comment_response: - summary: >- - The add comment to case API returns a JSON object that contains details - about the case and its comments. - value: - comments: - - id: 8af6ac20-74f6-11ea-b83a-553aecdb28b6 - version: WzIwNjM3LDFd - comment: An updated comment. - type: user - owner: cases - created_at: '2023-10-24T00:37:10.832Z' - created_by: - username: elastic - full_name: null - email: null - profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 - pushed_at: null - pushed_by: null - updated_at: '2023-10-24T01:27:06.210Z' - updated_by: - username: elastic - full_name: null - email: null - profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 - totalAlerts: 0 - id: 293f1bc0-74f6-11ea-b83a-553aecdb28b6 - version: WzIwNjM2LDFd - totalComment: 1 - title: Case title 1 - tags: - - tag 1 - description: A case description. 
- settings: - syncAlerts: false - owner: cases - category: null - assignees: [] - customFields: - - key: d312efda-ec2b-42ec-9e2c-84981795c581 - type: text - value: My new field value - - key: fcc6840d-eb14-42df-8aaf-232201a705ec - type: toggle - value: false - duration: null - severity: low - closed_at: null - closed_by: null - created_at: '2023-10-24T00:37:03.906Z' - created_by: - username: elastic - full_name: null - email: null - profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 - status: open - updated_at: '2023-10-24T01:27:06.210Z' - updated_by: - username: elastic - full_name: null - email: null - profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 - connector: - id: none - name: none - type: .none - fields: null - external_service: null - Cases_get_comment_response: - summary: A single user comment retrieved from a case - value: - id: 8048b460-fe2b-11ec-b15d-779a7c8bbcc3 - version: WzIzLDFd - type: user - owner: cases - comment: A new comment - created_at: '2023-10-07T19:32:13.104Z' - created_by: - email: null - full_name: null - username: elastic - profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 - pushed_at: null - pushed_by: null - updated_at: null - updated_by: null - Cases_push_case_response: - summary: >- - The push case API returns a JSON object with details about the case and - the external service. - value: - id: b917f300-0ed9-11ed-bd18-65557fe66949 - version: WzE3NjgsM10= - comments: [] - totalComment: 0 - totalAlerts: 0 - description: A case description. 
- title: Case title 1 - tags: - - tag 1 - settings: - syncAlerts: true - owner: cases - duration: null - severity: low - closed_at: null - closed_by: null - created_at: '2022-07-29T00:59:39.444Z' - created_by: - username: elastic - email: null - full_name: null - status: open - updated_at: '2022-07-29T01:20:58.436Z' - updated_by: - username: elastic - full_name: null - email: null - connector: - id: 09f8c0b0-0eda-11ed-bd18-65557fe66949 - name: My connector - type: .jira - fields: - issueType: '10006' - parent: null - priority: Low - external_service: - pushed_at: '2022-07-29T01:20:58.436Z' - pushed_by: - username: elastic - full_name: null - email: null - connector_name: My connector - external_id: '71926' - external_title: ES-554 - external_url: https://cases.jira.com - connector_id: 09f8c0b0-0eda-11ed-bd18-65557fe66949 - Cases_find_case_activity_response: - summary: Retrieves all activity for a case - value: - page: 1 - perPage: 20 - total: 3 - userActions: - - id: b4cd0770-07c9-11ed-a5fd-47154cb8767e - action: create - comment_id: null - created_at: '2023-10-20T01:17:22.150Z' - created_by: - username: elastic - email: null - full_name: null - profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 - owner: cases - payload: - assignees: [] - connector: - name: none - type: .none - fields: null - id: none - description: A case description. 
- tags: - - tag 1 - title: Case title 1 - owner: cases - settings: - syncAlerts: false - severity: low - status: open - category: null - customFields: - - key: d312efda-ec2b-42ec-9e2c-84981795c581 - type: text - value: My field value - - key: fcc6840d-eb14-42df-8aaf-232201a705ec - type: toggle - value: null - version: WzM1ODg4LDFd - type: create_case - - id: 57af14a0-03b1-11ed-920c-974bfa104448 - action: create - comment_id: 578608d0-03b1-11ed-920c-974bfa104448 - created_at: '2023-10-14T20:12:53.354Z' - created_by: - username: elastic - email: null - full_name: null - profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 - owner: cases - payload: - comment: A new comment - owner: cases - type: user - version: WzM1ODg4LDFa - type: comment - - id: 573c6980-6123-11ed-aa41-81a0a61fe447 - action: add - comment_id: null - created_at: '2023-10-20T01:10:28.238Z' - created_by: - username: elastic - email: null - full_name: null - profile_uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 - owner: cases - payload: - assignees: - uid: u_mGBROF_q5bmFCATbLXAcCwKa0k8JvONAwSruelyKA5E_0 - version: WzM1ODg4LDFb - type: assignees - Cases_find_connector_response: - summary: Retrieve information about the connectors and their settings. - value: - - id: 61787f53-4eee-4741-8df6-8fe84fa616f7 - actionTypeId: .jira - name: my-Jira - isMissingSecrets: false - config: - apiUrl: https://elastic.atlassian.net/ - projectKey: ES - isPreconfigured: false - isDeprecated: false - referencedByCount: 0 Connectors_create_email_connector_request: summary: Create an email connector. - value: - name: email-connector-1 - connector_type_id: .email - config: - from: tester@example.com - hasAuth: true - host: https://example.com - port: 1025 - secure: false - service: other - secrets: - user: username - password: password - Connectors_create_index_connector_request: - summary: Create an index connector. 
- value: - name: my-connector - connector_type_id: .index - config: - index: test-index - Connectors_create_webhook_connector_request: - summary: Create a webhook connector with SSL authentication. - value: - name: my-webhook-connector - connector_type_id: .webhook - config: - method: post - url: https://example.com - authType: webhook-authentication-ssl - certType: ssl-crt-key - secrets: - crt: QmFnIEF0dH... - key: LS0tLS1CRUdJ... - password: my-passphrase - Connectors_create_xmatters_connector_request: - summary: Create an xMatters connector with URL authentication. - value: - name: my-xmatters-connector - connector_type_id: .xmatters + value: config: - usesBasic: false + from: tester@example.com + hasAuth: true + host: 'https://example.com' + port: 1025 + secure: false + service: other + connector_type_id: .email + name: email-connector-1 secrets: - secretsUrl: https://example.com?apiKey=xxxxx + password: password + user: username Connectors_create_email_connector_response: summary: A new email connector. value: - id: 90a82c60-478f-11ee-a343-f98a117c727f - connector_type_id: .email - name: email-connector-1 config: + clientId: null from: tester@example.com - service: other - host: https://example.com + hasAuth: true + host: 'https://example.com' + oauthTokenUrl: null port: 1025 secure: false - hasAuth: true + service: other tenantId: null - clientId: null - oauthTokenUrl: null - is_preconfigured: false + connector_type_id: .email + id: 90a82c60-478f-11ee-a343-f98a117c727f is_deprecated: false is_missing_secrets: false + is_preconfigured: false is_system_action: false - Connectors_create_index_connector_response: - summary: A new index connector. + name: email-connector-1 + Connectors_create_index_connector_request: + summary: Create an index connector. value: - id: c55b6eb0-6bad-11eb-9f3b-611eebc6c3ad + config: + index: test-index connector_type_id: .index name: my-connector + Connectors_create_index_connector_response: + summary: A new index connector. 
+ value: config: + executionTimeField: null index: test-index refresh: false - executionTimeField: null - is_preconfigured: false + connector_type_id: .index + id: c55b6eb0-6bad-11eb-9f3b-611eebc6c3ad is_deprecated: false is_missing_secrets: false + is_preconfigured: false is_system_action: false + name: my-connector + Connectors_create_webhook_connector_request: + summary: Create a webhook connector with SSL authentication. + value: + config: + authType: webhook-authentication-ssl + certType: ssl-crt-key + method: post + url: 'https://example.com' + connector_type_id: .webhook + name: my-webhook-connector + secrets: + crt: QmFnIEF0dH... + key: LS0tLS1CRUdJ... + password: my-passphrase Connectors_create_webhook_connector_response: summary: A new webhook connector. value: - id: 900eb010-3b9d-11ee-a642-8ffbb94e38bd - name: my-webhook-connector config: - method: post - url: https://example.com authType: webhook-authentication-ssl certType: ssl-crt-key - verificationMode: full - headers: null hasAuth: true + headers: null + method: post + url: 'https://example.com' + verificationMode: full connector_type_id: .webhook - is_preconfigured: false + id: 900eb010-3b9d-11ee-a642-8ffbb94e38bd is_deprecated: false is_missing_secrets: false + is_preconfigured: false is_system_action: false + name: my-webhook-connector + Connectors_create_xmatters_connector_request: + summary: Create an xMatters connector with URL authentication. + value: + config: + usesBasic: false + connector_type_id: .xmatters + name: my-xmatters-connector + secrets: + secretsUrl: 'https://example.com?apiKey=xxxxx' Connectors_create_xmatters_connector_response: summary: A new xMatters connector. 
value: - id: 4d2d8da0-4d1f-11ee-9367-577408be4681 - name: my-xmatters-connector config: - usesBasic: false configUrl: null + usesBasic: false connector_type_id: .xmatters - is_preconfigured: false + id: 4d2d8da0-4d1f-11ee-9367-577408be4681 is_deprecated: false is_missing_secrets: false + is_preconfigured: false is_system_action: false + name: my-xmatters-connector Connectors_get_connector_response: summary: Get connector details. value: - id: df770e30-8b8b-11ed-a780-3b746c987a81 - name: my_server_log_connector config: {} connector_type_id: .server-log - is_preconfigured: false + id: df770e30-8b8b-11ed-a780-3b746c987a81 is_deprecated: false is_missing_secrets: false + is_preconfigured: false is_system_action: false - Connectors_update_index_connector_request: - summary: Update an index connector. + name: my_server_log_connector + Connectors_get_connector_types_generativeai_response: + summary: A list of connector types for the `generativeAI` feature. value: - name: updated-connector - config: - index: updated-index + - enabled: true + enabled_in_config: true + enabled_in_license: true + id: .gen-ai + is_system_action_type: false + minimum_license_required: enterprise + name: OpenAI + supported_feature_ids: + - generativeAIForSecurity + - generativeAIForObservability + - generativeAIForSearchPlayground + - enabled: true + enabled_in_config: true + enabled_in_license: true + id: .bedrock + is_system_action_type: false + minimum_license_required: enterprise + name: AWS Bedrock + supported_feature_ids: + - generativeAIForSecurity + - generativeAIForObservability + - generativeAIForSearchPlayground + - enabled: true + enabled_in_config: true + enabled_in_license: true + id: .gemini + is_system_action_type: false + minimum_license_required: enterprise + name: Google Gemini + supported_feature_ids: + - generativeAIForSecurity + Connectors_get_connectors_response: + summary: A list of connectors + value: + - connector_type_id: .email + id: preconfigured-email-connector + 
is_deprecated: false + is_preconfigured: true + is_system_action: false + name: my-preconfigured-email-notification + referenced_by_count: 0 + - config: + executionTimeField: null + index: test-index + refresh: false + connector_type_id: .index + id: e07d0c80-8b8b-11ed-a780-3b746c987a81 + is_deprecated: false + is_missing_secrets: false + is_preconfigured: false + is_system_action: false + name: my-index-connector + referenced_by_count: 2 Connectors_run_cases_webhook_connector_request: summary: Run a Webhook - Case Management connector to create a case. value: @@ -18418,17 +10685,32 @@ components: subAction: pushToService subActionParams: comments: - - commentId: 1 - comment: A comment about the incident. + - comment: A comment about the incident. + commentId: 1 incident: - title: Case title description: Description of the incident. + id: caseID + severity: low + status: open tags: - tag1 - tag2 - severity: low - status: open - id: caseID + title: Case title + Connectors_run_cases_webhook_connector_response: + summary: >- + Response from a pushToService action for a Webhook - Case Management + connector. + value: + connector_id: 1824b5b8-c005-4dcc-adac-57f92db46459 + data: + comments: + - commentId: 1 + pushedDate: '2023-12-05T19:43:36.360Z' + id: 100665 + pushedDate: '2023-12-05T19:43:36.360Z' + title: TEST-29034 + url: 'https://example.com/browse/TEST-29034' + status: ok Connectors_run_email_connector_request: summary: Send an email message from an email connector. value: 
@@ -18442,36 +10724,113 @@ components: subject: Test message subject to: - user4@example.com + Connectors_run_email_connector_response: + summary: Response for sending a message from an email connector. + value: + connector_id: 7fc7b9a0-ecc9-11ec-8736-e7d63118c907 + data: + accepted: + - user1@example.com + - user2@example.com + - user3@example.com + - user4@example.com + envelope: + from: tester@example.com + to: + - user1@example.com + - user2@example.com + - user3@example.com + - user4@example.com + envelopeTime: 8 + messageId: <08a92d29-642a-0706-750c-de5996bd5cf3@example.com> + messageSize: 729 + messageTime: 3 + rejected: [] + response: 250 Message queued as QzEXKcGJ + status: ok Connectors_run_index_connector_request: summary: Run an index connector. value: params: documents: - id: my_doc_id + message: 'hello, world' name: my_doc_name - message: hello, world + Connectors_run_index_connector_response: + summary: Response from running an index connector. + value: + connector_id: fd38c600-96a5-11ed-bb79-353b74189cba + data: + errors: false + items: + - create: + _id: 4JtvwYUBrcyxt2NnfW3y + _index: my-index + _primary_term: 1 + _seq_no: 0 + _shards: + failed: 0 + successful: 1 + total: 2 + _version: 1 + result: created + status: 201 + took: 135 + status: ok Connectors_run_jira_connector_request: summary: Run a Jira connector to retrieve the list of issue types. value: params: subAction: issueTypes + Connectors_run_jira_connector_response: + summary: Response from retrieving the list of issue types for a Jira connector. + value: + connector_id: b3aad810-edbe-11ec-82d1-11348ecbf4a6 + data: + - id: 10024 + name: Improvement + - id: 10006 + name: Task + - id: 10007 + name: Sub-task + - id: 10025 + name: New Feature + - id: 10023 + name: Bug + - id: 10000 + name: Epic + status: ok Connectors_run_pagerduty_connector_request: summary: Run a PagerDuty connector to trigger an alert. 
value: params: + customDetails: + my_data_1: test data eventAction: trigger - summary: A brief event summary links: - - href: http://example.com/pagerduty + - href: 'http://example.com/pagerduty' text: An example link - customDetails: - my_data_1: test data + summary: A brief event summary + Connectors_run_pagerduty_connector_response: + summary: Response from running a PagerDuty connector. + value: + connector_id: 45de9f70-954f-4608-b12a-db7cf808e49d + data: + dedup_key: 5115e138b26b484a81eaea779faa6016 + message: Event processed + status: success + status: ok Connectors_run_server_log_connector_request: summary: Run a server log connector. value: params: level: warn message: Test warning message. + Connectors_run_server_log_connector_response: + summary: Response from running a server log connector. + value: + connector_id: 7fc7b9a0-ecc9-11ec-8736-e7d63118c907 + status: ok Connectors_run_servicenow_itom_connector_request: summary: Run a ServiceNow ITOM connector to retrieve the list of choices. value: 
@@ -18481,6 +10840,50 @@ components: fields: - severity - urgency + Connectors_run_servicenow_itom_connector_response: + summary: >- + Response from retrieving the list of choices for a ServiceNow ITOM + connector. + value: + connector_id: 9d9be270-2fd2-11ed-b0e0-87533c532698 + data: + - dependent_value: '' + element: severity + label: Critical + value: 1 + - dependent_value: '' + element: severity + label: Major + value: 2 + - dependent_value: '' + element: severity + label: Minor + value: 3 + - dependent_value: '' + element: severity + label: Warning + value: 4 + - dependent_value: '' + element: severity + label: OK + value: 5 + - dependent_value: '' + element: severity + label: Clear + value: 0 + - dependent_value: '' + element: urgency + label: 1 - High + value: 1 + - dependent_value: '' + element: urgency + label: 2 - Medium + value: 2 + - dependent_value: '' + element: urgency + label: 3 - Low + value: 3 + status: ok Connectors_run_slack_api_connector_request: summary: >- Run a Slack connector that uses the web API method to post a message on @@ -18492,6 +10895,40 @@ components: channelIds: - C123ABC456 text: A test message. + Connectors_run_slack_api_connector_response: + summary: Response from posting a message with a Slack connector. + value: + connector_id: .slack_api + data: + channel: C123ABC456 + message: + app_id: A01BC2D34EF + blocks: + - block_id: /NXe + elements: + - elements: + - text: A test message. + type: text + type: rich_text_section + type: rich_text + bot_id: B12BCDEFGHI + bot_profile: + app_id: A01BC2D34EF + deleted: false + icons: + image_36: 'https://a.slack-edge.com/80588/img/plugins/app/bot_36.png' + id: B12BCDEFGHI + name: test + team_id: T01ABCDE2F + updated: 1672169705 + team: T01ABCDE2F + text: A test message + ts: '1234567890.123456' + type: message + user: U12A345BC6D + ok: true + ts: '1234567890.123456' + status: ok Connectors_run_swimlane_connector_request: summary: Run a Swimlane connector to create an incident. value: 
@@ -18499,1973 +10936,18145 @@ components: subAction: pushToService subActionParams: comments: - - commentId: 1 - comment: A comment about the incident. + - comment: A comment about the incident. + commentId: 1 incident: caseId: '1000' caseName: Case name description: Description of the incident. - Connectors_run_cases_webhook_connector_response: - summary: >- - Response from a pushToService action for a Webhook - Case Management - connector. + Connectors_run_swimlane_connector_response: + summary: Response from creating a Swimlane incident. value: - connector_id: 1824b5b8-c005-4dcc-adac-57f92db46459 + connector_id: a4746470-2f94-11ed-b0e0-87533c532698 data: - id: 100665 - title: TEST-29034 - url: https://example.com/browse/TEST-29034 - pushedDate: '2023-12-05T19:43:36.360Z' comments: - commentId: 1 - pushedDate: '2023-12-05T19:43:36.360Z' + pushedDate: '2022-09-08T16:52:27.865Z' + id: aKPmBHWzmdRQtx6Mx + pushedDate: '2022-09-08T16:52:27.866Z' + title: TEST-457 + url: >- + https://elastic.swimlane.url.us/record/aNcL2xniGHGpa2AHb/aKPmBHWzmdRQtx6Mx status: ok - Connectors_run_email_connector_response: - summary: Response for sending a message from an email connector. + Connectors_update_index_connector_request: + summary: Update an index connector. value: - connector_id: 7fc7b9a0-ecc9-11ec-8736-e7d63118c907 - data: - accepted: - - user1@example.com - - user2@example.com - - user3@example.com - - user4@example.com - envelope: - from: tester@example.com - to: - - user1@example.com - - user2@example.com - - user3@example.com - - user4@example.com - envelopeTime: 8 - messageTime: 3 - messageSize: 729 - response: 250 Message queued as QzEXKcGJ - messageId: <08a92d29-642a-0706-750c-de5996bd5cf3@example.com> - rejected: [] - status: ok - Connectors_run_index_connector_response: - summary: Response from running an index connector. 
+ config: + index: updated-index + name: updated-connector + Data_views_create_data_view_request: + summary: Create a data view with runtime fields. + value: + data_view: + name: My Logstash data view + runtimeFieldMap: + runtime_shape_name: + script: + source: 'emit(doc[''shape_name''].value)' + type: keyword + title: logstash-* + Data_views_create_runtime_field_request: + summary: Create a runtime field. + value: + name: runtimeFoo + runtimeField: + script: + source: 'emit(doc["foo"].value)' + type: long + Data_views_get_data_view_response: + summary: >- + The get data view API returns a JSON object that contains information + about the data view. + value: + data_view: + allowNoIndex: false + fieldAttrs: + products.manufacturer: + count: 1 + products.price: + count: 1 + products.product_name: + count: 1 + total_quantity: + count: 1 + fieldFormats: + products.base_price: + id: number + params: + pattern: '$0,0.00' + products.base_unit_price: + id: number + params: + pattern: '$0,0.00' + products.min_price: + id: number + params: + pattern: '$0,0.00' + products.price: + id: number + params: + pattern: '$0,0.00' + products.taxful_price: + id: number + params: + pattern: '$0,0.00' + products.taxless_price: + id: number + params: + pattern: '$0,0.00' + taxful_total_price: + id: number + params: + pattern: '$0,0.[00]' + taxless_total_price: + id: number + params: + pattern: '$0,0.00' + fields: + _id: + aggregatable: false + count: 0 + esTypes: + - _id + format: + id: string + isMapped: true + name: _id + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + _index: + aggregatable: true + count: 0 + esTypes: + - _index + format: + id: string + isMapped: true + name: _index + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + _score: + aggregatable: false + count: 0 + format: + id: number + isMapped: true + name: _score + readFromDocValues: false + scripted: false + 
searchable: false + shortDotsEnable: false + type: number + _source: + aggregatable: false + count: 0 + esTypes: + - _source + format: + id: _source + isMapped: true + name: _source + readFromDocValues: false + scripted: false + searchable: false + shortDotsEnable: false + type: _source + category: + aggregatable: false + count: 0 + esTypes: + - text + format: + id: string + isMapped: true + name: category + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + category.keyword: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: category.keyword + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + subType: + multi: + parent: category + type: string + currency: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: currency + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + customer_birth_date: + aggregatable: true + count: 0 + esTypes: + - date + format: + id: date + isMapped: true + name: customer_birth_date + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: date + customer_first_name: + aggregatable: false + count: 0 + esTypes: + - text + format: + id: string + isMapped: true + name: customer_first_name + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + customer_first_name.keyword: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: customer_first_name.keyword + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + subType: + multi: + parent: customer_first_name + type: string + customer_full_name: + aggregatable: false + count: 0 + esTypes: + - text + format: + id: string + isMapped: true + name: customer_full_name + readFromDocValues: false + 
scripted: false + searchable: true + shortDotsEnable: false + type: string + customer_full_name.keyword: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: customer_full_name.keyword + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + subType: + multi: + parent: customer_full_name + type: string + customer_gender: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: customer_gender + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + customer_id: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: customer_id + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + customer_last_name: + aggregatable: false + count: 0 + esTypes: + - text + format: + id: string + isMapped: true + name: customer_last_name + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + customer_last_name.keyword: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: customer_last_name.keyword + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + subType: + multi: + parent: customer_last_name + type: string + customer_phone: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: customer_phone + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + day_of_week: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: day_of_week + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + day_of_week_i: + aggregatable: true + count: 0 + esTypes: + - integer + format: + id: number + isMapped: 
true + name: day_of_week_i + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + email: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: email + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + event.dataset: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: event.dataset + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + geoip.city_name: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: geoip.city_name + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + geoip.continent_name: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: geoip.continent_name + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + geoip.country_iso_code: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: geoip.country_iso_code + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + geoip.location: + aggregatable: true + count: 0 + esTypes: + - geo_point + format: + id: geo_point + params: + transform: wkt + isMapped: true + name: geoip.location + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: geo_point + geoip.region_name: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: geoip.region_name + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + manufacturer: + aggregatable: false + count: 0 + esTypes: + - text + format: + id: string + isMapped: true + name: manufacturer + 
readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + manufacturer.keyword: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: manufacturer.keyword + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + subType: + multi: + parent: manufacturer + type: string + order_date: + aggregatable: true + count: 0 + esTypes: + - date + format: + id: date + isMapped: true + name: order_date + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: date + order_id: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: order_id + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + products._id: + aggregatable: false + count: 0 + esTypes: + - text + format: + id: string + isMapped: true + name: products._id + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + products._id.keyword: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: products._id.keyword + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + subType: + multi: + parent: products._id + type: string + products.base_price: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + params: + pattern: '$0,0.00' + isMapped: true + name: products.base_price + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + products.base_unit_price: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + params: + pattern: '$0,0.00' + isMapped: true + name: products.base_unit_price + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + products.category: + aggregatable: false + 
count: 0 + esTypes: + - text + format: + id: string + isMapped: true + name: products.category + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + products.category.keyword: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: products.category.keyword + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + subType: + multi: + parent: products.category + type: string + products.created_on: + aggregatable: true + count: 0 + esTypes: + - date + format: + id: date + isMapped: true + name: products.created_on + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: date + products.discount_amount: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + isMapped: true + name: products.discount_amount + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + products.discount_percentage: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + isMapped: true + name: products.discount_percentage + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + products.manufacturer: + aggregatable: false + count: 1 + esTypes: + - text + format: + id: string + isMapped: true + name: products.manufacturer + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + products.manufacturer.keyword: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: products.manufacturer.keyword + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + subType: + multi: + parent: products.manufacturer + type: string + products.min_price: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + params: + pattern: '$0,0.00' + 
isMapped: true + name: products.min_price + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + products.price: + aggregatable: true + count: 1 + esTypes: + - half_float + format: + id: number + params: + pattern: '$0,0.00' + isMapped: true + name: products.price + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + products.product_id: + aggregatable: true + count: 0 + esTypes: + - long + format: + id: number + isMapped: true + name: products.product_id + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + products.product_name: + aggregatable: false + count: 1 + esTypes: + - text + format: + id: string + isMapped: true + name: products.product_name + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + products.product_name.keyword: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: products.product_name.keyword + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + subType: + multi: + parent: products.product_name + type: string + products.quantity: + aggregatable: true + count: 0 + esTypes: + - integer + format: + id: number + isMapped: true + name: products.quantity + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + products.sku: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: products.sku + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + products.tax_amount: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + isMapped: true + name: products.tax_amount + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + products.taxful_price: + 
aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + params: + pattern: '$0,0.00' + isMapped: true + name: products.taxful_price + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + products.taxless_price: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + params: + pattern: '$0,0.00' + isMapped: true + name: products.taxless_price + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + products.unit_discount_amount: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + isMapped: true + name: products.unit_discount_amount + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + sku: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: sku + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + taxful_total_price: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + params: + pattern: '$0,0.[00]' + isMapped: true + name: taxful_total_price + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + taxless_total_price: + aggregatable: true + count: 0 + esTypes: + - half_float + format: + id: number + params: + pattern: '$0,0.00' + isMapped: true + name: taxless_total_price + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + total_quantity: + aggregatable: true + count: 1 + esTypes: + - integer + format: + id: number + isMapped: true + name: total_quantity + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + total_unique_products: + aggregatable: true + count: 0 + esTypes: + - integer + format: + id: number + isMapped: true + name: total_unique_products + 
readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + type: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: type + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + user: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: user + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + id: ff959d40-b880-11e8-a6d9-e546fe2bba5f + name: Kibana Sample Data eCommerce + namespaces: + - default + runtimeFieldMap: {} + sourceFilters: [] + timeFieldName: order_date + title: kibana_sample_data_ecommerce + typeMeta: {} + version: WzUsMV0= + Data_views_get_data_views_response: + summary: The get all data views API returns a list of data views. value: - connector_id: fd38c600-96a5-11ed-bb79-353b74189cba - data: - errors: false - items: - - create: - _id: 4JtvwYUBrcyxt2NnfW3y - _index: my-index - _primary_term: 1 - _seq_no: 0 - _shards: - failed: 0 - successful: 1 - total: 2 - _version: 1 - result: created - status: 201 - took: 135 - status: ok - Connectors_run_jira_connector_response: - summary: Response from retrieving the list of issue types for a Jira connector. + data_view: + - id: ff959d40-b880-11e8-a6d9-e546fe2bba5f + name: Kibana Sample Data eCommerce + namespaces: + - default + title: kibana_sample_data_ecommerce + typeMeta: {} + - id: d3d7af60-4c81-11e8-b3d7-01146121b73d + name: Kibana Sample Data Flights + namespaces: + - default + title: kibana_sample_data_flights + - id: 90943e30-9a47-11e8-b64d-95841ca0b247 + name: Kibana Sample Data Logs + namespaces: + - default + title: kibana_sample_data_logs + Data_views_get_default_data_view_response: + summary: The get default data view API returns the default data view identifier. 
value: - connector_id: b3aad810-edbe-11ec-82d1-11348ecbf4a6 - data: - - id: 10024 - name: Improvement - - id: 10006 - name: Task - - id: 10007 - name: Sub-task - - id: 10025 - name: New Feature - - id: 10023 - name: Bug - - id: 10000 - name: Epic - status: ok - Connectors_run_pagerduty_connector_response: - summary: Response from running a PagerDuty connector. + data_view_id: ff959d40-b880-11e8-a6d9-e546fe2bba5f + Data_views_get_runtime_field_response: + summary: >- + The get runtime field API returns a JSON object that contains + information about the runtime field (`hour_of_day`) and the data view + (`d3d7af60-4c81-11e8-b3d7-01146121b73d`). + value: + data_view: + allowNoIndex: false + fieldAttrs: {} + fieldFormats: + AvgTicketPrice: + id: number + params: + pattern: '$0,0.[00]' + hour_of_day: + id: number + params: + pattern: '00' + fields: + _id: + aggregatable: false + count: 0 + esTypes: + - _id + format: + id: string + isMapped: true + name: _id + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + _index: + aggregatable: true + count: 0 + esTypes: + - _index + format: + id: string + isMapped: true + name: _index + readFromDocValues: false + scripted: false + searchable: true + shortDotsEnable: false + type: string + _score: + aggregatable: false + count: 0 + format: + id: number + isMapped: true + name: _score + readFromDocValues: false + scripted: false + searchable: false + shortDotsEnable: false + type: number + _source: + aggregatable: false + count: 0 + esTypes: + - _source + format: + id: _source + isMapped: true + name: _source + readFromDocValues: false + scripted: false + searchable: false + shortDotsEnable: false + type: _source + AvgTicketPrice: + aggregatable: true + count: 0 + esTypes: + - float + format: + id: number + params: + pattern: '$0,0.[00]' + isMapped: true + name: AvgTicketPrice + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + 
Cancelled: + aggregatable: true + count: 0 + esTypes: + - boolean + format: + id: boolean + isMapped: true + name: Cancelled + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: boolean + Carrier: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: Carrier + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + dayOfWeek: + aggregatable: true + count: 0 + esTypes: + - integer + format: + id: number + isMapped: true + name: dayOfWeek + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + Dest: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: Dest + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + DestAirportID: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: DestAirportID + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + DestCityName: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: DestCityName + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + DestCountry: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: DestCountry + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + DestLocation: + aggregatable: true + count: 0 + esTypes: + - geo_point + format: + id: geo_point + params: + transform: wkt + isMapped: true + name: DestLocation + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: geo_point + DestRegion: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: 
DestRegion + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + DestWeather: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: DestWeather + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + DistanceKilometers: + aggregatable: true + count: 0 + esTypes: + - float + format: + id: number + isMapped: true + name: DistanceKilometers + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + DistanceMiles: + aggregatable: true + count: 0 + esTypes: + - float + format: + id: number + isMapped: true + name: DistanceMiles + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + FlightDelay: + aggregatable: true + count: 0 + esTypes: + - boolean + format: + id: boolean + isMapped: true + name: FlightDelay + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: boolean + FlightDelayMin: + aggregatable: true + count: 0 + esTypes: + - integer + format: + id: number + isMapped: true + name: FlightDelayMin + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + FlightDelayType: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: FlightDelayType + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + FlightNum: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: FlightNum + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + FlightTimeHour: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: FlightTimeHour + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + 
type: string + FlightTimeMin: + aggregatable: true + count: 0 + esTypes: + - float + format: + id: number + isMapped: true + name: FlightTimeMin + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: number + hour_of_day: + aggregatable: true + count: 0 + esTypes: + - long + format: + id: number + params: + pattern: '00' + name: hour_of_day + readFromDocValues: false + runtimeField: + script: + source: 'emit(doc[''timestamp''].value.getHour());' + type: long + scripted: false + searchable: true + shortDotsEnable: false + type: number + Origin: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: Origin + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + OriginAirportID: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: OriginAirportID + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + OriginCityName: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: OriginCityName + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + OriginCountry: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: OriginCountry + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + OriginLocation: + aggregatable: true + count: 0 + esTypes: + - geo_point + format: + id: geo_point + params: + transform: wkt + isMapped: true + name: OriginLocation + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: geo_point + OriginRegion: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: OriginRegion + readFromDocValues: true + scripted: false + searchable: true + 
shortDotsEnable: false + type: string + OriginWeather: + aggregatable: true + count: 0 + esTypes: + - keyword + format: + id: string + isMapped: true + name: OriginWeather + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: string + timestamp: + aggregatable: true + count: 0 + esTypes: + - date + format: + id: date + isMapped: true + name: timestamp + readFromDocValues: true + scripted: false + searchable: true + shortDotsEnable: false + type: date + id: d3d7af60-4c81-11e8-b3d7-01146121b73d + name: Kibana Sample Data Flights + runtimeFieldMap: + hour_of_day: + script: + source: 'emit(doc[''timestamp''].value.getHour());' + type: long + sourceFilters: [] + timeFieldName: timestamp + title: kibana_sample_data_flights + version: WzM2LDJd + fields: + - aggregatable: true + count: 0 + esTypes: + - long + name: hour_of_day + readFromDocValues: false + runtimeField: + script: + source: 'emit(doc[''timestamp''].value.getHour());' + type: long + scripted: false + searchable: true + shortDotsEnable: false + type: number + Data_views_preview_swap_data_view_request: + summary: Preview swapping references from data view ID "abcd-efg" to "xyz-123". value: - connector_id: 45de9f70-954f-4608-b12a-db7cf808e49d - data: - dedup_key: 5115e138b26b484a81eaea779faa6016 - message: Event processed - status: success - status: ok - Connectors_run_server_log_connector_response: - summary: Response from running a server log connector. + fromId: abcd-efg + toId: xyz-123 + Data_views_set_default_data_view_request: + summary: Set the default data view identifier. value: - connector_id: 7fc7b9a0-ecc9-11ec-8736-e7d63118c907 - status: ok - Connectors_run_servicenow_itom_connector_response: + data_view_id: ff959d40-b880-11e8-a6d9-e546fe2bba5f + force: true + Data_views_swap_data_view_request: summary: >- - Response from retrieving the list of choices for a ServiceNow ITOM - connector. 
+ Swap references from data view ID "abcd-efg" to "xyz-123" and remove the + data view that is no longer referenced. value: - connector_id: 9d9be270-2fd2-11ed-b0e0-87533c532698 - data: - - dependent_value: '' - element: severity - label: Critical - value: 1 - - dependent_value: '' - element: severity - label: Major - value: 2 - - dependent_value: '' - element: severity - label: Minor - value: 3 - - dependent_value: '' - element: severity - label: Warning - value: 4 - - dependent_value: '' - element: severity - label: OK - value: 5 - - dependent_value: '' - element: severity - label: Clear - value: 0 - - dependent_value: '' - element: urgency - label: 1 - High - value: 1 - - dependent_value: '' - element: urgency - label: 2 - Medium - value: 2 - - dependent_value: '' - element: urgency - label: 3 - Low - value: 3 - status: ok - Connectors_run_slack_api_connector_response: - summary: Response from posting a message with a Slack connector. + delete: true + fromId: abcd-efg + toId: xyz-123 + Data_views_update_data_view_request: + summary: Update some properties for a data view. value: - status: ok - data: - ok: true - channel: C123ABC456 - ts: '1234567890.123456' - message: - bot_id: B12BCDEFGHI - type: message - text: A test message - user: U12A345BC6D - ts: '1234567890.123456' - app_id: A01BC2D34EF - blocks: - - type: rich_text - block_id: /NXe - elements: - - type: rich_text_section - elements: - - type: text - text: A test message. - team: T01ABCDE2F - bot_profile: - id: B12BCDEFGHI - app_id: A01BC2D34EF - name: test - icons: - image_36: https://a.slack-edge.com/80588/img/plugins/app/bot_36.png - deleted: false - updated: 1672169705 - team_id: T01ABCDE2F - connector_id: .slack_api - Connectors_run_swimlane_connector_response: - summary: Response from creating a Swimlane incident. 
+ data_view: + allowNoIndex: false + name: Kibana Sample Data eCommerce + timeFieldName: order_date + title: kibana_sample_data_ecommerce + refresh_fields: true + Data_views_update_field_metadata_request: + summary: Update metadata for multiple fields. value: - connector_id: a4746470-2f94-11ed-b0e0-87533c532698 - data: - id: aKPmBHWzmdRQtx6Mx - title: TEST-457 - url: >- - https://elastic.swimlane.url.us/record/aNcL2xniGHGpa2AHb/aKPmBHWzmdRQtx6Mx - pushedDate: '2022-09-08T16:52:27.866Z' - comments: - - commentId: 1 - pushedDate: '2022-09-08T16:52:27.865Z' - status: ok - Connectors_get_connectors_response: - summary: A list of connectors + fields: + field1: + count: 123 + customLabel: Field 1 label + field2: + customDescription: Field 2 description + customLabel: Field 2 label + Data_views_update_runtime_field_request: + summary: Update an existing runtime field on a data view. value: - - id: preconfigured-email-connector - name: my-preconfigured-email-notification - connector_type_id: .email - is_preconfigured: true - is_deprecated: false - referenced_by_count: 0 - is_system_action: false - - id: e07d0c80-8b8b-11ed-a780-3b746c987a81 - name: my-index-connector - config: - index: test-index - refresh: false - executionTimeField: null - connector_type_id: .index - is_preconfigured: false - is_deprecated: false - referenced_by_count: 2 - is_missing_secrets: false - is_system_action: false - Connectors_get_connector_types_generativeai_response: - summary: A list of connector types for the `generativeAI` feature. + runtimeField: + script: + source: 'emit(doc["bar"].value)' + Machine_learning_APIs_mlSyncExample: + summary: Two anomaly detection jobs required synchronization in this example. 
value: - - id: .gen-ai - name: OpenAI - enabled: true - enabled_in_config: true - enabled_in_license: true - minimum_license_required: enterprise - supported_feature_ids: - - generativeAIForSecurity - - generativeAIForObservability - - generativeAIForSearchPlayground - is_system_action_type: false - - id: .bedrock - name: AWS Bedrock - enabled: true - enabled_in_config: true - enabled_in_license: true - minimum_license_required: enterprise - supported_feature_ids: - - generativeAIForSecurity - - generativeAIForObservability - - generativeAIForSearchPlayground - is_system_action_type: false - - id: .gemini - name: Google Gemini - enabled: true - enabled_in_config: true - enabled_in_license: true - minimum_license_required: enterprise - supported_feature_ids: - - generativeAIForSecurity - is_system_action_type: false - Data_views_get_data_views_response: - summary: The get all data views API returns a list of data views. + datafeedsAdded: {} + datafeedsRemoved: {} + savedObjectsCreated: + anomaly-detector: + myjob1: + success: true + myjob2: + success: true + savedObjectsDeleted: {} + Saved_objects_export_objects_request: + summary: Export a specific saved object. value: - data_view: - - id: ff959d40-b880-11e8-a6d9-e546fe2bba5f - namespaces: - - default - title: kibana_sample_data_ecommerce - typeMeta: {} - name: Kibana Sample Data eCommerce - - id: d3d7af60-4c81-11e8-b3d7-01146121b73d - namespaces: - - default - title: kibana_sample_data_flights - name: Kibana Sample Data Flights + excludeExportDetails: true + includeReferencesDeep: false + objects: + - id: de71f4f0-1902-11e9-919b-ffe5949a18d2 + type: map + Saved_objects_export_objects_response: + summary: >- + The export objects API response contains a JSON record for each exported + object. 
+ value: + attributes: + description: '' + layerListJSON: >- + [{"id":"0hmz5","alpha":1,"sourceDescriptor":{"type":"EMS_TMS","isAutoSelect":true,"lightModeDefault":"road_map_desaturated"},"visible":true,"style":{},"type":"EMS_VECTOR_TILE","minZoom":0,"maxZoom":24},{"id":"edh66","label":"Total + Requests by + Destination","minZoom":0,"maxZoom":24,"alpha":0.5,"sourceDescriptor":{"type":"EMS_FILE","id":"world_countries","tooltipProperties":["name","iso2"]},"visible":true,"style":{"type":"VECTOR","properties":{"fillColor":{"type":"DYNAMIC","options":{"field":{"name":"__kbnjoin__count__673ff994-fc75-4c67-909b-69fcb0e1060e","origin":"join"},"color":"Greys","fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"lineColor":{"type":"STATIC","options":{"color":"#FFFFFF"}},"lineWidth":{"type":"STATIC","options":{"size":1}},"iconSize":{"type":"STATIC","options":{"size":10}},"symbolizeAs":{"options":{"value":"circle"}},"icon":{"type":"STATIC","options":{"value":"marker"}}}},"type":"GEOJSON_VECTOR","joins":[{"leftField":"iso2","right":{"type":"ES_TERM_SOURCE","id":"673ff994-fc75-4c67-909b-69fcb0e1060e","indexPatternTitle":"kibana_sample_data_logs","term":"geo.dest","indexPatternRefName":"layer_1_join_0_index_pattern","metrics":[{"type":"count","label":"web + logs + count"}],"applyGlobalQuery":true}}]},{"id":"gaxya","label":"Actual + 
Requests","minZoom":9,"maxZoom":24,"alpha":1,"sourceDescriptor":{"id":"b7486535-171b-4d3b-bb2e-33c1a0a2854c","type":"ES_SEARCH","geoField":"geo.coordinates","limit":2048,"filterByMapBounds":true,"tooltipProperties":["clientip","timestamp","host","request","response","machine.os","agent","bytes"],"indexPatternRefName":"layer_2_source_index_pattern","applyGlobalQuery":true,"scalingType":"LIMIT"},"visible":true,"style":{"type":"VECTOR","properties":{"fillColor":{"type":"STATIC","options":{"color":"#2200ff"}},"lineColor":{"type":"STATIC","options":{"color":"#FFFFFF"}},"lineWidth":{"type":"STATIC","options":{"size":2}},"iconSize":{"type":"DYNAMIC","options":{"field":{"name":"bytes","origin":"source"},"minSize":1,"maxSize":23,"fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"symbolizeAs":{"options":{"value":"circle"}},"icon":{"type":"STATIC","options":{"value":"marker"}}}},"type":"GEOJSON_VECTOR"},{"id":"tfi3f","label":"Total + Requests and + Bytes","minZoom":0,"maxZoom":9,"alpha":1,"sourceDescriptor":{"type":"ES_GEO_GRID","resolution":"COARSE","id":"8aaa65b5-a4e9-448b-9560-c98cb1c5ac5b","geoField":"geo.coordinates","requestType":"point","metrics":[{"type":"count","label":"web + logs + 
count"},{"type":"sum","field":"bytes"}],"indexPatternRefName":"layer_3_source_index_pattern","applyGlobalQuery":true},"visible":true,"style":{"type":"VECTOR","properties":{"fillColor":{"type":"DYNAMIC","options":{"field":{"name":"doc_count","origin":"source"},"color":"Blues","fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"lineColor":{"type":"STATIC","options":{"color":"#cccccc"}},"lineWidth":{"type":"STATIC","options":{"size":1}},"iconSize":{"type":"DYNAMIC","options":{"field":{"name":"sum_of_bytes","origin":"source"},"minSize":7,"maxSize":25,"fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"labelText":{"type":"DYNAMIC","options":{"field":{"name":"doc_count","origin":"source"},"fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"labelSize":{"type":"DYNAMIC","options":{"field":{"name":"doc_count","origin":"source"},"minSize":12,"maxSize":24,"fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"symbolizeAs":{"options":{"value":"circle"}},"icon":{"type":"STATIC","options":{"value":"marker"}}}},"type":"GEOJSON_VECTOR"}] + mapStateJSON: >- + {"zoom":3.64,"center":{"lon":-88.92107,"lat":42.16337},"timeFilters":{"from":"now-7d","to":"now"},"refreshConfig":{"isPaused":true,"interval":0},"query":{"language":"kuery","query":""},"settings":{"autoFitToDataBounds":false}} + title: '[Logs] Total Requests and Bytes' + uiStateJSON: '{"isDarkMode":false}' + coreMigrationVersion: 8.8.0 + created_at: '2023-08-23T20:03:32.204Z' + id: de71f4f0-1902-11e9-919b-ffe5949a18d2 + managed: false + references: - id: 90943e30-9a47-11e8-b64d-95841ca0b247 - namespaces: - - default - title: kibana_sample_data_logs - name: Kibana Sample Data Logs - Data_views_create_data_view_request: - summary: Create a data view with runtime fields. 
+ name: layer_1_join_0_index_pattern + type: index-pattern + - id: 90943e30-9a47-11e8-b64d-95841ca0b247 + name: layer_2_source_index_pattern + type: index-pattern + - id: 90943e30-9a47-11e8-b64d-95841ca0b247 + name: layer_3_source_index_pattern + type: index-pattern + type: map + typeMigrationVersion: 8.4.0 + updated_at: '2023-08-23T20:03:32.204Z' + version: WzEzLDFd + Saved_objects_import_objects_request: value: - data_view: - title: logstash-* - name: My Logstash data view - runtimeFieldMap: - runtime_shape_name: - type: keyword - script: - source: emit(doc['shape_name'].value) - Data_views_get_data_view_response: + file: file.ndjson + Saved_objects_import_objects_response: summary: >- - The get data view API returns a JSON object that contains information - about the data view. + The import objects API response indicates a successful import and the + objects are created. Since these objects are created as new copies, each + entry in the successResults array includes a destinationId attribute. value: - data_view: - id: ff959d40-b880-11e8-a6d9-e546fe2bba5f - version: WzUsMV0= - title: kibana_sample_data_ecommerce - timeFieldName: order_date - sourceFilters: [] - fields: - _id: - count: 0 - name: _id + success: true + successCount: 1 + successResults: + - destinationId: 82d2760c-468f-49cf-83aa-b9a35b6a8943 + id: 90943e30-9a47-11e8-b64d-95841ca0b247 + managed: false + meta: + icon: indexPatternApp + title: Kibana Sample Data Logs + type: index-pattern + Saved_objects_key_rotation_response: + summary: Encryption key rotation using default parameters. 
+ value: + failed: 0 + successful: 300 + total: 1000 + Saved_objects_resolve_missing_reference_request: + value: + file: file.ndjson + retries: + - id: my-pattern + overwrite: true + type: index-pattern + - destinationId: another-vis + id: my-vis + overwrite: true + type: visualization + - destinationId: yet-another-canvas + id: my-canvas + overwrite: true + type: canvas + - id: my-dashboard + type: dashboard + Saved_objects_resolve_missing_reference_response: + summary: Resolve missing reference errors. + value: + success: true + successCount: 3 + successResults: + - id: my-vis + meta: + icon: visualizeApp + title: Look at my visualization + type: visualization + - id: my-search + meta: + icon: searchApp + title: Look at my search + type: search + - id: my-dashboard + meta: + icon: dashboardApp + title: Look at my dashboard + type: dashboard + parameters: + Connectors_action_id: + description: An identifier for the action. + in: path + name: actionId + required: true + schema: + example: c55b6eb0-6bad-11eb-9f3b-611eebc6c3ad + type: string + Connectors_connector_id: + description: An identifier for the connector. + in: path + name: connectorId + required: true + schema: + example: df770e30-8b8b-11ed-a780-3b746c987a81 + type: string + Connectors_kbn_xsrf: + description: Cross-site request forgery protection + in: header + name: kbn-xsrf + required: true + schema: + type: string + Data_views_field_name: + description: The name of the runtime field. + in: path + name: fieldName + required: true + schema: + example: hour_of_day + type: string + Data_views_kbn_xsrf: + description: Cross-site request forgery protection + in: header + name: kbn-xsrf + required: true + schema: + type: string + Data_views_view_id: + description: An identifier for the data view. 
+ in: path + name: viewId + required: true + schema: + example: ff959d40-b880-11e8-a6d9-e546fe2bba5f + type: string + Machine_learning_APIs_simulateParam: + description: >- + When true, simulates the synchronization by returning only the list of + actions that would be performed. + example: 'true' + in: query + name: simulate + required: false + schema: + type: boolean + Saved_objects_kbn_xsrf: + description: Cross-site request forgery protection + in: header + name: kbn-xsrf + required: true + schema: + type: string + Saved_objects_saved_object_id: + description: An identifier for the saved object. + in: path + name: id + required: true + schema: + type: string + Saved_objects_saved_object_type: + description: >- + Valid options include `visualization`, `dashboard`, `search`, + `index-pattern`, `config`. + in: path + name: type + required: true + schema: + type: string + SLOs_kbn_xsrf: + description: Cross-site request forgery protection + in: header + name: kbn-xsrf + required: true + schema: + type: string + SLOs_slo_id: + description: An identifier for the slo. + in: path + name: sloId + required: true + schema: + example: 9c235211-6834-11ea-a78c-6feb38a34414 + type: string + SLOs_space_id: + description: >- + An identifier for the space. If `/s/` and the identifier are omitted + from the path, the default space is used. + in: path + name: spaceId + required: true + schema: + example: default + type: string + responses: + Connectors_200_actions: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + $ref: '#/components/schemas/Connectors_action_response_properties' + description: Indicates a successful call. 
+ Connectors_401: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + properties: + error: + enum: + - Unauthorized + example: Unauthorized + type: string + message: + type: string + statusCode: + enum: + - 401 + example: 401 + type: integer + title: Unauthorized response + type: object + description: Authorization information is missing or invalid. + Connectors_404: + content: + application/json; Elastic-Api-Version=2023-10-31: + schema: + properties: + error: + enum: + - Not Found + example: Not Found + type: string + message: + example: >- + Saved object [action/baf33fc0-920c-11ed-b36a-874bd1548a00] not + found + type: string + statusCode: + enum: + - 404 + example: 404 + type: integer + title: Not found response + type: object + description: Object is not found. + schemas: + Connectors_action_response_properties: + description: The properties vary depending on the action type. + properties: + actionTypeId: + type: string + config: + type: object + id: + type: string + isDeprecated: + description: Indicates whether the action type is deprecated. + type: boolean + isMissingSecrets: + description: Indicates whether secrets are missing for the action. + type: boolean + isPreconfigured: + description: Indicates whether it is a preconfigured action. + type: boolean + name: + type: string + title: Action response properties + type: object + Connectors_config_properties_bedrock: + description: Defines properties for connectors when type is `.bedrock`. + properties: + apiUrl: + description: The Amazon Bedrock request URL. + type: string + defaultModel: + default: 'anthropic.claude-3-5-sonnet-20240620-v1:0' + description: > + The generative artificial intelligence model for Amazon Bedrock to + use. Current support is for the Anthropic Claude models. 
+ type: string + required: + - apiUrl + title: Connector request properties for an Amazon Bedrock connector + type: object + Connectors_config_properties_cases_webhook: + description: Defines properties for connectors when type is `.cases-webhook`. + type: object + properties: + createCommentJson: + description: > + A JSON payload sent to the create comment URL to create a case + comment. You can use variables to add Kibana Cases data to the + payload. The required variable is `case.comment`. Due to Mustache + template variables (the text enclosed in triple braces, for example, + `{{{case.title}}}`), the JSON is not validated when you create the + connector. The JSON is validated once the Mustache variables have + been placed when the REST method runs. Manually ensure that the JSON + is valid, disregarding the Mustache variables, so the later + validation will pass. + example: '{"body": {{{case.comment}}}}' + type: string + createCommentMethod: + default: put + description: > + The REST API HTTP request method to create a case comment in the + third-party system. Valid values are `patch`, `post`, and `put`. + enum: + - patch + - post + - put + type: string + createCommentUrl: + description: > + The REST API URL to create a case comment by ID in the third-party + system. You can use a variable to add the external system ID to the + URL. If you are using the `xpack.actions.allowedHosts setting`, add + the hostname to the allowed hosts. + example: 'https://example.com/issue/{{{external.system.id}}}/comment' + type: string + createIncidentJson: + description: > + A JSON payload sent to the create case URL to create a case. You can + use variables to add case data to the payload. Required variables + are `case.title` and `case.description`. Due to Mustache template + variables (which is the text enclosed in triple braces, for example, + `{{{case.title}}}`), the JSON is not validated when you create the + connector. 
The JSON is validated after the Mustache variables have + been placed when REST method runs. Manually ensure that the JSON is + valid to avoid future validation errors; disregard Mustache + variables during your review. + example: >- + {"fields": {"summary": {{{case.title}}},"description": + {{{case.description}}},"labels": {{{case.tags}}}}} + type: string + createIncidentMethod: + default: post + description: > + The REST API HTTP request method to create a case in the third-party + system. Valid values are `patch`, `post`, and `put`. + enum: + - patch + - post + - put + type: string + createIncidentResponseKey: + description: >- + The JSON key in the create external case response that contains the + case ID. + type: string + createIncidentUrl: + description: > + The REST API URL to create a case in the third-party system. If you + are using the `xpack.actions.allowedHosts` setting, add the hostname + to the allowed hosts. + type: string + getIncidentResponseExternalTitleKey: + description: >- + The JSON key in get external case response that contains the case + title. + type: string + getIncidentUrl: + description: > + The REST API URL to get the case by ID from the third-party system. + If you are using the `xpack.actions.allowedHosts` setting, add the + hostname to the allowed hosts. You can use a variable to add the + external system ID to the URL. Due to Mustache template variables + (the text enclosed in triple braces, for example, + `{{{case.title}}}`), the JSON is not validated when you create the + connector. The JSON is validated after the Mustache variables have + been placed when REST method runs. Manually ensure that the JSON is + valid, disregarding the Mustache variables, so the later validation + will pass. + example: 'https://example.com/issue/{{{external.system.id}}}' + type: string + hasAuth: + default: true + description: >- + If true, a username and password for login type authentication must + be provided. 
+ type: boolean + headers: + description: > + A set of key-value pairs sent as headers with the request URLs for + the create case, update case, get case, and create comment methods. + type: string + updateIncidentJson: + description: > + The JSON payload sent to the update case URL to update the case. You + can use variables to add Kibana Cases data to the payload. Required + variables are `case.title` and `case.description`. Due to Mustache + template variables (which is the text enclosed in triple braces, for + example, `{{{case.title}}}`), the JSON is not validated when you + create the connector. The JSON is validated after the Mustache + variables have been placed when REST method runs. Manually ensure + that the JSON is valid to avoid future validation errors; disregard + Mustache variables during your review. + example: >- + {"fields": {"summary": {{{case.title}}},"description": + {{{case.description}}},"labels": {{{case.tags}}}}} + type: string + updateIncidentMethod: + default: put + description: > + The REST API HTTP request method to update the case in the + third-party system. Valid values are `patch`, `post`, and `put`. + enum: + - patch + - post + - put + type: string + updateIncidentUrl: + description: > + The REST API URL to update the case by ID in the third-party system. + You can use a variable to add the external system ID to the URL. If + you are using the `xpack.actions.allowedHosts` setting, add the + hostname to the allowed hosts. + example: 'https://example.com/issue/{{{external.system.ID}}}' + type: string + viewIncidentUrl: + description: > + The URL to view the case in the external system. You can use + variables to add the external system ID or external system title to + the URL. 
+ example: >- + https://testing-jira.atlassian.net/browse/{{{external.system.title}}} + type: string + required: + - createIncidentJson + - createIncidentResponseKey + - createIncidentUrl + - getIncidentResponseExternalTitleKey + - getIncidentUrl + - updateIncidentJson + - updateIncidentUrl + - viewIncidentUrl + title: Connector request properties for Webhook - Case Management connector + Connectors_config_properties_d3security: + description: Defines properties for connectors when type is `.d3security`. + properties: + url: + description: > + The D3 Security API request URL. If you are using the + `xpack.actions.allowedHosts` setting, add the hostname to the + allowed hosts. + type: string + required: + - url + title: Connector request properties for a D3 Security connector + type: object + Connectors_config_properties_email: + description: Defines properties for connectors when type is `.email`. + type: object + properties: + clientId: + description: > + The client identifier, which is a part of OAuth 2.0 client + credentials authentication, in GUID format. If `service` is + `exchange_server`, this property is required. + nullable: true + type: string + from: + description: > + The from address for all emails sent by the connector. It must be + specified in `user@host-name` format. + type: string + hasAuth: + default: true + description: > + Specifies whether a user and password are required inside the + secrets configuration. + type: boolean + host: + description: > + The host name of the service provider. If the `service` is + `elastic_cloud` (for Elastic Cloud notifications) or one of + Nodemailer's well-known email service providers, this property is + ignored. If `service` is `other`, this property must be defined. + type: string + oauthTokenUrl: + nullable: true + type: string + port: + description: > + The port to connect to on the service provider. 
If the `service` is + `elastic_cloud` (for Elastic Cloud notifications) or one of + Nodemailer's well-known email service providers, this property is + ignored. If `service` is `other`, this property must be defined. + type: integer + secure: + description: > + Specifies whether the connection to the service provider will use + TLS. If the `service` is `elastic_cloud` (for Elastic Cloud + notifications) or one of Nodemailer's well-known email service + providers, this property is ignored. + type: boolean + service: + description: | + The name of the email service. + enum: + - elastic_cloud + - exchange_server + - gmail + - other + - outlook365 + - ses + type: string + tenantId: + description: > + The tenant identifier, which is part of OAuth 2.0 client credentials + authentication, in GUID format. If `service` is `exchange_server`, + this property is required. + nullable: true + type: string + required: + - from + title: Connector request properties for an email connector + Connectors_config_properties_gemini: + description: Defines properties for connectors when type is `.gemini`. + properties: + apiUrl: + description: The Google Gemini request URL. + type: string + defaultModel: + default: gemini-1.5-pro-001 + description: >- + The generative artificial intelligence model for Google Gemini to + use. + type: string + gcpProjectID: + description: The Google ProjectID that has Vertex AI endpoint enabled. + type: string + gcpRegion: + description: The GCP region where the Vertex AI endpoint enabled. + type: string + required: + - apiUrl + - gcpRegion + - gcpProjectID + title: Connector request properties for an Google Gemini connector + type: object + Connectors_config_properties_genai: + description: Defines properties for connectors when type is `.gen-ai`. 
+ discriminator: + mapping: + Azure OpenAI: '#/components/schemas/Connectors_config_properties_genai_azure' + OpenAI: '#/components/schemas/Connectors_config_properties_genai_openai' + propertyName: apiProvider + oneOf: + - $ref: '#/components/schemas/Connectors_config_properties_genai_azure' + - $ref: '#/components/schemas/Connectors_config_properties_genai_openai' + title: Connector request properties for an OpenAI connector + Connectors_config_properties_genai_azure: + description: > + Defines properties for connectors when type is `.gen-ai` and the API + provider is `Azure OpenAI'. + properties: + apiProvider: + description: The OpenAI API provider. + enum: + - Azure OpenAI + type: string + apiUrl: + description: The OpenAI API endpoint. + type: string + required: + - apiProvider + - apiUrl + title: >- + Connector request properties for an OpenAI connector that uses Azure + OpenAI + type: object + Connectors_config_properties_genai_openai: + description: > + Defines properties for connectors when type is `.gen-ai` and the API + provider is `OpenAI'. + properties: + apiProvider: + description: The OpenAI API provider. + enum: + - OpenAI + type: string + apiUrl: + description: The OpenAI API endpoint. + type: string + defaultModel: + description: The default model to use for requests. + type: string + required: + - apiProvider + - apiUrl + title: Connector request properties for an OpenAI connector + type: object + Connectors_config_properties_index: + description: Defines properties for connectors when type is `.index`. + type: object + properties: + executionTimeField: + default: null + description: A field that indicates when the document was indexed. + nullable: true + type: string + index: + description: The Elasticsearch index to be written to. + type: string + refresh: + default: false + description: > + The refresh policy for the write request, which affects when changes + are made visible to search. 
Refer to the refresh setting for + Elasticsearch document APIs. + type: boolean + required: + - index + title: Connector request properties for an index connector + Connectors_config_properties_jira: + description: Defines properties for connectors when type is `.jira`. + type: object + properties: + apiUrl: + description: The Jira instance URL. + type: string + projectKey: + description: The Jira project key. + type: string + required: + - apiUrl + - projectKey + title: Connector request properties for a Jira connector + Connectors_config_properties_opsgenie: + description: Defines properties for connectors when type is `.opsgenie`. + type: object + properties: + apiUrl: + description: > + The Opsgenie URL. For example, `https://api.opsgenie.com` or + `https://api.eu.opsgenie.com`. If you are using the + `xpack.actions.allowedHosts` setting, add the hostname to the + allowed hosts. + type: string + required: + - apiUrl + title: Connector request properties for an Opsgenie connector + Connectors_config_properties_pagerduty: + description: Defines properties for connectors when type is `.pagerduty`. + properties: + apiUrl: + description: The PagerDuty event URL. + example: 'https://events.pagerduty.com/v2/enqueue' + nullable: true + type: string + title: Connector request properties for a PagerDuty connector + type: object + Connectors_config_properties_resilient: + description: Defines properties for connectors when type is `.resilient`. + type: object + properties: + apiUrl: + description: The IBM Resilient instance URL. + type: string + orgId: + description: The IBM Resilient organization ID. + type: string + required: + - apiUrl + - orgId + title: Connector request properties for a IBM Resilient connector + Connectors_config_properties_sentinelone: + description: Defines properties for connectors when type is `.sentinelone`. + type: object + properties: + url: + description: > + The SentinelOne tenant URL. 
If you are using the + `xpack.actions.allowedHosts` setting, add the hostname to the + allowed hosts. + type: string + required: + - url + title: Connector request properties for a SentinelOne connector + Connectors_config_properties_servicenow: + description: Defines properties for connectors when type is `.servicenow`. + type: object + properties: + apiUrl: + description: The ServiceNow instance URL. + type: string + clientId: + description: > + The client ID assigned to your OAuth application. This property is + required when `isOAuth` is `true`. + type: string + isOAuth: + default: false + description: > + The type of authentication to use. The default value is false, which + means basic authentication is used instead of open authorization + (OAuth). + type: boolean + jwtKeyId: + description: > + The key identifier assigned to the JWT verifier map of your OAuth + application. This property is required when `isOAuth` is `true`. + type: string + userIdentifierValue: + description: > + The identifier to use for OAuth authentication. This identifier + should be the user field you selected when you created an OAuth JWT + API endpoint for external clients in your ServiceNow instance. For + example, if the selected user field is `Email`, the user identifier + should be the user's email address. This property is required when + `isOAuth` is `true`. + type: string + usesTableApi: + default: true + description: > + Determines whether the connector uses the Table API or the Import + Set API. This property is supported only for ServiceNow ITSM and + ServiceNow SecOps connectors. NOTE: If this property is set to + `false`, the Elastic application should be installed in ServiceNow. + type: boolean + required: + - apiUrl + title: Connector request properties for a ServiceNow ITSM connector + Connectors_config_properties_servicenow_itom: + description: Defines properties for connectors when type is `.servicenow`. 
+ type: object + properties: + apiUrl: + description: The ServiceNow instance URL. + type: string + clientId: + description: > + The client ID assigned to your OAuth application. This property is + required when `isOAuth` is `true`. + type: string + isOAuth: + default: false + description: > + The type of authentication to use. The default value is false, which + means basic authentication is used instead of open authorization + (OAuth). + type: boolean + jwtKeyId: + description: > + The key identifier assigned to the JWT verifier map of your OAuth + application. This property is required when `isOAuth` is `true`. + type: string + userIdentifierValue: + description: > + The identifier to use for OAuth authentication. This identifier + should be the user field you selected when you created an OAuth JWT + API endpoint for external clients in your ServiceNow instance. For + example, if the selected user field is `Email`, the user identifier + should be the user's email address. This property is required when + `isOAuth` is `true`. + type: string + required: + - apiUrl + title: Connector request properties for a ServiceNow ITSM connector + Connectors_config_properties_slack_api: + description: Defines properties for connectors when type is `.slack_api`. + properties: + allowedChannels: + description: A list of valid Slack channels. + items: + maxItems: 25 + type: object + properties: + id: + description: The Slack channel ID. + example: C123ABC456 + minLength: 1 + type: string + name: + description: The Slack channel name. + minLength: 1 + type: string + required: + - id + - name + type: array + title: Connector request properties for a Slack connector + type: object + Connectors_config_properties_swimlane: + description: Defines properties for connectors when type is `.swimlane`. + type: object + properties: + apiUrl: + description: The Swimlane instance URL. + type: string + appId: + description: The Swimlane application ID. 
+ type: string + connectorType: + description: >- + The type of connector. Valid values are `all`, `alerts`, and + `cases`. + enum: + - all + - alerts + - cases + type: string + mappings: + description: The field mapping. + properties: + alertIdConfig: + description: Mapping for the alert ID. + properties: + fieldType: + description: The type of field in Swimlane. + type: string + id: + description: The identifier for the field in Swimlane. + type: string + key: + description: The key for the field in Swimlane. + type: string + name: + description: The name of the field in Swimlane. + type: string + required: + - fieldType + - id + - key + - name + title: Alert identifier mapping + type: object + caseIdConfig: + description: Mapping for the case ID. + properties: + fieldType: + description: The type of field in Swimlane. + type: string + id: + description: The identifier for the field in Swimlane. + type: string + key: + description: The key for the field in Swimlane. + type: string + name: + description: The name of the field in Swimlane. + type: string + required: + - fieldType + - id + - key + - name + title: Case identifier mapping + type: object + caseNameConfig: + description: Mapping for the case name. + properties: + fieldType: + description: The type of field in Swimlane. + type: string + id: + description: The identifier for the field in Swimlane. + type: string + key: + description: The key for the field in Swimlane. + type: string + name: + description: The name of the field in Swimlane. + type: string + required: + - fieldType + - id + - key + - name + title: Case name mapping + type: object + commentsConfig: + description: Mapping for the case comments. + properties: + fieldType: + description: The type of field in Swimlane. + type: string + id: + description: The identifier for the field in Swimlane. + type: string + key: + description: The key for the field in Swimlane. + type: string + name: + description: The name of the field in Swimlane. 
+ type: string + required: + - fieldType + - id + - key + - name + title: Case comment mapping + type: object + descriptionConfig: + description: Mapping for the case description. + properties: + fieldType: + description: The type of field in Swimlane. + type: string + id: + description: The identifier for the field in Swimlane. + type: string + key: + description: The key for the field in Swimlane. + type: string + name: + description: The name of the field in Swimlane. + type: string + required: + - fieldType + - id + - key + - name + title: Case description mapping + type: object + ruleNameConfig: + description: Mapping for the name of the alert's rule. + properties: + fieldType: + description: The type of field in Swimlane. + type: string + id: + description: The identifier for the field in Swimlane. + type: string + key: + description: The key for the field in Swimlane. + type: string + name: + description: The name of the field in Swimlane. + type: string + required: + - fieldType + - id + - key + - name + title: Rule name mapping + type: object + severityConfig: + description: Mapping for the severity. + properties: + fieldType: + description: The type of field in Swimlane. + type: string + id: + description: The identifier for the field in Swimlane. + type: string + key: + description: The key for the field in Swimlane. + type: string + name: + description: The name of the field in Swimlane. + type: string + required: + - fieldType + - id + - key + - name + title: Severity mapping + type: object + title: Connector mappings properties for a Swimlane connector + type: object + required: + - apiUrl + - appId + - connectorType + title: Connector request properties for a Swimlane connector + Connectors_config_properties_tines: + description: Defines properties for connectors when type is `.tines`. + properties: + url: + description: > + The Tines tenant URL. 
If you are using the + `xpack.actions.allowedHosts` setting, make sure this hostname is + added to the allowed hosts. + type: string + required: + - url + title: Connector request properties for a Tines connector + type: object + Connectors_config_properties_torq: + description: Defines properties for connectors when type is `.torq`. + properties: + webhookIntegrationUrl: + description: The endpoint URL of the Elastic Security integration in Torq. + type: string + required: + - webhookIntegrationUrl + title: Connector request properties for a Torq connector + type: object + Connectors_config_properties_webhook: + description: Defines properties for connectors when type is `.webhook`. + properties: + authType: + description: | + The type of authentication to use: basic, SSL, or none. + enum: + - webhook-authentication-basic + - webhook-authentication-ssl + nullable: true + type: string + ca: + description: > + A base64 encoded version of the certificate authority file that the + connector can trust to sign and validate certificates. This option + is available for all authentication types. + type: string + certType: + description: > + If the `authType` is `webhook-authentication-ssl`, specifies whether + the certificate authentication data is in a CRT and key file format + or a PFX file format. + enum: + - ssl-crt-key + - ssl-pfx + type: string + hasAuth: + description: > + If `true`, a user name and password must be provided for login type + authentication. + type: boolean + headers: + description: A set of key-value pairs sent as headers with the request. + nullable: true + type: object + method: + default: post + description: | + The HTTP request method, either `post` or `put`. + enum: + - post + - put + type: string + url: + description: > + The request URL. If you are using the `xpack.actions.allowedHosts` + setting, add the hostname to the allowed hosts. 
+ type: string + verificationMode: + default: full + description: > + Controls the verification of certificates. Use `full` to validate + that the certificate has an issue date within the `not_before` and + `not_after` dates, chains to a trusted certificate authority (CA), + and has a hostname or IP address that matches the names within the + certificate. Use `certificate` to validate the certificate and + verify that it is signed by a trusted authority; this option does + not check the certificate hostname. Use `none` to skip certificate + validation. + enum: + - certificate + - full + - none + type: string + title: Connector request properties for a Webhook connector + type: object + Connectors_config_properties_xmatters: + description: Defines properties for connectors when type is `.xmatters`. + properties: + configUrl: + description: > + The request URL for the Elastic Alerts trigger in xMatters. It is + applicable only when `usesBasic` is `true`. + nullable: true + type: string + usesBasic: + default: true + description: >- + Specifies whether the connector uses HTTP basic authentication + (`true`) or URL authentication (`false`). + type: boolean + title: Connector request properties for an xMatters connector + type: object + Connectors_connector_response_properties: + description: The properties vary depending on the connector type. 
+ discriminator: + mapping: + .bedrock: >- + #/components/schemas/Connectors_connector_response_properties_bedrock + .cases-webhook: >- + #/components/schemas/Connectors_connector_response_properties_cases_webhook + .d3security: >- + #/components/schemas/Connectors_connector_response_properties_d3security + .email: '#/components/schemas/Connectors_connector_response_properties_email' + .gemini: '#/components/schemas/Connectors_connector_response_properties_gemini' + .gen-ai: '#/components/schemas/Connectors_connector_response_properties_genai' + .index: '#/components/schemas/Connectors_connector_response_properties_index' + .jira: '#/components/schemas/Connectors_connector_response_properties_jira' + .opsgenie: >- + #/components/schemas/Connectors_connector_response_properties_opsgenie + .pagerduty: >- + #/components/schemas/Connectors_connector_response_properties_pagerduty + .resilient: >- + #/components/schemas/Connectors_connector_response_properties_resilient + .sentinelone: >- + #/components/schemas/Connectors_connector_response_properties_sentinelone + .server-log: >- + #/components/schemas/Connectors_connector_response_properties_serverlog + .servicenow: >- + #/components/schemas/Connectors_connector_response_properties_servicenow + .servicenow-itom: >- + #/components/schemas/Connectors_connector_response_properties_servicenow_itom + .servicenow-sir: >- + #/components/schemas/Connectors_connector_response_properties_servicenow_sir + .slack: >- + #/components/schemas/Connectors_connector_response_properties_slack_webhook + .slack_api: >- + #/components/schemas/Connectors_connector_response_properties_slack_api + .swimlane: >- + #/components/schemas/Connectors_connector_response_properties_swimlane + .teams: '#/components/schemas/Connectors_connector_response_properties_teams' + .tines: '#/components/schemas/Connectors_connector_response_properties_tines' + .torq: '#/components/schemas/Connectors_connector_response_properties_torq' + .webhook: >- + 
#/components/schemas/Connectors_connector_response_properties_webhook + .xmatters: >- + #/components/schemas/Connectors_connector_response_properties_xmatters + propertyName: connector_type_id + oneOf: + - $ref: >- + #/components/schemas/Connectors_connector_response_properties_bedrock + - $ref: '#/components/schemas/Connectors_connector_response_properties_gemini' + - $ref: >- + #/components/schemas/Connectors_connector_response_properties_cases_webhook + - $ref: >- + #/components/schemas/Connectors_connector_response_properties_d3security + - $ref: '#/components/schemas/Connectors_connector_response_properties_email' + - $ref: '#/components/schemas/Connectors_connector_response_properties_genai' + - $ref: '#/components/schemas/Connectors_connector_response_properties_index' + - $ref: '#/components/schemas/Connectors_connector_response_properties_jira' + - $ref: >- + #/components/schemas/Connectors_connector_response_properties_opsgenie + - $ref: >- + #/components/schemas/Connectors_connector_response_properties_pagerduty + - $ref: >- + #/components/schemas/Connectors_connector_response_properties_resilient + - $ref: >- + #/components/schemas/Connectors_connector_response_properties_sentinelone + - $ref: >- + #/components/schemas/Connectors_connector_response_properties_serverlog + - $ref: >- + #/components/schemas/Connectors_connector_response_properties_servicenow + - $ref: >- + #/components/schemas/Connectors_connector_response_properties_servicenow_itom + - $ref: >- + #/components/schemas/Connectors_connector_response_properties_servicenow_sir + - $ref: >- + #/components/schemas/Connectors_connector_response_properties_slack_api + - $ref: >- + #/components/schemas/Connectors_connector_response_properties_slack_webhook + - $ref: >- + #/components/schemas/Connectors_connector_response_properties_swimlane + - $ref: '#/components/schemas/Connectors_connector_response_properties_teams' + - $ref: '#/components/schemas/Connectors_connector_response_properties_tines' 
+ - $ref: '#/components/schemas/Connectors_connector_response_properties_torq' + - $ref: >- + #/components/schemas/Connectors_connector_response_properties_webhook + - $ref: >- + #/components/schemas/Connectors_connector_response_properties_xmatters + title: Connector response properties + Connectors_connector_response_properties_bedrock: + title: Connector response properties for an Amazon Bedrock connector + type: object + properties: + config: + $ref: '#/components/schemas/Connectors_config_properties_bedrock' + connector_type_id: + description: The type of connector. + enum: + - .bedrock + type: string + id: + description: The identifier for the connector. + type: string + is_deprecated: + $ref: '#/components/schemas/Connectors_is_deprecated' + is_missing_secrets: + $ref: '#/components/schemas/Connectors_is_missing_secrets' + is_preconfigured: + $ref: '#/components/schemas/Connectors_is_preconfigured' + is_system_action: + $ref: '#/components/schemas/Connectors_is_system_action' + name: + description: The display name for the connector. + type: string + required: + - config + - connector_type_id + - id + - is_deprecated + - is_preconfigured + - name + Connectors_connector_response_properties_cases_webhook: + title: Connector request properties for a Webhook - Case Management connector + type: object + properties: + config: + $ref: '#/components/schemas/Connectors_config_properties_cases_webhook' + connector_type_id: + description: The type of connector. + enum: + - .cases-webhook + type: string + id: + description: The identifier for the connector. + type: string + is_deprecated: + $ref: '#/components/schemas/Connectors_is_deprecated' + is_missing_secrets: + $ref: '#/components/schemas/Connectors_is_missing_secrets' + is_preconfigured: + $ref: '#/components/schemas/Connectors_is_preconfigured' + is_system_action: + $ref: '#/components/schemas/Connectors_is_system_action' + name: + description: The display name for the connector. 
+ type: string + referenced_by_count: + $ref: '#/components/schemas/Connectors_referenced_by_count' + required: + - connector_type_id + - id + - is_deprecated + - is_preconfigured + - name + Connectors_connector_response_properties_d3security: + title: Connector response properties for a D3 Security connector + type: object + properties: + config: + $ref: '#/components/schemas/Connectors_config_properties_d3security' + connector_type_id: + description: The type of connector. + enum: + - .d3security + type: string + id: + description: The identifier for the connector. + type: string + is_deprecated: + $ref: '#/components/schemas/Connectors_is_deprecated' + is_missing_secrets: + $ref: '#/components/schemas/Connectors_is_missing_secrets' + is_preconfigured: + $ref: '#/components/schemas/Connectors_is_preconfigured' + is_system_action: + $ref: '#/components/schemas/Connectors_is_system_action' + name: + description: The display name for the connector. + type: string + referenced_by_count: + $ref: '#/components/schemas/Connectors_referenced_by_count' + required: + - connector_type_id + - id + - is_deprecated + - is_preconfigured + - name + Connectors_connector_response_properties_email: + title: Connector response properties for an email connector + type: object + properties: + config: + $ref: '#/components/schemas/Connectors_config_properties_email' + connector_type_id: + description: The type of connector. + enum: + - .email + type: string + id: + description: The identifier for the connector. + type: string + is_deprecated: + $ref: '#/components/schemas/Connectors_is_deprecated' + is_missing_secrets: + $ref: '#/components/schemas/Connectors_is_missing_secrets' + is_preconfigured: + $ref: '#/components/schemas/Connectors_is_preconfigured' + is_system_action: + $ref: '#/components/schemas/Connectors_is_system_action' + name: + description: The display name for the connector. 
+ type: string + referenced_by_count: + $ref: '#/components/schemas/Connectors_referenced_by_count' + required: + - connector_type_id + - id + - is_deprecated + - is_preconfigured + - name + Connectors_connector_response_properties_gemini: + title: Connector response properties for a Google Gemini connector + type: object + properties: + config: + $ref: '#/components/schemas/Connectors_config_properties_gemini' + connector_type_id: + description: The type of connector. + enum: + - .gemini + type: string + id: + description: The identifier for the connector. + type: string + is_deprecated: + $ref: '#/components/schemas/Connectors_is_deprecated' + is_missing_secrets: + $ref: '#/components/schemas/Connectors_is_missing_secrets' + is_preconfigured: + $ref: '#/components/schemas/Connectors_is_preconfigured' + is_system_action: + $ref: '#/components/schemas/Connectors_is_system_action' + name: + description: The display name for the connector. + type: string + referenced_by_count: + $ref: '#/components/schemas/Connectors_referenced_by_count' + required: + - connector_type_id + - id + - is_deprecated + - is_preconfigured + - name + Connectors_connector_response_properties_genai: + title: Connector response properties for an OpenAI connector + type: object + properties: + config: + $ref: '#/components/schemas/Connectors_config_properties_genai' + connector_type_id: + description: The type of connector. + enum: + - .gen-ai + type: string + id: + description: The identifier for the connector. + type: string + is_deprecated: + $ref: '#/components/schemas/Connectors_is_deprecated' + is_missing_secrets: + $ref: '#/components/schemas/Connectors_is_missing_secrets' + is_preconfigured: + $ref: '#/components/schemas/Connectors_is_preconfigured' + is_system_action: + $ref: '#/components/schemas/Connectors_is_system_action' + name: + description: The display name for the connector. 
+ type: string + referenced_by_count: + $ref: '#/components/schemas/Connectors_referenced_by_count' + required: + - connector_type_id + - id + - is_deprecated + - is_preconfigured + - name + Connectors_connector_response_properties_index: + title: Connector response properties for an index connector + type: object + properties: + config: + $ref: '#/components/schemas/Connectors_config_properties_index' + connector_type_id: + description: The type of connector. + enum: + - .index + type: string + id: + description: The identifier for the connector. + type: string + is_deprecated: + $ref: '#/components/schemas/Connectors_is_deprecated' + is_missing_secrets: + $ref: '#/components/schemas/Connectors_is_missing_secrets' + is_preconfigured: + $ref: '#/components/schemas/Connectors_is_preconfigured' + is_system_action: + $ref: '#/components/schemas/Connectors_is_system_action' + name: + description: The display name for the connector. + type: string + referenced_by_count: + $ref: '#/components/schemas/Connectors_referenced_by_count' + required: + - connector_type_id + - id + - is_deprecated + - is_preconfigured + - name + Connectors_connector_response_properties_jira: + title: Connector response properties for a Jira connector + type: object + properties: + config: + $ref: '#/components/schemas/Connectors_config_properties_jira' + connector_type_id: + description: The type of connector. + enum: + - .jira + type: string + id: + description: The identifier for the connector. + type: string + is_deprecated: + $ref: '#/components/schemas/Connectors_is_deprecated' + is_missing_secrets: + $ref: '#/components/schemas/Connectors_is_missing_secrets' + is_preconfigured: + $ref: '#/components/schemas/Connectors_is_preconfigured' + is_system_action: + $ref: '#/components/schemas/Connectors_is_system_action' + name: + description: The display name for the connector. 
+ type: string + referenced_by_count: + $ref: '#/components/schemas/Connectors_referenced_by_count' + required: + - connector_type_id + - id + - is_deprecated + - is_preconfigured + - name + Connectors_connector_response_properties_opsgenie: + title: Connector response properties for an Opsgenie connector + type: object + properties: + config: + $ref: '#/components/schemas/Connectors_config_properties_opsgenie' + connector_type_id: + description: The type of connector. + enum: + - .opsgenie + type: string + id: + description: The identifier for the connector. + type: string + is_deprecated: + $ref: '#/components/schemas/Connectors_is_deprecated' + is_missing_secrets: + $ref: '#/components/schemas/Connectors_is_missing_secrets' + is_preconfigured: + $ref: '#/components/schemas/Connectors_is_preconfigured' + is_system_action: + $ref: '#/components/schemas/Connectors_is_system_action' + name: + description: The display name for the connector. + type: string + referenced_by_count: + $ref: '#/components/schemas/Connectors_referenced_by_count' + required: + - connector_type_id + - id + - is_deprecated + - is_preconfigured + - name + Connectors_connector_response_properties_pagerduty: + title: Connector response properties for a PagerDuty connector + type: object + properties: + config: + $ref: '#/components/schemas/Connectors_config_properties_pagerduty' + connector_type_id: + description: The type of connector. + enum: + - .pagerduty + type: string + id: + description: The identifier for the connector. + type: string + is_deprecated: + $ref: '#/components/schemas/Connectors_is_deprecated' + is_missing_secrets: + $ref: '#/components/schemas/Connectors_is_missing_secrets' + is_preconfigured: + $ref: '#/components/schemas/Connectors_is_preconfigured' + is_system_action: + $ref: '#/components/schemas/Connectors_is_system_action' + name: + description: The display name for the connector. 
+ type: string + referenced_by_count: + $ref: '#/components/schemas/Connectors_referenced_by_count' + required: + - connector_type_id + - id + - is_deprecated + - is_preconfigured + - name + Connectors_connector_response_properties_resilient: + title: Connector response properties for a IBM Resilient connector + type: object + properties: + config: + $ref: '#/components/schemas/Connectors_config_properties_resilient' + connector_type_id: + description: The type of connector. + enum: + - .resilient + type: string + id: + description: The identifier for the connector. + type: string + is_deprecated: + $ref: '#/components/schemas/Connectors_is_deprecated' + is_missing_secrets: + $ref: '#/components/schemas/Connectors_is_missing_secrets' + is_preconfigured: + $ref: '#/components/schemas/Connectors_is_preconfigured' + is_system_action: + $ref: '#/components/schemas/Connectors_is_system_action' + name: + description: The display name for the connector. + type: string + referenced_by_count: + $ref: '#/components/schemas/Connectors_referenced_by_count' + required: + - connector_type_id + - id + - is_deprecated + - is_preconfigured + - name + Connectors_connector_response_properties_sentinelone: + title: Connector response properties for a SentinelOne connector + type: object + properties: + config: + $ref: '#/components/schemas/Connectors_config_properties_sentinelone' + connector_type_id: + description: The type of connector. + enum: + - .sentinelone + type: string + id: + description: The identifier for the connector. + type: string + is_deprecated: + $ref: '#/components/schemas/Connectors_is_deprecated' + is_missing_secrets: + $ref: '#/components/schemas/Connectors_is_missing_secrets' + is_preconfigured: + $ref: '#/components/schemas/Connectors_is_preconfigured' + is_system_action: + $ref: '#/components/schemas/Connectors_is_system_action' + name: + description: The display name for the connector. 
+ type: string + referenced_by_count: + $ref: '#/components/schemas/Connectors_referenced_by_count' + required: + - connector_type_id + - id + - is_deprecated + - is_preconfigured + - name + Connectors_connector_response_properties_serverlog: + title: Connector response properties for a server log connector + type: object + properties: + config: + nullable: true + type: object + connector_type_id: + description: The type of connector. + enum: + - .server-log + type: string + id: + description: The identifier for the connector. + type: string + is_deprecated: + $ref: '#/components/schemas/Connectors_is_deprecated' + is_missing_secrets: + $ref: '#/components/schemas/Connectors_is_missing_secrets' + is_preconfigured: + $ref: '#/components/schemas/Connectors_is_preconfigured' + is_system_action: + $ref: '#/components/schemas/Connectors_is_system_action' + name: + description: The display name for the connector. + type: string + referenced_by_count: + $ref: '#/components/schemas/Connectors_referenced_by_count' + required: + - connector_type_id + - id + - is_deprecated + - is_preconfigured + - name + Connectors_connector_response_properties_servicenow: + title: Connector response properties for a ServiceNow ITSM connector + type: object + properties: + config: + $ref: '#/components/schemas/Connectors_config_properties_servicenow' + connector_type_id: + description: The type of connector. + enum: + - .servicenow + type: string + id: + description: The identifier for the connector. + type: string + is_deprecated: + $ref: '#/components/schemas/Connectors_is_deprecated' + is_missing_secrets: + $ref: '#/components/schemas/Connectors_is_missing_secrets' + is_preconfigured: + $ref: '#/components/schemas/Connectors_is_preconfigured' + is_system_action: + $ref: '#/components/schemas/Connectors_is_system_action' + name: + description: The display name for the connector. 
+ type: string + referenced_by_count: + $ref: '#/components/schemas/Connectors_referenced_by_count' + required: + - connector_type_id + - id + - is_deprecated + - is_preconfigured + - name + Connectors_connector_response_properties_servicenow_itom: + title: Connector response properties for a ServiceNow ITOM connector + type: object + properties: + config: + $ref: '#/components/schemas/Connectors_config_properties_servicenow_itom' + connector_type_id: + description: The type of connector. + enum: + - .servicenow-itom + type: string + id: + description: The identifier for the connector. + type: string + is_deprecated: + $ref: '#/components/schemas/Connectors_is_deprecated' + is_missing_secrets: + $ref: '#/components/schemas/Connectors_is_missing_secrets' + is_preconfigured: + $ref: '#/components/schemas/Connectors_is_preconfigured' + is_system_action: + $ref: '#/components/schemas/Connectors_is_system_action' + name: + description: The display name for the connector. + type: string + referenced_by_count: + $ref: '#/components/schemas/Connectors_referenced_by_count' + required: + - connector_type_id + - id + - is_deprecated + - is_preconfigured + - name + Connectors_connector_response_properties_servicenow_sir: + title: Connector response properties for a ServiceNow SecOps connector + type: object + properties: + config: + $ref: '#/components/schemas/Connectors_config_properties_servicenow' + connector_type_id: + description: The type of connector. + enum: + - .servicenow-sir + type: string + id: + description: The identifier for the connector. + type: string + is_deprecated: + $ref: '#/components/schemas/Connectors_is_deprecated' + is_missing_secrets: + $ref: '#/components/schemas/Connectors_is_missing_secrets' + is_preconfigured: + $ref: '#/components/schemas/Connectors_is_preconfigured' + is_system_action: + $ref: '#/components/schemas/Connectors_is_system_action' + name: + description: The display name for the connector. 
+ type: string + referenced_by_count: + $ref: '#/components/schemas/Connectors_referenced_by_count' + required: + - connector_type_id + - id + - is_deprecated + - is_preconfigured + - name + Connectors_connector_response_properties_slack_api: + title: Connector response properties for a Slack connector + type: object + properties: + config: + $ref: '#/components/schemas/Connectors_config_properties_slack_api' + connector_type_id: + description: The type of connector. + enum: + - .slack_api + type: string + id: + description: The identifier for the connector. + type: string + is_deprecated: + $ref: '#/components/schemas/Connectors_is_deprecated' + is_missing_secrets: + $ref: '#/components/schemas/Connectors_is_missing_secrets' + is_preconfigured: + $ref: '#/components/schemas/Connectors_is_preconfigured' + is_system_action: + $ref: '#/components/schemas/Connectors_is_system_action' + name: + description: The display name for the connector. + type: string + referenced_by_count: + $ref: '#/components/schemas/Connectors_referenced_by_count' + required: + - connector_type_id + - id + - is_deprecated + - is_preconfigured + - name + Connectors_connector_response_properties_slack_webhook: + title: Connector response properties for a Slack connector + type: object + properties: + connector_type_id: + description: The type of connector. + enum: + - .slack + type: string + id: + description: The identifier for the connector. + type: string + is_deprecated: + $ref: '#/components/schemas/Connectors_is_deprecated' + is_missing_secrets: + $ref: '#/components/schemas/Connectors_is_missing_secrets' + is_preconfigured: + $ref: '#/components/schemas/Connectors_is_preconfigured' + is_system_action: + $ref: '#/components/schemas/Connectors_is_system_action' + name: + description: The display name for the connector. 
+ type: string + referenced_by_count: + $ref: '#/components/schemas/Connectors_referenced_by_count' + required: + - connector_type_id + - id + - is_deprecated + - is_preconfigured + - name + Connectors_connector_response_properties_swimlane: + title: Connector response properties for a Swimlane connector + type: object + properties: + config: + $ref: '#/components/schemas/Connectors_config_properties_swimlane' + connector_type_id: + description: The type of connector. + enum: + - .swimlane + type: string + id: + description: The identifier for the connector. + type: string + is_deprecated: + $ref: '#/components/schemas/Connectors_is_deprecated' + is_missing_secrets: + $ref: '#/components/schemas/Connectors_is_missing_secrets' + is_preconfigured: + $ref: '#/components/schemas/Connectors_is_preconfigured' + is_system_action: + $ref: '#/components/schemas/Connectors_is_system_action' + name: + description: The display name for the connector. + type: string + referenced_by_count: + $ref: '#/components/schemas/Connectors_referenced_by_count' + required: + - connector_type_id + - id + - is_deprecated + - is_preconfigured + - name + Connectors_connector_response_properties_teams: + title: Connector response properties for a Microsoft Teams connector + type: object + properties: + config: + type: object + connector_type_id: + description: The type of connector. + enum: + - .teams + type: string + id: + description: The identifier for the connector. + type: string + is_deprecated: + $ref: '#/components/schemas/Connectors_is_deprecated' + is_missing_secrets: + $ref: '#/components/schemas/Connectors_is_missing_secrets' + is_preconfigured: + $ref: '#/components/schemas/Connectors_is_preconfigured' + is_system_action: + $ref: '#/components/schemas/Connectors_is_system_action' + name: + description: The display name for the connector. 
+ type: string + referenced_by_count: + $ref: '#/components/schemas/Connectors_referenced_by_count' + required: + - connector_type_id + - id + - is_deprecated + - is_preconfigured + - name + Connectors_connector_response_properties_tines: + title: Connector response properties for a Tines connector + type: object + properties: + config: + $ref: '#/components/schemas/Connectors_config_properties_tines' + connector_type_id: + description: The type of connector. + enum: + - .tines + type: string + id: + description: The identifier for the connector. + type: string + is_deprecated: + $ref: '#/components/schemas/Connectors_is_deprecated' + is_missing_secrets: + $ref: '#/components/schemas/Connectors_is_missing_secrets' + is_preconfigured: + $ref: '#/components/schemas/Connectors_is_preconfigured' + is_system_action: + $ref: '#/components/schemas/Connectors_is_system_action' + name: + description: The display name for the connector. + type: string + referenced_by_count: + $ref: '#/components/schemas/Connectors_referenced_by_count' + required: + - connector_type_id + - id + - is_deprecated + - is_preconfigured + - name + Connectors_connector_response_properties_torq: + title: Connector response properties for a Torq connector + type: object + properties: + config: + $ref: '#/components/schemas/Connectors_config_properties_torq' + connector_type_id: + description: The type of connector. + enum: + - .torq + type: string + id: + description: The identifier for the connector. + type: string + is_deprecated: + $ref: '#/components/schemas/Connectors_is_deprecated' + is_missing_secrets: + $ref: '#/components/schemas/Connectors_is_missing_secrets' + is_preconfigured: + $ref: '#/components/schemas/Connectors_is_preconfigured' + is_system_action: + $ref: '#/components/schemas/Connectors_is_system_action' + name: + description: The display name for the connector. 
+ type: string + referenced_by_count: + $ref: '#/components/schemas/Connectors_referenced_by_count' + required: + - connector_type_id + - id + - is_deprecated + - is_preconfigured + - name + Connectors_connector_response_properties_webhook: + title: Connector response properties for a Webhook connector + type: object + properties: + config: + $ref: '#/components/schemas/Connectors_config_properties_webhook' + connector_type_id: + description: The type of connector. + enum: + - .webhook + type: string + id: + description: The identifier for the connector. + type: string + is_deprecated: + $ref: '#/components/schemas/Connectors_is_deprecated' + is_missing_secrets: + $ref: '#/components/schemas/Connectors_is_missing_secrets' + is_preconfigured: + $ref: '#/components/schemas/Connectors_is_preconfigured' + is_system_action: + $ref: '#/components/schemas/Connectors_is_system_action' + name: + description: The display name for the connector. + type: string + referenced_by_count: + $ref: '#/components/schemas/Connectors_referenced_by_count' + required: + - connector_type_id + - id + - is_deprecated + - is_preconfigured + - name + Connectors_connector_response_properties_xmatters: + title: Connector response properties for an xMatters connector + type: object + properties: + config: + $ref: '#/components/schemas/Connectors_config_properties_xmatters' + connector_type_id: + description: The type of connector. + enum: + - .xmatters + type: string + id: + description: The identifier for the connector. + type: string + is_deprecated: + $ref: '#/components/schemas/Connectors_is_deprecated' + is_missing_secrets: + $ref: '#/components/schemas/Connectors_is_missing_secrets' + is_preconfigured: + $ref: '#/components/schemas/Connectors_is_preconfigured' + is_system_action: + $ref: '#/components/schemas/Connectors_is_system_action' + name: + description: The display name for the connector. 
+ type: string + referenced_by_count: + $ref: '#/components/schemas/Connectors_referenced_by_count' + required: + - connector_type_id + - id + - is_deprecated + - is_preconfigured + - name + Connectors_connector_types: + description: >- + The type of connector. For example, `.email`, `.index`, `.jira`, + `.opsgenie`, or `.server-log`. + enum: + - .bedrock + - .gemini + - .cases-webhook + - .d3security + - .email + - .gen-ai + - .index + - .jira + - .opsgenie + - .pagerduty + - .resilient + - .sentinelone + - .servicenow + - .servicenow-itom + - .servicenow-sir + - .server-log + - .slack + - .slack_api + - .swimlane + - .teams + - .tines + - .torq + - .webhook + - .xmatters + example: .server-log + title: Connector types + type: string + Connectors_create_connector_request: + description: The properties vary depending on the connector type. + discriminator: + mapping: + .bedrock: '#/components/schemas/Connectors_create_connector_request_bedrock' + .cases-webhook: >- + #/components/schemas/Connectors_create_connector_request_cases_webhook + .d3security: '#/components/schemas/Connectors_create_connector_request_d3security' + .email: '#/components/schemas/Connectors_create_connector_request_email' + .gemini: '#/components/schemas/Connectors_create_connector_request_gemini' + .gen-ai: '#/components/schemas/Connectors_create_connector_request_genai' + .index: '#/components/schemas/Connectors_create_connector_request_index' + .jira: '#/components/schemas/Connectors_create_connector_request_jira' + .opsgenie: '#/components/schemas/Connectors_create_connector_request_opsgenie' + .pagerduty: '#/components/schemas/Connectors_create_connector_request_pagerduty' + .resilient: '#/components/schemas/Connectors_create_connector_request_resilient' + .sentinelone: '#/components/schemas/Connectors_create_connector_request_sentinelone' + .server-log: '#/components/schemas/Connectors_create_connector_request_serverlog' + .servicenow: 
'#/components/schemas/Connectors_create_connector_request_servicenow' + .servicenow-itom: >- + #/components/schemas/Connectors_create_connector_request_servicenow_itom + .servicenow-sir: >- + #/components/schemas/Connectors_create_connector_request_servicenow_sir + .slack: >- + #/components/schemas/Connectors_create_connector_request_slack_webhook + .slack_api: '#/components/schemas/Connectors_create_connector_request_slack_api' + .swimlane: '#/components/schemas/Connectors_create_connector_request_swimlane' + .teams: '#/components/schemas/Connectors_create_connector_request_teams' + .tines: '#/components/schemas/Connectors_create_connector_request_tines' + .torq: '#/components/schemas/Connectors_create_connector_request_torq' + .webhook: '#/components/schemas/Connectors_create_connector_request_webhook' + .xmatters: '#/components/schemas/Connectors_create_connector_request_xmatters' + propertyName: connector_type_id + oneOf: + - $ref: '#/components/schemas/Connectors_create_connector_request_bedrock' + - $ref: '#/components/schemas/Connectors_create_connector_request_gemini' + - $ref: >- + #/components/schemas/Connectors_create_connector_request_cases_webhook + - $ref: '#/components/schemas/Connectors_create_connector_request_d3security' + - $ref: '#/components/schemas/Connectors_create_connector_request_email' + - $ref: '#/components/schemas/Connectors_create_connector_request_genai' + - $ref: '#/components/schemas/Connectors_create_connector_request_index' + - $ref: '#/components/schemas/Connectors_create_connector_request_jira' + - $ref: '#/components/schemas/Connectors_create_connector_request_opsgenie' + - $ref: '#/components/schemas/Connectors_create_connector_request_pagerduty' + - $ref: '#/components/schemas/Connectors_create_connector_request_resilient' + - $ref: '#/components/schemas/Connectors_create_connector_request_sentinelone' + - $ref: '#/components/schemas/Connectors_create_connector_request_serverlog' + - $ref: 
'#/components/schemas/Connectors_create_connector_request_servicenow' + - $ref: >- + #/components/schemas/Connectors_create_connector_request_servicenow_itom + - $ref: >- + #/components/schemas/Connectors_create_connector_request_servicenow_sir + - $ref: '#/components/schemas/Connectors_create_connector_request_slack_api' + - $ref: >- + #/components/schemas/Connectors_create_connector_request_slack_webhook + - $ref: '#/components/schemas/Connectors_create_connector_request_swimlane' + - $ref: '#/components/schemas/Connectors_create_connector_request_teams' + - $ref: '#/components/schemas/Connectors_create_connector_request_tines' + - $ref: '#/components/schemas/Connectors_create_connector_request_torq' + - $ref: '#/components/schemas/Connectors_create_connector_request_webhook' + - $ref: '#/components/schemas/Connectors_create_connector_request_xmatters' + title: Create connector request body properties + Connectors_create_connector_request_bedrock: + description: >- + The Amazon Bedrock connector uses axios to send a POST request to Amazon + Bedrock. + properties: + config: + $ref: '#/components/schemas/Connectors_config_properties_bedrock' + connector_type_id: + description: The type of connector. + enum: + - .bedrock + example: .bedrock + type: string + name: + description: The display name for the connector. + example: my-connector + type: string + secrets: + $ref: '#/components/schemas/Connectors_secrets_properties_bedrock' + required: + - config + - connector_type_id + - name + - secrets + title: Create Amazon Bedrock connector request + type: object + Connectors_create_connector_request_cases_webhook: + description: > + The Webhook - Case Management connector uses axios to send POST, PUT, + and GET requests to a case management RESTful API web service. + properties: + config: + $ref: '#/components/schemas/Connectors_config_properties_cases_webhook' + connector_type_id: + description: The type of connector. 
+ enum: + - .cases-webhook + example: .cases-webhook + type: string + name: + description: The display name for the connector. + example: my-connector + type: string + secrets: + $ref: '#/components/schemas/Connectors_secrets_properties_cases_webhook' + required: + - config + - connector_type_id + - name + title: Create Webhook - Case Managment connector request + type: object + Connectors_create_connector_request_d3security: + description: > + The connector uses axios to send a POST request to a D3 Security + endpoint. + properties: + config: + $ref: '#/components/schemas/Connectors_config_properties_d3security' + connector_type_id: + description: The type of connector. + enum: + - .d3security + example: .d3security + type: string + name: + description: The display name for the connector. + example: my-connector + type: string + secrets: + $ref: '#/components/schemas/Connectors_secrets_properties_d3security' + required: + - config + - connector_type_id + - name + - secrets + title: Create D3 Security connector request + type: object + Connectors_create_connector_request_email: + description: > + The email connector uses the SMTP protocol to send mail messages, using + an integration of Nodemailer. An exception is Microsoft Exchange, which + uses HTTP protocol for sending emails, Send mail. Email message text is + sent as both plain text and html text. + properties: + config: + $ref: '#/components/schemas/Connectors_config_properties_email' + connector_type_id: + description: The type of connector. + enum: + - .email + example: .email + type: string + name: + description: The display name for the connector. 
+ example: my-connector + type: string + secrets: + $ref: '#/components/schemas/Connectors_secrets_properties_email' + required: + - config + - connector_type_id + - name + - secrets + title: Create email connector request + type: object + Connectors_create_connector_request_gemini: + description: >- + The Google Gemini connector uses axios to send a POST request to Google + Gemini. + properties: + config: + $ref: '#/components/schemas/Connectors_config_properties_gemini' + connector_type_id: + description: The type of connector. + enum: + - .gemini + example: .gemini + type: string + name: + description: The display name for the connector. + example: my-connector + type: string + secrets: + $ref: '#/components/schemas/Connectors_secrets_properties_gemini' + required: + - config + - connector_type_id + - name + - secrets + title: Create Google Gemini connector request + type: object + Connectors_create_connector_request_genai: + description: > + The OpenAI connector uses axios to send a POST request to either OpenAI + or Azure OpenAPI. + properties: + config: + $ref: '#/components/schemas/Connectors_config_properties_genai' + connector_type_id: + description: The type of connector. + enum: + - .gen-ai + example: .gen-ai + type: string + name: + description: The display name for the connector. + example: my-connector + type: string + secrets: + $ref: '#/components/schemas/Connectors_secrets_properties_genai' + required: + - config + - connector_type_id + - name + - secrets + title: Create OpenAI connector request + type: object + Connectors_create_connector_request_index: + description: The index connector indexes a document into Elasticsearch. + properties: + config: + $ref: '#/components/schemas/Connectors_config_properties_index' + connector_type_id: + description: The type of connector. + enum: + - .index + example: .index + type: string + name: + description: The display name for the connector. 
+ example: my-connector + type: string + required: + - config + - connector_type_id + - name + title: Create index connector request + type: object + Connectors_create_connector_request_jira: + description: The Jira connector uses the REST API v2 to create Jira issues. + properties: + config: + $ref: '#/components/schemas/Connectors_config_properties_jira' + connector_type_id: + description: The type of connector. + enum: + - .jira + example: .jira + type: string + name: + description: The display name for the connector. + example: my-connector + type: string + secrets: + $ref: '#/components/schemas/Connectors_secrets_properties_jira' + required: + - config + - connector_type_id + - name + - secrets + title: Create Jira connector request + type: object + Connectors_create_connector_request_opsgenie: + description: The Opsgenie connector uses the Opsgenie alert API. + properties: + config: + $ref: '#/components/schemas/Connectors_config_properties_opsgenie' + connector_type_id: + description: The type of connector. + enum: + - .opsgenie + example: .opsgenie + type: string + name: + description: The display name for the connector. + example: my-connector + type: string + secrets: + $ref: '#/components/schemas/Connectors_secrets_properties_opsgenie' + required: + - config + - connector_type_id + - name + - secrets + title: Create Opsgenie connector request + type: object + Connectors_create_connector_request_pagerduty: + description: > + The PagerDuty connector uses the v2 Events API to trigger, acknowledge, + and resolve PagerDuty alerts. + properties: + config: + $ref: '#/components/schemas/Connectors_config_properties_pagerduty' + connector_type_id: + description: The type of connector. + enum: + - .pagerduty + example: .pagerduty + type: string + name: + description: The display name for the connector. 
+ example: my-connector + type: string + secrets: + $ref: '#/components/schemas/Connectors_secrets_properties_pagerduty' + required: + - config + - connector_type_id + - name + - secrets + title: Create PagerDuty connector request + type: object + Connectors_create_connector_request_resilient: + description: >- + The IBM Resilient connector uses the RESILIENT REST v2 to create IBM + Resilient incidents. + properties: + config: + $ref: '#/components/schemas/Connectors_config_properties_resilient' + connector_type_id: + description: The type of connector. + enum: + - .resilient + example: .resilient + type: string + name: + description: The display name for the connector. + example: my-connector + type: string + secrets: + $ref: '#/components/schemas/Connectors_secrets_properties_resilient' + required: + - config + - connector_type_id + - name + - secrets + title: Create IBM Resilient connector request + type: object + Connectors_create_connector_request_sentinelone: + description: > + The SentinelOne connector communicates with SentinelOne Management + Console via REST API. This functionality is in technical preview and may + be changed or removed in a future release. Elastic will work to fix any + issues, but features in technical preview are not subject to the support + SLA of official GA features. + title: Create SentinelOne connector request + type: object + properties: + config: + $ref: '#/components/schemas/Connectors_config_properties_sentinelone' + connector_type_id: + description: The type of connector. + enum: + - .sentinelone + example: .sentinelone + type: string + name: + description: The display name for the connector. + example: my-connector + type: string + secrets: + $ref: '#/components/schemas/Connectors_secrets_properties_sentinelone' + required: + - config + - connector_type_id + - name + - secrets + x-technical-preview: true + Connectors_create_connector_request_serverlog: + description: This connector writes an entry to the Kibana server log. 
+ properties: + connector_type_id: + description: The type of connector. + enum: + - .server-log + example: .server-log + type: string + name: + description: The display name for the connector. + example: my-connector + type: string + required: + - connector_type_id + - name + title: Create server log connector request + type: object + Connectors_create_connector_request_servicenow: + description: > + The ServiceNow ITSM connector uses the import set API to create + ServiceNow incidents. You can use the connector for rule actions and + cases. + properties: + config: + $ref: '#/components/schemas/Connectors_config_properties_servicenow' + connector_type_id: + description: The type of connector. + enum: + - .servicenow + example: .servicenow + type: string + name: + description: The display name for the connector. + example: my-connector + type: string + secrets: + $ref: '#/components/schemas/Connectors_secrets_properties_servicenow' + required: + - config + - connector_type_id + - name + - secrets + title: Create ServiceNow ITSM connector request + type: object + Connectors_create_connector_request_servicenow_itom: + description: > + The ServiceNow ITOM connector uses the event API to create ServiceNow + events. You can use the connector for rule actions. + properties: + config: + $ref: '#/components/schemas/Connectors_config_properties_servicenow_itom' + connector_type_id: + description: The type of connector. + enum: + - .servicenow-itom + example: .servicenow-itom + type: string + name: + description: The display name for the connector. + example: my-connector + type: string + secrets: + $ref: '#/components/schemas/Connectors_secrets_properties_servicenow' + required: + - config + - connector_type_id + - name + - secrets + title: Create ServiceNow ITOM connector request + type: object + Connectors_create_connector_request_servicenow_sir: + description: > + The ServiceNow SecOps connector uses the import set API to create + ServiceNow security incidents. 
You can use the connector for rule + actions and cases. + properties: + config: + $ref: '#/components/schemas/Connectors_config_properties_servicenow' + connector_type_id: + description: The type of connector. + enum: + - .servicenow-sir + example: .servicenow-sir + type: string + name: + description: The display name for the connector. + example: my-connector + type: string + secrets: + $ref: '#/components/schemas/Connectors_secrets_properties_servicenow' + required: + - config + - connector_type_id + - name + - secrets + title: Create ServiceNow SecOps connector request + type: object + Connectors_create_connector_request_slack_api: + description: The Slack connector uses an API method to send Slack messages. + properties: + config: + $ref: '#/components/schemas/Connectors_config_properties_slack_api' + connector_type_id: + description: The type of connector. + enum: + - .slack_api + example: .slack_api + type: string + name: + description: The display name for the connector. + example: my-connector + type: string + secrets: + $ref: '#/components/schemas/Connectors_secrets_properties_slack_api' + required: + - connector_type_id + - name + - secrets + title: Create Slack connector request + type: object + Connectors_create_connector_request_slack_webhook: + description: The Slack connector uses Slack Incoming Webhooks. + properties: + connector_type_id: + description: The type of connector. + enum: + - .slack + example: .slack + type: string + name: + description: The display name for the connector. + example: my-connector + type: string + secrets: + $ref: '#/components/schemas/Connectors_secrets_properties_slack_webhook' + required: + - connector_type_id + - name + - secrets + title: Create Slack connector request + type: object + Connectors_create_connector_request_swimlane: + description: >- + The Swimlane connector uses the Swimlane REST API to create Swimlane + records. 
+ properties: + config: + $ref: '#/components/schemas/Connectors_config_properties_swimlane' + connector_type_id: + description: The type of connector. + enum: + - .swimlane + example: .swimlane + type: string + name: + description: The display name for the connector. + example: my-connector + type: string + secrets: + $ref: '#/components/schemas/Connectors_secrets_properties_swimlane' + required: + - config + - connector_type_id + - name + - secrets + title: Create Swimlane connector request + type: object + Connectors_create_connector_request_teams: + description: The Microsoft Teams connector uses Incoming Webhooks. + properties: + connector_type_id: + description: The type of connector. + enum: + - .teams + example: .teams + type: string + name: + description: The display name for the connector. + example: my-connector + type: string + secrets: + $ref: '#/components/schemas/Connectors_secrets_properties_teams' + required: + - connector_type_id + - name + - secrets + title: Create Microsoft Teams connector request + type: object + Connectors_create_connector_request_tines: + description: > + The Tines connector uses Tines Webhook actions to send events via POST + request. + properties: + config: + $ref: '#/components/schemas/Connectors_config_properties_tines' + connector_type_id: + description: The type of connector. + enum: + - .tines + example: .tines + type: string + name: + description: The display name for the connector. + example: my-connector + type: string + secrets: + $ref: '#/components/schemas/Connectors_secrets_properties_tines' + required: + - config + - connector_type_id + - name + - secrets + title: Create Tines connector request + type: object + Connectors_create_connector_request_torq: + description: > + The Torq connector uses a Torq webhook to trigger workflows with Kibana + actions. + properties: + config: + $ref: '#/components/schemas/Connectors_config_properties_torq' + connector_type_id: + description: The type of connector. 
+ enum: + - .torq + example: .torq + type: string + name: + description: The display name for the connector. + example: my-connector + type: string + secrets: + $ref: '#/components/schemas/Connectors_secrets_properties_torq' + required: + - config + - connector_type_id + - name + - secrets + title: Create Torq connector request + type: object + Connectors_create_connector_request_webhook: + description: > + The Webhook connector uses axios to send a POST or PUT request to a web + service. + properties: + config: + $ref: '#/components/schemas/Connectors_config_properties_webhook' + connector_type_id: + description: The type of connector. + enum: + - .webhook + example: .webhook + type: string + name: + description: The display name for the connector. + example: my-connector + type: string + secrets: + $ref: '#/components/schemas/Connectors_secrets_properties_webhook' + required: + - config + - connector_type_id + - name + - secrets + title: Create Webhook connector request + type: object + Connectors_create_connector_request_xmatters: + description: > + The xMatters connector uses the xMatters Workflow for Elastic to send + actionable alerts to on-call xMatters resources. + properties: + config: + $ref: '#/components/schemas/Connectors_config_properties_xmatters' + connector_type_id: + description: The type of connector. + enum: + - .xmatters + example: .xmatters + type: string + name: + description: The display name for the connector. + example: my-connector + type: string + secrets: + $ref: '#/components/schemas/Connectors_secrets_properties_xmatters' + required: + - config + - connector_type_id + - name + - secrets + title: Create xMatters connector request + type: object + Connectors_features: + description: | + The feature that uses the connector. 
+ enum: + - alerting + - cases + - generativeAIForSecurity + - generativeAIForObservability + - generativeAIForSearchPlayground + - siem + - uptime + type: string + Connectors_is_deprecated: + description: Indicates whether the connector type is deprecated. + example: false + type: boolean + Connectors_is_missing_secrets: + description: >- + Indicates whether secrets are missing for the connector. Secrets + configuration properties vary depending on the connector type. + example: false + type: boolean + Connectors_is_preconfigured: + description: > + Indicates whether it is a preconfigured connector. If true, the `config` + and `is_missing_secrets` properties are omitted from the response. + example: false + type: boolean + Connectors_is_system_action: + description: Indicates whether the connector is used for system actions. + example: false + type: boolean + Connectors_referenced_by_count: + description: > + Indicates the number of saved objects that reference the connector. If + `is_preconfigured` is true, this value is not calculated. This property + is returned only by the get all connectors API. + example: 2 + type: integer + Connectors_run_connector_params_acknowledge_resolve_pagerduty: + description: Test an action that acknowledges or resolves a PagerDuty alert. + properties: + dedupKey: + description: The deduplication key for the PagerDuty alert. + maxLength: 255 + type: string + eventAction: + description: The type of event. + enum: + - acknowledge + - resolve + type: string + required: + - dedupKey + - eventAction + title: PagerDuty connector parameters + type: object + Connectors_run_connector_params_documents: + description: Test an action that indexes a document into Elasticsearch. + properties: + documents: + description: The documents in JSON format for index connectors. 
+ items: + additionalProperties: true + type: object + type: array + required: + - documents + title: Index connector parameters + type: object + Connectors_run_connector_params_message_email: + anyOf: + - required: + - bcc + - message + - subject + - required: + - cc + - message + - subject + - required: + - to + - message + - subject + description: > + Test an action that sends an email message. There must be at least one + recipient in `to`, `cc`, or `bcc`. + properties: + bcc: + description: > + A list of "blind carbon copy" email addresses. Addresses can be + specified in `user@host-name` format or in name `` + format + items: + type: string + type: array + cc: + description: > + A list of "carbon copy" email addresses. Addresses can be specified + in `user@host-name` format or in name `` format + items: + type: string + type: array + message: + description: The email message text. Markdown format is supported. + type: string + subject: + description: The subject line of the email. + type: string + to: + description: > + A list of email addresses. Addresses can be specified in + `user@host-name` format or in name `` format. + items: + type: string + type: array + title: Email connector parameters + type: object + Connectors_run_connector_params_message_serverlog: + description: Test an action that writes an entry to the Kibana server log. + properties: + level: + default: info + description: The log level of the message for server log connectors. + enum: + - debug + - error + - fatal + - info + - trace + - warn + type: string + message: + description: The message for server log connectors. + type: string + required: + - message + title: Server log connector parameters + type: object + Connectors_run_connector_params_message_slack: + description: > + Test an action that sends a message to Slack. It is applicable only when + the connector type is `.slack`. 
+ properties: + message: + description: >- + The Slack message text, which cannot contain Markdown, images, or + other advanced formatting. + type: string + required: + - message + title: Slack connector parameters + type: object + Connectors_run_connector_params_trigger_pagerduty: + description: Test an action that triggers a PagerDuty alert. + properties: + class: + description: The class or type of the event. + example: cpu load + type: string + component: + description: >- + The component of the source machine that is responsible for the + event. + example: eth0 + type: string + customDetails: + description: Additional details to add to the event. + type: object + dedupKey: + description: > + All actions sharing this key will be associated with the same + PagerDuty alert. This value is used to correlate trigger and + resolution. + maxLength: 255 + type: string + eventAction: + description: The type of event. + enum: + - trigger + type: string + group: + description: The logical grouping of components of a service. + example: app-stack + type: string + links: + description: A list of links to add to the event. + items: + type: object + properties: + href: + description: The URL for the link. + type: string + text: + description: A plain text description of the purpose of the link. + type: string + type: array + severity: + default: info + description: The severity of the event on the affected system. + enum: + - critical + - error + - info + - warning + type: string + source: + description: > + The affected system, such as a hostname or fully qualified domain + name. Defaults to the Kibana saved object id of the action. + type: string + summary: + description: A summery of the event. + maxLength: 1024 + type: string + timestamp: + description: >- + An ISO-8601 timestamp that indicates when the event was detected or + generated. 
+ format: date-time + type: string + required: + - eventAction + title: PagerDuty connector parameters + type: object + Connectors_run_connector_request: + description: The properties vary depending on the connector type. + properties: + params: + oneOf: + - $ref: >- + #/components/schemas/Connectors_run_connector_params_acknowledge_resolve_pagerduty + - $ref: '#/components/schemas/Connectors_run_connector_params_documents' + - $ref: >- + #/components/schemas/Connectors_run_connector_params_message_email + - $ref: >- + #/components/schemas/Connectors_run_connector_params_message_serverlog + - $ref: >- + #/components/schemas/Connectors_run_connector_params_message_slack + - $ref: >- + #/components/schemas/Connectors_run_connector_params_trigger_pagerduty + - description: Test an action that involves a subaction. + discriminator: + mapping: + addEvent: >- + #/components/schemas/Connectors_run_connector_subaction_addevent + closeAlert: >- + #/components/schemas/Connectors_run_connector_subaction_closealert + closeIncident: >- + #/components/schemas/Connectors_run_connector_subaction_closeincident + createAlert: >- + #/components/schemas/Connectors_run_connector_subaction_createalert + fieldsByIssueType: >- + #/components/schemas/Connectors_run_connector_subaction_fieldsbyissuetype + getChoices: >- + #/components/schemas/Connectors_run_connector_subaction_getchoices + getFields: >- + #/components/schemas/Connectors_run_connector_subaction_getfields + getIncident: >- + #/components/schemas/Connectors_run_connector_subaction_getincident + issue: >- + #/components/schemas/Connectors_run_connector_subaction_issue + issues: >- + #/components/schemas/Connectors_run_connector_subaction_issues + issueTypes: >- + #/components/schemas/Connectors_run_connector_subaction_issuetypes + pushToService: >- + #/components/schemas/Connectors_run_connector_subaction_pushtoservice + propertyName: subAction + oneOf: + - $ref: >- + 
#/components/schemas/Connectors_run_connector_subaction_addevent + - $ref: >- + #/components/schemas/Connectors_run_connector_subaction_closealert + - $ref: >- + #/components/schemas/Connectors_run_connector_subaction_closeincident + - $ref: >- + #/components/schemas/Connectors_run_connector_subaction_createalert + - $ref: >- + #/components/schemas/Connectors_run_connector_subaction_fieldsbyissuetype + - $ref: >- + #/components/schemas/Connectors_run_connector_subaction_getchoices + - $ref: >- + #/components/schemas/Connectors_run_connector_subaction_getfields + - $ref: >- + #/components/schemas/Connectors_run_connector_subaction_getincident + - $ref: >- + #/components/schemas/Connectors_run_connector_subaction_issue + - $ref: >- + #/components/schemas/Connectors_run_connector_subaction_issues + - $ref: >- + #/components/schemas/Connectors_run_connector_subaction_issuetypes + - $ref: >- + #/components/schemas/Connectors_run_connector_subaction_postmessage + - $ref: >- + #/components/schemas/Connectors_run_connector_subaction_pushtoservice + - $ref: >- + #/components/schemas/Connectors_run_connector_subaction_validchannelid + title: Subaction parameters + required: + - params + title: Run connector request body properties + type: object + Connectors_run_connector_subaction_addevent: + description: The `addEvent` subaction for ServiceNow ITOM connectors. + title: The addEvent subaction + type: object + properties: + subAction: + description: The action to test. + enum: + - addEvent + type: string + subActionParams: + description: The set of configuration properties for the action. + type: object + properties: + additional_info: + description: Additional information about the event. + type: string + description: + description: The details about the event. + type: string + event_class: + description: A specific instance of the source. + type: string + message_key: + description: >- + All actions sharing this key are associated with the same + ServiceNow alert. 
The default value is `:`. + type: string + metric_name: + description: The name of the metric. + type: string + node: + description: The host that the event was triggered for. + type: string + resource: + description: The name of the resource. + type: string + severity: + description: The severity of the event. + type: string + source: + description: The name of the event source type. + type: string + time_of_event: + description: The time of the event. + type: string + type: + description: The type of event. + type: string + required: + - subAction + Connectors_run_connector_subaction_closealert: + description: The `closeAlert` subaction for Opsgenie connectors. + title: The closeAlert subaction + type: object + properties: + subAction: + description: The action to test. + enum: + - closeAlert + type: string + subActionParams: + type: object + properties: + alias: + description: >- + The unique identifier used for alert deduplication in Opsgenie. + The alias must match the value used when creating the alert. + type: string + note: + description: Additional information for the alert. + type: string + source: + description: The display name for the source of the alert. + type: string + user: + description: The display name for the owner. + type: string + required: + - alias + required: + - subAction + - subActionParams + Connectors_run_connector_subaction_closeincident: + description: The `closeIncident` subaction for ServiceNow ITSM connectors. + title: The closeIncident subaction + type: object + properties: + subAction: + description: The action to test. + enum: + - closeIncident + type: string + subActionParams: + type: object + properties: + incident: + anyOf: + - required: + - correlation_id + - required: + - externalId + type: object + properties: + correlation_id: + default: '{{rule.id}}:{{alert.id}}' + description: > + An identifier that is assigned to the incident when it is + created by the connector. 
NOTE: If you use the default value + and the rule generates multiple alerts that use the same + alert IDs, the latest open incident for this correlation ID + is closed unless you specify the external ID. + maxLength: 100 + nullable: true + type: string + externalId: + description: >- + The unique identifier (`incidentId`) for the incident in + ServiceNow. + nullable: true + type: string + required: + - incident + required: + - subAction + - subActionParams + Connectors_run_connector_subaction_createalert: + description: The `createAlert` subaction for Opsgenie connectors. + title: The createAlert subaction + type: object + properties: + subAction: + description: The action to test. + enum: + - createAlert + type: string + subActionParams: + type: object + properties: + actions: + description: The custom actions available to the alert. + items: + type: string + type: array + alias: + description: The unique identifier used for alert deduplication in Opsgenie. + type: string + description: + description: >- + A description that provides detailed information about the + alert. + type: string + details: + additionalProperties: true + description: The custom properties of the alert. + example: + key1: value1 + key2: value2 + type: object + entity: + description: >- + The domain of the alert. For example, the application or server + name. + type: string + message: + description: The alert message. + type: string + note: + description: Additional information for the alert. + type: string + priority: + description: The priority level for the alert. + enum: + - P1 + - P2 + - P3 + - P4 + - P5 + type: string + responders: + description: > + The entities to receive notifications about the alert. If `type` + is `user`, either `id` or `username` is required. If `type` is + `team`, either `id` or `name` is required. + items: + type: object + properties: + id: + description: The identifier for the entity. + type: string + name: + description: The name of the entity. 
+ type: string + type: + description: 'The type of responders, in this case `escalation`.' + enum: + - escalation + - schedule + - team + - user + type: string + username: + description: A valid email address for the user. + type: string + type: array + source: + description: The display name for the source of the alert. + type: string + tags: + description: The tags for the alert. + items: + type: string + type: array + user: + description: The display name for the owner. + type: string + visibleTo: + description: >- + The teams and users that the alert will be visible to without + sending a notification. Only one of `id`, `name`, or `username` + is required. + items: + type: object + properties: + id: + description: The identifier for the entity. + type: string + name: + description: The name of the entity. + type: string + type: + description: Valid values are `team` and `user`. + enum: + - team + - user + type: string + username: + description: >- + The user name. This property is required only when the + `type` is `user`. + type: string + required: + - type + type: array + required: + - message + required: + - subAction + - subActionParams + Connectors_run_connector_subaction_fieldsbyissuetype: + description: The `fieldsByIssueType` subaction for Jira connectors. + title: The fieldsByIssueType subaction + type: object + properties: + subAction: + description: The action to test. + enum: + - fieldsByIssueType + type: string + subActionParams: + type: object + properties: + id: + description: The Jira issue type identifier. + example: 10024 + type: string + required: + - id + required: + - subAction + - subActionParams + Connectors_run_connector_subaction_getchoices: + description: >- + The `getChoices` subaction for ServiceNow ITOM, ServiceNow ITSM, and + ServiceNow SecOps connectors. + title: The getChoices subaction + type: object + properties: + subAction: + description: The action to test. 
+ enum: + - getChoices + type: string + subActionParams: + description: The set of configuration properties for the action. + type: object + properties: + fields: + description: An array of fields. + items: + type: string + type: array + required: + - fields + required: + - subAction + - subActionParams + Connectors_run_connector_subaction_getfields: + description: >- + The `getFields` subaction for Jira, ServiceNow ITSM, and ServiceNow + SecOps connectors. + title: The getFields subaction + type: object + properties: + subAction: + description: The action to test. + enum: + - getFields + type: string + required: + - subAction + Connectors_run_connector_subaction_getincident: + description: >- + The `getIncident` subaction for Jira, ServiceNow ITSM, and ServiceNow + SecOps connectors. + properties: + subAction: + description: The action to test. + enum: + - getIncident + type: string + subActionParams: + type: object + properties: + externalId: + description: >- + The Jira, ServiceNow ITSM, or ServiceNow SecOps issue + identifier. + example: 71778 + type: string + required: + - externalId + required: + - subAction + - subActionParams + title: The getIncident subaction + type: object + Connectors_run_connector_subaction_issue: + description: The `issue` subaction for Jira connectors. + title: The issue subaction + type: object + properties: + subAction: + description: The action to test. + enum: + - issue + type: string + subActionParams: + type: object + properties: + id: + description: The Jira issue identifier. + example: 71778 + type: string + required: + - id + required: + - subAction + Connectors_run_connector_subaction_issues: + description: The `issues` subaction for Jira connectors. + title: The issues subaction + type: object + properties: + subAction: + description: The action to test. + enum: + - issues + type: string + subActionParams: + type: object + properties: + title: + description: The title of the Jira issue. 
type: string - esTypes: - - _id - scripted: false - searchable: true - aggregatable: false - readFromDocValues: false - format: - id: string - shortDotsEnable: false - isMapped: true - _index: - count: 0 - name: _index + required: + - title + required: + - subAction + - subActionParams + Connectors_run_connector_subaction_issuetypes: + description: The `issueTypes` subaction for Jira connectors. + title: The issueTypes subaction + type: object + properties: + subAction: + description: The action to test. + enum: + - issueTypes + type: string + required: + - subAction + Connectors_run_connector_subaction_postmessage: + description: > + Test an action that sends a message to Slack. It is applicable only when + the connector type is `.slack_api`. + properties: + subAction: + description: The action to test. + enum: + - postMessage + type: string + subActionParams: + description: The set of configuration properties for the action. + type: object + properties: + channelIds: + description: > + The Slack channel identifier, which must be one of the + `allowedChannels` in the connector configuration. + items: + type: string + maxItems: 1 + type: array + channels: + deprecated: true + description: | + The name of a channel that your Slack app has access to. + items: + type: string + maxItems: 1 + type: array + text: + description: > + The Slack message text. If it is a Slack webhook connector, the + text cannot contain Markdown, images, or other advanced + formatting. If it is a Slack web API connector, it can contain + either plain text or block kit messages. 
+ minLength: 1 type: string - esTypes: - - _index - scripted: false - searchable: true - aggregatable: true - readFromDocValues: false - format: - id: string - shortDotsEnable: false - isMapped: true - _score: - count: 0 - name: _score - type: number - scripted: false - searchable: false - aggregatable: false - readFromDocValues: false - format: - id: number - shortDotsEnable: false - isMapped: true - _source: - count: 0 - name: _source - type: _source - esTypes: - - _source - scripted: false - searchable: false - aggregatable: false - readFromDocValues: false - format: - id: _source - shortDotsEnable: false - isMapped: true - category: - count: 0 - name: category + required: + - subAction + - subActionParams + title: The postMessage subaction + type: object + Connectors_run_connector_subaction_pushtoservice: + description: >- + The `pushToService` subaction for Jira, ServiceNow ITSM, ServiceNow + SecOps, Swimlane, and Webhook - Case Management connectors. + title: The pushToService subaction + type: object + properties: + subAction: + description: The action to test. + enum: + - pushToService + type: string + subActionParams: + description: The set of configuration properties for the action. + type: object + properties: + comments: + description: >- + Additional information that is sent to Jira, ServiceNow ITSM, + ServiceNow SecOps, or Swimlane. + items: + type: object + properties: + comment: + description: >- + A comment related to the incident. For example, describe + how to troubleshoot the issue. + type: string + commentId: + description: A unique identifier for the comment. + type: integer + type: array + incident: + description: >- + Information necessary to create or update a Jira, ServiceNow + ITSM, ServiveNow SecOps, or Swimlane incident. + type: object + properties: + alertId: + description: The alert identifier for Swimlane connectors. + type: string + caseId: + description: >- + The case identifier for the incident for Swimlane + connectors. 
+ type: string + caseName: + description: The case name for the incident for Swimlane connectors. + type: string + category: + description: >- + The category of the incident for ServiceNow ITSM and + ServiceNow SecOps connectors. + type: string + correlation_display: + description: >- + A descriptive label of the alert for correlation purposes + for ServiceNow ITSM and ServiceNow SecOps connectors. + type: string + correlation_id: + description: > + The correlation identifier for the security incident for + ServiceNow ITSM and ServiveNow SecOps connectors. Connectors + using the same correlation ID are associated with the same + ServiceNow incident. This value determines whether a new + ServiceNow incident is created or an existing one is + updated. Modifying this value is optional; if not modified, + the rule ID and alert ID are combined as `{{ruleID}}:{{alert + ID}}` to form the correlation ID value in ServiceNow. The + maximum character length for this value is 100 characters. + NOTE: Using the default configuration of `{{ruleID}}:{{alert + ID}}` ensures that ServiceNow creates a separate incident + record for every generated alert that uses a unique alert + ID. If the rule generates multiple alerts that use the same + alert IDs, ServiceNow creates and continually updates a + single incident record for the alert. + type: string + description: + description: >- + The description of the incident for Jira, ServiceNow ITSM, + ServiceNow SecOps, Swimlane, and Webhook - Case Management + connectors. + type: string + dest_ip: + description: > + A list of destination IP addresses related to the security + incident for ServiceNow SecOps connectors. The IPs are added + as observables to the security incident. + oneOf: + - type: string + - items: + type: string + type: array + externalId: + description: > + The Jira, ServiceNow ITSM, or ServiceNow SecOps issue + identifier. If present, the incident is updated. Otherwise, + a new incident is created. 
+ type: string + id: + description: >- + The external case identifier for Webhook - Case Management + connectors. + type: string + impact: + description: The impact of the incident for ServiceNow ITSM connectors. + type: string + issueType: + description: >- + The type of incident for Jira connectors. For example, + 10006. To obtain the list of valid values, set `subAction` + to `issueTypes`. + type: integer + labels: + description: > + The labels for the incident for Jira connectors. NOTE: + Labels cannot contain spaces. + items: + type: string + type: array + malware_hash: + description: >- + A list of malware hashes related to the security incident + for ServiceNow SecOps connectors. The hashes are added as + observables to the security incident. + oneOf: + - type: string + - items: + type: string + type: array + malware_url: + description: >- + A list of malware URLs related to the security incident for + ServiceNow SecOps connectors. The URLs are added as + observables to the security incident. + oneOf: + - type: string + - items: + type: string + type: array + type: string + otherFields: + additionalProperties: true + description: > + Custom field identifiers and their values for Jira + connectors. + maxProperties: 20 + type: object + parent: + description: >- + The ID or key of the parent issue for Jira connectors. + Applies only to `Sub-task` types of issues. + type: string + priority: + description: >- + The priority of the incident in Jira and ServiceNow SecOps + connectors. + type: string + ruleName: + description: The rule name for Swimlane connectors. + type: string + severity: + description: >- + The severity of the incident for ServiceNow ITSM and + Swimlane connectors. + type: string + short_description: + description: > + A short description of the incident for ServiceNow ITSM and + ServiceNow SecOps connectors. It is used for searching the + contents of the knowledge base. 
+ type: string + source_ip: + description: >- + A list of source IP addresses related to the security + incident for ServiceNow SecOps connectors. The IPs are added + as observables to the security incident. + oneOf: + - type: string + - items: + type: string + type: array + status: + description: >- + The status of the incident for Webhook - Case Management + connectors. + type: string + subcategory: + description: >- + The subcategory of the incident for ServiceNow ITSM and + ServiceNow SecOps connectors. + type: string + summary: + description: A summary of the incident for Jira connectors. + type: string + tags: + description: A list of tags for Webhook - Case Management connectors. + items: + type: string + type: array + title: + description: > + A title for the incident for Jira and Webhook - Case + Management connectors. It is used for searching the contents + of the knowledge base. + type: string + urgency: + description: The urgency of the incident for ServiceNow ITSM connectors. + type: string + required: + - subAction + - subActionParams + Connectors_run_connector_subaction_validchannelid: + description: > + Retrieves information about a valid Slack channel identifier. It is + applicable only when the connector type is `.slack_api`. + properties: + subAction: + description: The action to test. + enum: + - validChannelId + type: string + subActionParams: + type: object + properties: + channelId: + description: The Slack channel identifier. + example: C123ABC456 type: string - esTypes: - - text - scripted: false - searchable: true - aggregatable: false - readFromDocValues: false - format: - id: string - shortDotsEnable: false - isMapped: true - category.keyword: - count: 0 - name: category.keyword + required: + - channelId + required: + - subAction + - subActionParams + title: The validChannelId subaction + type: object + Connectors_secrets_properties_bedrock: + description: Defines secrets for connectors when type is `.bedrock`. 
+ properties: + accessKey: + description: The AWS access key for authentication. + type: string + secret: + description: The AWS secret for authentication. + type: string + required: + - accessKey + - secret + title: Connector secrets properties for an Amazon Bedrock connector + type: object + Connectors_secrets_properties_cases_webhook: + title: Connector secrets properties for Webhook - Case Management connector + type: object + properties: + password: + description: >- + The password for HTTP basic authentication. If `hasAuth` is set to + `true`, this property is required. + type: string + user: + description: >- + The username for HTTP basic authentication. If `hasAuth` is set to + `true`, this property is required. + type: string + Connectors_secrets_properties_d3security: + description: Defines secrets for connectors when type is `.d3security`. + type: object + properties: + token: + description: The D3 Security token. + type: string + required: + - token + title: Connector secrets properties for a D3 Security connector + Connectors_secrets_properties_email: + description: Defines secrets for connectors when type is `.email`. + properties: + clientSecret: + description: > + The Microsoft Exchange Client secret for OAuth 2.0 client + credentials authentication. It must be URL-encoded. If `service` is + `exchange_server`, this property is required. + type: string + password: + description: > + The password for HTTP basic authentication. If `hasAuth` is set to + `true`, this property is required. + type: string + user: + description: > + The username for HTTP basic authentication. If `hasAuth` is set to + `true`, this property is required. + type: string + title: Connector secrets properties for an email connector + type: object + Connectors_secrets_properties_gemini: + description: Defines secrets for connectors when type is `.gemini`. + properties: + credentialsJSON: + description: >- + The service account credentials JSON file. 
The service account + should have Vertex AI user IAM role assigned to it. + type: string + required: + - credentialsJSON + title: Connector secrets properties for a Google Gemini connector + type: object + Connectors_secrets_properties_genai: + description: Defines secrets for connectors when type is `.gen-ai`. + properties: + apiKey: + description: The OpenAI API key. + type: string + title: Connector secrets properties for an OpenAI connector + type: object + Connectors_secrets_properties_jira: + description: Defines secrets for connectors when type is `.jira`. + type: object + properties: + apiToken: + description: The Jira API authentication token for HTTP basic authentication. + type: string + email: + description: The account email for HTTP Basic authentication. + type: string + required: + - apiToken + - email + title: Connector secrets properties for a Jira connector + Connectors_secrets_properties_opsgenie: + description: Defines secrets for connectors when type is `.opsgenie`. + type: object + properties: + apiKey: + description: The Opsgenie API authentication key for HTTP Basic authentication. + type: string + required: + - apiKey + title: Connector secrets properties for an Opsgenie connector + Connectors_secrets_properties_pagerduty: + description: Defines secrets for connectors when type is `.pagerduty`. + properties: + routingKey: + description: > + A 32 character PagerDuty Integration Key for an integration on a + service. + type: string + required: + - routingKey + title: Connector secrets properties for a PagerDuty connector + type: object + Connectors_secrets_properties_resilient: + description: Defines secrets for connectors when type is `.resilient`. + type: object + properties: + apiKeyId: + description: The authentication key ID for HTTP Basic authentication. + type: string + apiKeySecret: + description: The authentication key secret for HTTP Basic authentication. 
+ type: string + required: + - apiKeyId + - apiKeySecret + title: Connector secrets properties for IBM Resilient connector + Connectors_secrets_properties_sentinelone: + description: Defines secrets for connectors when type is `.sentinelone`. + properties: + token: + description: The A SentinelOne API token. + type: string + required: + - token + title: Connector secrets properties for a SentinelOne connector + type: object + Connectors_secrets_properties_servicenow: + description: >- + Defines secrets for connectors when type is `.servicenow`, + `.servicenow-sir`, or `.servicenow-itom`. + properties: + clientSecret: + description: >- + The client secret assigned to your OAuth application. This property + is required when `isOAuth` is `true`. + type: string + password: + description: >- + The password for HTTP basic authentication. This property is + required when `isOAuth` is `false`. + type: string + privateKey: + description: >- + The RSA private key that you created for use in ServiceNow. This + property is required when `isOAuth` is `true`. + type: string + privateKeyPassword: + description: >- + The password for the RSA private key. This property is required when + `isOAuth` is `true` and you set a password on your private key. + type: string + username: + description: >- + The username for HTTP basic authentication. This property is + required when `isOAuth` is `false`. + type: string + title: >- + Connector secrets properties for ServiceNow ITOM, ServiceNow ITSM, and + ServiceNow SecOps connectors + type: object + Connectors_secrets_properties_slack_api: + description: Defines secrets for connectors when type is `.slack`. + type: object + properties: + token: + description: Slack bot user OAuth token. + type: string + required: + - token + title: Connector secrets properties for a Web API Slack connector + Connectors_secrets_properties_slack_webhook: + description: Defines secrets for connectors when type is `.slack`. 
+ type: object + properties: + webhookUrl: + description: Slack webhook url. + type: string + required: + - webhookUrl + title: Connector secrets properties for a Webhook Slack connector + Connectors_secrets_properties_swimlane: + description: Defines secrets for connectors when type is `.swimlane`. + properties: + apiToken: + description: Swimlane API authentication token. + type: string + title: Connector secrets properties for a Swimlane connector + type: object + Connectors_secrets_properties_teams: + description: Defines secrets for connectors when type is `.teams`. + properties: + webhookUrl: + description: > + The URL of the incoming webhook. If you are using the + `xpack.actions.allowedHosts` setting, add the hostname to the + allowed hosts. + type: string + required: + - webhookUrl + title: Connector secrets properties for a Microsoft Teams connector + type: object + Connectors_secrets_properties_tines: + description: Defines secrets for connectors when type is `.tines`. + properties: + email: + description: The email used to sign in to Tines. + type: string + token: + description: The Tines API token. + type: string + required: + - email + - token + title: Connector secrets properties for a Tines connector + type: object + Connectors_secrets_properties_torq: + description: Defines secrets for connectors when type is `.torq`. + properties: + token: + description: The secret of the webhook authentication header. + type: string + required: + - token + title: Connector secrets properties for a Torq connector + type: object + Connectors_secrets_properties_webhook: + description: Defines secrets for connectors when type is `.webhook`. + properties: + crt: + description: >- + If `authType` is `webhook-authentication-ssl` and `certType` is + `ssl-crt-key`, it is a base64 encoded version of the CRT or CERT + file. 
+ type: string + key: + description: >- + If `authType` is `webhook-authentication-ssl` and `certType` is + `ssl-crt-key`, it is a base64 encoded version of the KEY file. + type: string + password: + description: > + The password for HTTP basic authentication or the passphrase for the + SSL certificate files. If `hasAuth` is set to `true` and `authType` + is `webhook-authentication-basic`, this property is required. + type: string + pfx: + description: >- + If `authType` is `webhook-authentication-ssl` and `certType` is + `ssl-pfx`, it is a base64 encoded version of the PFX or P12 file. + type: string + user: + description: > + The username for HTTP basic authentication. If `hasAuth` is set to + `true` and `authType` is `webhook-authentication-basic`, this + property is required. + type: string + title: Connector secrets properties for a Webhook connector + type: object + Connectors_secrets_properties_xmatters: + description: Defines secrets for connectors when type is `.xmatters`. + properties: + password: + description: > + A user name for HTTP basic authentication. It is applicable only + when `usesBasic` is `true`. + type: string + secretsUrl: + description: > + The request URL for the Elastic Alerts trigger in xMatters with the + API key included in the URL. It is applicable only when `usesBasic` + is `false`. + type: string + user: + description: > + A password for HTTP basic authentication. It is applicable only when + `usesBasic` is `true`. + type: string + title: Connector secrets properties for an xMatters connector + type: object + Connectors_update_connector_request: + description: The properties vary depending on the connector type. 
+ oneOf: + - $ref: '#/components/schemas/Connectors_update_connector_request_bedrock' + - $ref: '#/components/schemas/Connectors_update_connector_request_gemini' + - $ref: >- + #/components/schemas/Connectors_update_connector_request_cases_webhook + - $ref: '#/components/schemas/Connectors_update_connector_request_d3security' + - $ref: '#/components/schemas/Connectors_update_connector_request_email' + - $ref: '#/components/schemas/Connectors_create_connector_request_genai' + - $ref: '#/components/schemas/Connectors_update_connector_request_index' + - $ref: '#/components/schemas/Connectors_update_connector_request_jira' + - $ref: '#/components/schemas/Connectors_update_connector_request_opsgenie' + - $ref: '#/components/schemas/Connectors_update_connector_request_pagerduty' + - $ref: '#/components/schemas/Connectors_update_connector_request_resilient' + - $ref: '#/components/schemas/Connectors_update_connector_request_sentinelone' + - $ref: '#/components/schemas/Connectors_update_connector_request_serverlog' + - $ref: '#/components/schemas/Connectors_update_connector_request_servicenow' + - $ref: >- + #/components/schemas/Connectors_update_connector_request_servicenow_itom + - $ref: '#/components/schemas/Connectors_update_connector_request_slack_api' + - $ref: >- + #/components/schemas/Connectors_update_connector_request_slack_webhook + - $ref: '#/components/schemas/Connectors_update_connector_request_swimlane' + - $ref: '#/components/schemas/Connectors_update_connector_request_teams' + - $ref: '#/components/schemas/Connectors_update_connector_request_tines' + - $ref: '#/components/schemas/Connectors_update_connector_request_torq' + - $ref: '#/components/schemas/Connectors_update_connector_request_webhook' + - $ref: '#/components/schemas/Connectors_update_connector_request_xmatters' + title: Update connector request body properties + Connectors_update_connector_request_bedrock: + title: Update Amazon Bedrock connector request + type: object + properties: + config: + 
$ref: '#/components/schemas/Connectors_config_properties_bedrock' + name: + description: The display name for the connector. + type: string + secrets: + $ref: '#/components/schemas/Connectors_secrets_properties_bedrock' + required: + - config + - name + Connectors_update_connector_request_cases_webhook: + title: Update Webhook - Case Managment connector request + type: object + properties: + config: + $ref: '#/components/schemas/Connectors_config_properties_cases_webhook' + name: + description: The display name for the connector. + example: my-connector + type: string + secrets: + $ref: '#/components/schemas/Connectors_secrets_properties_cases_webhook' + required: + - config + - name + Connectors_update_connector_request_d3security: + title: Update D3 Security connector request + type: object + properties: + config: + $ref: '#/components/schemas/Connectors_config_properties_d3security' + name: + description: The display name for the connector. + type: string + secrets: + $ref: '#/components/schemas/Connectors_secrets_properties_d3security' + required: + - config + - name + - secrets + Connectors_update_connector_request_email: + title: Update email connector request + type: object + properties: + config: + $ref: '#/components/schemas/Connectors_config_properties_email' + name: + description: The display name for the connector. + type: string + secrets: + $ref: '#/components/schemas/Connectors_secrets_properties_email' + required: + - config + - name + Connectors_update_connector_request_gemini: + title: Update Google Gemini connector request + type: object + properties: + config: + $ref: '#/components/schemas/Connectors_config_properties_gemini' + name: + description: The display name for the connector. 
+ type: string + secrets: + $ref: '#/components/schemas/Connectors_secrets_properties_gemini' + required: + - config + - name + Connectors_update_connector_request_index: + title: Update index connector request + type: object + properties: + config: + $ref: '#/components/schemas/Connectors_config_properties_index' + name: + description: The display name for the connector. + type: string + required: + - config + - name + Connectors_update_connector_request_jira: + title: Update Jira connector request + type: object + properties: + config: + $ref: '#/components/schemas/Connectors_config_properties_jira' + name: + description: The display name for the connector. + type: string + secrets: + $ref: '#/components/schemas/Connectors_secrets_properties_jira' + required: + - config + - name + - secrets + Connectors_update_connector_request_opsgenie: + title: Update Opsgenie connector request + type: object + properties: + config: + $ref: '#/components/schemas/Connectors_config_properties_opsgenie' + name: + description: The display name for the connector. + type: string + secrets: + $ref: '#/components/schemas/Connectors_secrets_properties_opsgenie' + required: + - config + - name + - secrets + Connectors_update_connector_request_pagerduty: + title: Update PagerDuty connector request + type: object + properties: + config: + $ref: '#/components/schemas/Connectors_config_properties_pagerduty' + name: + description: The display name for the connector. + type: string + secrets: + $ref: '#/components/schemas/Connectors_secrets_properties_pagerduty' + required: + - config + - name + - secrets + Connectors_update_connector_request_resilient: + title: Update IBM Resilient connector request + type: object + properties: + config: + $ref: '#/components/schemas/Connectors_config_properties_resilient' + name: + description: The display name for the connector. 
+ type: string + secrets: + $ref: '#/components/schemas/Connectors_secrets_properties_resilient' + required: + - config + - name + - secrets + Connectors_update_connector_request_sentinelone: + title: Update SentinelOne connector request + type: object + properties: + config: + $ref: '#/components/schemas/Connectors_config_properties_sentinelone' + name: + description: The display name for the connector. + type: string + secrets: + $ref: '#/components/schemas/Connectors_secrets_properties_sentinelone' + required: + - config + - name + - secrets + Connectors_update_connector_request_serverlog: + title: Update server log connector request + type: object + properties: + name: + description: The display name for the connector. + type: string + required: + - name + Connectors_update_connector_request_servicenow: + title: Update ServiceNow ITSM connector or ServiceNow SecOps request + type: object + properties: + config: + $ref: '#/components/schemas/Connectors_config_properties_servicenow' + name: + description: The display name for the connector. + type: string + secrets: + $ref: '#/components/schemas/Connectors_secrets_properties_servicenow' + required: + - config + - name + - secrets + Connectors_update_connector_request_servicenow_itom: + title: Create ServiceNow ITOM connector request + type: object + properties: + config: + $ref: '#/components/schemas/Connectors_config_properties_servicenow_itom' + name: + description: The display name for the connector. + type: string + secrets: + $ref: '#/components/schemas/Connectors_secrets_properties_servicenow' + required: + - config + - name + - secrets + Connectors_update_connector_request_slack_api: + title: Update Slack connector request + type: object + properties: + config: + $ref: '#/components/schemas/Connectors_config_properties_slack_api' + name: + description: The display name for the connector. 
+ type: string + secrets: + $ref: '#/components/schemas/Connectors_secrets_properties_slack_api' + required: + - name + - secrets + Connectors_update_connector_request_slack_webhook: + title: Update Slack connector request + type: object + properties: + name: + description: The display name for the connector. + type: string + secrets: + $ref: '#/components/schemas/Connectors_secrets_properties_slack_webhook' + required: + - name + - secrets + Connectors_update_connector_request_swimlane: + title: Update Swimlane connector request + type: object + properties: + config: + $ref: '#/components/schemas/Connectors_config_properties_swimlane' + name: + description: The display name for the connector. + example: my-connector + type: string + secrets: + $ref: '#/components/schemas/Connectors_secrets_properties_swimlane' + required: + - config + - name + - secrets + Connectors_update_connector_request_teams: + title: Update Microsoft Teams connector request + type: object + properties: + name: + description: The display name for the connector. + type: string + secrets: + $ref: '#/components/schemas/Connectors_secrets_properties_teams' + required: + - name + - secrets + Connectors_update_connector_request_tines: + title: Update Tines connector request + type: object + properties: + config: + $ref: '#/components/schemas/Connectors_config_properties_tines' + name: + description: The display name for the connector. + type: string + secrets: + $ref: '#/components/schemas/Connectors_secrets_properties_tines' + required: + - config + - name + - secrets + Connectors_update_connector_request_torq: + title: Update Torq connector request + type: object + properties: + config: + $ref: '#/components/schemas/Connectors_config_properties_torq' + name: + description: The display name for the connector. 
+ type: string + secrets: + $ref: '#/components/schemas/Connectors_secrets_properties_torq' + required: + - config + - name + - secrets + Connectors_update_connector_request_webhook: + title: Update Webhook connector request + type: object + properties: + config: + $ref: '#/components/schemas/Connectors_config_properties_webhook' + name: + description: The display name for the connector. + type: string + secrets: + $ref: '#/components/schemas/Connectors_secrets_properties_webhook' + required: + - config + - name + - secrets + Connectors_update_connector_request_xmatters: + title: Update xMatters connector request + type: object + properties: + config: + $ref: '#/components/schemas/Connectors_config_properties_xmatters' + name: + description: The display name for the connector. + type: string + secrets: + $ref: '#/components/schemas/Connectors_secrets_properties_xmatters' + required: + - config + - name + - secrets + Data_views_400_response: + title: Bad request + type: object + properties: + error: + example: Bad Request + type: string + message: + type: string + statusCode: + example: 400 + type: number + required: + - statusCode + - error + - message + Data_views_404_response: + type: object + properties: + error: + enum: + - Not Found + example: Not Found + type: string + message: + example: >- + Saved object [index-pattern/caaad6d0-920c-11ed-b36a-874bd1548a00] + not found + type: string + statusCode: + enum: + - 404 + example: 404 + type: integer + Data_views_allownoindex: + description: Allows the data view saved object to exist before the data is available. + type: boolean + Data_views_create_data_view_request_object: + title: Create data view request + type: object + properties: + data_view: + description: The data view object. 
+ type: object + properties: + allowNoIndex: + $ref: '#/components/schemas/Data_views_allownoindex' + fieldAttrs: + additionalProperties: + $ref: '#/components/schemas/Data_views_fieldattrs' + type: object + fieldFormats: + $ref: '#/components/schemas/Data_views_fieldformats' + fields: + type: object + id: type: string - esTypes: - - keyword - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - subType: - multi: - parent: category - format: - id: string - shortDotsEnable: false - isMapped: true - currency: - count: 0 - name: currency + name: + description: The data view name. type: string - esTypes: - - keyword - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: string - shortDotsEnable: false - isMapped: true - customer_birth_date: - count: 0 - name: customer_birth_date - type: date - esTypes: - - date - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: date - shortDotsEnable: false - isMapped: true - customer_first_name: - count: 0 - name: customer_first_name + namespaces: + $ref: '#/components/schemas/Data_views_namespaces' + runtimeFieldMap: + additionalProperties: + $ref: '#/components/schemas/Data_views_runtimefieldmap' + type: object + sourceFilters: + $ref: '#/components/schemas/Data_views_sourcefilters' + timeFieldName: + $ref: '#/components/schemas/Data_views_timefieldname' + title: + $ref: '#/components/schemas/Data_views_title' + type: + $ref: '#/components/schemas/Data_views_type' + typeMeta: + $ref: '#/components/schemas/Data_views_typemeta' + version: type: string - esTypes: - - text - scripted: false - searchable: true - aggregatable: false - readFromDocValues: false - format: - id: string - shortDotsEnable: false - isMapped: true - customer_first_name.keyword: - count: 0 - name: customer_first_name.keyword + required: + - title + override: + default: false + description: >- + Override an existing data view if a data view 
with the provided + title already exists. + type: boolean + required: + - data_view + Data_views_data_view_response_object: + title: Data view response properties + type: object + properties: + data_view: + type: object + properties: + allowNoIndex: + $ref: '#/components/schemas/Data_views_allownoindex' + fieldAttrs: + additionalProperties: + $ref: '#/components/schemas/Data_views_fieldattrs' + type: object + fieldFormats: + $ref: '#/components/schemas/Data_views_fieldformats' + fields: + type: object + id: + example: ff959d40-b880-11e8-a6d9-e546fe2bba5f type: string - esTypes: - - keyword - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - subType: - multi: - parent: customer_first_name - format: - id: string - shortDotsEnable: false - isMapped: true - customer_full_name: - count: 0 - name: customer_full_name + name: + description: The data view name. type: string - esTypes: - - text - scripted: false - searchable: true - aggregatable: false - readFromDocValues: false - format: - id: string - shortDotsEnable: false - isMapped: true - customer_full_name.keyword: - count: 0 - name: customer_full_name.keyword + namespaces: + $ref: '#/components/schemas/Data_views_namespaces' + runtimeFieldMap: + additionalProperties: + $ref: '#/components/schemas/Data_views_runtimefieldmap' + type: object + sourceFilters: + $ref: '#/components/schemas/Data_views_sourcefilters' + timeFieldName: + $ref: '#/components/schemas/Data_views_timefieldname' + title: + $ref: '#/components/schemas/Data_views_title' + typeMeta: + $ref: '#/components/schemas/Data_views_typemeta_response' + version: + example: WzQ2LDJd type: string - esTypes: - - keyword - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - subType: - multi: - parent: customer_full_name - format: - id: string - shortDotsEnable: false - isMapped: true - customer_gender: - count: 0 - name: customer_gender + Data_views_fieldattrs: + description: A map of field 
attributes by field name. + type: object + properties: + count: + description: Popularity count for the field. + type: integer + customDescription: + description: Custom description for the field. + maxLength: 300 + type: string + customLabel: + description: Custom label for the field. + type: string + Data_views_fieldformats: + description: A map of field formats by field name. + type: object + Data_views_namespaces: + description: >- + An array of space identifiers for sharing the data view between multiple + spaces. + items: + default: default + type: string + type: array + Data_views_runtimefieldmap: + description: A map of runtime field definitions by field name. + type: object + properties: + script: + type: object + properties: + source: + description: Script for the runtime field. type: string - esTypes: - - keyword - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: string - shortDotsEnable: false - isMapped: true - customer_id: - count: 0 - name: customer_id + type: + description: Mapping type of the runtime field. + type: string + required: + - script + - type + Data_views_sourcefilters: + description: The array of field names you want to filter out in Discover. + items: + type: object + properties: + value: + type: string + required: + - value + type: array + Data_views_swap_data_view_request_object: + title: Data view reference swap request + type: object + properties: + delete: + description: Deletes referenced saved object if all references are removed. + type: boolean + forId: + description: Limit the affected saved objects to one or more by identifier. + oneOf: + - type: string + - items: + type: string + type: array + forType: + description: Limit the affected saved objects by type. + type: string + fromId: + description: The saved object reference to change. + type: string + fromType: + description: > + Specify the type of the saved object reference to alter. 
The default + value is `index-pattern` for data views. + type: string + toId: + description: New saved object reference value to replace the old value. + type: string + required: + - fromId + - toId + Data_views_timefieldname: + description: 'The timestamp field name, which you use for time-based data views.' + type: string + Data_views_title: + description: >- + Comma-separated list of data streams, indices, and aliases that you want + to search. Supports wildcards (`*`). + type: string + Data_views_type: + description: 'When set to `rollup`, identifies the rollup data views.' + type: string + Data_views_typemeta: + description: >- + When you use rollup indices, contains the field list for the rollup data + view API endpoints. + type: object + properties: + aggs: + description: A map of rollup restrictions by aggregation type and field name. + type: object + params: + description: Properties for retrieving rollup fields. + type: object + required: + - aggs + - params + Data_views_typemeta_response: + description: >- + When you use rollup indices, contains the field list for the rollup data + view API endpoints. + nullable: true + type: object + properties: + aggs: + description: A map of rollup restrictions by aggregation type and field name. + type: object + params: + description: Properties for retrieving rollup fields. + type: object + Data_views_update_data_view_request_object: + title: Update data view request + type: object + properties: + data_view: + description: > + The data view properties you want to update. Only the specified + properties are updated in the data view. Unspecified fields stay as + they are persisted. 
+ type: object + properties: + allowNoIndex: + $ref: '#/components/schemas/Data_views_allownoindex' + fieldFormats: + $ref: '#/components/schemas/Data_views_fieldformats' + fields: + type: object + name: type: string - esTypes: - - keyword - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: string - shortDotsEnable: false - isMapped: true - customer_last_name: - count: 0 - name: customer_last_name + runtimeFieldMap: + additionalProperties: + $ref: '#/components/schemas/Data_views_runtimefieldmap' + type: object + sourceFilters: + $ref: '#/components/schemas/Data_views_sourcefilters' + timeFieldName: + $ref: '#/components/schemas/Data_views_timefieldname' + title: + $ref: '#/components/schemas/Data_views_title' + type: + $ref: '#/components/schemas/Data_views_type' + typeMeta: + $ref: '#/components/schemas/Data_views_typemeta' + refresh_fields: + default: false + description: Reloads the data view fields after the data view is updated. + type: boolean + required: + - data_view + Kibana_HTTP_APIs_core_status_redactedResponse: + additionalProperties: false + description: A minimal representation of Kibana's operational status. + type: object + properties: + status: + additionalProperties: false + type: object + properties: + overall: + additionalProperties: false + type: object + properties: + level: + description: Service status levels as human and machine readable values. + enum: + - available + - degraded + - unavailable + - critical + type: string + required: + - level + required: + - overall + required: + - status + Kibana_HTTP_APIs_core_status_response: + additionalProperties: false + description: >- + Kibana's operational status as well as a detailed breakdown of plugin + statuses indication of various loads (like event loop utilization and + network traffic) at time of request. + type: object + properties: + metrics: + additionalProperties: false + description: Metric groups collected by Kibana. 
+ type: object + properties: + collection_interval_in_millis: + description: The interval at which metrics should be collected. + type: number + elasticsearch_client: + additionalProperties: false + description: Current network metrics of Kibana's Elasticsearch client. + type: object + properties: + totalActiveSockets: + description: Count of network sockets currently in use. + type: number + totalIdleSockets: + description: Count of network sockets currently idle. + type: number + totalQueuedRequests: + description: Count of requests not yet assigned to sockets. + type: number + required: + - totalActiveSockets + - totalIdleSockets + - totalQueuedRequests + last_updated: + description: The time metrics were collected. type: string - esTypes: - - text - scripted: false - searchable: true - aggregatable: false - readFromDocValues: false - format: - id: string - shortDotsEnable: false - isMapped: true - customer_last_name.keyword: - count: 0 - name: customer_last_name.keyword + required: + - elasticsearch_client + - last_updated + - collection_interval_in_millis + name: + description: Kibana instance name. + type: string + status: + additionalProperties: false + type: object + properties: + core: + additionalProperties: false + description: Statuses of core Kibana services. + type: object + properties: + elasticsearch: + additionalProperties: false + type: object + properties: + detail: + description: Human readable detail of the service status. + type: string + documentationUrl: + description: A URL to further documentation regarding this service. + type: string + level: + description: >- + Service status levels as human and machine readable + values. + enum: + - available + - degraded + - unavailable + - critical + type: string + meta: + additionalProperties: {} + description: >- + An unstructured set of extra metadata about this + service. + type: object + summary: + description: A human readable summary of the service status. 
+ type: string + required: + - level + - summary + - meta + savedObjects: + additionalProperties: false + type: object + properties: + detail: + description: Human readable detail of the service status. + type: string + documentationUrl: + description: A URL to further documentation regarding this service. + type: string + level: + description: >- + Service status levels as human and machine readable + values. + enum: + - available + - degraded + - unavailable + - critical + type: string + meta: + additionalProperties: {} + description: >- + An unstructured set of extra metadata about this + service. + type: object + summary: + description: A human readable summary of the service status. + type: string + required: + - level + - summary + - meta + required: + - elasticsearch + - savedObjects + overall: + additionalProperties: false + type: object + properties: + detail: + description: Human readable detail of the service status. + type: string + documentationUrl: + description: A URL to further documentation regarding this service. + type: string + level: + description: Service status levels as human and machine readable values. + enum: + - available + - degraded + - unavailable + - critical + type: string + meta: + additionalProperties: {} + description: An unstructured set of extra metadata about this service. + type: object + summary: + description: A human readable summary of the service status. + type: string + required: + - level + - summary + - meta + plugins: + additionalProperties: + additionalProperties: false + type: object + properties: + detail: + description: Human readable detail of the service status. + type: string + documentationUrl: + description: A URL to further documentation regarding this service. + type: string + level: + description: >- + Service status levels as human and machine readable + values. 
+ enum: + - available + - degraded + - unavailable + - critical + type: string + meta: + additionalProperties: {} + description: An unstructured set of extra metadata about this service. + type: object + summary: + description: A human readable summary of the service status. + type: string + required: + - level + - summary + - meta + description: A dynamic mapping of plugin ID to plugin status. + type: object + required: + - overall + - core + - plugins + uuid: + description: >- + Unique, generated Kibana instance UUID. This UUID should persist + even if the Kibana process restarts. + type: string + version: + additionalProperties: false + type: object + properties: + build_date: + description: The date and time of this build. type: string - esTypes: - - keyword - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - subType: - multi: - parent: customer_last_name - format: - id: string - shortDotsEnable: false - isMapped: true - customer_phone: - count: 0 - name: customer_phone + build_flavor: + description: >- + The build flavour determines configuration and behavior of + Kibana. On premise users will almost always run the + "traditional" flavour, while other flavours are reserved for + Elastic-specific use cases. + enum: + - serverless + - traditional type: string - esTypes: - - keyword - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: string - shortDotsEnable: false - isMapped: true - day_of_week: - count: 0 - name: day_of_week + build_hash: + description: >- + A unique hash value representing the git commit of this Kibana + build. type: string - esTypes: - - keyword - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: string - shortDotsEnable: false - isMapped: true - day_of_week_i: - count: 0 - name: day_of_week_i + build_number: + description: >- + A monotonically increasing number, each subsequent build will + have a higher number. 
type: number - esTypes: - - integer - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: number - shortDotsEnable: false - isMapped: true - email: - count: 0 - name: email - type: string - esTypes: - - keyword - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: string - shortDotsEnable: false - isMapped: true - event.dataset: - count: 0 - name: event.dataset + build_snapshot: + description: Whether this build is a snapshot build. + type: boolean + number: + description: A semantic version number. type: string - esTypes: - - keyword - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: string - shortDotsEnable: false - isMapped: true - geoip.city_name: - count: 0 - name: geoip.city_name + required: + - number + - build_hash + - build_number + - build_snapshot + - build_flavor + - build_date + required: + - name + - uuid + - version + - status + - metrics + Machine_learning_APIs_mlSync200Response: + properties: + datafeedsAdded: + additionalProperties: + $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseDatafeeds' + description: >- + If a saved object for an anomaly detection job is missing a datafeed + identifier, it is added when you run the sync machine learning saved + objects API. + type: object + datafeedsRemoved: + additionalProperties: + $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseDatafeeds' + description: >- + If a saved object for an anomaly detection job references a datafeed + that no longer exists, it is deleted when you run the sync machine + learning saved objects API. 
+ type: object + savedObjectsCreated: + $ref: >- + #/components/schemas/Machine_learning_APIs_mlSyncResponseSavedObjectsCreated + savedObjectsDeleted: + $ref: >- + #/components/schemas/Machine_learning_APIs_mlSyncResponseSavedObjectsDeleted + title: Successful sync API response + type: object + Machine_learning_APIs_mlSync4xxResponse: + properties: + error: + example: Unauthorized + type: string + message: + type: string + statusCode: + example: 401 + type: integer + title: Unsuccessful sync API response + type: object + Machine_learning_APIs_mlSyncResponseAnomalyDetectors: + description: >- + The sync machine learning saved objects API response contains this + object when there are anomaly detection jobs affected by the + synchronization. There is an object for each relevant job, which + contains the synchronization status. + properties: + success: + $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess' + title: Sync API response for anomaly detection jobs + type: object + Machine_learning_APIs_mlSyncResponseDatafeeds: + description: >- + The sync machine learning saved objects API response contains this + object when there are datafeeds affected by the synchronization. There + is an object for each relevant datafeed, which contains the + synchronization status. + properties: + success: + $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess' + title: Sync API response for datafeeds + type: object + Machine_learning_APIs_mlSyncResponseDataFrameAnalytics: + description: >- + The sync machine learning saved objects API response contains this + object when there are data frame analytics jobs affected by the + synchronization. There is an object for each relevant job, which + contains the synchronization status. 
+ properties: + success: + $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess' + title: Sync API response for data frame analytics jobs + type: object + Machine_learning_APIs_mlSyncResponseSavedObjectsCreated: + description: >- + If saved objects are missing for machine learning jobs or trained + models, they are created when you run the sync machine learning saved + objects API. + properties: + anomaly-detector: + additionalProperties: + $ref: >- + #/components/schemas/Machine_learning_APIs_mlSyncResponseAnomalyDetectors + description: >- + If saved objects are missing for anomaly detection jobs, they are + created. + type: object + data-frame-analytics: + additionalProperties: + $ref: >- + #/components/schemas/Machine_learning_APIs_mlSyncResponseDataFrameAnalytics + description: >- + If saved objects are missing for data frame analytics jobs, they are + created. + type: object + trained-model: + additionalProperties: + $ref: >- + #/components/schemas/Machine_learning_APIs_mlSyncResponseTrainedModels + description: 'If saved objects are missing for trained models, they are created.' + type: object + title: Sync API response for created saved objects + type: object + Machine_learning_APIs_mlSyncResponseSavedObjectsDeleted: + description: >- + If saved objects exist for machine learning jobs or trained models that + no longer exist, they are deleted when you run the sync machine learning + saved objects API. + properties: + anomaly-detector: + additionalProperties: + $ref: >- + #/components/schemas/Machine_learning_APIs_mlSyncResponseAnomalyDetectors + description: >- + If there are saved objects exist for nonexistent anomaly detection + jobs, they are deleted. + type: object + data-frame-analytics: + additionalProperties: + $ref: >- + #/components/schemas/Machine_learning_APIs_mlSyncResponseDataFrameAnalytics + description: >- + If there are saved objects exist for nonexistent data frame + analytics jobs, they are deleted. 
+ type: object + trained-model: + additionalProperties: + $ref: >- + #/components/schemas/Machine_learning_APIs_mlSyncResponseTrainedModels + description: >- + If there are saved objects exist for nonexistent trained models, + they are deleted. + type: object + title: Sync API response for deleted saved objects + type: object + Machine_learning_APIs_mlSyncResponseSuccess: + description: The success or failure of the synchronization. + type: boolean + Machine_learning_APIs_mlSyncResponseTrainedModels: + description: >- + The sync machine learning saved objects API response contains this + object when there are trained models affected by the synchronization. + There is an object for each relevant trained model, which contains the + synchronization status. + properties: + success: + $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess' + title: Sync API response for trained models + type: object + Saved_objects_400_response: + title: Bad request + type: object + properties: + error: + enum: + - Bad Request + type: string + message: + type: string + statusCode: + enum: + - 400 + type: integer + required: + - error + - message + - statusCode + Saved_objects_attributes: + description: > + The data that you want to create. WARNING: When you create saved + objects, attributes are not validated, which allows you to pass + arbitrary and ill-formed data into the API that can break Kibana. Make + sure any data that you send to the API is properly formed. + type: object + Saved_objects_initial_namespaces: + description: > + Identifiers for the spaces in which this object is created. If this is + provided, the object is created only in the explicitly defined spaces. + If this is not provided, the object is created in the current space + (default behavior). For shareable object types (registered with + `namespaceType: 'multiple'`), this option can be used to specify one or + more spaces, including the "All spaces" identifier ('*'). 
For isolated + object types (registered with `namespaceType: 'single'` or + `namespaceType: 'multiple-isolated'`), this option can only be used to + specify a single space, and the "All spaces" identifier ('*') is not + allowed. For global object types (`registered with `namespaceType: + agnostic`), this option cannot be used. + type: array + Saved_objects_references: + description: > + Objects with `name`, `id`, and `type` properties that describe the other + saved objects that this object references. Use `name` in attributes to + refer to the other saved object, but never the `id`, which can update + automatically during migrations or import and export. + type: array + Security_AI_Assistant_API_AnonymizationFieldCreateProps: + type: object + properties: + allowed: + type: boolean + anonymized: + type: boolean + field: + type: string + required: + - field + Security_AI_Assistant_API_AnonymizationFieldDetailsInError: + type: object + properties: + id: + type: string + name: + type: string + required: + - id + Security_AI_Assistant_API_AnonymizationFieldResponse: + type: object + properties: + allowed: + type: boolean + anonymized: + type: boolean + createdAt: + type: string + createdBy: + type: string + field: + type: string + id: + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + namespace: + description: Kibana space + type: string + timestamp: + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + updatedAt: + type: string + updatedBy: + type: string + required: + - id + - field + Security_AI_Assistant_API_AnonymizationFieldsBulkActionSkipReason: + enum: + - ANONYMIZATION_FIELD_NOT_MODIFIED + type: string + Security_AI_Assistant_API_AnonymizationFieldsBulkActionSkipResult: + type: object + properties: + id: + type: string + name: + type: string + skip_reason: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkActionSkipReason + required: + - id + - skip_reason + 
Security_AI_Assistant_API_AnonymizationFieldsBulkCrudActionResponse: + type: object + properties: + anonymization_fields_count: + type: integer + attributes: + type: object + properties: + errors: + items: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_NormalizedAnonymizationFieldError + type: array + results: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkCrudActionResults + summary: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_BulkCrudActionSummary + required: + - results + - summary + message: + type: string + status_code: + type: integer + success: + type: boolean + required: + - attributes + Security_AI_Assistant_API_AnonymizationFieldsBulkCrudActionResults: + type: object + properties: + created: + items: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse + type: array + deleted: + items: + type: string + type: array + skipped: + items: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkActionSkipResult + type: array + updated: + items: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse + type: array + required: + - updated + - created + - deleted + - skipped + Security_AI_Assistant_API_AnonymizationFieldUpdateProps: + type: object + properties: + allowed: + type: boolean + anonymized: + type: boolean + id: + type: string + required: + - id + Security_AI_Assistant_API_ApiConfig: + type: object + properties: + actionTypeId: + description: action type id + type: string + connectorId: + description: connector id + type: string + defaultSystemPromptId: + description: defaultSystemPromptId + type: string + model: + description: model + type: string + provider: + $ref: '#/components/schemas/Security_AI_Assistant_API_Provider' + description: Provider + required: + - connectorId + - actionTypeId + Security_AI_Assistant_API_BulkCrudActionSummary: + type: object + properties: + failed: + type: integer + 
skipped: + type: integer + succeeded: + type: integer + total: + type: integer + required: + - failed + - skipped + - succeeded + - total + Security_AI_Assistant_API_ChatCompleteProps: + type: object + properties: + connectorId: + type: string + conversationId: + type: string + isStream: + type: boolean + langSmithApiKey: + type: string + langSmithProject: + type: string + messages: + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_ChatMessage' + type: array + model: + type: string + persist: + type: boolean + promptId: + type: string + responseLanguage: + type: string + required: + - messages + - persist + - connectorId + Security_AI_Assistant_API_ChatMessage: + description: AI assistant message. + type: object + properties: + content: + description: Message content. + type: string + data: + $ref: '#/components/schemas/Security_AI_Assistant_API_MessageData' + description: ECS object to attach to the context of the message. + fields_to_anonymize: + items: + type: string + type: array + role: + $ref: '#/components/schemas/Security_AI_Assistant_API_ChatMessageRole' + description: Message role. + required: + - role + Security_AI_Assistant_API_ChatMessageRole: + description: Message role. + enum: + - system + - user + - assistant + type: string + Security_AI_Assistant_API_ConversationCategory: + description: The conversation category. + enum: + - assistant + - insights + type: string + Security_AI_Assistant_API_ConversationConfidence: + description: The conversation confidence. + enum: + - low + - medium + - high + type: string + Security_AI_Assistant_API_ConversationCreateProps: + type: object + properties: + apiConfig: + $ref: '#/components/schemas/Security_AI_Assistant_API_ApiConfig' + description: LLM API configuration. + category: + $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationCategory' + description: The conversation category. + excludeFromLastConversationStorage: + description: excludeFromLastConversationStorage. 
+ type: boolean + id: + description: The conversation id. + type: string + isDefault: + description: Is default conversation. + type: boolean + messages: + description: The conversation messages. + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_Message' + type: array + replacements: + $ref: '#/components/schemas/Security_AI_Assistant_API_Replacements' + title: + description: The conversation title. + type: string + required: + - title + Security_AI_Assistant_API_ConversationResponse: + type: object + properties: + apiConfig: + $ref: '#/components/schemas/Security_AI_Assistant_API_ApiConfig' + description: LLM API configuration. + category: + $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationCategory' + description: The conversation category. + createdAt: + description: The last time conversation was updated. + type: string + excludeFromLastConversationStorage: + description: excludeFromLastConversationStorage. + type: boolean + id: + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + isDefault: + description: Is default conversation. + type: boolean + messages: + description: The conversation messages. + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_Message' + type: array + namespace: + description: Kibana space + type: string + replacements: + $ref: '#/components/schemas/Security_AI_Assistant_API_Replacements' + summary: + $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationSummary' + timestamp: + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + title: + description: The conversation title. + type: string + updatedAt: + description: The last time conversation was updated. 
+ type: string + users: + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_User' + type: array + required: + - id + - title + - createdAt + - users + - namespace + - category + Security_AI_Assistant_API_ConversationSummary: + type: object + properties: + confidence: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_ConversationConfidence + description: >- + How confident you are about this being a correct and useful + learning. + content: + description: Summary text of the conversation over time. + type: string + public: + description: Define if summary is marked as publicly available. + type: boolean + timestamp: + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + description: The timestamp summary was updated. + Security_AI_Assistant_API_ConversationUpdateProps: + type: object + properties: + apiConfig: + $ref: '#/components/schemas/Security_AI_Assistant_API_ApiConfig' + description: LLM API configuration. + category: + $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationCategory' + description: The conversation category. + excludeFromLastConversationStorage: + description: excludeFromLastConversationStorage. + type: boolean + id: + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + messages: + description: The conversation messages. + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_Message' + type: array + replacements: + $ref: '#/components/schemas/Security_AI_Assistant_API_Replacements' + summary: + $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationSummary' + title: + description: The conversation title. 
+ type: string + required: + - id + Security_AI_Assistant_API_FindAnonymizationFieldsSortField: + enum: + - created_at + - anonymized + - allowed + - field + - updated_at + type: string + Security_AI_Assistant_API_FindConversationsSortField: + enum: + - created_at + - is_default + - title + - updated_at + type: string + Security_AI_Assistant_API_FindPromptsSortField: + enum: + - created_at + - is_default + - name + - updated_at + type: string + Security_AI_Assistant_API_Message: + description: AI assistant conversation message. + type: object + properties: + content: + description: Message content. + type: string + isError: + description: Is error message. + type: boolean + reader: + $ref: '#/components/schemas/Security_AI_Assistant_API_Reader' + description: Message content. + role: + $ref: '#/components/schemas/Security_AI_Assistant_API_MessageRole' + description: Message role. + timestamp: + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + description: The timestamp message was sent or received. + traceData: + $ref: '#/components/schemas/Security_AI_Assistant_API_TraceData' + description: trace Data + required: + - timestamp + - content + - role + Security_AI_Assistant_API_MessageData: + additionalProperties: true + type: object + Security_AI_Assistant_API_MessageRole: + description: Message role. + enum: + - system + - user + - assistant + type: string + Security_AI_Assistant_API_NonEmptyString: + description: A string that is not empty and does not contain only whitespace + minLength: 1 + pattern: ^(?! 
*$).+$ + type: string + Security_AI_Assistant_API_NormalizedAnonymizationFieldError: + type: object + properties: + anonymization_fields: + items: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldDetailsInError + type: array + err_code: + type: string + message: + type: string + status_code: + type: integer + required: + - message + - status_code + - anonymization_fields + Security_AI_Assistant_API_NormalizedPromptError: + type: object + properties: + err_code: + type: string + message: + type: string + prompts: + items: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_PromptDetailsInError + type: array + status_code: + type: integer + required: + - message + - status_code + - prompts + Security_AI_Assistant_API_PromptCreateProps: + type: object + properties: + categories: + items: + type: string + type: array + color: + type: string + consumer: + type: string + content: + type: string + isDefault: + type: boolean + isNewConversationDefault: + type: boolean + name: + type: string + promptType: + $ref: '#/components/schemas/Security_AI_Assistant_API_PromptType' + required: + - name + - content + - promptType + Security_AI_Assistant_API_PromptDetailsInError: + type: object + properties: + id: + type: string + name: + type: string + required: + - id + Security_AI_Assistant_API_PromptResponse: + type: object + properties: + categories: + items: + type: string + type: array + color: + type: string + consumer: + type: string + content: + type: string + createdAt: + type: string + createdBy: + type: string + id: + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + isDefault: + type: boolean + isNewConversationDefault: + type: boolean + name: + type: string + namespace: + description: Kibana space + type: string + promptType: + $ref: '#/components/schemas/Security_AI_Assistant_API_PromptType' + timestamp: + $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' + updatedAt: + type: string + 
updatedBy: + type: string + users: + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_User' + type: array + required: + - id + - name + - promptType + - content + Security_AI_Assistant_API_PromptsBulkActionSkipReason: + enum: + - PROMPT_FIELD_NOT_MODIFIED + type: string + Security_AI_Assistant_API_PromptsBulkActionSkipResult: + type: object + properties: + id: + type: string + name: + type: string + skip_reason: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_PromptsBulkActionSkipReason + required: + - id + - skip_reason + Security_AI_Assistant_API_PromptsBulkCrudActionResponse: + type: object + properties: + attributes: + type: object + properties: + errors: + items: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_NormalizedPromptError + type: array + results: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_PromptsBulkCrudActionResults + summary: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_BulkCrudActionSummary + required: + - results + - summary + message: + type: string + prompts_count: + type: integer + status_code: + type: integer + success: + type: boolean + required: + - attributes + Security_AI_Assistant_API_PromptsBulkCrudActionResults: + type: object + properties: + created: + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_PromptResponse' + type: array + deleted: + items: + type: string + type: array + skipped: + items: + $ref: >- + #/components/schemas/Security_AI_Assistant_API_PromptsBulkActionSkipResult + type: array + updated: + items: + $ref: '#/components/schemas/Security_AI_Assistant_API_PromptResponse' + type: array + required: + - updated + - created + - deleted + - skipped + Security_AI_Assistant_API_PromptType: + description: Prompt type + enum: + - system + - quick + type: string + Security_AI_Assistant_API_PromptUpdateProps: + type: object + properties: + categories: + items: + type: string + type: array + color: + type: string + consumer: + type: string + 
content: + type: string + id: + type: string + isDefault: + type: boolean + isNewConversationDefault: + type: boolean + required: + - id + Security_AI_Assistant_API_Provider: + description: Provider + enum: + - OpenAI + - Azure OpenAI + type: string + Security_AI_Assistant_API_Reader: + additionalProperties: true + type: object + Security_AI_Assistant_API_Replacements: + additionalProperties: + type: string + description: Replacements object used to anonymize/deanomymize messsages + type: object + Security_AI_Assistant_API_SortOrder: + enum: + - asc + - desc + type: string + Security_AI_Assistant_API_TraceData: + description: trace Data + type: object + properties: + traceId: + description: 'Could be any string, not necessarily a UUID' + type: string + transactionId: + description: 'Could be any string, not necessarily a UUID' + type: string + Security_AI_Assistant_API_User: + description: 'Could be any string, not necessarily a UUID' + type: object + properties: + id: + description: User id + type: string + name: + description: User name + type: string + Security_Solution_Detections_API_AlertAssignees: + type: object + properties: + add: + description: A list of users ids to assign. + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_NonEmptyString + type: array + remove: + description: A list of users ids to unassign. + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_NonEmptyString + type: array + required: + - add + - remove + Security_Solution_Detections_API_AlertIds: + description: A list of alerts ids. + items: + $ref: '#/components/schemas/Security_Solution_Detections_API_NonEmptyString' + minItems: 1 + type: array + Security_Solution_Detections_API_AlertsIndex: + deprecated: true + description: (deprecated) Has no effect. 
+ type: string + Security_Solution_Detections_API_AlertsIndexMigrationError: + type: object + properties: + error: + type: object + properties: + message: type: string - esTypes: - - keyword - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: string - shortDotsEnable: false - isMapped: true - geoip.continent_name: - count: 0 - name: geoip.continent_name + status_code: type: string - esTypes: - - keyword - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: string - shortDotsEnable: false - isMapped: true - geoip.country_iso_code: - count: 0 - name: geoip.country_iso_code + required: + - message + - status_code + index: + type: string + required: + - index + - error + Security_Solution_Detections_API_AlertsIndexMigrationSuccess: + type: object + properties: + index: + type: string + migration_id: + type: string + migration_index: + type: string + required: + - index + - migration_id + - migration_index + Security_Solution_Detections_API_AlertsIndexNamespace: + description: Has no effect. 
+ type: string + Security_Solution_Detections_API_AlertsReindexOptions: + type: object + properties: + requests_per_second: + minimum: 1 + type: integer + size: + minimum: 1 + type: integer + slices: + minimum: 1 + type: integer + Security_Solution_Detections_API_AlertsSort: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsSortCombinations + - items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsSortCombinations + type: array + Security_Solution_Detections_API_AlertsSortCombinations: + anyOf: + - type: string + - additionalProperties: true + type: object + Security_Solution_Detections_API_AlertStatus: + enum: + - open + - closed + - acknowledged + - in-progress + type: string + Security_Solution_Detections_API_AlertSuppression: + type: object + properties: + duration: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertSuppressionDuration + group_by: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertSuppressionGroupBy + missing_fields_strategy: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertSuppressionMissingFieldsStrategy + required: + - group_by + Security_Solution_Detections_API_AlertSuppressionDuration: + type: object + properties: + unit: + enum: + - s + - m + - h + type: string + value: + minimum: 1 + type: integer + required: + - value + - unit + Security_Solution_Detections_API_AlertSuppressionGroupBy: + items: + type: string + maxItems: 3 + minItems: 1 + type: array + Security_Solution_Detections_API_AlertSuppressionMissingFieldsStrategy: + description: >- + Describes how alerts will be generated for documents with missing + suppress by fields: + + doNotSuppress - per each document a separate alert will be created + + suppress - only alert will be created per suppress by bucket + enum: + - doNotSuppress + - suppress + type: string + Security_Solution_Detections_API_AlertTag: + $ref: 
'#/components/schemas/Security_Solution_Detections_API_NonEmptyString' + Security_Solution_Detections_API_AlertTags: + items: + $ref: '#/components/schemas/Security_Solution_Detections_API_AlertTag' + type: array + Security_Solution_Detections_API_AlertVersion: + type: object + properties: + count: + type: integer + version: + type: integer + required: + - version + - count + Security_Solution_Detections_API_AnomalyThreshold: + description: Anomaly threshold + minimum: 0 + type: integer + Security_Solution_Detections_API_BuildingBlockType: + description: >- + Determines if the rule acts as a building block. By default, + building-block alerts are not displayed in the UI. These rules are used + as a foundation for other rules that do generate alerts. Its value must + be default. + type: string + Security_Solution_Detections_API_BulkActionEditPayload: + anyOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_BulkActionEditPayloadTags + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_BulkActionEditPayloadIndexPatterns + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_BulkActionEditPayloadInvestigationFields + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_BulkActionEditPayloadTimeline + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_BulkActionEditPayloadRuleActions + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_BulkActionEditPayloadSchedule + Security_Solution_Detections_API_BulkActionEditPayloadIndexPatterns: + type: object + properties: + overwrite_data_views: + type: boolean + type: + enum: + - add_index_patterns + - delete_index_patterns + - set_index_patterns + type: string + value: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IndexPatternArray + required: + - type + - value + Security_Solution_Detections_API_BulkActionEditPayloadInvestigationFields: + type: object + properties: + type: + enum: + - add_investigation_fields 
+ - delete_investigation_fields + - set_investigation_fields + type: string + value: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + required: + - type + - value + Security_Solution_Detections_API_BulkActionEditPayloadRuleActions: + type: object + properties: + type: + enum: + - add_rule_actions + - set_rule_actions + type: string + value: + type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_NormalizedRuleAction + type: array + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThrottleForBulkActions + required: + - actions + required: + - type + - value + Security_Solution_Detections_API_BulkActionEditPayloadSchedule: + type: object + properties: + type: + enum: + - set_schedule + type: string + value: + type: object + properties: + interval: + description: >- + Interval in which the rule runs. For example, `"1h"` means the + rule runs every hour. + example: 1h + pattern: '^[1-9]\d*[smh]$' type: string - esTypes: - - keyword - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: string - shortDotsEnable: false - isMapped: true - geoip.location: - count: 0 - name: geoip.location - type: geo_point - esTypes: - - geo_point - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: geo_point - params: - transform: wkt - shortDotsEnable: false - isMapped: true - geoip.region_name: - count: 0 - name: geoip.region_name + lookback: + description: Lookback time for the rule + example: 1h + pattern: '^[1-9]\d*[smh]$' type: string - esTypes: - - keyword - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: string - shortDotsEnable: false - isMapped: true - manufacturer: - count: 0 - name: manufacturer + required: + - interval + - lookback + required: + - type + - value + 
Security_Solution_Detections_API_BulkActionEditPayloadTags: + type: object + properties: + type: + enum: + - add_tags + - delete_tags + - set_tags + type: string + value: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleTagArray' + required: + - type + - value + Security_Solution_Detections_API_BulkActionEditPayloadTimeline: + type: object + properties: + type: + enum: + - set_timeline + type: string + value: + type: object + properties: + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + required: + - timeline_id + - timeline_title + required: + - type + - value + Security_Solution_Detections_API_BulkActionsDryRunErrCode: + enum: + - IMMUTABLE + - MACHINE_LEARNING_AUTH + - MACHINE_LEARNING_INDEX_PATTERN + - ESQL_INDEX_PATTERN + - MANUAL_RULE_RUN_FEATURE + - MANUAL_RULE_RUN_DISABLED_RULE + type: string + Security_Solution_Detections_API_BulkActionSkipResult: + type: object + properties: + id: + type: string + name: + type: string + skip_reason: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BulkEditSkipReason + required: + - id + - skip_reason + Security_Solution_Detections_API_BulkCrudRulesResponse: + items: + oneOf: + - $ref: '#/components/schemas/Security_Solution_Detections_API_RuleResponse' + - $ref: '#/components/schemas/Security_Solution_Detections_API_ErrorSchema' + type: array + Security_Solution_Detections_API_BulkDeleteRules: + type: object + properties: + action: + enum: + - delete + type: string + ids: + description: Array of rule IDs + items: + type: string + minItems: 1 + type: array + query: + description: Query to filter rules + type: string + required: + - action + Security_Solution_Detections_API_BulkDisableRules: + type: object + properties: + action: + enum: + - disable + type: string + ids: + description: Array of rule IDs + items: + type: string + 
minItems: 1 + type: array + query: + description: Query to filter rules + type: string + required: + - action + Security_Solution_Detections_API_BulkDuplicateRules: + type: object + properties: + action: + enum: + - duplicate + type: string + duplicate: + type: object + properties: + include_exceptions: + description: Whether to copy exceptions from the original rule + type: boolean + include_expired_exceptions: + description: Whether to copy expired exceptions from the original rule + type: boolean + required: + - include_exceptions + - include_expired_exceptions + ids: + description: Array of rule IDs + items: + type: string + minItems: 1 + type: array + query: + description: Query to filter rules + type: string + required: + - action + Security_Solution_Detections_API_BulkEditActionResponse: + type: object + properties: + attributes: + type: object + properties: + errors: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_NormalizedRuleError + type: array + results: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BulkEditActionResults + summary: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BulkEditActionSummary + required: + - results + - summary + message: + type: string + rules_count: + type: integer + status_code: + type: integer + success: + type: boolean + required: + - attributes + Security_Solution_Detections_API_BulkEditActionResults: + type: object + properties: + created: + items: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleResponse' + type: array + deleted: + items: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleResponse' + type: array + skipped: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BulkActionSkipResult + type: array + updated: + items: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleResponse' + type: array + required: + - updated + - created + - deleted + - skipped + 
Security_Solution_Detections_API_BulkEditActionSummary: + type: object + properties: + failed: + type: integer + skipped: + type: integer + succeeded: + type: integer + total: + type: integer + required: + - failed + - skipped + - succeeded + - total + Security_Solution_Detections_API_BulkEditRules: + type: object + properties: + action: + enum: + - edit + type: string + edit: + description: Array of objects containing the edit operations + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BulkActionEditPayload + minItems: 1 + type: array + ids: + description: Array of rule IDs + items: + type: string + minItems: 1 + type: array + query: + description: Query to filter rules + type: string + required: + - action + - edit + Security_Solution_Detections_API_BulkEditSkipReason: + enum: + - RULE_NOT_MODIFIED + type: string + Security_Solution_Detections_API_BulkEnableRules: + type: object + properties: + action: + enum: + - enable + type: string + ids: + description: Array of rule IDs + items: + type: string + minItems: 1 + type: array + query: + description: Query to filter rules + type: string + required: + - action + Security_Solution_Detections_API_BulkExportActionResponse: + type: string + Security_Solution_Detections_API_BulkExportRules: + type: object + properties: + action: + enum: + - export + type: string + ids: + description: Array of rule IDs + items: + type: string + minItems: 1 + type: array + query: + description: Query to filter rules + type: string + required: + - action + Security_Solution_Detections_API_BulkManualRuleRun: + type: object + properties: + action: + enum: + - run + type: string + ids: + description: Array of rule IDs + items: + type: string + minItems: 1 + type: array + query: + description: Query to filter rules + type: string + run: + type: object + properties: + end_date: + description: End date of the manual rule run type: string - esTypes: - - text - scripted: false - searchable: true - aggregatable: false - 
readFromDocValues: false - format: - id: string - shortDotsEnable: false - isMapped: true - manufacturer.keyword: - count: 0 - name: manufacturer.keyword + start_date: + description: Start date of the manual rule run type: string - esTypes: - - keyword - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - subType: - multi: - parent: manufacturer - format: - id: string - shortDotsEnable: false - isMapped: true - order_date: - count: 0 - name: order_date - type: date - esTypes: - - date - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: date - shortDotsEnable: false - isMapped: true - order_id: - count: 0 - name: order_id + required: + - start_date + required: + - action + - run + Security_Solution_Detections_API_ConcurrentSearches: + minimum: 1 + type: integer + Security_Solution_Detections_API_DataViewId: + type: string + Security_Solution_Detections_API_DefaultParams: + type: object + properties: + command: + enum: + - isolate + type: string + comment: + type: string + required: + - command + Security_Solution_Detections_API_EcsMapping: + additionalProperties: + type: object + properties: + field: + type: string + value: + oneOf: + - type: string + - items: + type: string + type: array + type: object + Security_Solution_Detections_API_EndpointResponseAction: + type: object + properties: + action_type_id: + enum: + - .endpoint + type: string + params: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_DefaultParams + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ProcessesParams + required: + - action_type_id + - params + Security_Solution_Detections_API_EqlOptionalFields: + type: object + properties: + alert_suppression: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertSuppression + data_view_id: + $ref: '#/components/schemas/Security_Solution_Detections_API_DataViewId' + event_category_override: + $ref: >- + 
#/components/schemas/Security_Solution_Detections_API_EventCategoryOverride + filters: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFilterArray + index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IndexPatternArray + tiebreaker_field: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TiebreakerField + timestamp_field: + $ref: '#/components/schemas/Security_Solution_Detections_API_TimestampField' + Security_Solution_Detections_API_EqlQueryLanguage: + enum: + - eql + type: string + Security_Solution_Detections_API_EqlRequiredFields: + type: object + properties: + language: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_EqlQueryLanguage + description: Query language to use + query: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleQuery' + description: EQL query to execute + type: + description: Rule type + enum: + - eql + type: string + required: + - type + - query + - language + Security_Solution_Detections_API_EqlRule: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + 
#/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + 
#/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + required: + - name + - description + - risk_score + - severity + - version + - tags + - enabled + - risk_score_mapping + - severity_mapping + - interval + - from + - to + - actions + - exceptions_list + - author + - false_positives + - references + - max_signals + - threat + - setup + - related_integrations + - required_fields + - $ref: '#/components/schemas/Security_Solution_Detections_API_ResponseFields' + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_EqlRuleResponseFields + Security_Solution_Detections_API_EqlRuleCreateFields: + allOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_EqlRequiredFields + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_EqlOptionalFields + Security_Solution_Detections_API_EqlRuleCreateProps: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + 
#/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: 
>- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + required: + - name + - description + - risk_score + - severity + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_EqlRuleCreateFields + Security_Solution_Detections_API_EqlRulePatchFields: + 
allOf: + - type: object + properties: + language: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_EqlQueryLanguage + description: Query language to use + query: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleQuery' + description: EQL query to execute + type: + description: Rule type + enum: + - eql type: string - esTypes: - - keyword - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: string - shortDotsEnable: false - isMapped: true - products._id: - count: 0 - name: products._id + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_EqlOptionalFields + Security_Solution_Detections_API_EqlRulePatchProps: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleObjectId + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + 
investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + 
#/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_EqlRulePatchFields + Security_Solution_Detections_API_EqlRuleResponseFields: + allOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_EqlRequiredFields + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_EqlOptionalFields + Security_Solution_Detections_API_EqlRuleUpdateProps: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + 
#/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleObjectId + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + rule_name_override: + $ref: >- + 
#/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + required: + - name + - description + - risk_score + - severity + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_EqlRuleCreateFields + Security_Solution_Detections_API_ErrorSchema: + additionalProperties: false + type: object + properties: + error: + type: object + properties: + message: type: string - esTypes: - - text - scripted: false - searchable: true - aggregatable: false - readFromDocValues: false - format: - id: string - shortDotsEnable: false - isMapped: true - products._id.keyword: - count: 0 - name: products._id.keyword + status_code: + minimum: 400 + type: integer + required: + - status_code + - message + id: + type: string + item_id: + minLength: 1 + type: string + list_id: + minLength: 1 + type: string 
+ rule_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + required: + - error + Security_Solution_Detections_API_EsqlQueryLanguage: + enum: + - esql + type: string + Security_Solution_Detections_API_EsqlRule: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + 
#/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + 
#/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + required: + - name + - description + - risk_score + - severity + - version + - tags + - enabled + - risk_score_mapping + - severity_mapping + - interval + - from + - to + - actions + - exceptions_list + - author + - false_positives + - references + - max_signals + - threat + - setup + - related_integrations + - required_fields + - $ref: '#/components/schemas/Security_Solution_Detections_API_ResponseFields' + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_EsqlRuleResponseFields + Security_Solution_Detections_API_EsqlRuleCreateFields: + allOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_EsqlRuleOptionalFields + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_EsqlRuleRequiredFields + Security_Solution_Detections_API_EsqlRuleCreateProps: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + 
$ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: 
'#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + required: + - name + - description + - risk_score + - severity + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_EsqlRuleCreateFields + Security_Solution_Detections_API_EsqlRuleOptionalFields: + type: object + properties: + alert_suppression: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertSuppression + Security_Solution_Detections_API_EsqlRulePatchProps: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + 
#/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleObjectId + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + language: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_EsqlQueryLanguage + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + query: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleQuery' + description: ESQL query to execute + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + 
#/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + type: + description: Rule type + enum: + - esql + type: string + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_EsqlRuleOptionalFields + Security_Solution_Detections_API_EsqlRuleRequiredFields: + 
type: object + properties: + language: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_EsqlQueryLanguage + query: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleQuery' + description: ESQL query to execute + type: + description: Rule type + enum: + - esql + type: string + required: + - type + - language + - query + Security_Solution_Detections_API_EsqlRuleResponseFields: + allOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_EsqlRuleOptionalFields + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_EsqlRuleRequiredFields + Security_Solution_Detections_API_EsqlRuleUpdateProps: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleObjectId + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + 
#/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + 
#/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + required: + - name + - description + - risk_score + - severity + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_EsqlRuleCreateFields + Security_Solution_Detections_API_EventCategoryOverride: + type: string + Security_Solution_Detections_API_ExceptionListType: + description: The exception type + enum: + - detection + - rule_default + - endpoint + - endpoint_trusted_apps + - endpoint_events + - endpoint_host_isolation_exceptions + - endpoint_blocklists + type: string + Security_Solution_Detections_API_ExternalRuleSource: + description: >- + Type of rule source for externally sourced rules, i.e. rules that have + an external source, such as the Elastic Prebuilt rules repo. 
+ type: object + properties: + is_customized: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsExternalRuleCustomized + type: + enum: + - external + type: string + required: + - type + - is_customized + Security_Solution_Detections_API_FindRulesSortField: + enum: + - created_at + - createdAt + - enabled + - execution_summary.last_execution.date + - execution_summary.last_execution.metrics.execution_gap_duration_s + - execution_summary.last_execution.metrics.total_indexing_duration_ms + - execution_summary.last_execution.metrics.total_search_duration_ms + - execution_summary.last_execution.status + - name + - risk_score + - riskScore + - severity + - updated_at + - updatedAt + type: string + Security_Solution_Detections_API_HistoryWindowStart: + $ref: '#/components/schemas/Security_Solution_Detections_API_NonEmptyString' + Security_Solution_Detections_API_IndexMigrationStatus: + type: object + properties: + index: + $ref: '#/components/schemas/Security_Solution_Detections_API_NonEmptyString' + is_outdated: + type: boolean + migrations: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_MigrationStatus + type: array + signal_versions: + items: + $ref: '#/components/schemas/Security_Solution_Detections_API_AlertVersion' + type: array + version: + type: integer + required: + - index + - version + - signal_versions + - migrations + - is_outdated + Security_Solution_Detections_API_IndexPatternArray: + items: + type: string + type: array + Security_Solution_Detections_API_InternalRuleSource: + description: >- + Type of rule source for internally sourced rules, i.e. created within + the Kibana apps. + type: object + properties: + type: + enum: + - internal + type: string + required: + - type + Security_Solution_Detections_API_InvestigationFields: + description: > + Schema for fields relating to investigation fields. 
These are user + defined fields we use to highlight + + in various features in the UI such as alert details flyout and + exceptions auto-population from alert. + + Added in PR #163235 + + Right now we only have a single field but anticipate adding more related + fields to store various + + configuration states such as `override` - where a user might say if they + want only these fields to + + display, or if they want these fields + the fields we select. When + expanding this field, it may look + + something like: + + ```typescript + + const investigationFields = z.object({ + field_names: NonEmptyArray(NonEmptyString), + override: z.boolean().optional(), + }); + + ``` + type: object + properties: + field_names: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_NonEmptyString + minItems: 1 + type: array + required: + - field_names + Security_Solution_Detections_API_InvestigationGuide: + description: Notes to help investigate alerts produced by the rule. + type: string + Security_Solution_Detections_API_IsExternalRuleCustomized: + description: >- + Determines whether an external/prebuilt rule has been customized by the + user (i.e. any of its fields have been modified and diverged from the + base value). + type: boolean + Security_Solution_Detections_API_IsRuleEnabled: + description: Determines whether the rule is enabled. + type: boolean + Security_Solution_Detections_API_IsRuleImmutable: + deprecated: true + description: >- + This field determines whether the rule is a prebuilt Elastic rule. It + will be replaced with the `rule_source` field. 
+ type: boolean + Security_Solution_Detections_API_ItemsPerSearch: + minimum: 1 + type: integer + Security_Solution_Detections_API_KqlQueryLanguage: + enum: + - kuery + - lucene + type: string + Security_Solution_Detections_API_MachineLearningJobId: + description: Machine learning job ID + oneOf: + - type: string + - items: + type: string + minItems: 1 + type: array + Security_Solution_Detections_API_MachineLearningRule: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata 
+ name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + 
timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + required: + - name + - description + - risk_score + - severity + - version + - tags + - enabled + - risk_score_mapping + - severity_mapping + - interval + - from + - to + - actions + - exceptions_list + - author + - false_positives + - references + - max_signals + - threat + - setup + - related_integrations + - required_fields + - $ref: '#/components/schemas/Security_Solution_Detections_API_ResponseFields' + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_MachineLearningRuleResponseFields + Security_Solution_Detections_API_MachineLearningRuleCreateFields: + allOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_MachineLearningRuleRequiredFields + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_MachineLearningRuleOptionalFields + Security_Solution_Detections_API_MachineLearningRuleCreateProps: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + 
#/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: 
'#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + required: + - name + - description + - risk_score + - severity + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_MachineLearningRuleCreateFields + Security_Solution_Detections_API_MachineLearningRuleOptionalFields: + type: object + properties: + alert_suppression: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertSuppression + Security_Solution_Detections_API_MachineLearningRulePatchFields: + allOf: + - type: object + properties: + anomaly_threshold: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AnomalyThreshold + machine_learning_job_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_MachineLearningJobId + type: + description: Rule type + enum: + - machine_learning type: string - esTypes: - - keyword - scripted: false - searchable: true - 
aggregatable: true - readFromDocValues: true - subType: - multi: - parent: products._id - format: - id: string - shortDotsEnable: false - isMapped: true - products.base_price: - count: 0 - name: products.base_price - type: number - esTypes: - - half_float - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: number - params: - pattern: $0,0.00 - shortDotsEnable: false - isMapped: true - products.base_unit_price: - count: 0 - name: products.base_unit_price - type: number - esTypes: - - half_float - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: number - params: - pattern: $0,0.00 - shortDotsEnable: false - isMapped: true - products.category: - count: 0 - name: products.category + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_MachineLearningRuleOptionalFields + Security_Solution_Detections_API_MachineLearningRulePatchProps: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + 
#/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleObjectId + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: 
'#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_MachineLearningRulePatchFields + Security_Solution_Detections_API_MachineLearningRuleRequiredFields: + type: object + properties: + anomaly_threshold: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AnomalyThreshold + machine_learning_job_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_MachineLearningJobId + type: + description: Rule type + enum: + - machine_learning + type: string + required: + - type + - machine_learning_job_id + - anomaly_threshold + Security_Solution_Detections_API_MachineLearningRuleResponseFields: + allOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_MachineLearningRuleRequiredFields + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_MachineLearningRuleOptionalFields + Security_Solution_Detections_API_MachineLearningRuleUpdateProps: + 
allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleObjectId + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + 
#/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + 
#/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + required: + - name + - description + - risk_score + - severity + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_MachineLearningRuleCreateFields + Security_Solution_Detections_API_MaxSignals: + minimum: 1 + type: integer + Security_Solution_Detections_API_MigrationCleanupResult: + type: object + properties: + destinationIndex: + type: string + error: + type: object + properties: + message: type: string - esTypes: - - text - scripted: false - searchable: true - aggregatable: false - readFromDocValues: false - format: - id: string - shortDotsEnable: false - isMapped: true - products.category.keyword: - count: 0 - name: products.category.keyword + status_code: + type: integer + required: + - message + - status_code + id: + type: string + sourceIndex: + type: string + status: + enum: + - success + - failure + - pending + type: string + updated: + format: date-time + type: string + version: + type: string + required: + - id + - destinationIndex + - status + - sourceIndex + - version + - updated + Security_Solution_Detections_API_MigrationFinalizationResult: + type: object + properties: + completed: + type: boolean + destinationIndex: + type: string + error: + type: object + properties: + message: type: string - esTypes: - - keyword - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - subType: - multi: - parent: products.category - format: - id: string - shortDotsEnable: false - isMapped: true - products.created_on: - count: 0 - name: products.created_on - type: date - esTypes: - - date - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: date - shortDotsEnable: false - isMapped: true - products.discount_amount: - count: 0 - name: products.discount_amount - type: number - esTypes: - - half_float - scripted: false - 
searchable: true - aggregatable: true - readFromDocValues: true - format: - id: number - shortDotsEnable: false - isMapped: true - products.discount_percentage: - count: 0 - name: products.discount_percentage - type: number - esTypes: - - half_float - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: number - shortDotsEnable: false - isMapped: true - products.manufacturer: - count: 1 - name: products.manufacturer + status_code: + type: integer + required: + - message + - status_code + id: + type: string + sourceIndex: + type: string + status: + enum: + - success + - failure + - pending + type: string + updated: + format: date-time + type: string + version: + type: string + required: + - id + - completed + - destinationIndex + - status + - sourceIndex + - version + - updated + Security_Solution_Detections_API_MigrationStatus: + type: object + properties: + id: + $ref: '#/components/schemas/Security_Solution_Detections_API_NonEmptyString' + status: + enum: + - success + - failure + - pending + type: string + updated: + format: date-time + type: string + version: + type: integer + required: + - id + - status + - version + - updated + Security_Solution_Detections_API_NewTermsFields: + items: + type: string + maxItems: 3 + minItems: 1 + type: array + Security_Solution_Detections_API_NewTermsRule: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + 
#/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_name_override: + 
$ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + required: + - name + - description + - risk_score + - severity + - version + - tags + - enabled + - risk_score_mapping + - severity_mapping + - interval + - from + - to + - actions + - exceptions_list + - author + - false_positives + - references + - max_signals + - threat + - setup + - related_integrations + - required_fields + - $ref: '#/components/schemas/Security_Solution_Detections_API_ResponseFields' + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_NewTermsRuleResponseFields + Security_Solution_Detections_API_NewTermsRuleCreateFields: + allOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_NewTermsRuleRequiredFields + - $ref: >- + 
#/components/schemas/Security_Solution_Detections_API_NewTermsRuleOptionalFields + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_NewTermsRuleDefaultableFields + Security_Solution_Detections_API_NewTermsRuleCreateProps: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + 
note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + 
#/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + required: + - name + - description + - risk_score + - severity + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_NewTermsRuleCreateFields + Security_Solution_Detections_API_NewTermsRuleDefaultableFields: + type: object + properties: + language: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_KqlQueryLanguage + Security_Solution_Detections_API_NewTermsRuleOptionalFields: + type: object + properties: + alert_suppression: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertSuppression + data_view_id: + $ref: '#/components/schemas/Security_Solution_Detections_API_DataViewId' + filters: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFilterArray + index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IndexPatternArray + Security_Solution_Detections_API_NewTermsRulePatchFields: + allOf: + - type: object + properties: + history_window_start: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_HistoryWindowStart + new_terms_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_NewTermsFields + query: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleQuery' + type: + description: Rule type + enum: + - new_terms type: string - esTypes: - - text - scripted: false - searchable: true - aggregatable: false - readFromDocValues: false - format: - id: string - shortDotsEnable: false - isMapped: true - products.manufacturer.keyword: - count: 0 - name: products.manufacturer.keyword + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_NewTermsRuleOptionalFields + - $ref: >- + 
#/components/schemas/Security_Solution_Detections_API_NewTermsRuleDefaultableFields + Security_Solution_Detections_API_NewTermsRulePatchProps: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleObjectId + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + 
$ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + 
#/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_NewTermsRulePatchFields + Security_Solution_Detections_API_NewTermsRuleRequiredFields: + type: object + properties: + history_window_start: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_HistoryWindowStart + new_terms_fields: + $ref: '#/components/schemas/Security_Solution_Detections_API_NewTermsFields' + query: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleQuery' + type: + description: Rule type + enum: + - new_terms + type: string + required: + - type + - query + - new_terms_fields + - history_window_start + Security_Solution_Detections_API_NewTermsRuleResponseFields: + allOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_NewTermsRuleRequiredFields + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_NewTermsRuleOptionalFields + - type: object + properties: + language: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_KqlQueryLanguage + required: + - language + Security_Solution_Detections_API_NewTermsRuleUpdateProps: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + 
#/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleObjectId + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + 
#/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + required: + - name + - description + - risk_score + - severity + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_NewTermsRuleCreateFields + Security_Solution_Detections_API_NonEmptyString: + description: A string that is not empty and does not contain only whitespace + minLength: 1 + pattern: ^(?! 
*$).+$ + type: string + Security_Solution_Detections_API_NormalizedRuleAction: + additionalProperties: false + type: object + properties: + alerts_filter: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionAlertsFilter + frequency: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionFrequency + group: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionGroup + id: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleActionId' + params: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionParams + required: + - id + - params + Security_Solution_Detections_API_NormalizedRuleError: + type: object + properties: + err_code: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BulkActionsDryRunErrCode + message: + type: string + rules: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDetailsInError + type: array + status_code: + type: integer + required: + - message + - status_code + - rules + Security_Solution_Detections_API_OsqueryParams: + type: object + properties: + ecs_mapping: + $ref: '#/components/schemas/Security_Solution_Detections_API_EcsMapping' + pack_id: + type: string + queries: + items: + $ref: '#/components/schemas/Security_Solution_Detections_API_OsqueryQuery' + type: array + query: + type: string + saved_query_id: + type: string + timeout: + type: number + Security_Solution_Detections_API_OsqueryQuery: + type: object + properties: + ecs_mapping: + $ref: '#/components/schemas/Security_Solution_Detections_API_EcsMapping' + id: + description: Query ID + type: string + platform: + type: string + query: + description: Query to run + type: string + removed: + type: boolean + snapshot: + type: boolean + version: + description: Query version + type: string + required: + - id + - query + Security_Solution_Detections_API_OsqueryResponseAction: + type: object + properties: + action_type_id: + enum: + - 
.osquery + type: string + params: + $ref: '#/components/schemas/Security_Solution_Detections_API_OsqueryParams' + required: + - action_type_id + - params + Security_Solution_Detections_API_PlatformErrorResponse: + type: object + properties: + error: + type: string + message: + type: string + statusCode: + type: integer + required: + - statusCode + - error + - message + Security_Solution_Detections_API_ProcessesParams: + type: object + properties: + command: + enum: + - kill-process + - suspend-process + type: string + comment: + type: string + config: + type: object + properties: + field: + description: Field to use instead of process.pid type: string - esTypes: - - keyword - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - subType: - multi: - parent: products.manufacturer - format: - id: string - shortDotsEnable: false - isMapped: true - products.min_price: - count: 0 - name: products.min_price - type: number - esTypes: - - half_float - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: number - params: - pattern: $0,0.00 - shortDotsEnable: false - isMapped: true - products.price: - count: 1 - name: products.price - type: number - esTypes: - - half_float - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: number - params: - pattern: $0,0.00 - shortDotsEnable: false - isMapped: true - products.product_id: - count: 0 - name: products.product_id - type: number - esTypes: - - long - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: number - shortDotsEnable: false - isMapped: true - products.product_name: - count: 1 - name: products.product_name + overwrite: + default: true + description: Whether to overwrite field with process.pid + type: boolean + required: + - field + required: + - command + - config + Security_Solution_Detections_API_QueryRule: + allOf: + - type: object + properties: + 
actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + 
#/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + required: + - name + - description + - risk_score + - severity + - version + - tags + - enabled + - 
risk_score_mapping + - severity_mapping + - interval + - from + - to + - actions + - exceptions_list + - author + - false_positives + - references + - max_signals + - threat + - setup + - related_integrations + - required_fields + - $ref: '#/components/schemas/Security_Solution_Detections_API_ResponseFields' + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_QueryRuleResponseFields + Security_Solution_Detections_API_QueryRuleCreateFields: + allOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_QueryRuleRequiredFields + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_QueryRuleOptionalFields + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_QueryRuleDefaultableFields + Security_Solution_Detections_API_QueryRuleCreateProps: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + interval: + $ref: >- + 
#/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + 
#/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + required: + - name + - description + - risk_score + - severity + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_QueryRuleCreateFields + Security_Solution_Detections_API_QueryRuleDefaultableFields: + type: object + properties: + language: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_KqlQueryLanguage + query: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleQuery' + Security_Solution_Detections_API_QueryRuleOptionalFields: + type: object + properties: + alert_suppression: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertSuppression + data_view_id: + $ref: '#/components/schemas/Security_Solution_Detections_API_DataViewId' + filters: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFilterArray + index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IndexPatternArray + response_actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ResponseAction + type: array + saved_id: + $ref: 
'#/components/schemas/Security_Solution_Detections_API_SavedQueryId' + Security_Solution_Detections_API_QueryRulePatchFields: + allOf: + - type: object + properties: + type: + description: Rule type + enum: + - query type: string - esTypes: - - text - scripted: false - searchable: true - aggregatable: false - readFromDocValues: false - format: - id: string - shortDotsEnable: false - isMapped: true - products.product_name.keyword: - count: 0 - name: products.product_name.keyword + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_QueryRuleOptionalFields + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_QueryRuleDefaultableFields + Security_Solution_Detections_API_QueryRulePatchProps: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleObjectId + interval: + $ref: >- + 
#/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + 
#/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_QueryRulePatchFields + Security_Solution_Detections_API_QueryRuleRequiredFields: + type: object + properties: + type: + description: Rule type + enum: + - query + type: string + required: + - type + Security_Solution_Detections_API_QueryRuleResponseFields: + allOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_QueryRuleRequiredFields + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_QueryRuleOptionalFields + - type: object + properties: + language: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_KqlQueryLanguage + query: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleQuery' + required: + - query + - language + Security_Solution_Detections_API_QueryRuleUpdateProps: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + 
$ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleObjectId + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + 
#/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + required: + - name + - description + - risk_score + - severity + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_QueryRuleCreateFields + Security_Solution_Detections_API_RelatedIntegration: + 
description: > + Related integration is a potential dependency of a rule. It's assumed + that if the user installs + + one of the related integrations of a rule, the rule might start to work + properly because it will + + have source events (generated by this integration) potentially matching + the rule's query. + + + NOTE: Proper work is not guaranteed, because a related integration, if + installed, can be + + configured differently or generate data that is not necessarily relevant + for this rule. + + + Related integration is a combination of a Fleet package and (optionally) + one of the + + package's "integrations" that this package contains. It is represented + by 3 properties: + + + - `package`: name of the package (required, unique id) + + - `version`: version of the package (required, semver-compatible) + + - `integration`: name of the integration of this package (optional, id + within the package) + + + There are Fleet packages like `windows` that contain only one + integration; in this case, + + `integration` should be unspecified. There are also packages like `aws` + and `azure` that contain + + several integrations; in this case, `integration` should be specified. 
+ + + @example + + const x: RelatedIntegration = { + package: 'windows', + version: '1.5.x', + }; + + + @example + + const x: RelatedIntegration = { + package: 'azure', + version: '~1.1.6', + integration: 'activitylogs', + }; + type: object + properties: + integration: + $ref: '#/components/schemas/Security_Solution_Detections_API_NonEmptyString' + package: + $ref: '#/components/schemas/Security_Solution_Detections_API_NonEmptyString' + version: + $ref: '#/components/schemas/Security_Solution_Detections_API_NonEmptyString' + required: + - package + - version + Security_Solution_Detections_API_RelatedIntegrationArray: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegration + type: array + Security_Solution_Detections_API_RequiredField: + description: > + Describes an Elasticsearch field that is needed for the rule to + function. + + + Almost all types of Security rules check source event documents for a + match to some kind of + + query or filter. If a document has certain field with certain values, + then it's a match and + + the rule will generate an alert. + + + Required field is an event field that must be present in the source + indices of a given rule. 
+ + + @example + + const standardEcsField: RequiredField = { + name: 'event.action', + type: 'keyword', + ecs: true, + }; + + + @example + + const nonEcsField: RequiredField = { + name: 'winlog.event_data.AttributeLDAPDisplayName', + type: 'keyword', + ecs: false, + }; + type: object + properties: + ecs: + description: Whether the field is an ECS field + type: boolean + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_NonEmptyString' + description: Name of an Elasticsearch field + type: + $ref: '#/components/schemas/Security_Solution_Detections_API_NonEmptyString' + description: Type of the Elasticsearch field + required: + - name + - type + - ecs + Security_Solution_Detections_API_RequiredFieldArray: + items: + $ref: '#/components/schemas/Security_Solution_Detections_API_RequiredField' + type: array + Security_Solution_Detections_API_RequiredFieldInput: + description: >- + Input parameters to create a RequiredField. Does not include the `ecs` + field, because `ecs` is calculated on the backend based on the field + name and type. 
+ type: object + properties: + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_NonEmptyString' + description: Name of an Elasticsearch field + type: + $ref: '#/components/schemas/Security_Solution_Detections_API_NonEmptyString' + description: Type of an Elasticsearch field + required: + - name + - type + Security_Solution_Detections_API_ResponseAction: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_OsqueryResponseAction + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_EndpointResponseAction + Security_Solution_Detections_API_ResponseFields: + type: object + properties: + created_at: + format: date-time + type: string + created_by: + type: string + execution_summary: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExecutionSummary + id: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleObjectId' + immutable: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleImmutable + required_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldArray + revision: + minimum: 0 + type: integer + rule_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + rule_source: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleSource' + updated_at: + format: date-time + type: string + updated_by: + type: string + required: + - id + - rule_id + - immutable + - updated_at + - updated_by + - created_at + - created_by + - revision + - related_integrations + - required_fields + Security_Solution_Detections_API_RiskScore: + description: Risk score (0 to 100) + maximum: 100 + minimum: 0 + type: integer + Security_Solution_Detections_API_RiskScoreMapping: + description: >- + Overrides generated alerts' risk_score with a value from the source + event + items: + type: object + properties: + field: + type: string + operator: + enum: + - equals + type: string + risk_score: + $ref: 
'#/components/schemas/Security_Solution_Detections_API_RiskScore' + value: + type: string + required: + - field + - operator + - value + type: array + Security_Solution_Detections_API_RuleAction: + type: object + properties: + action_type_id: + description: The action type used for sending notifications. + type: string + alerts_filter: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionAlertsFilter + frequency: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionFrequency + group: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionGroup + id: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleActionId' + params: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionParams + uuid: + $ref: '#/components/schemas/Security_Solution_Detections_API_NonEmptyString' + required: + - action_type_id + - id + - params + Security_Solution_Detections_API_RuleActionAlertsFilter: + additionalProperties: true + type: object + Security_Solution_Detections_API_RuleActionFrequency: + description: >- + The action frequency defines when the action runs (for example, only on + rule execution or at specific time intervals). + type: object + properties: + notifyWhen: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionNotifyWhen + summary: + description: >- + Action summary indicates whether we will send a summary notification + about all the generate alerts or notification per individual alert + type: boolean + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + nullable: true + required: + - summary + - notifyWhen + - throttle + Security_Solution_Detections_API_RuleActionGroup: + description: >- + Optionally groups actions by use cases. Use `default` for alert + notifications. + type: string + Security_Solution_Detections_API_RuleActionId: + description: The connector ID. 
+ type: string + Security_Solution_Detections_API_RuleActionNotifyWhen: + description: >- + The condition for throttling the notification: `onActionGroupChange`, + `onActiveAlert`, or `onThrottleInterval` + enum: + - onActiveAlert + - onThrottleInterval + - onActionGroupChange + type: string + Security_Solution_Detections_API_RuleActionParams: + additionalProperties: true + description: >- + Object containing the allowed connector fields, which varies according + to the connector type. + type: object + Security_Solution_Detections_API_RuleActionThrottle: + description: Defines how often rule actions are taken. + oneOf: + - enum: + - no_actions + - rule + type: string + - description: 'Time interval in seconds, minutes, hours, or days.' + example: 1h + pattern: '^[1-9]\d*[smhd]$' + type: string + Security_Solution_Detections_API_RuleAuthorArray: + items: + type: string + type: array + Security_Solution_Detections_API_RuleCreateProps: + anyOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_EqlRuleCreateProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_QueryRuleCreateProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedQueryRuleCreateProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThresholdRuleCreateProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatMatchRuleCreateProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_MachineLearningRuleCreateProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_NewTermsRuleCreateProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_EsqlRuleCreateProps + discriminator: + propertyName: type + Security_Solution_Detections_API_RuleDescription: + minLength: 1 + type: string + Security_Solution_Detections_API_RuleDetailsInError: + type: object + properties: + id: + type: string + name: + type: string + required: + - id + 
Security_Solution_Detections_API_RuleExceptionList: + type: object + properties: + id: + $ref: '#/components/schemas/Security_Solution_Detections_API_NonEmptyString' + description: ID of the exception container + list_id: + $ref: '#/components/schemas/Security_Solution_Detections_API_NonEmptyString' + description: List ID of the exception container + namespace_type: + description: Determines the exceptions validity in rule's Kibana space + enum: + - agnostic + - single + type: string + type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ExceptionListType + required: + - id + - list_id + - type + - namespace_type + Security_Solution_Detections_API_RuleExecutionMetrics: + type: object + properties: + execution_gap_duration_s: + description: Duration in seconds of execution gap + minimum: 0 + type: integer + total_enrichment_duration_ms: + description: >- + Total time spent enriching documents during current rule execution + cycle + minimum: 0 + type: integer + total_indexing_duration_ms: + description: >- + Total time spent indexing documents during current rule execution + cycle + minimum: 0 + type: integer + total_search_duration_ms: + description: >- + Total time spent performing ES searches as measured by Kibana; + includes network latency and time spent serializing/deserializing + request/response + minimum: 0 + type: integer + Security_Solution_Detections_API_RuleExecutionStatus: + description: >- + Custom execution status of Security rules that is different from the + status used in the Alerting Framework. We merge our custom status with + the Framework's status to determine the resulting status of a rule. + + - going to run - @deprecated Replaced by the 'running' status but left + for backwards compatibility with rule execution events already written + to Event Log in the prior versions of Kibana. Don't use when writing + rule status changes. + + - running - Rule execution started but not reached any intermediate or + final status. 
+ + - partial failure - Rule can partially fail for various reasons either + in the middle of an execution (in this case we update its status right + away) or in the end of it. So currently this status can be both + intermediate and final at the same time. A typical reason for a partial + failure: not all the indices that the rule searches over actually exist. + + - failed - Rule failed to execute due to unhandled exception or a reason + defined in the business logic of its executor function. + + - succeeded - Rule executed successfully without any issues. Note: this + status is just an indication of a rule's "health". The rule might or + might not generate any alerts despite of it. + enum: + - going to run + - running + - partial failure + - failed + - succeeded + type: string + Security_Solution_Detections_API_RuleExecutionStatusOrder: + type: integer + Security_Solution_Detections_API_RuleExecutionSummary: + type: object + properties: + last_execution: + type: object + properties: + date: + description: Date of the last execution + format: date-time type: string - esTypes: - - keyword - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - subType: - multi: - parent: products.product_name - format: - id: string - shortDotsEnable: false - isMapped: true - products.quantity: - count: 0 - name: products.quantity - type: number - esTypes: - - integer - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: number - shortDotsEnable: false - isMapped: true - products.sku: - count: 0 - name: products.sku + message: type: string - esTypes: - - keyword - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: string - shortDotsEnable: false - isMapped: true - products.tax_amount: - count: 0 - name: products.tax_amount - type: number - esTypes: - - half_float - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: 
number - shortDotsEnable: false - isMapped: true - products.taxful_price: - count: 0 - name: products.taxful_price - type: number - esTypes: - - half_float - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: number - params: - pattern: $0,0.00 - shortDotsEnable: false - isMapped: true - products.taxless_price: - count: 0 - name: products.taxless_price - type: number - esTypes: - - half_float - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: number - params: - pattern: $0,0.00 - shortDotsEnable: false - isMapped: true - products.unit_discount_amount: - count: 0 - name: products.unit_discount_amount - type: number - esTypes: - - half_float - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: number - shortDotsEnable: false - isMapped: true - sku: - count: 0 - name: sku + metrics: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExecutionMetrics + status: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExecutionStatus + description: Status of the last execution + status_order: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExecutionStatusOrder + required: + - date + - status + - status_order + - message + - metrics + required: + - last_execution + Security_Solution_Detections_API_RuleFalsePositiveArray: + items: + type: string + type: array + Security_Solution_Detections_API_RuleFilterArray: + items: {} + type: array + Security_Solution_Detections_API_RuleInterval: + description: >- + Frequency of rule execution, using a date math range. For example, "1h" + means the rule runs every hour. Defaults to 5m (5 minutes). + type: string + Security_Solution_Detections_API_RuleIntervalFrom: + description: >- + Time from which data is analyzed each time the rule runs, using a date + math range. 
For example, now-4200s means the rule analyzes data from 70 + minutes before its start time. Defaults to now-6m (analyzes data from 6 + minutes before the start time). + format: date-math + type: string + Security_Solution_Detections_API_RuleIntervalTo: + type: string + Security_Solution_Detections_API_RuleLicense: + description: The rule's license. + type: string + Security_Solution_Detections_API_RuleMetadata: + additionalProperties: true + type: object + Security_Solution_Detections_API_RuleName: + minLength: 1 + type: string + Security_Solution_Detections_API_RuleNameOverride: + description: Sets the source field for the alert's signal.rule.name value + type: string + Security_Solution_Detections_API_RuleObjectId: + $ref: '#/components/schemas/Security_Solution_Detections_API_UUID' + Security_Solution_Detections_API_RulePatchProps: + anyOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_EqlRulePatchProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_QueryRulePatchProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedQueryRulePatchProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThresholdRulePatchProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatMatchRulePatchProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_MachineLearningRulePatchProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_NewTermsRulePatchProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_EsqlRulePatchProps + Security_Solution_Detections_API_RulePreviewLogs: + type: object + properties: + duration: + description: Execution duration in milliseconds + type: integer + errors: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_NonEmptyString + type: array + startedAt: + $ref: '#/components/schemas/Security_Solution_Detections_API_NonEmptyString' + warnings: + items: + $ref: >- + 
#/components/schemas/Security_Solution_Detections_API_NonEmptyString + type: array + required: + - errors + - warnings + - duration + Security_Solution_Detections_API_RulePreviewParams: + type: object + properties: + invocationCount: + type: integer + timeframeEnd: + format: date-time + type: string + required: + - invocationCount + - timeframeEnd + Security_Solution_Detections_API_RuleQuery: + type: string + Security_Solution_Detections_API_RuleReferenceArray: + items: + type: string + type: array + Security_Solution_Detections_API_RuleResponse: + anyOf: + - $ref: '#/components/schemas/Security_Solution_Detections_API_EqlRule' + - $ref: '#/components/schemas/Security_Solution_Detections_API_QueryRule' + - $ref: '#/components/schemas/Security_Solution_Detections_API_SavedQueryRule' + - $ref: '#/components/schemas/Security_Solution_Detections_API_ThresholdRule' + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatMatchRule + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_MachineLearningRule + - $ref: '#/components/schemas/Security_Solution_Detections_API_NewTermsRule' + - $ref: '#/components/schemas/Security_Solution_Detections_API_EsqlRule' + discriminator: + propertyName: type + Security_Solution_Detections_API_RuleSignatureId: + description: 'Could be any string, not necessarily a UUID' + type: string + Security_Solution_Detections_API_RuleSource: + description: >- + Discriminated union that determines whether the rule is internally + sourced (created within the Kibana app) or has an external source, such + as the Elastic Prebuilt rules repo. + discriminator: + propertyName: type + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ExternalRuleSource + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_InternalRuleSource + Security_Solution_Detections_API_RuleTagArray: + description: >- + String array containing words and phrases to help categorize, filter, + and search rules. 
Defaults to an empty array. + items: + type: string + type: array + Security_Solution_Detections_API_RuleUpdateProps: + anyOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_EqlRuleUpdateProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_QueryRuleUpdateProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedQueryRuleUpdateProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThresholdRuleUpdateProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatMatchRuleUpdateProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_MachineLearningRuleUpdateProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_NewTermsRuleUpdateProps + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_EsqlRuleUpdateProps + discriminator: + propertyName: type + Security_Solution_Detections_API_RuleVersion: + description: The rule's version number. + minimum: 1 + type: integer + Security_Solution_Detections_API_SavedObjectResolveAliasPurpose: + enum: + - savedObjectConversion + - savedObjectImport + type: string + Security_Solution_Detections_API_SavedObjectResolveAliasTargetId: + type: string + Security_Solution_Detections_API_SavedObjectResolveOutcome: + enum: + - exactMatch + - aliasMatch + - conflict + type: string + Security_Solution_Detections_API_SavedQueryId: + type: string + Security_Solution_Detections_API_SavedQueryRule: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + 
$ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: 
+ $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + required: + - name + - description + - risk_score + - severity + - version + - tags + - enabled + - risk_score_mapping + - severity_mapping + - interval + - from + - to + - actions + - exceptions_list + - author + - false_positives + - references + - max_signals + - threat + - setup + - related_integrations + - required_fields + - $ref: '#/components/schemas/Security_Solution_Detections_API_ResponseFields' + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedQueryRuleResponseFields + Security_Solution_Detections_API_SavedQueryRuleCreateFields: + allOf: + - $ref: >- + 
#/components/schemas/Security_Solution_Detections_API_SavedQueryRuleRequiredFields + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedQueryRuleOptionalFields + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedQueryRuleDefaultableFields + Security_Solution_Detections_API_SavedQueryRuleCreateProps: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' 
+ namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + 
timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + required: + - name + - description + - risk_score + - severity + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedQueryRuleCreateFields + Security_Solution_Detections_API_SavedQueryRuleDefaultableFields: + type: object + properties: + language: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_KqlQueryLanguage + Security_Solution_Detections_API_SavedQueryRuleOptionalFields: + type: object + properties: + alert_suppression: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertSuppression + data_view_id: + $ref: '#/components/schemas/Security_Solution_Detections_API_DataViewId' + filters: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFilterArray + index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IndexPatternArray + query: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleQuery' + response_actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ResponseAction + type: array + Security_Solution_Detections_API_SavedQueryRulePatchFields: + allOf: + - type: object + properties: + saved_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedQueryId + type: + description: Rule type + enum: + - saved_query + type: string + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedQueryRuleOptionalFields + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedQueryRuleDefaultableFields + Security_Solution_Detections_API_SavedQueryRulePatchProps: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + 
#/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleObjectId + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + 
#/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + - $ref: >- + 
#/components/schemas/Security_Solution_Detections_API_SavedQueryRulePatchFields + Security_Solution_Detections_API_SavedQueryRuleRequiredFields: + type: object + properties: + saved_id: + $ref: '#/components/schemas/Security_Solution_Detections_API_SavedQueryId' + type: + description: Rule type + enum: + - saved_query + type: string + required: + - type + - saved_id + Security_Solution_Detections_API_SavedQueryRuleResponseFields: + allOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedQueryRuleRequiredFields + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedQueryRuleOptionalFields + - type: object + properties: + language: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_KqlQueryLanguage + required: + - language + Security_Solution_Detections_API_SavedQueryRuleUpdateProps: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + id: + $ref: >- + 
#/components/schemas/Security_Solution_Detections_API_RuleObjectId + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + 
#/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + required: + - name + - description + - risk_score + - severity + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedQueryRuleCreateFields + Security_Solution_Detections_API_SetAlertsStatusByIds: + type: object + properties: + signal_ids: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_NonEmptyString + minItems: 1 + type: array + status: + $ref: '#/components/schemas/Security_Solution_Detections_API_AlertStatus' + required: + - signal_ids + - status + Security_Solution_Detections_API_SetAlertsStatusByQuery: + type: object + properties: + conflicts: + default: abort + enum: + - abort + - proceed + type: string + query: + additionalProperties: true + type: object + status: + $ref: '#/components/schemas/Security_Solution_Detections_API_AlertStatus' + required: + - query + - status + Security_Solution_Detections_API_SetAlertTags: + type: object + properties: + tags_to_add: + $ref: '#/components/schemas/Security_Solution_Detections_API_AlertTags' + 
tags_to_remove: + $ref: '#/components/schemas/Security_Solution_Detections_API_AlertTags' + required: + - tags_to_add + - tags_to_remove + Security_Solution_Detections_API_SetupGuide: + type: string + Security_Solution_Detections_API_Severity: + description: Severity of the rule + enum: + - low + - medium + - high + - critical + type: string + Security_Solution_Detections_API_SeverityMapping: + description: Overrides generated alerts' severity with values from the source event + items: + type: object + properties: + field: + type: string + operator: + enum: + - equals + type: string + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + value: + type: string + required: + - field + - operator + - severity + - value + type: array + Security_Solution_Detections_API_SiemErrorResponse: + type: object + properties: + message: + type: string + status_code: + type: integer + required: + - status_code + - message + Security_Solution_Detections_API_SkippedAlertsIndexMigration: + type: object + properties: + index: + type: string + required: + - index + Security_Solution_Detections_API_SortOrder: + enum: + - asc + - desc + type: string + Security_Solution_Detections_API_Threat: + type: object + properties: + framework: + description: Relevant attack framework + type: string + tactic: + $ref: '#/components/schemas/Security_Solution_Detections_API_ThreatTactic' + technique: + description: Array containing information on the attack techniques (optional) + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatTechnique + type: array + required: + - framework + - tactic + Security_Solution_Detections_API_ThreatArray: + items: + $ref: '#/components/schemas/Security_Solution_Detections_API_Threat' + type: array + Security_Solution_Detections_API_ThreatFilters: + items: + description: >- + Query and filter context array used to filter documents from the + Elasticsearch index containing the threat values + type: array + 
Security_Solution_Detections_API_ThreatIndex: + items: + type: string + type: array + Security_Solution_Detections_API_ThreatIndicatorPath: + description: >- + Defines the path to the threat indicator in the indicator documents + (optional) + type: string + Security_Solution_Detections_API_ThreatMapping: + items: + type: object + properties: + entries: + items: + type: object + properties: + field: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_NonEmptyString + type: + enum: + - mapping + type: string + value: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_NonEmptyString + required: + - field + - type + - value + type: array + required: + - entries + minItems: 1 + type: array + Security_Solution_Detections_API_ThreatMatchRule: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + 
$ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + 
#/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + required: + - name + - description + - risk_score + - severity + - version + - tags + - enabled + - risk_score_mapping + - severity_mapping + - interval + - from + - to + - actions + - exceptions_list + - author + - false_positives + - references + - max_signals + - threat + - setup + - related_integrations + - required_fields + - $ref: '#/components/schemas/Security_Solution_Detections_API_ResponseFields' + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatMatchRuleResponseFields + Security_Solution_Detections_API_ThreatMatchRuleCreateFields: + allOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatMatchRuleRequiredFields + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatMatchRuleOptionalFields + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatMatchRuleDefaultableFields + Security_Solution_Detections_API_ThreatMatchRuleCreateProps: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + 
#/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + 
$ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + required: + - name + - description + - risk_score + - severity + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatMatchRuleCreateFields + Security_Solution_Detections_API_ThreatMatchRuleDefaultableFields: + type: object + properties: + language: + $ref: >- + 
#/components/schemas/Security_Solution_Detections_API_KqlQueryLanguage + Security_Solution_Detections_API_ThreatMatchRuleOptionalFields: + type: object + properties: + alert_suppression: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertSuppression + concurrent_searches: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ConcurrentSearches + data_view_id: + $ref: '#/components/schemas/Security_Solution_Detections_API_DataViewId' + filters: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFilterArray + index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IndexPatternArray + items_per_search: + $ref: '#/components/schemas/Security_Solution_Detections_API_ItemsPerSearch' + saved_id: + $ref: '#/components/schemas/Security_Solution_Detections_API_SavedQueryId' + threat_filters: + $ref: '#/components/schemas/Security_Solution_Detections_API_ThreatFilters' + threat_indicator_path: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatIndicatorPath + threat_language: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_KqlQueryLanguage + Security_Solution_Detections_API_ThreatMatchRulePatchFields: + allOf: + - type: object + properties: + query: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleQuery' + threat_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatIndex + threat_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatMapping + threat_query: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatQuery + type: + description: Rule type + enum: + - threat_match type: string - esTypes: - - keyword - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: string - shortDotsEnable: false - isMapped: true - taxful_total_price: - count: 0 - name: taxful_total_price - type: number - esTypes: - - half_float - scripted: false - 
searchable: true - aggregatable: true - readFromDocValues: true - format: - id: number - params: - pattern: $0,0.[00] - shortDotsEnable: false - isMapped: true - taxless_total_price: - count: 0 - name: taxless_total_price - type: number - esTypes: - - half_float - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: number - params: - pattern: $0,0.00 - shortDotsEnable: false - isMapped: true - total_quantity: - count: 1 - name: total_quantity - type: number - esTypes: - - integer - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: number - shortDotsEnable: false - isMapped: true - total_unique_products: - count: 0 - name: total_unique_products - type: number - esTypes: - - integer - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: number - shortDotsEnable: false - isMapped: true + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatMatchRuleOptionalFields + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatMatchRuleDefaultableFields + Security_Solution_Detections_API_ThreatMatchRulePatchProps: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: 
+ $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleObjectId + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + rule_name_override: + $ref: >- + 
#/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatMatchRulePatchFields + Security_Solution_Detections_API_ThreatMatchRuleRequiredFields: + type: object + properties: + query: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleQuery' + threat_index: + $ref: '#/components/schemas/Security_Solution_Detections_API_ThreatIndex' + threat_mapping: + $ref: '#/components/schemas/Security_Solution_Detections_API_ThreatMapping' + threat_query: + $ref: '#/components/schemas/Security_Solution_Detections_API_ThreatQuery' + type: + description: Rule type + enum: + - threat_match + type: string + required: + - type + - query + - threat_query + - threat_mapping + - threat_index + 
Security_Solution_Detections_API_ThreatMatchRuleResponseFields: + allOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatMatchRuleRequiredFields + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatMatchRuleOptionalFields + - type: object + properties: + language: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_KqlQueryLanguage + required: + - language + Security_Solution_Detections_API_ThreatMatchRuleUpdateProps: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleObjectId + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: 
'#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + 
#/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + required: + - name + - description + - risk_score + - severity + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatMatchRuleCreateFields + Security_Solution_Detections_API_ThreatQuery: + description: Query to run + type: string + Security_Solution_Detections_API_ThreatSubtechnique: + type: object + properties: + id: + description: Subtechnique ID + type: string + name: + description: Subtechnique name + type: string + reference: + description: Subtechnique reference + type: string + required: + - id + - name + - reference + Security_Solution_Detections_API_ThreatTactic: + type: object + properties: + id: + description: Tactic ID + type: string + name: + description: Tactic name + type: string + reference: + description: Tactic reference + type: string + required: + - id + - name + - reference + Security_Solution_Detections_API_ThreatTechnique: + type: object + properties: + id: + description: Technique ID + type: string + name: + description: Technique name + type: string + reference: + description: Technique reference + type: string + subtechnique: + description: Array containing more specific information on the attack technique + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatSubtechnique + type: array + required: + - id + - name + - reference + Security_Solution_Detections_API_Threshold: + type: object + 
properties: + cardinality: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThresholdCardinality + field: + $ref: '#/components/schemas/Security_Solution_Detections_API_ThresholdField' + value: + $ref: '#/components/schemas/Security_Solution_Detections_API_ThresholdValue' + required: + - field + - value + Security_Solution_Detections_API_ThresholdAlertSuppression: + type: object + properties: + duration: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertSuppressionDuration + required: + - duration + Security_Solution_Detections_API_ThresholdCardinality: + items: + type: object + properties: + field: + type: string + value: + minimum: 0 + type: integer + required: + - field + - value + type: array + Security_Solution_Detections_API_ThresholdField: + description: Field to aggregate on + oneOf: + - type: string + - items: + type: string + type: array + Security_Solution_Detections_API_ThresholdRule: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + 
#/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + 
#/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + required: + - name + - description + - risk_score + - severity + - version + - tags + - enabled + - risk_score_mapping + - severity_mapping + - interval + - from + - to + - actions + - exceptions_list + - author + - false_positives + - references + - max_signals + - threat + - setup + - related_integrations + - required_fields + - $ref: '#/components/schemas/Security_Solution_Detections_API_ResponseFields' + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThresholdRuleResponseFields + Security_Solution_Detections_API_ThresholdRuleCreateFields: + allOf: + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThresholdRuleRequiredFields + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThresholdRuleOptionalFields + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThresholdRuleDefaultableFields + Security_Solution_Detections_API_ThresholdRuleCreateProps: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: 
>- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + 
$ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + required: + - name + - description + - risk_score + - severity + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThresholdRuleCreateFields + 
Security_Solution_Detections_API_ThresholdRuleDefaultableFields: + type: object + properties: + language: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_KqlQueryLanguage + Security_Solution_Detections_API_ThresholdRuleOptionalFields: + type: object + properties: + alert_suppression: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThresholdAlertSuppression + data_view_id: + $ref: '#/components/schemas/Security_Solution_Detections_API_DataViewId' + filters: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFilterArray + index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IndexPatternArray + saved_id: + $ref: '#/components/schemas/Security_Solution_Detections_API_SavedQueryId' + Security_Solution_Detections_API_ThresholdRulePatchFields: + allOf: + - type: object + properties: + query: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleQuery' + threshold: + $ref: '#/components/schemas/Security_Solution_Detections_API_Threshold' + type: + description: Rule type + enum: + - threshold + type: string + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThresholdRuleOptionalFields + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThresholdRuleDefaultableFields + Security_Solution_Detections_API_ThresholdRulePatchProps: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + 
#/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleObjectId + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + 
#/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThresholdRulePatchFields + Security_Solution_Detections_API_ThresholdRuleRequiredFields: + type: object + properties: + query: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleQuery' + threshold: + $ref: '#/components/schemas/Security_Solution_Detections_API_Threshold' + type: + description: Rule type + enum: + - threshold + type: string + required: + - type + - query + - threshold + Security_Solution_Detections_API_ThresholdRuleResponseFields: + allOf: + 
- $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThresholdRuleRequiredFields + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThresholdRuleOptionalFields + - type: object + properties: + language: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_KqlQueryLanguage + required: + - language + Security_Solution_Detections_API_ThresholdRuleUpdateProps: + allOf: + - type: object + properties: + actions: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAction + type: array + alias_purpose: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasPurpose + alias_target_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveAliasTargetId + author: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleAuthorArray + building_block_type: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_BuildingBlockType + description: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleDescription + enabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_IsRuleEnabled + exceptions_list: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleExceptionList + type: array + false_positives: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleFalsePositiveArray + from: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalFrom + id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleObjectId + interval: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleInterval + investigation_fields: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationFields + license: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleLicense + max_signals: + $ref: '#/components/schemas/Security_Solution_Detections_API_MaxSignals' + meta: + $ref: >- + 
#/components/schemas/Security_Solution_Detections_API_RuleMetadata + name: + $ref: '#/components/schemas/Security_Solution_Detections_API_RuleName' + namespace: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndexNamespace + note: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_InvestigationGuide + outcome: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SavedObjectResolveOutcome + output_index: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_AlertsIndex + references: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleReferenceArray + related_integrations: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RelatedIntegrationArray + required_fields: + items: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RequiredFieldInput + type: array + risk_score: + $ref: '#/components/schemas/Security_Solution_Detections_API_RiskScore' + risk_score_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RiskScoreMapping + rule_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleSignatureId + rule_name_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleNameOverride + setup: + $ref: '#/components/schemas/Security_Solution_Detections_API_SetupGuide' + severity: + $ref: '#/components/schemas/Security_Solution_Detections_API_Severity' + severity_mapping: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_SeverityMapping + tags: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleTagArray + threat: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThreatArray + throttle: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleActionThrottle + timeline_id: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimelineTemplateId + timeline_title: + $ref: >- + 
#/components/schemas/Security_Solution_Detections_API_TimelineTemplateTitle + timestamp_override: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverride + timestamp_override_fallback_disabled: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_TimestampOverrideFallbackDisabled + to: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleIntervalTo + version: + $ref: >- + #/components/schemas/Security_Solution_Detections_API_RuleVersion + required: + - name + - description + - risk_score + - severity + - $ref: >- + #/components/schemas/Security_Solution_Detections_API_ThresholdRuleCreateFields + Security_Solution_Detections_API_ThresholdValue: + description: Threshold value + minimum: 1 + type: integer + Security_Solution_Detections_API_ThrottleForBulkActions: + description: >- + The condition for throttling the notification: 'rule', 'no_actions', or + time duration + enum: + - rule + - 1h + - 1d + - 7d + type: string + Security_Solution_Detections_API_TiebreakerField: + description: Sets a secondary field for sorting events + type: string + Security_Solution_Detections_API_TimelineTemplateId: + description: Timeline template ID + type: string + Security_Solution_Detections_API_TimelineTemplateTitle: + description: Timeline template title + type: string + Security_Solution_Detections_API_TimestampField: + description: Contains the event timestamp used for sorting a sequence of events + type: string + Security_Solution_Detections_API_TimestampOverride: + description: Sets the time field used to query indices + type: string + Security_Solution_Detections_API_TimestampOverrideFallbackDisabled: + description: Disables the fallback to the event's @timestamp field + type: boolean + Security_Solution_Detections_API_UUID: + description: A universally unique identifier + format: uuid + type: string + Security_Solution_Detections_API_WarningSchema: + type: object + properties: + actionPath: + type: string + 
buttonLabel: + type: string + message: + type: string + type: + type: string + required: + - type + - message + - actionPath + Security_Solution_Endpoint_Exceptions_API_EndpointList: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionList + - additionalProperties: false + type: object + Security_Solution_Endpoint_Exceptions_API_EndpointListItem: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItem + Security_Solution_Endpoint_Exceptions_API_ExceptionList: + type: object + properties: + _version: + type: string + created_at: + format: date-time + type: string + created_by: + type: string + description: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListDescription + id: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListId + immutable: + type: boolean + list_id: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListHumanId + meta: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListMeta + name: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListName + namespace_type: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionNamespaceType + os_types: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListOsTypeArray + tags: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListTags + tie_breaker_id: + type: string + type: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListType + updated_at: + format: date-time + type: string + updated_by: + type: string + version: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListVersion + required: + - id + - list_id + - type + - name + - description + - immutable + - namespace_type + - version + 
- tie_breaker_id + - created_at + - created_by + - updated_at + - updated_by + Security_Solution_Endpoint_Exceptions_API_ExceptionListDescription: + type: string + Security_Solution_Endpoint_Exceptions_API_ExceptionListHumanId: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_NonEmptyString + description: 'Human readable string identifier, e.g. `trusted-linux-processes`' + Security_Solution_Endpoint_Exceptions_API_ExceptionListId: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_NonEmptyString + Security_Solution_Endpoint_Exceptions_API_ExceptionListItem: + type: object + properties: + _version: + type: string + comments: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemCommentArray + created_at: + format: date-time + type: string + created_by: + type: string + description: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemDescription + entries: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntryArray + expire_time: + format: date-time + type: string + id: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemId + item_id: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemHumanId + list_id: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListHumanId + meta: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemMeta + name: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemName + namespace_type: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionNamespaceType + os_types: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray + tags: + $ref: >- + 
#/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemTags + tie_breaker_id: + type: string + type: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemType + updated_at: + format: date-time + type: string + updated_by: + type: string + required: + - id + - item_id + - list_id + - type + - name + - description + - entries + - namespace_type + - comments + - tie_breaker_id + - created_at + - created_by + - updated_at + - updated_by + Security_Solution_Endpoint_Exceptions_API_ExceptionListItemComment: + type: object + properties: + comment: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_NonEmptyString + created_at: + format: date-time + type: string + created_by: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_NonEmptyString + id: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_NonEmptyString + updated_at: + format: date-time + type: string + updated_by: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_NonEmptyString + required: + - id + - comment + - created_at + - created_by + Security_Solution_Endpoint_Exceptions_API_ExceptionListItemCommentArray: + items: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemComment + type: array + Security_Solution_Endpoint_Exceptions_API_ExceptionListItemDescription: + type: string + Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntry: + anyOf: + - $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntryMatch + - $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntryMatchAny + - $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntryList + - $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntryExists + - $ref: >- + 
#/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntryNested + - $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntryMatchWildcard + discriminator: + propertyName: type + Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntryArray: + items: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntry + type: array + Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntryExists: + type: object + properties: + field: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_NonEmptyString + operator: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntryOperator + type: + enum: + - exists + type: string + required: + - type + - field + - operator + Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntryList: + type: object + properties: + field: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_NonEmptyString + list: + type: object + properties: + id: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ListId type: - count: 0 - name: type - type: string - esTypes: - - keyword - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: string - shortDotsEnable: false - isMapped: true - user: - count: 0 - name: user - type: string - esTypes: - - keyword - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: string - shortDotsEnable: false - isMapped: true - typeMeta: {} - fieldFormats: - taxful_total_price: - id: number - params: - pattern: $0,0.[00] - products.price: - id: number - params: - pattern: $0,0.00 - taxless_total_price: - id: number - params: - pattern: $0,0.00 - products.taxless_price: - id: number - params: - pattern: $0,0.00 - products.taxful_price: - id: number - params: - pattern: $0,0.00 - products.min_price: - id: 
number - params: - pattern: $0,0.00 - products.base_unit_price: - id: number - params: - pattern: $0,0.00 - products.base_price: - id: number - params: - pattern: $0,0.00 - runtimeFieldMap: {} - fieldAttrs: - products.manufacturer: - count: 1 - products.price: - count: 1 - products.product_name: - count: 1 - total_quantity: - count: 1 - allowNoIndex: false - name: Kibana Sample Data eCommerce - namespaces: - - default - Data_views_update_data_view_request: - summary: Update some properties for a data view. - value: - data_view: - title: kibana_sample_data_ecommerce - timeFieldName: order_date - allowNoIndex: false - name: Kibana Sample Data eCommerce - refresh_fields: true - Data_views_update_field_metadata_request: - summary: Update metadata for multiple fields. - value: - fields: - field1: - count: 123 - customLabel: Field 1 label - field2: - customLabel: Field 2 label - customDescription: Field 2 description - Data_views_create_runtime_field_request: - summary: Create a runtime field. - value: - name: runtimeFoo - runtimeField: - type: long - script: - source: emit(doc["foo"].value) - Data_views_get_runtime_field_response: - summary: >- - The get runtime field API returns a JSON object that contains - information about the runtime field (`hour_of_day`) and the data view - (`d3d7af60-4c81-11e8-b3d7-01146121b73d`). 
- value: - fields: - - count: 0 - name: hour_of_day - type: number - esTypes: - - long - scripted: false - searchable: true - aggregatable: true - readFromDocValues: false - shortDotsEnable: false - runtimeField: - type: long - script: - source: emit(doc['timestamp'].value.getHour()); - data_view: - id: d3d7af60-4c81-11e8-b3d7-01146121b73d - version: WzM2LDJd - title: kibana_sample_data_flights - timeFieldName: timestamp - sourceFilters: [] - fields: - hour_of_day: - count: 0 - name: hour_of_day - type: number - esTypes: - - long - scripted: false - searchable: true - aggregatable: true - readFromDocValues: false - format: - id: number - params: - pattern: '00' - shortDotsEnable: false - runtimeField: - type: long - script: - source: emit(doc['timestamp'].value.getHour()); - AvgTicketPrice: - count: 0 - name: AvgTicketPrice - type: number - esTypes: - - float - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: number - params: - pattern: $0,0.[00] - shortDotsEnable: false - isMapped: true - Cancelled: - count: 0 - name: Cancelled - type: boolean - esTypes: - - boolean - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: boolean - shortDotsEnable: false - isMapped: true - Carrier: - count: 0 - name: Carrier - type: string - esTypes: - - keyword - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: string - shortDotsEnable: false - isMapped: true - Dest: - count: 0 - name: Dest - type: string - esTypes: - - keyword - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: string - shortDotsEnable: false - isMapped: true - DestAirportID: - count: 0 - name: DestAirportID + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ListType + required: + - id + - type + operator: + $ref: >- + 
#/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntryOperator + type: + enum: + - list + type: string + required: + - type + - field + - list + - operator + Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntryMatch: + type: object + properties: + field: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_NonEmptyString + operator: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntryOperator + type: + enum: + - match + type: string + value: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_NonEmptyString + required: + - type + - field + - value + - operator + Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntryMatchAny: + type: object + properties: + field: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_NonEmptyString + operator: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntryOperator + type: + enum: + - match_any + type: string + value: + items: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_NonEmptyString + minItems: 1 + type: array + required: + - type + - field + - value + - operator + Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntryMatchWildcard: + type: object + properties: + field: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_NonEmptyString + operator: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntryOperator + type: + enum: + - wildcard + type: string + value: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_NonEmptyString + required: + - type + - field + - value + - operator + Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntryNested: + type: object + properties: + entries: + items: + $ref: >- + 
#/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntryNestedEntryItem + minItems: 1 + type: array + field: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_NonEmptyString + type: + enum: + - nested + type: string + required: + - type + - field + - entries + Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntryNestedEntryItem: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntryMatch + - $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntryMatchAny + - $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntryExists + Security_Solution_Endpoint_Exceptions_API_ExceptionListItemEntryOperator: + enum: + - excluded + - included + type: string + Security_Solution_Endpoint_Exceptions_API_ExceptionListItemHumanId: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_NonEmptyString + Security_Solution_Endpoint_Exceptions_API_ExceptionListItemId: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_NonEmptyString + Security_Solution_Endpoint_Exceptions_API_ExceptionListItemMeta: + additionalProperties: true + type: object + Security_Solution_Endpoint_Exceptions_API_ExceptionListItemName: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_NonEmptyString + Security_Solution_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray: + items: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListOsType + type: array + Security_Solution_Endpoint_Exceptions_API_ExceptionListItemTags: + items: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_NonEmptyString + type: array + Security_Solution_Endpoint_Exceptions_API_ExceptionListItemType: + enum: + - simple + type: string + Security_Solution_Endpoint_Exceptions_API_ExceptionListMeta: + 
additionalProperties: true + type: object + Security_Solution_Endpoint_Exceptions_API_ExceptionListName: + type: string + Security_Solution_Endpoint_Exceptions_API_ExceptionListOsType: + enum: + - linux + - macos + - windows + type: string + Security_Solution_Endpoint_Exceptions_API_ExceptionListOsTypeArray: + items: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_ExceptionListOsType + type: array + Security_Solution_Endpoint_Exceptions_API_ExceptionListTags: + items: + type: string + type: array + Security_Solution_Endpoint_Exceptions_API_ExceptionListType: + enum: + - detection + - rule_default + - endpoint + - endpoint_trusted_apps + - endpoint_events + - endpoint_host_isolation_exceptions + - endpoint_blocklists + type: string + Security_Solution_Endpoint_Exceptions_API_ExceptionListVersion: + minimum: 1 + type: integer + Security_Solution_Endpoint_Exceptions_API_ExceptionNamespaceType: + description: > + Determines whether the exception container is available in all Kibana + spaces or just the space + + in which it is created, where: + + + - `single`: Only available in the Kibana space in which it is created. + + - `agnostic`: Available in all Kibana spaces. 
+ enum: + - agnostic + - single + type: string + Security_Solution_Endpoint_Exceptions_API_FindEndpointListItemsFilter: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_NonEmptyString + Security_Solution_Endpoint_Exceptions_API_ListId: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Exceptions_API_NonEmptyString + Security_Solution_Endpoint_Exceptions_API_ListType: + enum: + - binary + - boolean + - byte + - date + - date_nanos + - date_range + - double + - double_range + - float + - float_range + - geo_point + - geo_shape + - half_float + - integer + - integer_range + - ip + - ip_range + - keyword + - long + - long_range + - shape + - short + - text + type: string + Security_Solution_Endpoint_Exceptions_API_NonEmptyString: + description: A string that is not empty and does not contain only whitespace + minLength: 1 + pattern: ^(?! *$).+$ + type: string + Security_Solution_Endpoint_Exceptions_API_PlatformErrorResponse: + type: object + properties: + error: + type: string + message: + type: string + statusCode: + type: integer + required: + - statusCode + - error + - message + Security_Solution_Endpoint_Exceptions_API_SiemErrorResponse: + type: object + properties: + message: + type: string + status_code: + type: integer + required: + - status_code + - message + Security_Solution_Endpoint_Management_API_ActionLogRequestQuery: + type: object + properties: + end_date: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_EndDate + page: + $ref: '#/components/schemas/Security_Solution_Endpoint_Management_API_Page' + page_size: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_PageSize + start_date: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_StartDate + Security_Solution_Endpoint_Management_API_ActionStateSuccessResponse: + type: object + properties: + body: + type: object + properties: + data: + type: object + properties: + canEncrypt: + type: 
boolean + required: + - data + required: + - body + Security_Solution_Endpoint_Management_API_ActionStatusSuccessResponse: + type: object + properties: + body: + type: object + properties: + data: + type: object + properties: + agent_id: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_AgentId + pending_actions: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_PendingActionsSchema + required: + - agent_id + - pending_actions + required: + - data + required: + - body + Security_Solution_Endpoint_Management_API_AgentId: + description: Agent ID + type: string + Security_Solution_Endpoint_Management_API_AgentIds: + minLength: 1 + oneOf: + - items: + minLength: 1 + type: string + maxItems: 50 + minItems: 1 + type: array + - minLength: 1 + type: string + Security_Solution_Endpoint_Management_API_AgentTypes: + enum: + - endpoint + - sentinel_one + - crowdstrike + type: string + Security_Solution_Endpoint_Management_API_AlertIds: + description: A list of alerts ids. 
+ items: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_NonEmptyString + minItems: 1 + type: array + Security_Solution_Endpoint_Management_API_CaseIds: + description: Case IDs to be updated (cannot contain empty strings) + items: + minLength: 1 + type: string + minItems: 1 + type: array + Security_Solution_Endpoint_Management_API_Command: + description: The command to be executed (cannot be an empty string) + enum: + - isolate + - unisolate + - kill-process + - suspend-process + - running-processes + - get-file + - execute + - upload + - scan + minLength: 1 + type: string + Security_Solution_Endpoint_Management_API_Commands: + items: + $ref: '#/components/schemas/Security_Solution_Endpoint_Management_API_Command' + type: array + Security_Solution_Endpoint_Management_API_Comment: + description: Optional comment + type: string + Security_Solution_Endpoint_Management_API_EndDate: + description: End date + type: string + Security_Solution_Endpoint_Management_API_EndpointIds: + description: List of endpoint IDs (cannot contain empty strings) + items: + minLength: 1 + type: string + minItems: 1 + type: array + Security_Solution_Endpoint_Management_API_ExecuteRouteRequestBody: + allOf: + - type: object + properties: + agent_type: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_AgentTypes + alert_ids: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_AlertIds + case_ids: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_CaseIds + comment: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_Comment + endpoint_ids: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_EndpointIds + parameters: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_Parameters + required: + - endpoint_ids + - type: object + properties: + parameters: + type: object + properties: + command: + $ref: >- + 
#/components/schemas/Security_Solution_Endpoint_Management_API_Command + timeout: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_Timeout + required: + - command + required: + - parameters + Security_Solution_Endpoint_Management_API_GetEndpointActionListRouteQuery: + type: object + properties: + agentIds: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_AgentIds + agentTypes: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_AgentTypes + commands: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_Commands + endDate: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_EndDate + page: + $ref: '#/components/schemas/Security_Solution_Endpoint_Management_API_Page' + pageSize: + default: 10 + description: Number of items per page + maximum: 10000 + minimum: 1 + type: integer + startDate: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_StartDate + types: + $ref: '#/components/schemas/Security_Solution_Endpoint_Management_API_Types' + userIds: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_UserIds + withOutputs: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_WithOutputs + Security_Solution_Endpoint_Management_API_GetFileRouteRequestBody: + allOf: + - type: object + properties: + agent_type: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_AgentTypes + alert_ids: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_AlertIds + case_ids: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_CaseIds + comment: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_Comment + endpoint_ids: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_EndpointIds + parameters: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_Parameters 
+ required: + - endpoint_ids + - type: object + properties: + parameters: + type: object + properties: + path: + type: string + required: + - path + required: + - parameters + Security_Solution_Endpoint_Management_API_GetProcessesRouteRequestBody: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_NoParametersRequestSchema + Security_Solution_Endpoint_Management_API_IsolateRouteRequestBody: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_NoParametersRequestSchema + Security_Solution_Endpoint_Management_API_KillOrSuspendActionSchema: + allOf: + - type: object + properties: + agent_type: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_AgentTypes + alert_ids: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_AlertIds + case_ids: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_CaseIds + comment: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_Comment + endpoint_ids: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_EndpointIds + parameters: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_Parameters + required: + - endpoint_ids + - type: object + properties: + parameters: + oneOf: + - type: object + properties: + pid: + minimum: 1 + type: integer + - type: object + properties: + entity_id: + minLength: 1 + type: string + required: + - parameters + Security_Solution_Endpoint_Management_API_ListRequestQuery: + type: object + properties: + hostStatuses: + items: + enum: + - healthy + - offline + - updating + - inactive + - unenrolled + type: string + type: array + kuery: + nullable: true + type: string + page: + default: 0 + description: Page number + minimum: 0 + type: integer + pageSize: + default: 10 + description: Number of items per page + maximum: 10000 + minimum: 1 + type: integer + sortDirection: + enum: + - asc + - desc + nullable: true + type: string 
+ sortField: + enum: + - enrolled_at + - metadata.host.hostname + - host_status + - metadata.Endpoint.policy.applied.name + - metadata.Endpoint.policy.applied.status + - metadata.host.os.name + - metadata.host.ip + - metadata.agent.version + - last_checkin + type: string + required: + - hostStatuses + Security_Solution_Endpoint_Management_API_NonEmptyString: + description: A string that is not empty and does not contain only whitespace + minLength: 1 + pattern: ^(?! *$).+$ + type: string + Security_Solution_Endpoint_Management_API_NoParametersRequestSchema: + type: object + properties: + body: + type: object + properties: + agent_type: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_AgentTypes + alert_ids: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_AlertIds + case_ids: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_CaseIds + comment: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_Comment + endpoint_ids: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_EndpointIds + parameters: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_Parameters + required: + - endpoint_ids + required: + - body + Security_Solution_Endpoint_Management_API_Page: + default: 1 + description: Page number + minimum: 1 + type: integer + Security_Solution_Endpoint_Management_API_PageSize: + default: 10 + description: Number of items per page + maximum: 100 + minimum: 1 + type: integer + Security_Solution_Endpoint_Management_API_Parameters: + description: Optional parameters object + type: object + Security_Solution_Endpoint_Management_API_PendingActionDataType: + type: integer + Security_Solution_Endpoint_Management_API_PendingActionsSchema: + oneOf: + - type: object + properties: + execute: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_PendingActionDataType + get-file: + $ref: >- + 
#/components/schemas/Security_Solution_Endpoint_Management_API_PendingActionDataType + isolate: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_PendingActionDataType + kill-process: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_PendingActionDataType + running-processes: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_PendingActionDataType + scan: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_PendingActionDataType + suspend-process: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_PendingActionDataType + unisolate: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_PendingActionDataType + upload: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_PendingActionDataType + - additionalProperties: true + type: object + Security_Solution_Endpoint_Management_API_ProtectionUpdatesNoteResponse: + type: object + properties: + note: + type: string + Security_Solution_Endpoint_Management_API_ScanRouteRequestBody: + allOf: + - type: object + properties: + agent_type: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_AgentTypes + alert_ids: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_AlertIds + case_ids: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_CaseIds + comment: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_Comment + endpoint_ids: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_EndpointIds + parameters: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_Parameters + required: + - endpoint_ids + - type: object + properties: + parameters: + type: object + properties: + path: + type: string + required: + - path + required: + - parameters + Security_Solution_Endpoint_Management_API_StartDate: + description: Start date + 
type: string + Security_Solution_Endpoint_Management_API_SuccessResponse: + type: object + properties: {} + Security_Solution_Endpoint_Management_API_Timeout: + description: The maximum timeout value in milliseconds (optional) + minimum: 1 + type: integer + Security_Solution_Endpoint_Management_API_Type: + description: Type of response action + enum: + - automated + - manual + type: string + Security_Solution_Endpoint_Management_API_Types: + description: List of types of response actions + items: + $ref: '#/components/schemas/Security_Solution_Endpoint_Management_API_Type' + maxLength: 2 + minLength: 1 + type: array + Security_Solution_Endpoint_Management_API_UnisolateRouteRequestBody: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_NoParametersRequestSchema + Security_Solution_Endpoint_Management_API_UploadRouteRequestBody: + allOf: + - type: object + properties: + agent_type: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_AgentTypes + alert_ids: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_AlertIds + case_ids: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_CaseIds + comment: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_Comment + endpoint_ids: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_EndpointIds + parameters: + $ref: >- + #/components/schemas/Security_Solution_Endpoint_Management_API_Parameters + required: + - endpoint_ids + - type: object + properties: + file: + format: binary type: string - esTypes: - - keyword - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: string - shortDotsEnable: false - isMapped: true - DestCityName: - count: 0 - name: DestCityName + parameters: + type: object + properties: + overwrite: + default: false + type: boolean + required: + - parameters + - file + Security_Solution_Endpoint_Management_API_UserIds: + 
description: User IDs + oneOf: + - items: + minLength: 1 + type: string + minItems: 1 + type: array + - minLength: 1 + type: string + Security_Solution_Endpoint_Management_API_WithOutputs: + description: Shows detailed outputs for an action response + oneOf: + - items: + minLength: 1 + type: string + minItems: 1 + type: array + - minLength: 1 + type: string + Security_Solution_Entity_Analytics_API_AssetCriticalityBulkUploadErrorItem: + type: object + properties: + index: + type: integer + message: + type: string + required: + - message + - index + Security_Solution_Entity_Analytics_API_AssetCriticalityBulkUploadStats: + type: object + properties: + failed: + type: integer + successful: + type: integer + total: + type: integer + required: + - successful + - failed + - total + Security_Solution_Entity_Analytics_API_AssetCriticalityLevel: + description: The criticality level of the asset. + enum: + - low_impact + - medium_impact + - high_impact + - extreme_impact + type: string + Security_Solution_Entity_Analytics_API_AssetCriticalityRecord: + allOf: + - $ref: >- + #/components/schemas/Security_Solution_Entity_Analytics_API_CreateAssetCriticalityRecord + - type: object + properties: + '@timestamp': + description: The time the record was created or updated. + example: '2017-07-21T17:32:28Z' + format: date-time type: string - esTypes: - - keyword - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: string - shortDotsEnable: false - isMapped: true - DestCountry: - count: 0 - name: DestCountry + required: + - '@timestamp' + Security_Solution_Entity_Analytics_API_AssetCriticalityRecordIdParts: + type: object + properties: + id_field: + $ref: '#/components/schemas/Security_Solution_Entity_Analytics_API_IdField' + description: The field representing the ID. + example: host.name + id_value: + description: The ID value of the asset. 
+ type: string + required: + - id_value + - id_field + Security_Solution_Entity_Analytics_API_CreateAssetCriticalityRecord: + allOf: + - $ref: >- + #/components/schemas/Security_Solution_Entity_Analytics_API_AssetCriticalityRecordIdParts + - type: object + properties: + criticality_level: + $ref: >- + #/components/schemas/Security_Solution_Entity_Analytics_API_AssetCriticalityLevel + required: + - criticality_level + Security_Solution_Entity_Analytics_API_IdField: + enum: + - host.name + - user.name + type: string + Security_Solution_Exceptions_API_CreateExceptionListItemComment: + type: object + properties: + comment: + $ref: '#/components/schemas/Security_Solution_Exceptions_API_NonEmptyString' + required: + - comment + Security_Solution_Exceptions_API_CreateExceptionListItemCommentArray: + items: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_CreateExceptionListItemComment + type: array + Security_Solution_Exceptions_API_CreateRuleExceptionListItemComment: + type: object + properties: + comment: + $ref: '#/components/schemas/Security_Solution_Exceptions_API_NonEmptyString' + required: + - comment + Security_Solution_Exceptions_API_CreateRuleExceptionListItemCommentArray: + items: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_CreateRuleExceptionListItemComment + type: array + Security_Solution_Exceptions_API_CreateRuleExceptionListItemProps: + type: object + properties: + comments: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_CreateRuleExceptionListItemCommentArray + default: [] + description: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemDescription + entries: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemEntryArray + expire_time: + format: date-time + type: string + item_id: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemHumanId + meta: + $ref: >- + 
#/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemMeta + name: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemName + namespace_type: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionNamespaceType + default: single + os_types: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemOsTypeArray + default: [] + tags: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemTags + default: [] + type: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemType + required: + - type + - name + - description + - entries + Security_Solution_Exceptions_API_ExceptionList: + type: object + properties: + _version: + type: string + created_at: + format: date-time + type: string + created_by: + type: string + description: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListDescription + id: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListId + immutable: + type: boolean + list_id: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListHumanId + meta: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListMeta + name: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListName + namespace_type: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionNamespaceType + os_types: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListOsTypeArray + tags: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListTags + tie_breaker_id: + type: string + type: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListType + updated_at: + format: date-time + type: string + updated_by: + type: string + version: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListVersion + 
required: + - id + - list_id + - type + - name + - description + - immutable + - namespace_type + - version + - tie_breaker_id + - created_at + - created_by + - updated_at + - updated_by + Security_Solution_Exceptions_API_ExceptionListDescription: + type: string + Security_Solution_Exceptions_API_ExceptionListHumanId: + $ref: '#/components/schemas/Security_Solution_Exceptions_API_NonEmptyString' + description: 'Human readable string identifier, e.g. `trusted-linux-processes`' + Security_Solution_Exceptions_API_ExceptionListId: + $ref: '#/components/schemas/Security_Solution_Exceptions_API_NonEmptyString' + Security_Solution_Exceptions_API_ExceptionListItem: + type: object + properties: + _version: + type: string + comments: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemCommentArray + created_at: + format: date-time + type: string + created_by: + type: string + description: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemDescription + entries: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemEntryArray + expire_time: + format: date-time + type: string + id: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemId + item_id: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemHumanId + list_id: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListHumanId + meta: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemMeta + name: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemName + namespace_type: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionNamespaceType + os_types: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemOsTypeArray + tags: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemTags + tie_breaker_id: + 
type: string + type: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemType + updated_at: + format: date-time + type: string + updated_by: + type: string + required: + - id + - item_id + - list_id + - type + - name + - description + - entries + - namespace_type + - comments + - tie_breaker_id + - created_at + - created_by + - updated_at + - updated_by + Security_Solution_Exceptions_API_ExceptionListItemComment: + type: object + properties: + comment: + $ref: '#/components/schemas/Security_Solution_Exceptions_API_NonEmptyString' + created_at: + format: date-time + type: string + created_by: + $ref: '#/components/schemas/Security_Solution_Exceptions_API_NonEmptyString' + id: + $ref: '#/components/schemas/Security_Solution_Exceptions_API_NonEmptyString' + updated_at: + format: date-time + type: string + updated_by: + $ref: '#/components/schemas/Security_Solution_Exceptions_API_NonEmptyString' + required: + - id + - comment + - created_at + - created_by + Security_Solution_Exceptions_API_ExceptionListItemCommentArray: + items: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemComment + type: array + Security_Solution_Exceptions_API_ExceptionListItemDescription: + type: string + Security_Solution_Exceptions_API_ExceptionListItemEntry: + anyOf: + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemEntryMatch + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemEntryMatchAny + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemEntryList + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemEntryExists + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemEntryNested + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemEntryMatchWildcard + discriminator: + propertyName: type + 
Security_Solution_Exceptions_API_ExceptionListItemEntryArray: + items: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemEntry + type: array + Security_Solution_Exceptions_API_ExceptionListItemEntryExists: + type: object + properties: + field: + $ref: '#/components/schemas/Security_Solution_Exceptions_API_NonEmptyString' + operator: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemEntryOperator + type: + enum: + - exists + type: string + required: + - type + - field + - operator + Security_Solution_Exceptions_API_ExceptionListItemEntryList: + type: object + properties: + field: + $ref: '#/components/schemas/Security_Solution_Exceptions_API_NonEmptyString' + list: + type: object + properties: + id: + $ref: '#/components/schemas/Security_Solution_Exceptions_API_ListId' + type: + $ref: '#/components/schemas/Security_Solution_Exceptions_API_ListType' + required: + - id + - type + operator: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemEntryOperator + type: + enum: + - list + type: string + required: + - type + - field + - list + - operator + Security_Solution_Exceptions_API_ExceptionListItemEntryMatch: + type: object + properties: + field: + $ref: '#/components/schemas/Security_Solution_Exceptions_API_NonEmptyString' + operator: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemEntryOperator + type: + enum: + - match + type: string + value: + $ref: '#/components/schemas/Security_Solution_Exceptions_API_NonEmptyString' + required: + - type + - field + - value + - operator + Security_Solution_Exceptions_API_ExceptionListItemEntryMatchAny: + type: object + properties: + field: + $ref: '#/components/schemas/Security_Solution_Exceptions_API_NonEmptyString' + operator: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemEntryOperator + type: + enum: + - match_any + type: string + value: + items: + $ref: 
>- + #/components/schemas/Security_Solution_Exceptions_API_NonEmptyString + minItems: 1 + type: array + required: + - type + - field + - value + - operator + Security_Solution_Exceptions_API_ExceptionListItemEntryMatchWildcard: + type: object + properties: + field: + $ref: '#/components/schemas/Security_Solution_Exceptions_API_NonEmptyString' + operator: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemEntryOperator + type: + enum: + - wildcard + type: string + value: + $ref: '#/components/schemas/Security_Solution_Exceptions_API_NonEmptyString' + required: + - type + - field + - value + - operator + Security_Solution_Exceptions_API_ExceptionListItemEntryNested: + type: object + properties: + entries: + items: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemEntryNestedEntryItem + minItems: 1 + type: array + field: + $ref: '#/components/schemas/Security_Solution_Exceptions_API_NonEmptyString' + type: + enum: + - nested + type: string + required: + - type + - field + - entries + Security_Solution_Exceptions_API_ExceptionListItemEntryNestedEntryItem: + oneOf: + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemEntryMatch + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemEntryMatchAny + - $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemEntryExists + Security_Solution_Exceptions_API_ExceptionListItemEntryOperator: + enum: + - excluded + - included + type: string + Security_Solution_Exceptions_API_ExceptionListItemHumanId: + $ref: '#/components/schemas/Security_Solution_Exceptions_API_NonEmptyString' + Security_Solution_Exceptions_API_ExceptionListItemId: + $ref: '#/components/schemas/Security_Solution_Exceptions_API_NonEmptyString' + Security_Solution_Exceptions_API_ExceptionListItemMeta: + additionalProperties: true + type: object + Security_Solution_Exceptions_API_ExceptionListItemName: + $ref: 
'#/components/schemas/Security_Solution_Exceptions_API_NonEmptyString' + Security_Solution_Exceptions_API_ExceptionListItemOsTypeArray: + items: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListOsType + type: array + Security_Solution_Exceptions_API_ExceptionListItemTags: + items: + $ref: '#/components/schemas/Security_Solution_Exceptions_API_NonEmptyString' + type: array + Security_Solution_Exceptions_API_ExceptionListItemType: + enum: + - simple + type: string + Security_Solution_Exceptions_API_ExceptionListMeta: + additionalProperties: true + type: object + Security_Solution_Exceptions_API_ExceptionListName: + type: string + Security_Solution_Exceptions_API_ExceptionListOsType: + enum: + - linux + - macos + - windows + type: string + Security_Solution_Exceptions_API_ExceptionListOsTypeArray: + items: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListOsType + type: array + Security_Solution_Exceptions_API_ExceptionListsImportBulkError: + type: object + properties: + error: + type: object + properties: + message: type: string - esTypes: - - keyword - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: string - shortDotsEnable: false - isMapped: true - DestLocation: - count: 0 - name: DestLocation - type: geo_point - esTypes: - - geo_point - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: geo_point - params: - transform: wkt - shortDotsEnable: false - isMapped: true - DestRegion: - count: 0 - name: DestRegion + status_code: + type: integer + required: + - status_code + - message + id: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListId + item_id: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListItemHumanId + list_id: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListHumanId + required: + - error + 
Security_Solution_Exceptions_API_ExceptionListsImportBulkErrorArray: + items: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_ExceptionListsImportBulkError + type: array + Security_Solution_Exceptions_API_ExceptionListTags: + items: + type: string + type: array + Security_Solution_Exceptions_API_ExceptionListType: + enum: + - detection + - rule_default + - endpoint + - endpoint_trusted_apps + - endpoint_events + - endpoint_host_isolation_exceptions + - endpoint_blocklists + type: string + Security_Solution_Exceptions_API_ExceptionListVersion: + minimum: 1 + type: integer + Security_Solution_Exceptions_API_ExceptionNamespaceType: + description: > + Determines whether the exception container is available in all Kibana + spaces or just the space + + in which it is created, where: + + + - `single`: Only available in the Kibana space in which it is created. + + - `agnostic`: Available in all Kibana spaces. + enum: + - agnostic + - single + type: string + Security_Solution_Exceptions_API_FindExceptionListItemsFilter: + $ref: '#/components/schemas/Security_Solution_Exceptions_API_NonEmptyString' + Security_Solution_Exceptions_API_FindExceptionListsFilter: + type: string + Security_Solution_Exceptions_API_ListId: + $ref: '#/components/schemas/Security_Solution_Exceptions_API_NonEmptyString' + Security_Solution_Exceptions_API_ListType: + enum: + - binary + - boolean + - byte + - date + - date_nanos + - date_range + - double + - double_range + - float + - float_range + - geo_point + - geo_shape + - half_float + - integer + - integer_range + - ip + - ip_range + - keyword + - long + - long_range + - shape + - short + - text + type: string + Security_Solution_Exceptions_API_NonEmptyString: + description: A string that is not empty and does not contain only whitespace + minLength: 1 + pattern: ^(?! 
*$).+$ + type: string + Security_Solution_Exceptions_API_PlatformErrorResponse: + type: object + properties: + error: + type: string + message: + type: string + statusCode: + type: integer + required: + - statusCode + - error + - message + Security_Solution_Exceptions_API_RuleId: + $ref: '#/components/schemas/Security_Solution_Exceptions_API_UUID' + Security_Solution_Exceptions_API_SiemErrorResponse: + type: object + properties: + message: + type: string + status_code: + type: integer + required: + - status_code + - message + Security_Solution_Exceptions_API_UpdateExceptionListItemComment: + type: object + properties: + comment: + $ref: '#/components/schemas/Security_Solution_Exceptions_API_NonEmptyString' + id: + $ref: '#/components/schemas/Security_Solution_Exceptions_API_NonEmptyString' + required: + - comment + Security_Solution_Exceptions_API_UpdateExceptionListItemCommentArray: + items: + $ref: >- + #/components/schemas/Security_Solution_Exceptions_API_UpdateExceptionListItemComment + type: array + Security_Solution_Exceptions_API_UUID: + description: A universally unique identifier + format: uuid + type: string + Security_Solution_Lists_API_FindListItemsCursor: + $ref: '#/components/schemas/Security_Solution_Lists_API_NonEmptyString' + Security_Solution_Lists_API_FindListItemsFilter: + type: string + Security_Solution_Lists_API_FindListsCursor: + $ref: '#/components/schemas/Security_Solution_Lists_API_NonEmptyString' + Security_Solution_Lists_API_FindListsFilter: + type: string + Security_Solution_Lists_API_List: + type: object + properties: + _version: + type: string + '@timestamp': + format: date-time + type: string + created_at: + format: date-time + type: string + created_by: + type: string + description: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListDescription' + deserializer: + type: string + id: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListId' + immutable: + type: boolean + meta: + $ref: 
'#/components/schemas/Security_Solution_Lists_API_ListMetadata' + name: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListName' + serializer: + type: string + tie_breaker_id: + type: string + type: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListType' + updated_at: + format: date-time + type: string + updated_by: + type: string + version: + minimum: 1 + type: integer + required: + - id + - type + - name + - description + - immutable + - version + - tie_breaker_id + - created_at + - created_by + - updated_at + - updated_by + Security_Solution_Lists_API_ListDescription: + $ref: '#/components/schemas/Security_Solution_Lists_API_NonEmptyString' + Security_Solution_Lists_API_ListId: + $ref: '#/components/schemas/Security_Solution_Lists_API_NonEmptyString' + Security_Solution_Lists_API_ListItem: + type: object + properties: + _version: + type: string + '@timestamp': + format: date-time + type: string + created_at: + format: date-time + type: string + created_by: + type: string + deserializer: + type: string + id: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListItemId' + list_id: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListId' + meta: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListItemMetadata' + serializer: + type: string + tie_breaker_id: + type: string + type: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListType' + updated_at: + format: date-time + type: string + updated_by: + type: string + value: + $ref: '#/components/schemas/Security_Solution_Lists_API_ListItemValue' + required: + - id + - type + - list_id + - value + - tie_breaker_id + - created_at + - created_by + - updated_at + - updated_by + Security_Solution_Lists_API_ListItemId: + $ref: '#/components/schemas/Security_Solution_Lists_API_NonEmptyString' + Security_Solution_Lists_API_ListItemMetadata: + additionalProperties: true + type: object + Security_Solution_Lists_API_ListItemPrivileges: + type: object + properties: + 
application: + additionalProperties: + type: boolean + type: object + cluster: + additionalProperties: + type: boolean + type: object + has_all_requested: + type: boolean + index: + additionalProperties: + additionalProperties: + type: boolean + type: object + type: object + username: + type: string + required: + - username + - has_all_requested + - cluster + - index + - application + Security_Solution_Lists_API_ListItemValue: + $ref: '#/components/schemas/Security_Solution_Lists_API_NonEmptyString' + Security_Solution_Lists_API_ListMetadata: + additionalProperties: true + type: object + Security_Solution_Lists_API_ListName: + $ref: '#/components/schemas/Security_Solution_Lists_API_NonEmptyString' + Security_Solution_Lists_API_ListPrivileges: + type: object + properties: + application: + additionalProperties: + type: boolean + type: object + cluster: + additionalProperties: + type: boolean + type: object + has_all_requested: + type: boolean + index: + additionalProperties: + additionalProperties: + type: boolean + type: object + type: object + username: + type: string + required: + - username + - has_all_requested + - cluster + - index + - application + Security_Solution_Lists_API_ListType: + enum: + - binary + - boolean + - byte + - date + - date_nanos + - date_range + - double + - double_range + - float + - float_range + - geo_point + - geo_shape + - half_float + - integer + - integer_range + - ip + - ip_range + - keyword + - long + - long_range + - shape + - short + - text + type: string + Security_Solution_Lists_API_NonEmptyString: + description: A string that is not empty and does not contain only whitespace + minLength: 1 + pattern: ^(?! 
*$).+$ + type: string + Security_Solution_Lists_API_PlatformErrorResponse: + type: object + properties: + error: + type: string + message: + type: string + statusCode: + type: integer + required: + - statusCode + - error + - message + Security_Solution_Lists_API_SiemErrorResponse: + type: object + properties: + message: + type: string + status_code: + type: integer + required: + - status_code + - message + Security_Solution_Osquery_API_ArrayQueries: + items: + $ref: '#/components/schemas/Security_Solution_Osquery_API_ArrayQueriesItem' + type: array + Security_Solution_Osquery_API_ArrayQueriesItem: + type: object + properties: + ecs_mapping: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_ECSMappingOrUndefined + id: + $ref: '#/components/schemas/Security_Solution_Osquery_API_Id' + platform: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_PlatformOrUndefined + query: + $ref: '#/components/schemas/Security_Solution_Osquery_API_Query' + removed: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_RemovedOrUndefined + snapshot: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_SnapshotOrUndefined + version: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_VersionOrUndefined + Security_Solution_Osquery_API_CreateLiveQueryRequestBody: + type: object + properties: + agent_all: + type: boolean + agent_ids: + items: + type: string + type: array + agent_platforms: + items: + type: string + type: array + agent_policy_ids: + items: + type: string + type: array + alert_ids: + items: + type: string + type: array + case_ids: + items: + type: string + type: array + ecs_mapping: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_ECSMappingOrUndefined + event_ids: + items: + type: string + type: array + metadata: + nullable: true + type: object + pack_id: + $ref: '#/components/schemas/Security_Solution_Osquery_API_PackIdOrUndefined' + queries: + $ref: 
'#/components/schemas/Security_Solution_Osquery_API_ArrayQueries' + query: + $ref: '#/components/schemas/Security_Solution_Osquery_API_QueryOrUndefined' + saved_query_id: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_SavedQueryIdOrUndefined + Security_Solution_Osquery_API_CreatePacksRequestBody: + type: object + properties: + description: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_DescriptionOrUndefined + enabled: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_EnabledOrUndefined + name: + $ref: '#/components/schemas/Security_Solution_Osquery_API_PackName' + policy_ids: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_PolicyIdsOrUndefined + queries: + $ref: '#/components/schemas/Security_Solution_Osquery_API_ObjectQueries' + shards: + $ref: '#/components/schemas/Security_Solution_Osquery_API_Shards' + Security_Solution_Osquery_API_CreateSavedQueryRequestBody: + type: object + properties: + description: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_DescriptionOrUndefined + ecs_mapping: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_ECSMappingOrUndefined + id: + $ref: '#/components/schemas/Security_Solution_Osquery_API_SavedQueryId' + interval: + $ref: '#/components/schemas/Security_Solution_Osquery_API_Interval' + platform: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_DescriptionOrUndefined + query: + $ref: '#/components/schemas/Security_Solution_Osquery_API_QueryOrUndefined' + removed: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_RemovedOrUndefined + snapshot: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_SnapshotOrUndefined + version: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_VersionOrUndefined + Security_Solution_Osquery_API_DefaultSuccessResponse: + type: object + properties: {} + Security_Solution_Osquery_API_Description: + type: string + 
Security_Solution_Osquery_API_DescriptionOrUndefined: + $ref: '#/components/schemas/Security_Solution_Osquery_API_Description' + nullable: true + Security_Solution_Osquery_API_ECSMapping: + additionalProperties: + $ref: '#/components/schemas/Security_Solution_Osquery_API_ECSMappingItem' + type: object + Security_Solution_Osquery_API_ECSMappingItem: + type: object + properties: + field: + type: string + value: + oneOf: + - type: string + - items: + type: string + type: array + Security_Solution_Osquery_API_ECSMappingOrUndefined: + $ref: '#/components/schemas/Security_Solution_Osquery_API_ECSMapping' + nullable: true + Security_Solution_Osquery_API_Enabled: + type: boolean + Security_Solution_Osquery_API_EnabledOrUndefined: + $ref: '#/components/schemas/Security_Solution_Osquery_API_Enabled' + nullable: true + Security_Solution_Osquery_API_FindLiveQueryRequestQuery: + type: object + properties: + kuery: + $ref: '#/components/schemas/Security_Solution_Osquery_API_KueryOrUndefined' + page: + $ref: '#/components/schemas/Security_Solution_Osquery_API_PageOrUndefined' + pageSize: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_PageSizeOrUndefined + sort: + $ref: '#/components/schemas/Security_Solution_Osquery_API_SortOrUndefined' + sortOrder: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_SortOrderOrUndefined + Security_Solution_Osquery_API_FindPacksRequestQuery: + type: object + properties: + page: + $ref: '#/components/schemas/Security_Solution_Osquery_API_PageOrUndefined' + pageSize: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_PageSizeOrUndefined + sort: + $ref: '#/components/schemas/Security_Solution_Osquery_API_SortOrUndefined' + sortOrder: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_SortOrderOrUndefined + Security_Solution_Osquery_API_FindSavedQueryRequestQuery: + type: object + properties: + page: + $ref: '#/components/schemas/Security_Solution_Osquery_API_PageOrUndefined' + pageSize: + $ref: 
>- + #/components/schemas/Security_Solution_Osquery_API_PageSizeOrUndefined + sort: + $ref: '#/components/schemas/Security_Solution_Osquery_API_SortOrUndefined' + sortOrder: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_SortOrderOrUndefined + Security_Solution_Osquery_API_GetLiveQueryResultsRequestQuery: + type: object + properties: + kuery: + $ref: '#/components/schemas/Security_Solution_Osquery_API_KueryOrUndefined' + page: + $ref: '#/components/schemas/Security_Solution_Osquery_API_PageOrUndefined' + pageSize: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_PageSizeOrUndefined + sort: + $ref: '#/components/schemas/Security_Solution_Osquery_API_SortOrUndefined' + sortOrder: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_SortOrderOrUndefined + Security_Solution_Osquery_API_Id: + type: string + Security_Solution_Osquery_API_Interval: + type: string + Security_Solution_Osquery_API_IntervalOrUndefined: + $ref: '#/components/schemas/Security_Solution_Osquery_API_Interval' + nullable: true + Security_Solution_Osquery_API_KueryOrUndefined: + nullable: true + type: string + Security_Solution_Osquery_API_ObjectQueries: + additionalProperties: + $ref: '#/components/schemas/Security_Solution_Osquery_API_ObjectQueriesItem' + type: object + Security_Solution_Osquery_API_ObjectQueriesItem: + type: object + properties: + ecs_mapping: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_ECSMappingOrUndefined + id: + $ref: '#/components/schemas/Security_Solution_Osquery_API_Id' + platform: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_PlatformOrUndefined + query: + $ref: '#/components/schemas/Security_Solution_Osquery_API_Query' + removed: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_RemovedOrUndefined + saved_query_id: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_SavedQueryIdOrUndefined + snapshot: + $ref: >- + 
#/components/schemas/Security_Solution_Osquery_API_SnapshotOrUndefined + version: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_VersionOrUndefined + Security_Solution_Osquery_API_PackId: + type: string + Security_Solution_Osquery_API_PackIdOrUndefined: + $ref: '#/components/schemas/Security_Solution_Osquery_API_PackId' + nullable: true + Security_Solution_Osquery_API_PackName: + type: string + Security_Solution_Osquery_API_PageOrUndefined: + nullable: true + type: integer + Security_Solution_Osquery_API_PageSizeOrUndefined: + nullable: true + type: integer + Security_Solution_Osquery_API_Platform: + type: string + Security_Solution_Osquery_API_PlatformOrUndefined: + $ref: '#/components/schemas/Security_Solution_Osquery_API_Platform' + nullable: true + Security_Solution_Osquery_API_PolicyIds: + items: + type: string + type: array + Security_Solution_Osquery_API_PolicyIdsOrUndefined: + $ref: '#/components/schemas/Security_Solution_Osquery_API_PolicyIds' + nullable: true + Security_Solution_Osquery_API_Query: + type: string + Security_Solution_Osquery_API_QueryOrUndefined: + $ref: '#/components/schemas/Security_Solution_Osquery_API_Query' + nullable: true + Security_Solution_Osquery_API_Removed: + type: boolean + Security_Solution_Osquery_API_RemovedOrUndefined: + $ref: '#/components/schemas/Security_Solution_Osquery_API_Removed' + nullable: true + Security_Solution_Osquery_API_SavedQueryId: + type: string + Security_Solution_Osquery_API_SavedQueryIdOrUndefined: + $ref: '#/components/schemas/Security_Solution_Osquery_API_SavedQueryId' + nullable: true + Security_Solution_Osquery_API_Shards: + additionalProperties: + type: number + type: object + Security_Solution_Osquery_API_Snapshot: + type: boolean + Security_Solution_Osquery_API_SnapshotOrUndefined: + $ref: '#/components/schemas/Security_Solution_Osquery_API_Snapshot' + nullable: true + Security_Solution_Osquery_API_SortOrderOrUndefined: + oneOf: + - nullable: true + type: string + - enum: + - asc 
+ - desc + Security_Solution_Osquery_API_SortOrUndefined: + nullable: true + type: string + Security_Solution_Osquery_API_UpdatePacksRequestBody: + type: object + properties: + description: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_DescriptionOrUndefined + enabled: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_EnabledOrUndefined + id: + $ref: '#/components/schemas/Security_Solution_Osquery_API_PackId' + policy_ids: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_PolicyIdsOrUndefined + queries: + $ref: '#/components/schemas/Security_Solution_Osquery_API_ObjectQueries' + shards: + $ref: '#/components/schemas/Security_Solution_Osquery_API_Shards' + Security_Solution_Osquery_API_UpdateSavedQueryRequestBody: + type: object + properties: + description: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_DescriptionOrUndefined + ecs_mapping: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_ECSMappingOrUndefined + id: + $ref: '#/components/schemas/Security_Solution_Osquery_API_SavedQueryId' + interval: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_IntervalOrUndefined + platform: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_DescriptionOrUndefined + query: + $ref: '#/components/schemas/Security_Solution_Osquery_API_QueryOrUndefined' + removed: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_RemovedOrUndefined + snapshot: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_SnapshotOrUndefined + version: + $ref: >- + #/components/schemas/Security_Solution_Osquery_API_VersionOrUndefined + Security_Solution_Osquery_API_Version: + type: string + Security_Solution_Osquery_API_VersionOrUndefined: + $ref: '#/components/schemas/Security_Solution_Osquery_API_Version' + nullable: true + Security_Solution_Timeline_API_BareNote: + type: object + properties: + created: + nullable: true + type: number + createdBy: + nullable: true + type: 
string + eventId: + nullable: true + type: string + note: + nullable: true + type: string + timelineId: + nullable: true + type: string + updated: + nullable: true + type: number + updatedBy: + nullable: true + type: string + required: + - timelineId + Security_Solution_Timeline_API_ColumnHeaderResult: + type: object + properties: + aggregatable: + type: boolean + category: + type: string + columnHeaderType: + type: string + description: + type: string + example: + oneOf: + - type: string + - type: number + id: + type: string + indexes: + items: + type: string + type: array + name: + type: string + placeholder: + type: string + searchable: + type: boolean + type: + type: string + Security_Solution_Timeline_API_DataProviderQueryMatch: + type: object + properties: + enabled: + nullable: true + type: boolean + excluded: + nullable: true + type: boolean + id: + nullable: true + type: string + kqlQuery: + nullable: true + type: string + name: + nullable: true + type: string + queryMatch: + $ref: '#/components/schemas/Security_Solution_Timeline_API_QueryMatchResult' + Security_Solution_Timeline_API_DataProviderResult: + type: object + properties: + and: + items: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_DataProviderQueryMatch + nullable: true + type: array + enabled: + nullable: true + type: boolean + excluded: + nullable: true + type: boolean + id: + nullable: true + type: string + kqlQuery: + nullable: true + type: string + name: + nullable: true + type: string + queryMatch: + $ref: '#/components/schemas/Security_Solution_Timeline_API_QueryMatchResult' + nullable: true + type: + $ref: '#/components/schemas/Security_Solution_Timeline_API_DataProviderType' + nullable: true + Security_Solution_Timeline_API_DataProviderType: + description: >- + The type of data provider to create. Valid values are `default` and + `template`. 
+ enum: + - default + - template + type: string + Security_Solution_Timeline_API_DocumentIds: + oneOf: + - items: + type: string + type: array + - type: string + Security_Solution_Timeline_API_FavoriteTimelineResponse: + type: object + properties: + code: + nullable: true + type: number + favorite: + items: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_FavoriteTimelineResult + type: array + message: + nullable: true + type: string + savedObjectId: + type: string + templateTimelineId: + nullable: true + type: string + templateTimelineVersion: + nullable: true + type: number + timelineType: + $ref: '#/components/schemas/Security_Solution_Timeline_API_TimelineType' + version: + type: string + required: + - savedObjectId + - version + Security_Solution_Timeline_API_FavoriteTimelineResult: + type: object + properties: + favoriteDate: + nullable: true + type: number + fullName: + nullable: true + type: string + userName: + nullable: true + type: string + Security_Solution_Timeline_API_FilterTimelineResult: + type: object + properties: + exists: + type: boolean + match_all: + type: string + meta: + type: object + properties: + alias: type: string - esTypes: - - keyword - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: string - shortDotsEnable: false - isMapped: true - DestWeather: - count: 0 - name: DestWeather + controlledBy: type: string - esTypes: - - keyword - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: string - shortDotsEnable: false - isMapped: true - DistanceKilometers: - count: 0 - name: DistanceKilometers - type: number - esTypes: - - float - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: number - shortDotsEnable: false - isMapped: true - DistanceMiles: - count: 0 - name: DistanceMiles - type: number - esTypes: - - float - scripted: false - searchable: true - aggregatable: true - 
readFromDocValues: true - format: - id: number - shortDotsEnable: false - isMapped: true - FlightDelay: - count: 0 - name: FlightDelay + disabled: type: boolean - esTypes: - - boolean - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: boolean - shortDotsEnable: false - isMapped: true - FlightDelayMin: - count: 0 - name: FlightDelayMin - type: number - esTypes: - - integer - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: number - shortDotsEnable: false - isMapped: true - FlightDelayType: - count: 0 - name: FlightDelayType - type: string - esTypes: - - keyword - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: string - shortDotsEnable: false - isMapped: true - FlightNum: - count: 0 - name: FlightNum - type: string - esTypes: - - keyword - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: string - shortDotsEnable: false - isMapped: true - FlightTimeHour: - count: 0 - name: FlightTimeHour - type: string - esTypes: - - keyword - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: string - shortDotsEnable: false - isMapped: true - FlightTimeMin: - count: 0 - name: FlightTimeMin - type: number - esTypes: - - float - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: number - shortDotsEnable: false - isMapped: true - Origin: - count: 0 - name: Origin - type: string - esTypes: - - keyword - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: string - shortDotsEnable: false - isMapped: true - OriginAirportID: - count: 0 - name: OriginAirportID + field: type: string - esTypes: - - keyword - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: string - shortDotsEnable: false - isMapped: true - 
OriginCityName: - count: 0 - name: OriginCityName + formattedValue: type: string - esTypes: - - keyword - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: string - shortDotsEnable: false - isMapped: true - OriginCountry: - count: 0 - name: OriginCountry + index: type: string - esTypes: - - keyword - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: string - shortDotsEnable: false - isMapped: true - OriginLocation: - count: 0 - name: OriginLocation - type: geo_point - esTypes: - - geo_point - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: geo_point - params: - transform: wkt - shortDotsEnable: false - isMapped: true - OriginRegion: - count: 0 - name: OriginRegion + key: type: string - esTypes: - - keyword - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: string - shortDotsEnable: false - isMapped: true - OriginWeather: - count: 0 - name: OriginWeather + negate: + type: boolean + params: type: string - esTypes: - - keyword - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: string - shortDotsEnable: false - isMapped: true - _id: - count: 0 - name: _id + type: type: string - esTypes: - - _id - scripted: false - searchable: true - aggregatable: false - readFromDocValues: false - format: - id: string - shortDotsEnable: false - isMapped: true - _index: - count: 0 - name: _index + value: type: string - esTypes: - - _index - scripted: false - searchable: true - aggregatable: true - readFromDocValues: false - format: - id: string - shortDotsEnable: false - isMapped: true - _score: - count: 0 - name: _score - type: number - scripted: false - searchable: false - aggregatable: false - readFromDocValues: false - format: - id: number - shortDotsEnable: false - isMapped: true - _source: - count: 0 - name: _source - type: _source - 
esTypes: - - _source - scripted: false - searchable: false - aggregatable: false - readFromDocValues: false - format: - id: _source - shortDotsEnable: false - isMapped: true - dayOfWeek: - count: 0 - name: dayOfWeek - type: number - esTypes: - - integer - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: number - shortDotsEnable: false - isMapped: true - timestamp: - count: 0 - name: timestamp - type: date - esTypes: - - date - scripted: false - searchable: true - aggregatable: true - readFromDocValues: true - format: - id: date - shortDotsEnable: false - isMapped: true - fieldFormats: - hour_of_day: - id: number - params: - pattern: '00' - AvgTicketPrice: - id: number - params: - pattern: $0,0.[00] - runtimeFieldMap: - hour_of_day: - type: long - script: - source: emit(doc['timestamp'].value.getHour()); - fieldAttrs: {} - allowNoIndex: false - name: Kibana Sample Data Flights - Data_views_update_runtime_field_request: - summary: Update an existing runtime field on a data view. - value: - runtimeField: - script: - source: emit(doc["bar"].value) - Data_views_get_default_data_view_response: - summary: The get default data view API returns the default data view identifier. - value: - data_view_id: ff959d40-b880-11e8-a6d9-e546fe2bba5f - Data_views_set_default_data_view_request: - summary: Set the default data view identifier. - value: - data_view_id: ff959d40-b880-11e8-a6d9-e546fe2bba5f - force: true - Data_views_swap_data_view_request: - summary: >- - Swap references from data view ID "abcd-efg" to "xyz-123" and remove the - data view that is no longer referenced. - value: - fromId: abcd-efg - toId: xyz-123 - delete: true - Data_views_preview_swap_data_view_request: - summary: Preview swapping references from data view ID "abcd-efg" to "xyz-123". - value: - fromId: abcd-efg - toId: xyz-123 - Machine_learning_APIs_mlSyncExample: - summary: Two anomaly detection jobs required synchronization in this example. 
- value: - savedObjectsCreated: - anomaly-detector: - myjob1: - success: true - myjob2: - success: true - savedObjectsDeleted: {} - datafeedsAdded: {} - datafeedsRemoved: {} - Saved_objects_key_rotation_response: - summary: Encryption key rotation using default parameters. - value: - total: 1000 - successful: 300 - failed: 0 - Saved_objects_export_objects_request: - summary: Export a specific saved object. - value: - objects: - - type: map - id: de71f4f0-1902-11e9-919b-ffe5949a18d2 - includeReferencesDeep: false - excludeExportDetails: true - Saved_objects_export_objects_response: - summary: >- - The export objects API response contains a JSON record for each exported - object. - value: - attributes: - description: '' - layerListJSON: >- - [{"id":"0hmz5","alpha":1,"sourceDescriptor":{"type":"EMS_TMS","isAutoSelect":true,"lightModeDefault":"road_map_desaturated"},"visible":true,"style":{},"type":"EMS_VECTOR_TILE","minZoom":0,"maxZoom":24},{"id":"edh66","label":"Total - Requests by - Destination","minZoom":0,"maxZoom":24,"alpha":0.5,"sourceDescriptor":{"type":"EMS_FILE","id":"world_countries","tooltipProperties":["name","iso2"]},"visible":true,"style":{"type":"VECTOR","properties":{"fillColor":{"type":"DYNAMIC","options":{"field":{"name":"__kbnjoin__count__673ff994-fc75-4c67-909b-69fcb0e1060e","origin":"join"},"color":"Greys","fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"lineColor":{"type":"STATIC","options":{"color":"#FFFFFF"}},"lineWidth":{"type":"STATIC","options":{"size":1}},"iconSize":{"type":"STATIC","options":{"size":10}},"symbolizeAs":{"options":{"value":"circle"}},"icon":{"type":"STATIC","options":{"value":"marker"}}}},"type":"GEOJSON_VECTOR","joins":[{"leftField":"iso2","right":{"type":"ES_TERM_SOURCE","id":"673ff994-fc75-4c67-909b-69fcb0e1060e","indexPatternTitle":"kibana_sample_data_logs","term":"geo.dest","indexPatternRefName":"layer_1_join_0_index_pattern","metrics":[{"type":"count","label":"web - logs - 
count"}],"applyGlobalQuery":true}}]},{"id":"gaxya","label":"Actual - Requests","minZoom":9,"maxZoom":24,"alpha":1,"sourceDescriptor":{"id":"b7486535-171b-4d3b-bb2e-33c1a0a2854c","type":"ES_SEARCH","geoField":"geo.coordinates","limit":2048,"filterByMapBounds":true,"tooltipProperties":["clientip","timestamp","host","request","response","machine.os","agent","bytes"],"indexPatternRefName":"layer_2_source_index_pattern","applyGlobalQuery":true,"scalingType":"LIMIT"},"visible":true,"style":{"type":"VECTOR","properties":{"fillColor":{"type":"STATIC","options":{"color":"#2200ff"}},"lineColor":{"type":"STATIC","options":{"color":"#FFFFFF"}},"lineWidth":{"type":"STATIC","options":{"size":2}},"iconSize":{"type":"DYNAMIC","options":{"field":{"name":"bytes","origin":"source"},"minSize":1,"maxSize":23,"fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"symbolizeAs":{"options":{"value":"circle"}},"icon":{"type":"STATIC","options":{"value":"marker"}}}},"type":"GEOJSON_VECTOR"},{"id":"tfi3f","label":"Total - Requests and - Bytes","minZoom":0,"maxZoom":9,"alpha":1,"sourceDescriptor":{"type":"ES_GEO_GRID","resolution":"COARSE","id":"8aaa65b5-a4e9-448b-9560-c98cb1c5ac5b","geoField":"geo.coordinates","requestType":"point","metrics":[{"type":"count","label":"web - logs - 
count"},{"type":"sum","field":"bytes"}],"indexPatternRefName":"layer_3_source_index_pattern","applyGlobalQuery":true},"visible":true,"style":{"type":"VECTOR","properties":{"fillColor":{"type":"DYNAMIC","options":{"field":{"name":"doc_count","origin":"source"},"color":"Blues","fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"lineColor":{"type":"STATIC","options":{"color":"#cccccc"}},"lineWidth":{"type":"STATIC","options":{"size":1}},"iconSize":{"type":"DYNAMIC","options":{"field":{"name":"sum_of_bytes","origin":"source"},"minSize":7,"maxSize":25,"fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"labelText":{"type":"DYNAMIC","options":{"field":{"name":"doc_count","origin":"source"},"fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"labelSize":{"type":"DYNAMIC","options":{"field":{"name":"doc_count","origin":"source"},"minSize":12,"maxSize":24,"fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"symbolizeAs":{"options":{"value":"circle"}},"icon":{"type":"STATIC","options":{"value":"marker"}}}},"type":"GEOJSON_VECTOR"}] - mapStateJSON: >- - {"zoom":3.64,"center":{"lon":-88.92107,"lat":42.16337},"timeFilters":{"from":"now-7d","to":"now"},"refreshConfig":{"isPaused":true,"interval":0},"query":{"language":"kuery","query":""},"settings":{"autoFitToDataBounds":false}} - title: '[Logs] Total Requests and Bytes' - uiStateJSON: '{"isDarkMode":false}' - coreMigrationVersion: 8.8.0 - created_at: '2023-08-23T20:03:32.204Z' - id: de71f4f0-1902-11e9-919b-ffe5949a18d2 - managed: false - references: - - id: 90943e30-9a47-11e8-b64d-95841ca0b247 - name: layer_1_join_0_index_pattern - type: index-pattern - - id: 90943e30-9a47-11e8-b64d-95841ca0b247 - name: layer_2_source_index_pattern - type: index-pattern - - id: 90943e30-9a47-11e8-b64d-95841ca0b247 - name: layer_3_source_index_pattern - type: index-pattern - type: map - typeMigrationVersion: 8.4.0 - updated_at: '2023-08-23T20:03:32.204Z' - version: WzEzLDFd - Saved_objects_import_objects_request: - value: - file: file.ndjson - 
Saved_objects_import_objects_response: - summary: >- - The import objects API response indicates a successful import and the - objects are created. Since these objects are created as new copies, each - entry in the successResults array includes a destinationId attribute. - value: - successCount: 1 - success: true - successResults: - - type: index-pattern - id: 90943e30-9a47-11e8-b64d-95841ca0b247 - meta: - title: Kibana Sample Data Logs - icon: indexPatternApp - managed: false - destinationId: 82d2760c-468f-49cf-83aa-b9a35b6a8943 - Saved_objects_resolve_missing_reference_request: - value: - file: file.ndjson - retries: - - type: index-pattern - id: my-pattern - overwrite: true - - type: visualization - id: my-vis - overwrite: true - destinationId: another-vis - - type: canvas - id: my-canvas - overwrite: true - destinationId: yet-another-canvas - - type: dashboard - id: my-dashboard - Saved_objects_resolve_missing_reference_response: - summary: Resolve missing reference errors. - value: - success: true - successCount: 3 - successResults: - - id: my-vis - type: visualization - meta: - icon: visualizeApp - title: Look at my visualization - - id: my-search - type: search - meta: - icon: searchApp - title: Look at my search - - id: my-dashboard - type: dashboard - meta: - icon: dashboardApp - title: Look at my dashboard - responses: - Connectors_401: - description: Authorization information is missing or invalid. 
- content: - application/json: - schema: + missing: + type: string + query: + type: string + range: + type: string + script: + type: string + Security_Solution_Timeline_API_ImportTimelineResult: + type: object + properties: + errors: + items: type: object - title: Unauthorized response properties: error: + type: object + properties: + message: + type: string + status_code: + type: number + id: + type: string + type: array + success: + type: boolean + success_count: + type: number + timelines_installed: + type: number + timelines_updated: + type: number + Security_Solution_Timeline_API_ImportTimelines: + allOf: + - $ref: '#/components/schemas/Security_Solution_Timeline_API_SavedTimeline' + - type: object + properties: + eventNotes: + items: + $ref: '#/components/schemas/Security_Solution_Timeline_API_BareNote' + nullable: true + type: array + globalNotes: + items: + $ref: '#/components/schemas/Security_Solution_Timeline_API_BareNote' + nullable: true + type: array + pinnedEventIds: + items: + type: string + nullable: true + type: array + savedObjectId: + nullable: true + type: string + version: + nullable: true + type: string + Security_Solution_Timeline_API_Note: + allOf: + - $ref: '#/components/schemas/Security_Solution_Timeline_API_BareNote' + - type: object + properties: + noteId: + type: string + version: + type: string + Security_Solution_Timeline_API_PinnedEvent: + type: object + properties: + created: + nullable: true + type: number + createdBy: + nullable: true + type: string + eventId: + type: string + pinnedEventId: + type: string + timelineId: + type: string + updated: + nullable: true + type: number + updatedBy: + nullable: true + type: string + version: + type: string + required: + - eventId + - pinnedEventId + - timelineId + - version + Security_Solution_Timeline_API_QueryMatchResult: + type: object + properties: + displayField: + nullable: true + type: string + displayValue: + nullable: true + type: string + field: + nullable: true + type: string + 
operator: + nullable: true + type: string + value: + nullable: true + type: string + Security_Solution_Timeline_API_Readable: + type: object + properties: + _data: + additionalProperties: true + type: object + _encoding: + type: string + _events: + additionalProperties: true + type: object + _eventsCount: + type: number + _maxListeners: + additionalProperties: true + type: object + _position: + type: number + _read: + additionalProperties: true + type: object + _readableState: + additionalProperties: true + type: object + readable: + type: boolean + Security_Solution_Timeline_API_RowRendererId: + enum: + - alert + - alerts + - auditd + - auditd_file + - library + - netflow + - plain + - registry + - suricata + - system + - system_dns + - system_endgame_process + - system_file + - system_fim + - system_security_event + - system_socket + - threat_match + - zeek + type: string + Security_Solution_Timeline_API_SavedTimeline: + type: object + properties: + columns: + items: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_ColumnHeaderResult + nullable: true + type: array + created: + nullable: true + type: number + createdBy: + nullable: true + type: string + dataProviders: + items: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_DataProviderResult + nullable: true + type: array + dataViewId: + nullable: true + type: string + dateRange: + nullable: true + type: object + properties: + end: + oneOf: + - type: string + - type: number + start: + oneOf: + - type: string + - type: number + description: + nullable: true + type: string + eqlOptions: + nullable: true + type: object + properties: + eventCategoryField: + nullable: true + type: string + query: + nullable: true + type: string + size: + oneOf: + - nullable: true + type: string + - nullable: true + type: number + tiebreakerField: + nullable: true + type: string + timestampField: + nullable: true + type: string + eventType: + nullable: true + type: string + excludedRowRendererIds: + 
items: + $ref: '#/components/schemas/Security_Solution_Timeline_API_RowRendererId' + nullable: true + type: array + favorite: + items: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_FavoriteTimelineResult + nullable: true + type: array + filters: + items: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_FilterTimelineResult + nullable: true + type: array + indexNames: + items: + type: string + nullable: true + type: array + kqlMode: + nullable: true + type: string + kqlQuery: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_SerializedFilterQueryResult + nullable: true + savedQueryId: + nullable: true + type: string + savedSearchId: + nullable: true + type: string + sort: + $ref: '#/components/schemas/Security_Solution_Timeline_API_Sort' + nullable: true + status: + enum: + - active + - draft + - immutable + nullable: true + type: string + templateTimelineId: + nullable: true + type: string + templateTimelineVersion: + nullable: true + type: number + timelineType: + $ref: '#/components/schemas/Security_Solution_Timeline_API_TimelineType' + nullable: true + title: + nullable: true + type: string + updated: + nullable: true + type: number + updatedBy: + nullable: true + type: string + Security_Solution_Timeline_API_SerializedFilterQueryResult: + type: object + properties: + filterQuery: + nullable: true + type: object + properties: + kuery: + nullable: true + type: object + properties: + expression: + nullable: true + type: string + kind: + nullable: true + type: string + serializedQuery: + nullable: true + type: string + Security_Solution_Timeline_API_Sort: + oneOf: + - $ref: '#/components/schemas/Security_Solution_Timeline_API_SortObject' + - items: + $ref: '#/components/schemas/Security_Solution_Timeline_API_SortObject' + type: array + Security_Solution_Timeline_API_SortFieldTimeline: + description: The field to sort the timelines by. 
+ enum: + - title + - description + - updated + - created + type: string + Security_Solution_Timeline_API_SortObject: + type: object + properties: + columnId: + nullable: true + type: string + columnType: + nullable: true + type: string + sortDirection: + nullable: true + type: string + Security_Solution_Timeline_API_TimelineResponse: + allOf: + - $ref: '#/components/schemas/Security_Solution_Timeline_API_SavedTimeline' + - type: object + properties: + eventIdToNoteIds: + items: + $ref: '#/components/schemas/Security_Solution_Timeline_API_Note' + type: array + noteIds: + items: type: string - example: Unauthorized - enum: - - Unauthorized - message: + type: array + notes: + items: + $ref: '#/components/schemas/Security_Solution_Timeline_API_Note' + type: array + pinnedEventIds: + items: type: string - statusCode: - type: integer - example: 401 - enum: - - 401 - Connectors_404: - description: Object is not found. - content: - application/json: - schema: + type: array + pinnedEventsSaveObject: + items: + $ref: >- + #/components/schemas/Security_Solution_Timeline_API_PinnedEvent + type: array + savedObjectId: + type: string + version: + type: string + required: + - savedObjectId + - version + Security_Solution_Timeline_API_TimelineStatus: + description: >- + The status of the timeline. Valid values are `active`, `draft`, and + `immutable`. + enum: + - active + - draft + - immutable + type: string + Security_Solution_Timeline_API_TimelineType: + description: >- + The type of timeline to create. Valid values are `default` and + `template`. 
+ enum: + - default + - template + type: string + SLOs_400_response: + title: Bad request + type: object + properties: + error: + example: Bad Request + type: string + message: + example: 'Invalid value ''foo'' supplied to: [...]' + type: string + statusCode: + example: 400 + type: number + required: + - statusCode + - error + - message + SLOs_401_response: + title: Unauthorized + type: object + properties: + error: + example: Unauthorized + type: string + message: + example: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastics] for REST request [/_security/_authenticate]]: unable to authenticate user [elastics] for REST request [/_security/_authenticate]" + type: string + statusCode: + example: 401 + type: number + required: + - statusCode + - error + - message + SLOs_403_response: + title: Unauthorized + type: object + properties: + error: + example: Unauthorized + type: string + message: + example: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastics] for REST request [/_security/_authenticate]]: unable to authenticate user [elastics] for REST request [/_security/_authenticate]" + type: string + statusCode: + example: 403 + type: number + required: + - statusCode + - error + - message + SLOs_404_response: + title: Not found + type: object + properties: + error: + example: Not Found + type: string + message: + example: 'SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found' + type: string + statusCode: + example: 404 + type: number + required: + - statusCode + - error + - message + SLOs_409_response: + title: Conflict + type: object + properties: + error: + example: Conflict + type: string + message: + example: 'SLO [d077e940-1515-11ee-9c50-9d096392f520] already exists' + type: string + statusCode: + example: 409 + type: number + required: + - statusCode + - error + - message + SLOs_budgeting_method: + description: The budgeting method to use when computing the rollup 
data. + enum: + - occurrences + - timeslices + example: occurrences + title: Budgeting method + type: string + SLOs_create_slo_request: + description: > + The create SLO API request body varies depending on the type of + indicator, time window and budgeting method. + properties: + budgetingMethod: + $ref: '#/components/schemas/SLOs_budgeting_method' + description: + description: A description for the SLO. + type: string + groupBy: + description: optional group by field to use to generate an SLO per distinct value + example: some.field + type: string + id: + description: >- + A optional and unique identifier for the SLO. Must be between 8 and + 36 chars + example: my-super-slo-id + type: string + indicator: + oneOf: + - $ref: '#/components/schemas/SLOs_indicator_properties_custom_kql' + - $ref: '#/components/schemas/SLOs_indicator_properties_apm_availability' + - $ref: '#/components/schemas/SLOs_indicator_properties_apm_latency' + - $ref: '#/components/schemas/SLOs_indicator_properties_custom_metric' + - $ref: '#/components/schemas/SLOs_indicator_properties_histogram' + - $ref: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' + name: + description: A name for the SLO. + type: string + objective: + $ref: '#/components/schemas/SLOs_objective' + settings: + $ref: '#/components/schemas/SLOs_settings' + tags: + description: List of tags + items: + type: string + type: array + timeWindow: + $ref: '#/components/schemas/SLOs_time_window' + required: + - name + - description + - indicator + - timeWindow + - budgetingMethod + - objective + title: Create SLO request + type: object + SLOs_create_slo_response: + title: Create SLO response + type: object + properties: + id: + example: 8853df00-ae2e-11ed-90af-09bb6422b258 + type: string + required: + - id + SLOs_delete_slo_instances_request: + description: > + The delete SLO instances request takes a list of SLO id and instance id, + then delete the rollup and summary data. 
This API can be used to remove + the staled data of an instance SLO that no longer get updated. + properties: + list: + description: An array of slo id and instance id + items: type: object - title: Not found response properties: - error: + instanceId: + description: The SLO instance identifier + example: 8853df00-ae2e-11ed-90af-09bb6422b258 type: string - example: Not Found - enum: - - Not Found - message: + sloId: + description: The SLO unique identifier + example: 8853df00-ae2e-11ed-90af-09bb6422b258 type: string - example: >- - Saved object [action/baf33fc0-920c-11ed-b36a-874bd1548a00] not - found - statusCode: - type: integer - example: 404 - enum: - - 404 - Connectors_200_actions: - description: Indicates a successful call. - content: - application/json: - schema: - $ref: '#/components/schemas/Connectors_action_response_properties' + required: + - sloId + - instanceId + type: array + required: + - list + title: Delete SLO instances request + type: object + SLOs_error_budget: + title: Error budget + type: object + properties: + consumed: + description: 'The error budget consummed, as a percentage of the initial value.' + example: 0.8 + type: number + initial: + description: 'The initial error budget, as 1 - objective' + example: 0.02 + type: number + isEstimated: + description: >- + Only for SLO defined with occurrences budgeting method and calendar + aligned time window. + example: true + type: boolean + remaining: + description: 'The error budget remaining, as a percentage of the initial value.' 
+ example: 0.2 + type: number + required: + - initial + - consumed + - remaining + - isEstimated + SLOs_filter: + description: Defines properties for a filter + properties: + meta: + $ref: '#/components/schemas/SLOs_filter_meta' + query: + type: object + title: Filter + type: object + SLOs_filter_meta: + description: Defines properties for a filter + properties: + alias: + nullable: true + type: string + controlledBy: + type: string + disabled: + type: boolean + field: + type: string + group: + type: string + index: + type: string + isMultiIndex: + type: boolean + key: + type: string + negate: + type: boolean + params: + type: object + type: + type: string + value: + type: string + title: FilterMeta + type: object + SLOs_find_slo_response: + description: | + A paginated response of SLOs matching the query. + properties: + page: + example: 1 + type: number + perPage: + example: 25 + type: number + results: + items: + $ref: '#/components/schemas/SLOs_slo_with_summary_response' + type: array + total: + example: 34 + type: number + title: Find SLO response + type: object + SLOs_indicator_properties_apm_availability: + description: Defines properties for the APM availability indicator type + type: object + properties: + params: + description: An object containing the indicator parameters. 
+ nullable: false + type: object + properties: + environment: + description: The APM service environment or "*" + example: production + type: string + filter: + description: KQL query used for filtering the data + example: 'service.foo : "bar"' + type: string + index: + description: The index used by APM metrics + example: 'metrics-apm*,apm*' + type: string + service: + description: The APM service name + example: o11y-app + type: string + transactionName: + description: The APM transaction name or "*" + example: GET /my/api + type: string + transactionType: + description: The APM transaction type or "*" + example: request + type: string + required: + - service + - environment + - transactionType + - transactionName + - index + type: + description: The type of indicator. + example: sli.apm.transactionDuration + type: string + required: + - type + - params + title: APM availability + SLOs_indicator_properties_apm_latency: + description: Defines properties for the APM latency indicator type + type: object + properties: + params: + description: An object containing the indicator parameters. + nullable: false + type: object + properties: + environment: + description: The APM service environment or "*" + example: production + type: string + filter: + description: KQL query used for filtering the data + example: 'service.foo : "bar"' + type: string + index: + description: The index used by APM metrics + example: 'metrics-apm*,apm*' + type: string + service: + description: The APM service name + example: o11y-app + type: string + threshold: + description: The latency threshold in milliseconds + example: 250 + type: number + transactionName: + description: The APM transaction name or "*" + example: GET /my/api + type: string + transactionType: + description: The APM transaction type or "*" + example: request + type: string + required: + - service + - environment + - transactionType + - transactionName + - index + - threshold + type: + description: The type of indicator. 
+ example: sli.apm.transactionDuration + type: string + required: + - type + - params + title: APM latency + SLOs_indicator_properties_custom_kql: + description: Defines properties for a custom query indicator type + type: object + properties: + params: + description: An object containing the indicator parameters. + nullable: false + type: object + properties: + dataViewId: + description: >- + The kibana data view id to use, primarily used to include data + view runtime mappings. Make sure to save SLO again if you + add/update run time fields to the data view and if those fields + are being used in slo queries. + example: 03b80ab3-003d-498b-881c-3beedbaf1162 + type: string + filter: + $ref: '#/components/schemas/SLOs_kql_with_filters' + good: + $ref: '#/components/schemas/SLOs_kql_with_filters_good' + index: + description: The index or index pattern to use + example: my-service-* + type: string + timestampField: + description: | + The timestamp field used in the source indice. + example: timestamp + type: string + total: + $ref: '#/components/schemas/SLOs_kql_with_filters_total' + required: + - index + - timestampField + - good + - total + type: + description: The type of indicator. + example: sli.kql.custom + type: string + required: + - type + - params + title: Custom Query + SLOs_indicator_properties_custom_metric: + description: Defines properties for a custom metric indicator type + type: object + properties: + params: + description: An object containing the indicator parameters. + nullable: false + type: object + properties: + dataViewId: + description: >- + The kibana data view id to use, primarily used to include data + view runtime mappings. Make sure to save SLO again if you + add/update run time fields to the data view and if those fields + are being used in slo queries. + example: 03b80ab3-003d-498b-881c-3beedbaf1162 + type: string + filter: + description: the KQL query to filter the documents with. 
+ example: 'field.environment : "production" and service.name : "my-service"' + type: string + good: + description: | + An object defining the "good" metrics and equation + type: object + properties: + equation: + description: The equation to calculate the "good" metric. + example: A + type: string + metrics: + description: >- + List of metrics with their name, aggregation type, and + field. + items: + type: object + properties: + aggregation: + description: >- + The aggregation type of the metric. Only valid option + is "sum" + enum: + - sum + example: sum + type: string + field: + description: The field of the metric. + example: processor.processed + type: string + filter: + description: The filter to apply to the metric. + example: 'processor.outcome: "success"' + type: string + name: + description: The name of the metric. Only valid options are A-Z + example: A + pattern: '^[A-Z]$' + type: string + required: + - name + - aggregation + - field + type: array + required: + - metrics + - equation + index: + description: The index or index pattern to use + example: my-service-* + type: string + timestampField: + description: | + The timestamp field used in the source indice. + example: timestamp + type: string + total: + description: | + An object defining the "total" metrics and equation + type: object + properties: + equation: + description: The equation to calculate the "total" metric. + example: A + type: string + metrics: + description: >- + List of metrics with their name, aggregation type, and + field. + items: + type: object + properties: + aggregation: + description: >- + The aggregation type of the metric. Only valid option + is "sum" + enum: + - sum + example: sum + type: string + field: + description: The field of the metric. + example: processor.processed + type: string + filter: + description: The filter to apply to the metric. + example: 'processor.outcome: *' + type: string + name: + description: The name of the metric. 
Only valid options are A-Z + example: A + pattern: '^[A-Z]$' + type: string + required: + - name + - aggregation + - field + type: array + required: + - metrics + - equation + required: + - index + - timestampField + - good + - total + type: + description: The type of indicator. + example: sli.metric.custom + type: string + required: + - type + - params + title: Custom metric + SLOs_indicator_properties_histogram: + description: Defines properties for a histogram indicator type + type: object + properties: + params: + description: An object containing the indicator parameters. + nullable: false + type: object + properties: + dataViewId: + description: >- + The kibana data view id to use, primarily used to include data + view runtime mappings. Make sure to save SLO again if you + add/update run time fields to the data view and if those fields + are being used in slo queries. + example: 03b80ab3-003d-498b-881c-3beedbaf1162 + type: string + filter: + description: the KQL query to filter the documents with. + example: 'field.environment : "production" and service.name : "my-service"' + type: string + good: + description: | + An object defining the "good" events + type: object + properties: + aggregation: + description: The type of aggregation to use. + enum: + - value_count + - range + example: value_count + type: string + field: + description: The field use to aggregate the good events. + example: processor.latency + type: string + filter: + description: The filter for good events. + example: 'processor.outcome: "success"' + type: string + from: + description: >- + The starting value of the range. Only required for "range" + aggregations. + example: 0 + type: number + to: + description: >- + The ending value of the range. Only required for "range" + aggregations. 
+ example: 100 + type: number + required: + - aggregation + - field + index: + description: The index or index pattern to use + example: my-service-* + type: string + timestampField: + description: | + The timestamp field used in the source indice. + example: timestamp + type: string + total: + description: | + An object defining the "total" events + type: object + properties: + aggregation: + description: The type of aggregation to use. + enum: + - value_count + - range + example: value_count + type: string + field: + description: The field use to aggregate the good events. + example: processor.latency + type: string + filter: + description: The filter for total events. + example: 'processor.outcome : *' + type: string + from: + description: >- + The starting value of the range. Only required for "range" + aggregations. + example: 0 + type: number + to: + description: >- + The ending value of the range. Only required for "range" + aggregations. + example: 100 + type: number + required: + - aggregation + - field + required: + - index + - timestampField + - good + - total + type: + description: The type of indicator. + example: sli.histogram.custom + type: string + required: + - type + - params + title: Histogram indicator + SLOs_indicator_properties_timeslice_metric: + description: Defines properties for a timeslice metric indicator type + type: object + properties: + params: + description: An object containing the indicator parameters. + nullable: false + type: object + properties: + dataViewId: + description: >- + The kibana data view id to use, primarily used to include data + view runtime mappings. Make sure to save SLO again if you + add/update run time fields to the data view and if those fields + are being used in slo queries. + example: 03b80ab3-003d-498b-881c-3beedbaf1162 + type: string + filter: + description: the KQL query to filter the documents with. 
+ example: 'field.environment : "production" and service.name : "my-service"' + type: string + index: + description: The index or index pattern to use + example: my-service-* + type: string + metric: + description: > + An object defining the metrics, equation, and threshold to + determine if it's a good slice or not + type: object + properties: + comparator: + description: >- + The comparator to use to compare the equation to the + threshold. + enum: + - GT + - GTE + - LT + - LTE + example: GT + type: string + equation: + description: The equation to calculate the metric. + example: A + type: string + metrics: + description: >- + List of metrics with their name, aggregation type, and + field. + items: + anyOf: + - $ref: >- + #/components/schemas/SLOs_timeslice_metric_basic_metric_with_field + - $ref: >- + #/components/schemas/SLOs_timeslice_metric_percentile_metric + - $ref: >- + #/components/schemas/SLOs_timeslice_metric_doc_count_metric + type: array + threshold: + description: >- + The threshold used to determine if the metric is a good + slice or not. + example: 100 + type: number + required: + - metrics + - equation + - comparator + - threshold + timestampField: + description: | + The timestamp field used in the source indice. + example: timestamp + type: string + required: + - index + - timestampField + - metric + type: + description: The type of indicator. + example: sli.metric.timeslice + type: string + required: + - type + - params + title: Timeslice metric + SLOs_kql_with_filters: + description: Defines properties for a filter + oneOf: + - description: the KQL query to filter the documents with. + example: 'field.environment : "production" and service.name : "my-service"' + type: string + - type: object + properties: + filters: + items: + $ref: '#/components/schemas/SLOs_filter' + type: array + kqlQuery: + type: string + title: KQL with filters + SLOs_kql_with_filters_good: + description: The KQL query used to define the good events. 
+ oneOf: + - description: the KQL query to filter the documents with. + example: 'request.latency <= 150 and request.status_code : "2xx"' + type: string + - type: object + properties: + filters: + items: + $ref: '#/components/schemas/SLOs_filter' + type: array + kqlQuery: + type: string + title: KQL query for good events + SLOs_kql_with_filters_total: + description: The KQL query used to define all events. + oneOf: + - description: the KQL query to filter the documents with. + example: 'field.environment : "production" and service.name : "my-service"' + type: string + - type: object + properties: + filters: + items: + $ref: '#/components/schemas/SLOs_filter' + type: array + kqlQuery: + type: string + title: KQL query for all events + SLOs_objective: + description: Defines properties for the SLO objective + type: object + properties: + target: + description: the target objective between 0 and 1 excluded + example: 0.99 + exclusiveMaximum: true + exclusiveMinimum: true + maximum: 100 + minimum: 0 + type: number + timesliceTarget: + description: >- + the target objective for each slice when using a timeslices + budgeting method + example: 0.995 + maximum: 100 + minimum: 0 + type: number + timesliceWindow: + description: >- + the duration of each slice when using a timeslices budgeting method, + as {duraton}{unit} + example: 5m + type: string + required: + - target + title: Objective + SLOs_settings: + description: Defines properties for SLO settings. + properties: + frequency: + default: 1m + description: 'Configure how often the transform runs, default 1m' + example: 5m + type: string + preventInitialBackfill: + default: false + description: Prevents the transform from backfilling data when it starts. + example: true + type: boolean + syncDelay: + default: 1m + description: The synch delay to apply to the transform. 
Default 1m + example: 5m + type: string + title: Settings + type: object + SLOs_slo_definition_response: + title: SLO definition response + type: object + properties: + budgetingMethod: + $ref: '#/components/schemas/SLOs_budgeting_method' + createdAt: + description: The creation date + example: '2023-01-12T10:03:19.000Z' + type: string + description: + description: The description of the SLO. + example: My SLO description + type: string + enabled: + description: Indicate if the SLO is enabled + example: true + type: boolean + groupBy: + description: optional group by field to use to generate an SLO per distinct value + example: some.field + type: string + id: + description: The identifier of the SLO. + example: 8853df00-ae2e-11ed-90af-09bb6422b258 + type: string + indicator: + discriminator: + mapping: + sli.apm.transactionDuration: '#/components/schemas/SLOs_indicator_properties_apm_latency' + sli.apm.transactionErrorRate: '#/components/schemas/SLOs_indicator_properties_apm_availability' + sli.histogram.custom: '#/components/schemas/SLOs_indicator_properties_histogram' + sli.kql.custom: '#/components/schemas/SLOs_indicator_properties_custom_kql' + sli.metric.custom: '#/components/schemas/SLOs_indicator_properties_custom_metric' + sli.metric.timeslice: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' + propertyName: type + oneOf: + - $ref: '#/components/schemas/SLOs_indicator_properties_custom_kql' + - $ref: '#/components/schemas/SLOs_indicator_properties_apm_availability' + - $ref: '#/components/schemas/SLOs_indicator_properties_apm_latency' + - $ref: '#/components/schemas/SLOs_indicator_properties_custom_metric' + - $ref: '#/components/schemas/SLOs_indicator_properties_histogram' + - $ref: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' + name: + description: The name of the SLO. 
+ example: My Service SLO + type: string + objective: + $ref: '#/components/schemas/SLOs_objective' + revision: + description: The SLO revision + example: 2 + type: number + settings: + $ref: '#/components/schemas/SLOs_settings' + tags: + description: List of tags + items: + type: string + type: array + timeWindow: + $ref: '#/components/schemas/SLOs_time_window' + updatedAt: + description: The last update date + example: '2023-01-12T10:03:19.000Z' + type: string + version: + description: The internal SLO version + example: 2 + type: number + required: + - id + - name + - description + - indicator + - timeWindow + - budgetingMethod + - objective + - settings + - revision + - enabled + - groupBy + - tags + - createdAt + - updatedAt + - version + SLOs_slo_with_summary_response: + title: SLO response + type: object + properties: + budgetingMethod: + $ref: '#/components/schemas/SLOs_budgeting_method' + createdAt: + description: The creation date + example: '2023-01-12T10:03:19.000Z' + type: string + description: + description: The description of the SLO. + example: My SLO description + type: string + enabled: + description: Indicate if the SLO is enabled + example: true + type: boolean + groupBy: + description: optional group by field to use to generate an SLO per distinct value + example: some.field + type: string + id: + description: The identifier of the SLO. 
+ example: 8853df00-ae2e-11ed-90af-09bb6422b258 + type: string + indicator: + discriminator: + mapping: + sli.apm.transactionDuration: '#/components/schemas/SLOs_indicator_properties_apm_latency' + sli.apm.transactionErrorRate: '#/components/schemas/SLOs_indicator_properties_apm_availability' + sli.histogram.custom: '#/components/schemas/SLOs_indicator_properties_histogram' + sli.kql.custom: '#/components/schemas/SLOs_indicator_properties_custom_kql' + sli.metric.custom: '#/components/schemas/SLOs_indicator_properties_custom_metric' + sli.metric.timeslice: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' + propertyName: type + oneOf: + - $ref: '#/components/schemas/SLOs_indicator_properties_custom_kql' + - $ref: '#/components/schemas/SLOs_indicator_properties_apm_availability' + - $ref: '#/components/schemas/SLOs_indicator_properties_apm_latency' + - $ref: '#/components/schemas/SLOs_indicator_properties_custom_metric' + - $ref: '#/components/schemas/SLOs_indicator_properties_histogram' + - $ref: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' + instanceId: + description: 'the value derived from the groupBy field, if present, otherwise ''*''' + example: host-abcde + type: string + name: + description: The name of the SLO. 
+ example: My Service SLO + type: string + objective: + $ref: '#/components/schemas/SLOs_objective' + revision: + description: The SLO revision + example: 2 + type: number + settings: + $ref: '#/components/schemas/SLOs_settings' + summary: + $ref: '#/components/schemas/SLOs_summary' + tags: + description: List of tags + items: + type: string + type: array + timeWindow: + $ref: '#/components/schemas/SLOs_time_window' + updatedAt: + description: The last update date + example: '2023-01-12T10:03:19.000Z' + type: string + version: + description: The internal SLO version + example: 2 + type: number + required: + - id + - name + - description + - indicator + - timeWindow + - budgetingMethod + - objective + - settings + - revision + - summary + - enabled + - groupBy + - instanceId + - tags + - createdAt + - updatedAt + - version + SLOs_summary: + description: The SLO computed data + properties: + errorBudget: + $ref: '#/components/schemas/SLOs_error_budget' + sliValue: + example: 0.9836 + type: number + status: + $ref: '#/components/schemas/SLOs_summary_status' + required: + - status + - sliValue + - errorBudget + title: Summary + type: object + SLOs_summary_status: + enum: + - NO_DATA + - HEALTHY + - DEGRADING + - VIOLATED + example: HEALTHY + title: summary status + type: string + SLOs_time_window: + description: Defines properties for the SLO time window + type: object + properties: + duration: + description: >- + the duration formatted as {duration}{unit}. Accepted values for + rolling: 7d, 30d, 90d. Accepted values for calendar aligned: 1w + (weekly) or 1M (monthly) + example: 30d + type: string + type: + description: >- + Indicates weither the time window is a rolling or a calendar aligned + time window. 
+ enum: + - rolling + - calendarAligned + example: rolling + type: string + required: + - duration + - type + title: Time window + SLOs_timeslice_metric_basic_metric_with_field: + type: object + properties: + aggregation: + description: The aggregation type of the metric. + enum: + - sum + - avg + - min + - max + - std_deviation + - last_value + - cardinality + example: sum + type: string + field: + description: The field of the metric. + example: processor.processed + type: string + filter: + description: The filter to apply to the metric. + example: 'processor.outcome: "success"' + type: string + name: + description: The name of the metric. Only valid options are A-Z + example: A + pattern: '^[A-Z]$' + type: string + required: + - name + - aggregation + - field + title: Timeslice Metric Basic Metric with Field + SLOs_timeslice_metric_doc_count_metric: + type: object + properties: + aggregation: + description: The aggregation type of the metric. Only valid option is "doc_count" + enum: + - doc_count + example: doc_count + type: string + filter: + description: The filter to apply to the metric. + example: 'processor.outcome: "success"' + type: string + name: + description: The name of the metric. Only valid options are A-Z + example: A + pattern: '^[A-Z]$' + type: string + required: + - name + - aggregation + title: Timeslice Metric Doc Count Metric + SLOs_timeslice_metric_percentile_metric: + type: object + properties: + aggregation: + description: >- + The aggregation type of the metric. Only valid option is + "percentile" + enum: + - percentile + example: percentile + type: string + field: + description: The field of the metric. + example: processor.processed + type: string + filter: + description: The filter to apply to the metric. + example: 'processor.outcome: "success"' + type: string + name: + description: The name of the metric. Only valid options are A-Z + example: A + pattern: '^[A-Z]$' + type: string + percentile: + description: The percentile value. 
+ example: 95 + type: number + required: + - name + - aggregation + - field + - percentile + title: Timeslice Metric Percentile Metric + SLOs_update_slo_request: + description: > + The update SLO API request body varies depending on the type of + indicator, time window and budgeting method. Partial update is handled. + properties: + budgetingMethod: + $ref: '#/components/schemas/SLOs_budgeting_method' + description: + description: A description for the SLO. + type: string + indicator: + oneOf: + - $ref: '#/components/schemas/SLOs_indicator_properties_custom_kql' + - $ref: '#/components/schemas/SLOs_indicator_properties_apm_availability' + - $ref: '#/components/schemas/SLOs_indicator_properties_apm_latency' + - $ref: '#/components/schemas/SLOs_indicator_properties_custom_metric' + - $ref: '#/components/schemas/SLOs_indicator_properties_histogram' + - $ref: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' + name: + description: A name for the SLO. + type: string + objective: + $ref: '#/components/schemas/SLOs_objective' + settings: + $ref: '#/components/schemas/SLOs_settings' + tags: + description: List of tags + items: + type: string + type: array + timeWindow: + $ref: '#/components/schemas/SLOs_time_window' + title: Update SLO request + type: object securitySchemes: - Kibana_HTTP_APIs_apiKeyAuth: + apiKeyAuth: + description: > + These APIs use key-based authentication. You must create an API key and + use the encoded value in the request header. 
For example: + `Authorization: ApiKey base64AccessApiKey` in: header name: Authorization type: apiKey - Kibana_HTTP_APIs_basicAuth: - scheme: basic - type: http -x-tagGroups: - - name: Alerting - tags: - - alerting - - name: APM UI - tags: - - APM agent keys - - APM annotations - - name: Cases - tags: - - cases - - name: Connectors - tags: - - connectors - - name: Data views - tags: - - data views - - name: Machine learning APIs - tags: - - ml - - name: Saved objects - tags: - - saved objects - - name: Kibana HTTP APIs - tags: - - system +security: + - apiKeyAuth: [] +tags: + - description: > + Configure APM agent keys to authorize requests from APM agents to the APM + Server. + name: APM agent keys + - description: > + Annotate visualizations in the APM app with significant events. + Annotations enable you to easily see how events are impacting the + performance of your applications. + name: APM annotations + - description: Connector APIs enable you to create and manage connectors. + name: connectors + - description: >- + Data view APIs enable you to manage data views, formerly known as Kibana + index patterns. + name: data views + - description: Machine learning + name: ml + - description: >- + Manage Kibana saved objects, including dashboards, visualizations, and + more. + name: saved objects + - description: Manage and interact with Security Assistant resources. + name: Security AI Assistant API + - description: >- + You can create rules that automatically turn events and external alerts + sent to Elastic Security into detection alerts. These alerts are displayed + on the Detections page. + name: Security Solution Detections API + - description: Interact with and manage endpoints running the Elastic Defend integration. 
+ name: Security Solution Endpoint Management API + - description: '' + name: Security Solution Entity Analytics API + - description: >- + Exceptions API allows you to manage detection rule exceptions to prevent a + rule from generating an alert from incoming events even when the rule's + other criteria are met. + name: Security Solution Exceptions API + - description: 'Lists API allows you to manage lists of keywords, IPs or IP ranges items.' + name: Security Solution Lists API + - description: 'Run live queries, manage packs and saved queries.' + name: Security Solution Osquery API + - description: >- + You can create Timelines and Timeline templates via the API, as well as + import new Timelines from an ndjson file. + name: Security Solution Timeline API + - description: 'SLO APIs enable you to define, manage and track service-level objectives' + name: slo + - name: system diff --git a/oas_docs/scripts/merge_ess_oas.js b/oas_docs/scripts/merge_ess_oas.js new file mode 100644 index 0000000000000..a1812670c15f9 --- /dev/null +++ b/oas_docs/scripts/merge_ess_oas.js 
@@ -0,0 +1,39 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
+ */
+
+require('../../src/setup_node_env');
+const { merge } = require('@kbn/openapi-bundler');
+const { REPO_ROOT } = require('@kbn/repo-info');
+
+(async () => {
+ await merge({
+ sourceGlobs: [
+ `${REPO_ROOT}/oas_docs/bundle.json`,
+ `${REPO_ROOT}/x-pack/plugins/actions/docs/openapi/bundled.yaml`,
+ `${REPO_ROOT}/src/plugins/data_views/docs/openapi/bundled.yaml`,
+ `${REPO_ROOT}/x-pack/plugins/ml/common/openapi/ml_apis.yaml`,
+ `${REPO_ROOT}/packages/core/saved-objects/docs/openapi/bundled.yaml`,
+
+ // Observability Solution
+ `${REPO_ROOT}/x-pack/plugins/observability_solution/apm/docs/openapi/apm.yaml`,
+ `${REPO_ROOT}/x-pack/plugins/observability_solution/slo/docs/openapi/slo/bundled.yaml`,
+
+ // Security solution
+ `${REPO_ROOT}/x-pack/plugins/security_solution/docs/openapi/ess/*.schema.yaml`,
+ `${REPO_ROOT}/packages/kbn-securitysolution-lists-common/docs/openapi/ess/*.schema.yaml`,
+ `${REPO_ROOT}/packages/kbn-securitysolution-exceptions-common/docs/openapi/ess/*.schema.yaml`,
+ `${REPO_ROOT}/packages/kbn-securitysolution-endpoint-exceptions-common/docs/openapi/ess/*.schema.yaml`,
+ `${REPO_ROOT}/x-pack/packages/kbn-elastic-assistant-common/docs/openapi/ess/*.schema.yaml`,
+ `${REPO_ROOT}/x-pack/plugins/osquery/docs/openapi/ess/*.schema.yaml`,
+ ],
+ outputFilePath: `${REPO_ROOT}/oas_docs/output/kibana.yaml`,
+ options: {
+ prototypeDocument: `${REPO_ROOT}/oas_docs/kibana.info.yaml`,
+ },
+ });
+})();
diff --git a/oas_docs/scripts/merge_serverless_oas.js b/oas_docs/scripts/merge_serverless_oas.js
new file mode 100644
index 0000000000000..e1b9bf3c7ab17
--- /dev/null
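Review bot: The async IIFE closing the hunk (`})();`) has no rejection handler, so a failure inside `merge` surfaces only through Node's default unhandled-rejection behaviour rather than an explicit exit; current Node versions exit non-zero in that case, which is presumably what the checks.sh step relies on, but the script's failure contract should not depend on that default. Replacing the closing line with `})().catch((error) => { console.error(error); process.exit(1); });` makes the intent explicit. The identical IIFE in merge_serverless_oas.js has the same gap. The two scripts otherwise differ only in the ess/serverless path segments and the output file, so a shared helper parameterised by the variant would keep the source list from drifting between them.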
+++ b/oas_docs/scripts/merge_serverless_oas.js
@@ -0,0 +1,39 @@
+/*
+ * Copyright Elasticsearch B.V. and/or licensed to Elasticsearch B.V. under one
+ * or more contributor license agreements. Licensed under the Elastic License
+ * 2.0 and the Server Side Public License, v 1; you may not use this file except
+ * in compliance with, at your election, the Elastic License 2.0 or the Server
+ * Side Public License, v 1.
+ */
+
+require('../../src/setup_node_env');
+const { merge } = require('@kbn/openapi-bundler');
+const { REPO_ROOT } = require('@kbn/repo-info');
+
+(async () => {
+ await merge({
+ sourceGlobs: [
+ `${REPO_ROOT}/oas_docs/bundle.serverless.json`,
+ `${REPO_ROOT}/x-pack/plugins/actions/docs/openapi/bundled_serverless.yaml`,
+ `${REPO_ROOT}/src/plugins/data_views/docs/openapi/bundled.yaml`,
+ `${REPO_ROOT}/x-pack/plugins/ml/common/openapi/ml_apis_serverless.yaml`,
+ `${REPO_ROOT}/packages/core/saved-objects/docs/openapi/bundled_serverless.yaml`,
+
+ // Observability Solution
+ `${REPO_ROOT}/x-pack/plugins/observability_solution/apm/docs/openapi/apm.yaml`,
+ `${REPO_ROOT}/x-pack/plugins/observability_solution/slo/docs/openapi/slo/bundled.yaml`,
+
+ // Security solution
+ `${REPO_ROOT}/x-pack/plugins/security_solution/docs/openapi/serverless/*.schema.yaml`,
+ `${REPO_ROOT}/packages/kbn-securitysolution-lists-common/docs/openapi/serverless/*.schema.yaml`,
+ `${REPO_ROOT}/packages/kbn-securitysolution-exceptions-common/docs/openapi/serverless/*.schema.yaml`,
+ `${REPO_ROOT}/packages/kbn-securitysolution-endpoint-exceptions-common/docs/openapi/serverless/*.schema.yaml`,
+ `${REPO_ROOT}/x-pack/packages/kbn-elastic-assistant-common/docs/openapi/serverless/*.schema.yaml`,
+ `${REPO_ROOT}/x-pack/plugins/osquery/docs/openapi/serverless/*.schema.yaml`,
+ ],
+ outputFilePath: `${REPO_ROOT}/oas_docs/output/kibana.serverless.yaml`,
+ options: {
+ prototypeDocument: `${REPO_ROOT}/oas_docs/kibana.info.yaml`,
+ },
+ });
+})();
diff --git a/packages/kbn-openapi-bundler/src/bundler/merge_documents/enrich_with_version_mime_param.ts b/packages/kbn-openapi-bundler/src/bundler/merge_documents/enrich_with_version_mime_param.ts index d3d7c6e44885e..5216efae0012e 100644 --- a/packages/kbn-openapi-bundler/src/bundler/merge_documents/enrich_with_version_mime_param.ts +++ b/packages/kbn-openapi-bundler/src/bundler/merge_documents/enrich_with_version_mime_param.ts @@ -12,9 +12,12 @@ import { isRefNode } from '../process_document'; import { getOasDocumentVersion } from '../../utils/get_oas_document_version'; import { KNOWN_HTTP_METHODS } from './http_methods'; +const DEFAULT_API_VERSION = '2023-10-31'; +const VERSION_REGEX = /\d{4}-\d{2}-\d{2}/; + export function enrichWithVersionMimeParam(resolvedDocuments: ResolvedDocument[]): void { for (const resolvedDocument of resolvedDocuments) { - const version = getOasDocumentVersion(resolvedDocument); + const version = extractApiVersion(resolvedDocument); const paths = resolvedDocument.document.paths as OpenAPIV3.PathsObject; for (const path of Object.keys(paths ?? {})) { @@ -80,3 +83,13 @@ function enrichContentWithVersion( delete content[mimeType]; } } + +function extractApiVersion(resolvedDocument: ResolvedDocument): string { + const version = getOasDocumentVersion(resolvedDocument); + + if (!VERSION_REGEX.test(version)) { + return DEFAULT_API_VERSION; + } + + return version < DEFAULT_API_VERSION ? DEFAULT_API_VERSION : version; +} diff --git a/x-pack/plugins/security_solution/common/api/detection_engine/rule_management/bulk_crud/bulk_delete_rules/bulk_delete_rules_route.schema.yaml b/x-pack/plugins/security_solution/common/api/detection_engine/rule_management/bulk_crud/bulk_delete_rules/bulk_delete_rules_route.schema.yaml index 2a7ac4cf1d1e1..095fe330f09ba 100644 --- a/x-pack/plugins/security_solution/common/api/detection_engine/rule_management/bulk_crud/bulk_delete_rules/bulk_delete_rules_route.schema.yaml 
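Review bot: In `extractApiVersion` (second hunk), `VERSION_REGEX` is unanchored, so any version string that merely contains a date — `2023-10-31-beta`, or a prefixed `v2023-10-31` — passes the guard and is then compared with `<` as a whole string, where the extra characters decide the outcome and the returned value is not a bare date. Anchoring it, `const VERSION_REGEX = /^\d{4}-\d{2}-\d{2}$/;`, makes the guard match what the comparison assumes. The string comparison is only valid because zero-padded ISO dates sort lexicographically, which deserves a comment on the return line such as `// ISO dates compare correctly as plain strings`. The fallback also rewrites an unparseable or older version to `DEFAULT_API_VERSION` silently; a comment on that constant stating that it is the earliest version the merged document publishes (inferred from the clamp — confirm) would tell the next reader the substitution is intentional. `enrichWithVersionMimeParam`'s body continues outside the first hunk.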
+++ b/x-pack/plugins/security_solution/common/api/detection_engine/rule_management/bulk_crud/bulk_delete_rules/bulk_delete_rules_route.schema.yaml @@ -60,6 +60,7 @@ paths: x-codegen-enabled: true operationId: BulkDeleteRulesPost deprecated: true + summary: Delete multiple detection rules description: Deletes multiple rules. tags: - Bulk API diff --git a/x-pack/plugins/security_solution/docs/openapi/ess/security_solution_detections_api_2023_10_31.bundled.schema.yaml b/x-pack/plugins/security_solution/docs/openapi/ess/security_solution_detections_api_2023_10_31.bundled.schema.yaml index 56f73783667ef..dcee1694a4aeb 100644 --- a/x-pack/plugins/security_solution/docs/openapi/ess/security_solution_detections_api_2023_10_31.bundled.schema.yaml +++ b/x-pack/plugins/security_solution/docs/openapi/ess/security_solution_detections_api_2023_10_31.bundled.schema.yaml @@ -474,6 +474,7 @@ paths: schema: $ref: '#/components/schemas/SiemErrorResponse' description: Internal server error response + summary: Delete multiple detection rules tags: - Security Solution Detections API - Bulk API