From c0569315980af0e9bc808369c0fe6e265baf87e1 Mon Sep 17 00:00:00 2001 From: Lisa Cawley Date: Mon, 28 Oct 2024 18:04:48 -0700 Subject: [PATCH] [8.x] [OpenAPI][DOCS] Add descriptions, examples, responses for role APIs (#195527) (#197889) # Backport This will backport the following commits from `main` to `8.x`: - [[OpenAPI][DOCS] Add descriptions, examples, responses for role APIs (#195527)](https://github.com/elastic/kibana/pull/195527) ### Questions ? Please refer to the [Backport tool documentation](https://github.com/sqren/backport) --------- Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com> --- docs/api/role-management.asciidoc | 18 +- docs/api/role-management/delete.asciidoc | 26 - docs/api/role-management/get-all.asciidoc | 80 - docs/api/role-management/get.asciidoc | 106 - docs/api/role-management/put-bulk.asciidoc | 377 - docs/api/role-management/put.asciidoc | 238 - .../architecture/security/rbac.asciidoc | 2 +- docs/management/watcher-ui/index.asciidoc | 5 +- docs/redirects.asciidoc | 26 +- docs/setup/configuring-reporting.asciidoc | 5 +- docs/user/introduction.asciidoc | 4 +- docs/user/security/api-keys/index.asciidoc | 2 +- .../authorization/kibana-privileges.asciidoc | 19 +- docs/user/security/index.asciidoc | 4 +- oas_docs/bundle.json | 76 +- oas_docs/bundle.serverless.json | 6637 --- oas_docs/examples/create_role_request1.yaml | 23 + oas_docs/examples/create_role_request2.yaml | 16 + oas_docs/examples/create_role_request3.yaml | 14 + oas_docs/examples/create_role_request4.yaml | 34 + oas_docs/examples/get_role_response1.yaml | 41 + oas_docs/examples/get_roles_response1.yaml | 39 + oas_docs/makefile | 3 +- oas_docs/output/kibana.serverless.yaml | 33624 ---------------- oas_docs/output/kibana.yaml | 230 +- .../overlays/kibana.overlays.serverless.yaml | 4 +- oas_docs/overlays/kibana.overlays.yaml | 49 +- .../src/authorization/role_schema.ts | 147 +- .../routes/authorization/roles/delete.ts | 5 + .../server/routes/authorization/roles/get.ts | 23 +- .../routes/authorization/roles/get_all.ts | 16 +- .../authorization/roles/model/put_payload.ts | 19 +- .../server/routes/authorization/roles/post.ts | 5 + .../server/routes/authorization/roles/put.ts | 22 +- 34 files changed, 763 insertions(+), 41176 deletions(-) delete mode 100644 docs/api/role-management/delete.asciidoc delete mode 100644 docs/api/role-management/get-all.asciidoc delete mode 100644 docs/api/role-management/get.asciidoc delete mode 100644 docs/api/role-management/put-bulk.asciidoc delete mode 100644 docs/api/role-management/put.asciidoc delete mode 100644 oas_docs/bundle.serverless.json create mode 100644 oas_docs/examples/create_role_request1.yaml create mode 100644 oas_docs/examples/create_role_request2.yaml create mode 100644 oas_docs/examples/create_role_request3.yaml create mode 100644 oas_docs/examples/create_role_request4.yaml create mode 100644 oas_docs/examples/get_role_response1.yaml create mode 100644 oas_docs/examples/get_roles_response1.yaml delete mode 100644 oas_docs/output/kibana.serverless.yaml diff --git a/docs/api/role-management.asciidoc b/docs/api/role-management.asciidoc index 7fbded3e57dd3..837e63bff74f0 100644 --- a/docs/api/role-management.asciidoc +++ b/docs/api/role-management.asciidoc @@ -1,4 +1,3 @@ -[role="xpack"] [[role-management-api]] == {kib} role management APIs @@ -6,19 +5,4 @@ Manage the roles that grant <>. WARNING: Do not use the {ref}/security-api.html#security-role-apis[{es} role management APIs] to manage {kib} roles. -The following {kib} role management APIs are available: - -* <> to create a new {kib} role, or update the attributes of an existing role -* <> to create a new {kib} roles, or update the attributes of existing roles - -* <> to retrieve all {kib} roles - -* <> to retrieve a specific role - -* <> to delete a {kib} role - -include::role-management/put.asciidoc[] -include::role-management/get.asciidoc[] -include::role-management/get-all.asciidoc[] -include::role-management/delete.asciidoc[] -include::role-management/put-bulk.asciidoc[] +For the latest API details, refer to {api-kibana}/group/endpoint-roles[role APIs]. diff --git a/docs/api/role-management/delete.asciidoc b/docs/api/role-management/delete.asciidoc deleted file mode 100644 index 530e1e252ef8f..0000000000000 --- a/docs/api/role-management/delete.asciidoc +++ /dev/null @@ -1,26 +0,0 @@ -[[role-management-api-delete]] -=== Delete role API -++++ -Delete role -++++ - -experimental[] Delete a {kib} role. - -[[role-management-api-delete-prereqs]] -==== Prerequisite - -To use the delete role API, you must have the `manage_security` cluster privilege. - -[[role-management-api-delete-request-body]] -==== Request - -`DELETE :/api/security/role/my_admin_role` - -[[role-management-api-delete-response-codes]] -==== Response codes - -`204`:: - Indicates a successful call. - -`404`:: - Indicates an unsuccessful call. diff --git a/docs/api/role-management/get-all.asciidoc b/docs/api/role-management/get-all.asciidoc deleted file mode 100644 index 56c8b2c78859b..0000000000000 --- a/docs/api/role-management/get-all.asciidoc +++ /dev/null @@ -1,80 +0,0 @@ -[[role-management-api-get]] -=== Get all {kib} roles API -++++ -Get all roles -++++ - -experimental[] Retrieve all {kib} roles. - -[[role-management-api-get-prereqs]] -==== Prerequisite - -To use the get role API, you must have the `manage_security` cluster privilege. - -[[role-management-api-retrieve-all-request-body]] -==== Request - -`GET :/api/security/role` - -[[role-management-api-retrieve-all-response-codes]] -==== Response code - -`200`:: - Indicates a successful call. - -[[role-management-api-retrieve-all-example]] -==== Example - -The API returns the following: - -[source,sh] --------------------------------------------------- -[ - { - "name": "my_kibana_role", - "description": "My kibana role description", - "metadata" : { - "version" : 1 - }, - "transient_metadata": { - "enabled": true - }, - "elasticsearch": { - "indices": [ ], - "cluster": [ ], - "run_as": [ ] - }, - "kibana": [{ - "base": [ - "all" - ], - "feature": {}, - "spaces": [ - "*" - ] - }] - }, - { - "name": "my_admin_role", - "description": "My admin role description", - "metadata" : { - "version" : 1 - }, - "transient_metadata": { - "enabled": true - }, - "elasticsearch": { - "cluster" : [ "all" ], - "indices" : [ { - "names" : [ "index1", "index2" ], - "privileges" : [ "all" ], - "field_security" : { - "grant" : [ "title", "body" ] - }, - "query" : "{\"match\": {\"title\": \"foo\"}}" - } ], - }, - "kibana": [ ] - } -] --------------------------------------------------- diff --git a/docs/api/role-management/get.asciidoc b/docs/api/role-management/get.asciidoc deleted file mode 100644 index 95f944a56e150..0000000000000 --- a/docs/api/role-management/get.asciidoc +++ /dev/null @@ -1,106 +0,0 @@ -[[role-management-specific-api-get]] -=== Get specific role API -++++ -Get specific role -++++ - -experimental[] Retrieve a specific role. - -[[role-management-specific-api-get-prereqs]] -==== Prerequisite - -To use the get specific role API, you must have the `manage_security` cluster privilege. - -[[role-management-specific-api-retrieve-all-request-body]] -===== Request - -`GET :/api/security/role/my_restricted_kibana_role` - -[[role-management-specific-api-retrieve-all-response-codes]] -==== Response code - -`200`:: - Indicates a successful call. - -[[role-management-specific-api-retrieve-all-example]] -===== Example - -The API returns the following: - -[source,sh] --------------------------------------------------- -{ - "name": "my_restricted_kibana_role", - "description": "My restricted kibana role description", - "metadata" : { - "version" : 1 - }, - "transient_metadata": { - "enabled": true - }, - "elasticsearch": { - "cluster": [ ], - "indices": [ ], - "run_as": [ ] - }, - "kibana": [ - { - "base": [ - "read" - ], - "feature": {}, - "spaces": [ - "marketing" - ] - }, - { - "base": [], - "feature": { - "discover": [ - "all" - ], - "visualize": [ - "all" - ], - "dashboard": [ - "all" - ], - "dev_tools": [ - "read" - ], - "advancedSettings": [ - "read" - ], - "indexPatterns": [ - "read" - ], - "graph": [ - "all" - ], - "apm": [ - "read" - ], - "maps": [ - "read" - ], - "canvas": [ - "read" - ], - "infrastructure": [ - "all" - ], - "logs": [ - "all" - ], - "uptime": [ - "all" - ] - }, - "spaces": [ - "sales", - "default" - ] - } - ] -} --------------------------------------------------- diff --git a/docs/api/role-management/put-bulk.asciidoc b/docs/api/role-management/put-bulk.asciidoc deleted file mode 100644 index a11de47167e05..0000000000000 --- a/docs/api/role-management/put-bulk.asciidoc +++ /dev/null @@ -1,377 +0,0 @@ -[[role-management-api-put-bulk]] -=== Bulk create or update roles API -++++ -Bulk create or update roles API -++++ - -preview::["This functionality is in technical preview, and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features."] - -experimental[] Create new {kib} roles, or update the attributes of an existing roles. {kib} roles are stored in the -{es} native realm. - -[[role-management-api-put-bulk-request]] -==== Request - -`POST :/api/security/roles` - -[[role-management-api-put-bulk-prereqs]] -==== Prerequisite - -To use the bulk create or update roles API, you must have the `manage_security` cluster privilege. - -[role="child_attributes"] -[[role-management-api-bulk-response-body]] -==== Request body - -`roles`:: - (object) Object that specifies the roles to add as a role name to role map. -`` (required):: (string) The role name. -`description`:: - (Optional, string) Description for the role. - -`metadata`:: - (Optional, object) In the `metadata` object, keys that begin with `_` are reserved for system usage. - -`elasticsearch`:: - (Optional, object) {es} cluster and index privileges. Valid keys include - `cluster`, `indices`, `remote_indices`, `remote_cluster`, and `run_as`. For more information, see - {ref}/defining-roles.html[Defining roles]. - -`kibana`:: - (list) Objects that specify the <> for the role. -+ -.Properties of `kibana` -[%collapsible%open] -===== -`base` ::: - (Optional, list) A base privilege. When specified, the base must be `["all"]` or `["read"]`. - When the `base` privilege is specified, you are unable to use the `feature` section. - "all" grants read/write access to all {kib} features for the specified spaces. - "read" grants read-only access to all {kib} features for the specified spaces. - -`feature` ::: - (object) Contains privileges for specific features. - When the `feature` privileges are specified, you are unable to use the `base` section. - To retrieve a list of available features, use the <>. - -`spaces` ::: - (list) The spaces to apply the privileges to. - To grant access to all spaces, set to `["*"]`, or omit the value. -===== - -[[role-management-api-bulk-put-response-codes]] -==== Response code - -`200`:: - Indicates a successful call. - -==== Examples - -Grant access to various features in all spaces: - -[source,sh] --------------------------------------------------- -$ curl -X POST api/security/roles -{ - "roles": { - "my_kibana_role_1": { - "description": "my_kibana_role_1_description", - "metadata": { - "version": 1 - }, - "elasticsearch": { - "cluster": [], - "indices": [] - }, - "kibana": [ - { - "base": [], - "feature": { - "discover": ["all"], - "visualize": ["all"], - "dashboard": ["all"], - "dev_tools": ["read"], - "advancedSettings": ["read"], - "indexPatterns": ["read"], - "graph": ["all"], - "apm": ["read"], - "maps": ["read"], - "canvas": ["read"], - "infrastructure": ["all"], - "logs": ["all"], - "uptime": ["all"] - }, - "spaces": ["*"] - } - ] - }, - "my_kibana_role_2": { - "description": "my_kibana_role_2_description", - "metadata": { - "version": 1 - }, - "elasticsearch": { - "cluster": [], - "indices": [] - }, - "kibana": [ - { - "base": [], - "feature": { - "discover": ["all"], - "visualize": ["all"], - "dashboard": ["all"], - "dev_tools": ["read"], - "logs": ["all"], - "uptime": ["all"] - }, - "spaces": ["*"] - } - ] - } - } -} --------------------------------------------------- -// KIBANA - -Grant dashboard-only access to only the Marketing space for `my_kibana_role_1` and dashboard-only access to only Sales space for `my_kibana_role_2`: - -[source,sh] --------------------------------------------------- -$ curl -X POST api/security/roles -{ - "roles": { - "my_kibana_role_1": { - "description": "Grants dashboard-only access to only the Marketing space.", - "metadata": { - "version": 1 - }, - "elasticsearch": { - "cluster": [], - "indices": [] - }, - "kibana": [ - { - "base": [], - "feature": { - "dashboard": ["read"] - }, - "spaces": ["marketing"] - } - ] - }, - "my_kibana_role_2": { - "description": "Grants dashboard-only access to only the Sales space.", - "metadata": { - "version": 1 - }, - "elasticsearch": { - "cluster": [], - "indices": [] - }, - "kibana": [ - { - "base": [], - "feature": { - "dashboard": ["read"] - }, - "spaces": ["sales"] - } - ] - } - } -} - --------------------------------------------------- -// KIBANA - -Grant full access to all features in the Default space for `my_kibana_role_1` and `my_kibana_role_2`: - -[source,sh] --------------------------------------------------- -$ curl -X POST api/security/roles -{ - "roles": { - "my_kibana_role_1": { - "description": "Grants full access to all features in the Default space.", - "metadata": { - "version": 1 - }, - "elasticsearch": { - "cluster": [], - "indices": [] - }, - "kibana": [ - { - "base": ["all"], - "feature": {}, - "spaces": ["default"] - } - ] - }, - "my_kibana_role_2": { - "description": "Grants full access to all features in the Default space.", - "metadata": { - "version": 1 - }, - "elasticsearch": { - "cluster": [], - "indices": [] - }, - "kibana": [ - { - "base": ["all"], - "feature": {}, - "spaces": ["default"] - } - ] - } - } -} - --------------------------------------------------- -// KIBANA - -Grant different access to different spaces: - -[source,sh] --------------------------------------------------- -$ curl -X POST api/security/roles -{ - "roles": { - "my_kibana_role_1": { - "description": "Grants full access to discover and dashboard features in the default space. Grants read access in the marketing, and sales spaces.", - "metadata": { - "version": 1 - }, - "elasticsearch": { - "cluster": [], - "indices": [] - }, - "kibana": [ - { - "base": [], - "feature": { - "discover": ["all"], - "dashboard": ["all"] - }, - "spaces": ["default"] - }, - { - "base": ["read"], - "spaces": ["marketing", "sales"] - } - ] - }, - "my_kibana_role_2": { - "description": "Grants full access to discover and dashboard features in the default space. Grants read access in the marketing space.", - "metadata": { - "version": 1 - }, - "elasticsearch": { - "cluster": [], - "indices": [] - }, - "kibana": [ - { - "base": [], - "feature": { - "discover": ["all"], - "dashboard": ["all"] - }, - "spaces": ["default"] - }, - { - "base": ["read"], - "spaces": ["marketing"] - } - ] - } - } -} - --------------------------------------------------- -// KIBANA - -Grant access to {kib} and {es}: - -[source,sh] --------------------------------------------------- -$ curl -X POST api/security/roles -{ - "roles": { - "my_kibana_role_1": { - "description": "Grants all cluster privileges and full access to index1 and index2. Grants full access to remote_index1 and remote_index2, and the monitor_enrich cluster privilege on remote_cluster1. Grants all Kibana privileges in the default space.", - "metadata": { - "version": 1 - }, - "elasticsearch": { - "cluster": ["all"], - "indices": [ - { - "names": ["index1", "index2"], - "privileges": ["all"] - } - ], - "remote_indices": [ - { - "clusters": ["remote_cluster1"], - "names": ["remote_index1", "remote_index2"], - "privileges": ["all"] - } - ], - "remote_cluster": [ - { - "clusters": ["remote_cluster1"], - "privileges": ["monitor_enrich"] - } - ] - }, - "kibana": [ - { - "base": ["all"], - "feature": {}, - "spaces": ["default"] - } - ] - }, - "my_kibana_role_2": { - "description": "Grants all cluster privileges and full access to index1. Grants full access to remote_index1, and the monitor_enrich cluster privilege on remote_cluster1. Grants all Kibana privileges in the default space.", - "metadata": { - "version": 1 - }, - "elasticsearch": { - "cluster": ["all"], - "indices": [ - { - "names": ["index1"], - "privileges": ["all"] - } - ], - "remote_indices": [ - { - "clusters": ["remote_cluster1"], - "names": ["remote_index1"], - "privileges": ["all"] - } - ], - "remote_cluster": [ - { - "clusters": ["remote_cluster1"], - "privileges": ["monitor_enrich"] - } - ] - }, - "kibana": [ - { - "base": ["all"], - "feature": {}, - "spaces": ["default"] - } - ] - } - } -} - --------------------------------------------------- -// KIBANA diff --git a/docs/api/role-management/put.asciidoc b/docs/api/role-management/put.asciidoc deleted file mode 100644 index d68f3928a4063..0000000000000 --- a/docs/api/role-management/put.asciidoc +++ /dev/null @@ -1,238 +0,0 @@ -[[role-management-api-put]] -=== Create or update role API -++++ -Create or update role -++++ - -experimental[] Create a new {kib} role, or update the attributes of an existing role. {kib} roles are stored in the -{es} native realm. - -[[role-management-api-put-request]] -==== Request - -`PUT :/api/security/role/my_kibana_role` - -[[role-management-api-put-prereqs]] -==== Prerequisite - -To use the create or update role API, you must have the `manage_security` cluster privilege. - -[role="child_attributes"] -[[role-management-api-response-body]] -==== Request body - -`description`:: - (Optional, string) Description for the role. - -`metadata`:: - (Optional, object) In the `metadata` object, keys that begin with `_` are reserved for system usage. - -`elasticsearch`:: - (Optional, object) {es} cluster and index privileges. Valid keys include - `cluster`, `indices`, `remote_indices`, `remote_cluster`, and `run_as`. For more information, see - {ref}/defining-roles.html[Defining roles]. - -`kibana`:: - (list) Objects that specify the <> for the role. -+ -.Properties of `kibana` -[%collapsible%open] -===== -`base` ::: - (Optional, list) A base privilege. When specified, the base must be `["all"]` or `["read"]`. - When the `base` privilege is specified, you are unable to use the `feature` section. - "all" grants read/write access to all {kib} features for the specified spaces. - "read" grants read-only access to all {kib} features for the specified spaces. - -`feature` ::: - (object) Contains privileges for specific features. - When the `feature` privileges are specified, you are unable to use the `base` section. - To retrieve a list of available features, use the <>. - -`spaces` ::: - (list) The spaces to apply the privileges to. - To grant access to all spaces, set to `["*"]`, or omit the value. -===== - -[[role-management-api-put-query-params]] -==== Query parameters - -`createOnly`:: - (Optional, boolean) When `true`, will prevent overwriting the role if it already exists. - -[[role-management-api-put-response-codes]] -==== Response code - -`204`:: - Indicates a successful call. - -`409`:: - When `createOnly` is true, indicates a conflict with an existing role. - -==== Examples - -Grant access to various features in all spaces: - -[source,sh] --------------------------------------------------- -$ curl -X PUT api/security/role/my_kibana_role -{ - "description": "my_kibana_role_description", - "metadata": { - "version": 1 - }, - "elasticsearch": { - "cluster": [ ], - "indices": [ ] - }, - "kibana": [ - { - "base": [ ], - "feature": { - "discover": [ "all" ], - "visualize": [ "all" ], - "dashboard": [ "all" ], - "dev_tools": [ "read" ], - "advancedSettings": [ "read" ], - "indexPatterns": [ "read" ], - "graph": [ "all" ], - "apm": [ "read" ], - "maps": [ "read" ], - "canvas": [ "read" ], - "infrastructure": [ "all" ], - "logs": [ "all" ], - "uptime": [ "all" ] - }, - "spaces": [ "*" ] - } - ] -} --------------------------------------------------- -// KIBANA - -Grant dashboard-only access to only the Marketing space: - -[source,sh] --------------------------------------------------- -$ curl -X PUT api/security/role/my_kibana_role -{ - "description": "Grants dashboard-only access to only the Marketing space.", - "metadata": { - "version": 1 - }, - "elasticsearch": { - "cluster": [ ], - "indices": [ ] - }, - "kibana": [ - { - "base": [ ], - "feature": { - "dashboard": [ "read" ] - }, - "spaces": [ "marketing" ] - } - ] -} --------------------------------------------------- -// KIBANA - -Grant full access to all features in the Default space: - -[source,sh] --------------------------------------------------- -$ curl -X PUT api/security/role/my_kibana_role -{ - "description": "Grants full access to all features in the Default space.", - "metadata": { - "version": 1 - }, - "elasticsearch": { - "cluster": [ ], - "indices": [ ] - }, - "kibana": [ - { - "base": [ "all" ], - "feature": { }, - "spaces": [ "default" ] - } - ] -} --------------------------------------------------- -// KIBANA - -Grant different access to different spaces: - -[source,sh] --------------------------------------------------- -$ curl -X PUT api/security/role/my_kibana_role -{ - "description": "Grants full access to discover and dashboard features in the default space. Grants read access in the marketing, and sales spaces.", - "metadata": { - "version": 1 - }, - "elasticsearch": { - "cluster": [ ], - "indices": [ ] - }, - "kibana": [ - { - "base": [ ], - "feature": { - "discover": [ "all" ], - "dashboard": [ "all" ] - }, - "spaces": [ "default" ] - }, - { - "base": [ "read"] , - "spaces": [ "marketing", "sales" ] - } - ] -} --------------------------------------------------- -// KIBANA - -Grant access to {kib} and {es}: - -[source,sh] --------------------------------------------------- -$ curl -X PUT api/security/role/my_kibana_role -{ - "description": "Grants all cluster privileges and full access to index1 and index2. Grants full access to remote_index1 and remote_index2, and the monitor_enrich cluster privilege on remote_cluster1. Grants all Kibana privileges in the default space.", - "metadata": { - "version": 1 - }, - "elasticsearch": { - "cluster": [ "all" ], - "indices": [ - { - "names": [ "index1", "index2" ], - "privileges": [ "all" ] - } - ], - "remote_indices": [ - { - "clusters": [ "remote_cluster1" ], - "names": [ "remote_index1", "remote_index2" ], - "privileges": [ "all" ] - } - ], - "remote_cluster": [ - { - "clusters": [ "remote_cluster1" ], - "privileges": [ "monitor_enrich" ] - } - ] - }, - "kibana": [ - { - "base": [ "all" ], - "feature": { }, - "spaces": [ "default" ] - } - ] -} --------------------------------------------------- -// KIBANA diff --git a/docs/developer/architecture/security/rbac.asciidoc b/docs/developer/architecture/security/rbac.asciidoc index bf75ec1715de0..11896da243f2d 100644 --- a/docs/developer/architecture/security/rbac.asciidoc +++ b/docs/developer/architecture/security/rbac.asciidoc @@ -77,7 +77,7 @@ The application is created by concatenating the prefix of `kibana-` with the val } ---------------------------------- -Roles that grant <> should be managed using the <> or the *Management -> Security -> Roles* page, not directly using the {es} {ref}/security-api.html#security-role-apis[role management API]. This role can then be assigned to users using the {es} +Roles that grant <> should be managed using the {api-kibana}/group/endpoint-roles[role APIs] or the *Management -> Security -> Roles* page, not directly using the {es} {ref}/security-api.html#security-role-apis[role management API]. This role can then be assigned to users using the {es} {ref}/security-api.html#security-user-apis[user management APIs]. [[development-rbac-authorization]] diff --git a/docs/management/watcher-ui/index.asciidoc b/docs/management/watcher-ui/index.asciidoc index 96ad0d3acc287..2e941cb86ca0b 100644 --- a/docs/management/watcher-ui/index.asciidoc +++ b/docs/management/watcher-ui/index.asciidoc @@ -39,9 +39,8 @@ and either of these Watcher roles: * `watcher_admin`. You can perform all Watcher actions, including create and edit watches. * `watcher_user`. You can view watches, but not create or edit them. -To manage roles, open the main menu, then click *Stack Management > Roles*, or use the -<>. Watches are shared between -all users with the same role. +To manage roles, open the main menu, then click *Stack Management > Roles*, or use the {api-kibana}/group/endpoint-roles[role APIs]. +Watches are shared between all users with the same role. NOTE: If you are creating a threshold watch, you must also have the `view_index_metadata` index privilege. See {ref}/index-mgmt.html[Index management] for detailed information. diff --git a/docs/redirects.asciidoc b/docs/redirects.asciidoc index 1fa61881eca92..84cf809c66667 100644 --- a/docs/redirects.asciidoc +++ b/docs/redirects.asciidoc @@ -1196,4 +1196,28 @@ Refer to {api-kibana}/group/endpoint-spaces[spaces APIs]. [role="exclude",id="spaces-api-update-objects-spaces"] == Update saved objects spaces API -Refer to {api-kibana}/group/endpoint-spaces[spaces APIs]. \ No newline at end of file +Refer to {api-kibana}/group/endpoint-spaces[spaces APIs]. +[role="exclude",id="role-management-api-delete] +== Delete role API + +Refer to {api-kibana}/group/endpoint-roles[role APIs]. + +[role="exclude",id="role-management-api-get"] +== Get all {kib} roles API + +Refer to {api-kibana}/group/endpoint-roles[role APIs]. + +[role="exclude",id="role-management-specific-api-get"] +== Get specific role API + +Refer to {api-kibana}/group/endpoint-roles[role APIs]. + +[role="exclude",id="role-management-api-put-bulk"] +== Bulk create or update roles API + +Refer to {api-kibana}/group/endpoint-roles[role APIs]. + +[role="exclude",id="role-management-api-put"] +== Create or update role API + +Refer to {api-kibana}/group/endpoint-roles[role APIs]. diff --git a/docs/setup/configuring-reporting.asciidoc b/docs/setup/configuring-reporting.asciidoc index a1b2f7e9af583..4213cf38b6398 100644 --- a/docs/setup/configuring-reporting.asciidoc +++ b/docs/setup/configuring-reporting.asciidoc @@ -99,9 +99,10 @@ Granting the privilege to generate reports also grants the user the privilege to [float] [[reporting-roles-user-api]] ==== Grant access with the role API -With <> enabled in Reporting, you can also use the {ref}/security-api-put-role.html[role API] to grant access to the {report-features}, using *All* privileges, or sub-feature privileges. +With <> enabled in Reporting, you can also use the {api-kibana}/group/endpoint-roles[role APIs] to grant access to the {report-features}, using *All* privileges, or sub-feature privileges. + +NOTE: This API request needs to be run against the <>. -NOTE: This link:https://www.elastic.co/guide/en/kibana/current/role-management-api-put.html[API request] needs to be executed against the link:https://www.elastic.co/guide/en/kibana/current/api.html[Kibana API endpoint]. [source, sh] --------------------------------------------------------------- PUT :/api/security/role/custom_reporting_user diff --git a/docs/user/introduction.asciidoc b/docs/user/introduction.asciidoc index f3281b9bed175..48c9dfd91c9c6 100644 --- a/docs/user/introduction.asciidoc +++ b/docs/user/introduction.asciidoc @@ -193,8 +193,8 @@ or even give users their very own private space. For example, power users might have privileges to create and edit visualizations and dashboards, while analysts or executives might have *Dashboard* and *Canvas* with read-only privileges. -{kib}’s role management interface allows you to describe these various access -levels, or you can automate role creation via our <>. +The {kib} role management interface allows you to describe these various access +levels, or you can automate role creation by using {api-kibana}/group/endpoint-roles[role APIs]. [role="screenshot"] image::spaces/images/spaces-roles.png[{kib privileges}] diff --git a/docs/user/security/api-keys/index.asciidoc b/docs/user/security/api-keys/index.asciidoc index 5b3dd206b5408..2f9a0d337e3b9 100644 --- a/docs/user/security/api-keys/index.asciidoc +++ b/docs/user/security/api-keys/index.asciidoc @@ -28,7 +28,7 @@ image:images/api-keys.png["API Keys UI"] * To create or update a *cross-cluster API key*, you must have the `manage_security` privilege and an Enterprise license. * To have a read-only view on the API keys, you must have access to the page and the `read_security` cluster privilege. -To manage roles, open the main menu, then click *Stack Management > Security > Roles*, or use the <>. +To manage roles, open the main menu, then click *Stack Management > Security > Roles*, or use the {api-kibana}/group/endpoint-roles[role APIs]. [float] [[create-api-key]] diff --git a/docs/user/security/authorization/kibana-privileges.asciidoc b/docs/user/security/authorization/kibana-privileges.asciidoc index 581210bb9d393..6c9a94a354fb3 100644 --- a/docs/user/security/authorization/kibana-privileges.asciidoc +++ b/docs/user/security/authorization/kibana-privileges.asciidoc @@ -1,22 +1,21 @@ -[role="xpack"] [[kibana-privileges]] -=== {kib} privileges += {kib} privileges {kib} privileges grant users access to features within {kib}. Roles have privileges to determine whether users have write or read access. -==== Base privileges +== Base privileges Assigning a base privilege grants access to all {kib} features, such as *Discover*, *Dashboard*, *Visualize Library*, and *Canvas*. [[kibana-privileges-all]] `all`:: Grants full read-write access. `read`:: Grants read-only access. -===== Assigning base privileges +=== Assigning base privileges From the role management screen: [role="screenshot"] image::security/images/assign-base-privilege.png[Assign base privilege] -From the <>: +Using the {api-kibana}/group/endpoint-roles[role APIs]: [source,js] -------------------------------------------------- PUT /api/security/role/my_kibana_role @@ -37,23 +36,23 @@ PUT /api/security/role/my_kibana_role [[kibana-feature-privileges]] -==== Feature privileges +== Feature privileges Assigning a feature privilege grants access to a specific feature. `all`:: Grants full read-write access. `read`:: Grants read-only access. -===== Sub-feature privileges +=== Sub-feature privileges Some features allow for finer access control than the `all` and `read` privileges. -This additional level of control is a https://www.elastic.co/subscriptions[subscription feature]. +This additional level of control is a {subscriptions}[subscription feature]. -===== Assigning feature privileges +=== Assigning feature privileges From the role management screen: [role="screenshot"] image::security/images/assign-subfeature-privilege.png[Assign feature privilege] -From the <>: +Using the {api-kibana}/group/endpoint-roles[role APIs]: [source,js] -------------------------------------------------- PUT /api/security/role/my_kibana_role diff --git a/docs/user/security/index.asciidoc b/docs/user/security/index.asciidoc index 906aee3d76d5a..44d7c41391c35 100644 --- a/docs/user/security/index.asciidoc +++ b/docs/user/security/index.asciidoc @@ -30,7 +30,7 @@ authentication and built-in users, see === Roles To manage roles, open the main menu, then click *Stack Management > Roles*, or use -the <>. For more information on configuring roles for {kib}, see <>. +the {api-kibana}/group/endpoint-roles[role APIs]. For more information on configuring roles for {kib}, see <>. For a more holistic overview of configuring roles for the entire stack, see {ref}/authorization.html[User authorization]. @@ -43,7 +43,7 @@ cause Kibana's authorization to behave unexpectedly. ============================================================================ include::authorization/index.asciidoc[] -include::authorization/kibana-privileges.asciidoc[] +include::authorization/kibana-privileges.asciidoc[leveloffset=+2] include::api-keys/index.asciidoc[] include::role-mappings/index.asciidoc[] include::fips-140-2.asciidoc[] diff --git a/oas_docs/bundle.json b/oas_docs/bundle.json index f3117b38def7a..7a43eed976fd8 100644 --- a/oas_docs/bundle.json +++ b/oas_docs/bundle.json @@ -6192,6 +6192,7 @@ } }, { + "description": "If `true` and the response contains any privileges that are associated with deprecated features, they are omitted in favor of details about the appropriate replacement feature privileges.", "in": "query", "name": "replaceDeprecatedPrivileges", "required": false, @@ -6200,7 +6201,11 @@ } } ], - "responses": {}, + "responses": { + "200": { + "description": "Indicates a successful call." + } + }, "summary": "Get all roles", "tags": [ "roles" @@ -6243,7 +6248,11 @@ } } ], - "responses": {}, + "responses": { + "204": { + "description": "Indicates a successful call." + } + }, "summary": "Delete a role", "tags": [ "roles" @@ -6265,6 +6274,7 @@ } }, { + "description": "The role name.", "in": "path", "name": "name", "required": true, @@ -6274,6 +6284,7 @@ } }, { + "description": "If `true` and the response contains any privileges that are associated with deprecated features, they are omitted in favor of details about the appropriate replacement feature privileges.", "in": "query", "name": "replaceDeprecatedPrivileges", "required": false, @@ -6282,13 +6293,18 @@ } } ], - "responses": {}, + "responses": { + "200": { + "description": "Indicates a successful call." + } + }, "summary": "Get a role", "tags": [ "roles" ] }, "put": { + "description": "Create a new Kibana role or update the attributes of an existing role. Kibana roles are stored in the Elasticsearch native realm.", "operationId": "%2Fapi%2Fsecurity%2Frole%2F%7Bname%7D#2", "parameters": [ { @@ -6314,6 +6330,7 @@ } }, { + "description": "The role name.", "in": "path", "name": "name", "required": true, @@ -6324,6 +6341,7 @@ } }, { + "description": "When true, a role is not overwritten if it already exists.", "in": "query", "name": "createOnly", "required": false, @@ -6340,6 +6358,7 @@ "additionalProperties": false, "properties": { "description": { + "description": "A description for the role.", "maxLength": 2048, "type": "string" }, @@ -6348,6 +6367,7 @@ "properties": { "cluster": { "items": { + "description": "Cluster privileges that define the cluster level actions that users can perform.", "type": "string" }, "type": "array" @@ -6357,11 +6377,13 @@ "additionalProperties": false, "properties": { "allow_restricted_indices": { + "description": "Restricted indices are a special category of indices that are used internally to store configuration data and should not be directly accessed. Only internal system roles should normally grant privileges over the restricted indices. Toggling this flag is very strongly discouraged because it could effectively grant unrestricted operations on critical data, making the entire system unstable or leaking sensitive information. If for administrative purposes you need to create a role with privileges covering restricted indices, however, you can set this property to true. In that case, the names field covers the restricted indices too.", "type": "boolean" }, "field_security": { "additionalProperties": { "items": { + "description": "The document fields that the role members have read access to.", "type": "string" }, "type": "array" @@ -6370,6 +6392,7 @@ }, "names": { "items": { + "description": "The data streams, indices, and aliases to which the permissions in this entry apply. It supports wildcards (*).", "type": "string" }, "minItems": 1, @@ -6377,12 +6400,14 @@ }, "privileges": { "items": { + "description": "The index level privileges that the role members have for the data streams and indices.", "type": "string" }, "minItems": 1, "type": "array" }, "query": { + "description": "A search query that defines the documents the role members have read access to. A document within the specified data streams and indices must match this query in order for it to be accessible by the role members.", "type": "string" } }, @@ -6400,6 +6425,7 @@ "properties": { "clusters": { "items": { + "description": "A list of remote cluster aliases. It supports literal strings as well as wildcards and regular expressions.", "type": "string" }, "minItems": 1, @@ -6407,6 +6433,7 @@ }, "privileges": { "items": { + "description": "The cluster level privileges for the remote cluster. The allowed values are a subset of the cluster privileges.", "type": "string" }, "minItems": 1, @@ -6426,10 +6453,12 @@ "additionalProperties": false, "properties": { "allow_restricted_indices": { + "description": "Restricted indices are a special category of indices that are used internally to store configuration data and should not be directly accessed. Only internal system roles should normally grant privileges over the restricted indices. Toggling this flag is very strongly discouraged because it could effectively grant unrestricted operations on critical data, making the entire system unstable or leaking sensitive information. If for administrative purposes you need to create a role with privileges covering restricted indices, however, you can set this property to true. In that case, the names field will cover the restricted indices too.", "type": "boolean" }, "clusters": { "items": { + "description": "A list of remote cluster aliases. It supports literal strings as well as wildcards and regular expressions.", "type": "string" }, "minItems": 1, @@ -6438,6 +6467,7 @@ "field_security": { "additionalProperties": { "items": { + "description": "The document fields that the role members have read access to.", "type": "string" }, "type": "array" @@ -6446,6 +6476,7 @@ }, "names": { "items": { + "description": "A list of remote aliases, data streams, or indices to which the permissions apply. It supports wildcards (*).", "type": "string" }, "minItems": 1, @@ -6453,12 +6484,14 @@ }, "privileges": { "items": { + "description": "The index level privileges that role members have for the specified indices.", "type": "string" }, "minItems": 1, "type": "array" }, "query": { + "description": "A search query that defines the documents the role members have read access to. A document within the specified data streams and indices must match this query in order for it to be accessible by the role members. ", "type": "string" } }, @@ -6473,6 +6506,7 @@ }, "run_as": { "items": { + "description": "A user name that the role member can impersonate.", "type": "string" }, "type": "array" @@ -6507,12 +6541,14 @@ "oneOf": [ { "items": { + "description": "A base privilege that grants applies to all spaces.", "type": "string" }, "type": "array" }, { "items": { + "description": "A base privilege that applies to specific spaces.", "type": "string" }, "type": "array" @@ -6522,6 +6558,7 @@ "feature": { "additionalProperties": { "items": { + "description": "The privileges that the role member has for the feature.", "type": "string" }, "type": "array" @@ -6543,6 +6580,7 @@ }, { "items": { + "description": "A space that the privilege applies to.", "type": "string" }, "type": "array" @@ -6573,7 +6611,11 @@ } } }, - "responses": {}, + "responses": { + "204": { + "description": "Indicates a successful call." + } + }, "summary": "Create or update a role", "tags": [ "roles" @@ -6618,6 +6660,7 @@ "additionalProperties": false, "properties": { "description": { + "description": "A description for the role.", "maxLength": 2048, "type": "string" }, @@ -6626,6 +6669,7 @@ "properties": { "cluster": { "items": { + "description": "Cluster privileges that define the cluster level actions that users can perform.", "type": "string" }, "type": "array" @@ -6635,11 +6679,13 @@ "additionalProperties": false, "properties": { "allow_restricted_indices": { + "description": "Restricted indices are a special category of indices that are used internally to store configuration data and should not be directly accessed. Only internal system roles should normally grant privileges over the restricted indices. Toggling this flag is very strongly discouraged because it could effectively grant unrestricted operations on critical data, making the entire system unstable or leaking sensitive information. If for administrative purposes you need to create a role with privileges covering restricted indices, however, you can set this property to true. In that case, the names field covers the restricted indices too.", "type": "boolean" }, "field_security": { "additionalProperties": { "items": { + "description": "The document fields that the role members have read access to.", "type": "string" }, "type": "array" @@ -6648,6 +6694,7 @@ }, "names": { "items": { + "description": "The data streams, indices, and aliases to which the permissions in this entry apply. It supports wildcards (*).", "type": "string" }, "minItems": 1, @@ -6655,12 +6702,14 @@ }, "privileges": { "items": { + "description": "The index level privileges that the role members have for the data streams and indices.", "type": "string" }, "minItems": 1, "type": "array" }, "query": { + "description": "A search query that defines the documents the role members have read access to. A document within the specified data streams and indices must match this query in order for it to be accessible by the role members.", "type": "string" } }, @@ -6678,6 +6727,7 @@ "properties": { "clusters": { "items": { + "description": "A list of remote cluster aliases. It supports literal strings as well as wildcards and regular expressions.", "type": "string" }, "minItems": 1, @@ -6685,6 +6735,7 @@ }, "privileges": { "items": { + "description": "The cluster level privileges for the remote cluster. The allowed values are a subset of the cluster privileges.", "type": "string" }, "minItems": 1, @@ -6704,10 +6755,12 @@ "additionalProperties": false, "properties": { "allow_restricted_indices": { + "description": "Restricted indices are a special category of indices that are used internally to store configuration data and should not be directly accessed. Only internal system roles should normally grant privileges over the restricted indices. Toggling this flag is very strongly discouraged because it could effectively grant unrestricted operations on critical data, making the entire system unstable or leaking sensitive information. If for administrative purposes you need to create a role with privileges covering restricted indices, however, you can set this property to true. In that case, the names field will cover the restricted indices too.", "type": "boolean" }, "clusters": { "items": { + "description": "A list of remote cluster aliases. It supports literal strings as well as wildcards and regular expressions.", "type": "string" }, "minItems": 1, @@ -6716,6 +6769,7 @@ "field_security": { "additionalProperties": { "items": { + "description": "The document fields that the role members have read access to.", "type": "string" }, "type": "array" @@ -6724,6 +6778,7 @@ }, "names": { "items": { + "description": "A list of remote aliases, data streams, or indices to which the permissions apply. It supports wildcards (*).", "type": "string" }, "minItems": 1, @@ -6731,12 +6786,14 @@ }, "privileges": { "items": { + "description": "The index level privileges that role members have for the specified indices.", "type": "string" }, "minItems": 1, "type": "array" }, "query": { + "description": "A search query that defines the documents the role members have read access to. A document within the specified data streams and indices must match this query in order for it to be accessible by the role members. ", "type": "string" } }, @@ -6751,6 +6808,7 @@ }, "run_as": { "items": { + "description": "A user name that the role member can impersonate.", "type": "string" }, "type": "array" @@ -6785,12 +6843,14 @@ "oneOf": [ { "items": { + "description": "A base privilege that grants applies to all spaces.", "type": "string" }, "type": "array" }, { "items": { + "description": "A base privilege that applies to specific spaces.", "type": "string" }, "type": "array" @@ -6800,6 +6860,7 @@ "feature": { "additionalProperties": { "items": { + "description": "The privileges that the role member has for the feature.", "type": "string" }, "type": "array" @@ -6821,6 +6882,7 @@ }, { "items": { + "description": "A space that the privilege applies to.", "type": "string" }, "type": "array" @@ -6859,7 +6921,11 @@ } } }, - "responses": {}, + "responses": { + "200": { + "description": "Indicates a successful call." + } + }, "summary": "Create or update roles", "tags": [ "roles" diff --git a/oas_docs/bundle.serverless.json b/oas_docs/bundle.serverless.json deleted file mode 100644 index 4fea1c02a22c5..0000000000000 --- a/oas_docs/bundle.serverless.json +++ /dev/null @@ -1,6637 +0,0 @@ -{ - "components": { - "schemas": { - "core_status_redactedResponse": { - "additionalProperties": false, - "description": "A minimal representation of Kibana's operational status.", - "properties": { - "status": { - "additionalProperties": false, - "properties": { - "overall": { - "additionalProperties": false, - "properties": { - "level": { - "description": "Service status levels as human and machine readable values.", - "enum": [ - "available", - "degraded", - "unavailable", - "critical" - ], - "type": "string" - } - }, - "required": [ - "level" - ], - "type": "object" - } - }, - "required": [ - "overall" - ], - "type": "object" - } - }, - "required": [ - "status" - ], - "type": "object" - }, - "core_status_response": { - "additionalProperties": false, - "description": "Kibana's operational status as well as a detailed breakdown of plugin statuses indication of various loads (like event loop utilization and network traffic) at time of request.", - "properties": { - "metrics": { - "additionalProperties": false, - "description": "Metric groups collected by Kibana.", - "properties": { - "collection_interval_in_millis": { - "description": "The interval at which metrics should be collected.", - "type": "number" - }, - "elasticsearch_client": { - "additionalProperties": false, - "description": "Current network metrics of Kibana's Elasticsearch client.", - "properties": { - "totalActiveSockets": { - "description": "Count of network sockets currently in use.", - "type": "number" - }, - "totalIdleSockets": { - "description": "Count of network sockets currently idle.", - "type": "number" - }, - "totalQueuedRequests": { - "description": "Count of requests not yet assigned to sockets.", - "type": "number" - } - }, - "required": [ - "totalActiveSockets", - "totalIdleSockets", - "totalQueuedRequests" - ], - "type": "object" - }, - "last_updated": { - "description": "The time metrics were collected.", - "type": "string" - } - }, - "required": [ - "elasticsearch_client", - "last_updated", - "collection_interval_in_millis" - ], - "type": "object" - }, - "name": { - "description": "Kibana instance name.", - "type": "string" - }, - "status": { - "additionalProperties": false, - "properties": { - "core": { - "additionalProperties": false, - "description": "Statuses of core Kibana services.", - "properties": { - "elasticsearch": { - "additionalProperties": false, - "properties": { - "detail": { - "description": "Human readable detail of the service status.", - "type": "string" - }, - "documentationUrl": { - "description": "A URL to further documentation regarding this service.", - "type": "string" - }, - "level": { - "description": "Service status levels as human and machine readable values.", - "enum": [ - "available", - "degraded", - "unavailable", - "critical" - ], - "type": "string" - }, - "meta": { - "additionalProperties": {}, - "description": "An unstructured set of extra metadata about this service.", - "type": "object" - }, - "summary": { - "description": "A human readable summary of the service status.", - "type": "string" - } - }, - "required": [ - "level", - "summary", - "meta" - ], - "type": "object" - }, - "savedObjects": { - "additionalProperties": false, - "properties": { - "detail": { - "description": "Human readable detail of the service status.", - "type": "string" - }, - "documentationUrl": { - "description": "A URL to further documentation regarding this service.", - "type": "string" - }, - "level": { - "description": "Service status levels as human and machine readable values.", - "enum": [ - "available", - "degraded", - "unavailable", - "critical" - ], - "type": "string" - }, - "meta": { - "additionalProperties": {}, - "description": "An unstructured set of extra metadata about this service.", - "type": "object" - }, - "summary": { - "description": "A human readable summary of the service status.", - "type": "string" - } - }, - "required": [ - "level", - "summary", - "meta" - ], - "type": "object" - } - }, - "required": [ - "elasticsearch", - "savedObjects" - ], - "type": "object" - }, - "overall": { - "additionalProperties": false, - "properties": { - "detail": { - "description": "Human readable detail of the service status.", - "type": "string" - }, - "documentationUrl": { - "description": "A URL to further documentation regarding this service.", - "type": "string" - }, - "level": { - "description": "Service status levels as human and machine readable values.", - "enum": [ - "available", - "degraded", - "unavailable", - "critical" - ], - "type": "string" - }, - "meta": { - "additionalProperties": {}, - "description": "An unstructured set of extra metadata about this service.", - "type": "object" - }, - "summary": { - "description": "A human readable summary of the service status.", - "type": "string" - } - }, - "required": [ - "level", - "summary", - "meta" - ], - "type": "object" - }, - "plugins": { - "additionalProperties": { - "additionalProperties": false, - "properties": { - "detail": { - "description": "Human readable detail of the service status.", - "type": "string" - }, - "documentationUrl": { - "description": "A URL to further documentation regarding this service.", - "type": "string" - }, - "level": { - "description": "Service status levels as human and machine readable values.", - "enum": [ - "available", - "degraded", - "unavailable", - "critical" - ], - "type": "string" - }, - "meta": { - "additionalProperties": {}, - "description": "An unstructured set of extra metadata about this service.", - "type": "object" - }, - "summary": { - "description": "A human readable summary of the service status.", - "type": "string" - } - }, - "required": [ - "level", - "summary", - "meta" - ], - "type": "object" - }, - "description": "A dynamic mapping of plugin ID to plugin status.", - "type": "object" - } - }, - "required": [ - "overall", - "core", - "plugins" - ], - "type": "object" - }, - "uuid": { - "description": "Unique, generated Kibana instance UUID. This UUID should persist even if the Kibana process restarts.", - "type": "string" - }, - "version": { - "additionalProperties": false, - "properties": { - "build_date": { - "description": "The date and time of this build.", - "type": "string" - }, - "build_flavor": { - "description": "The build flavour determines configuration and behavior of Kibana. On premise users will almost always run the \"traditional\" flavour, while other flavours are reserved for Elastic-specific use cases.", - "enum": [ - "serverless", - "traditional" - ], - "type": "string" - }, - "build_hash": { - "description": "A unique hash value representing the git commit of this Kibana build.", - "type": "string" - }, - "build_number": { - "description": "A monotonically increasing number, each subsequent build will have a higher number.", - "type": "number" - }, - "build_snapshot": { - "description": "Whether this build is a snapshot build.", - "type": "boolean" - }, - "number": { - "description": "A semantic version number.", - "type": "string" - } - }, - "required": [ - "number", - "build_hash", - "build_number", - "build_snapshot", - "build_flavor", - "build_date" - ], - "type": "object" - } - }, - "required": [ - "name", - "uuid", - "version", - "status", - "metrics" - ], - "type": "object" - } - }, - "securitySchemes": { - "apiKeyAuth": { - "in": "header", - "name": "Authorization", - "type": "apiKey" - }, - "basicAuth": { - "scheme": "basic", - "type": "http" - } - } - }, - "info": { - "title": "Kibana HTTP APIs", - "version": "0.0.0" - }, - "openapi": "3.0.0", - "paths": { - "/api/actions": { - "get": { - "deprecated": true, - "operationId": "%2Fapi%2Factions#0", - "parameters": [ - { - "description": "The version of the API to use", - "in": "header", - "name": "elastic-api-version", - "schema": { - "default": "2023-10-31", - "enum": [ - "2023-10-31" - ], - "type": "string" - } - } - ], - "responses": {}, - "summary": "Get all connectors", - "tags": [ - "connectors" - ] - } - }, - "/api/actions/action": { - "post": { - "deprecated": true, - "operationId": "%2Fapi%2Factions%2Faction#0", - "parameters": [ - { - "description": "The version of the API to use", - "in": "header", - "name": "elastic-api-version", - "schema": { - "default": "2023-10-31", - "enum": [ - "2023-10-31" - ], - "type": "string" - } - }, - { - "description": "A required header to protect against CSRF attacks", - "in": "header", - "name": "kbn-xsrf", - "required": true, - "schema": { - "example": "true", - "type": "string" - } - } - ], - "requestBody": { - "content": { - "application/json; Elastic-Api-Version=2023-10-31": { - "schema": { - "additionalProperties": false, - "properties": { - "actionTypeId": { - "description": "The connector type identifier.", - "type": "string" - }, - "config": { - "additionalProperties": {}, - "default": {}, - "type": "object" - }, - "name": { - "description": "The display name for the connector.", - "type": "string" - }, - "secrets": { - "additionalProperties": {}, - "default": {}, - "type": "object" - } - }, - "required": [ - "name", - "actionTypeId" - ], - "type": "object" - } - } - } - }, - "responses": { - "200": { - "content": { - "application/json; Elastic-Api-Version=2023-10-31": { - "schema": { - "additionalProperties": false, - "properties": { - "config": { - "additionalProperties": {}, - "type": "object" - }, - "connector_type_id": { - "description": "The connector type identifier.", - "type": "string" - }, - "id": { - "description": "The identifier for the connector.", - "type": "string" - }, - "is_deprecated": { - "description": "Indicates whether the connector is deprecated.", - "type": "boolean" - }, - "is_missing_secrets": { - "description": "Indicates whether the connector is missing secrets.", - "type": "boolean" - }, - "is_preconfigured": { - "description": "Indicates whether the connector is preconfigured. If true, the `config` and `is_missing_secrets` properties are omitted from the response. ", - "type": "boolean" - }, - "is_system_action": { - "description": "Indicates whether the connector is used for system actions.", - "type": "boolean" - }, - "name": { - "description": " The name of the rule.", - "type": "string" - } - }, - "required": [ - "id", - "name", - "connector_type_id", - "is_preconfigured", - "is_deprecated", - "is_system_action" - ], - "type": "object" - } - } - }, - "description": "Indicates a successful call." - } - }, - "summary": "Create a connector", - "tags": [ - "connectors" - ] - } - }, - "/api/actions/action/{id}": { - "delete": { - "deprecated": true, - "description": "WARNING: When you delete a connector, it cannot be recovered.", - "operationId": "%2Fapi%2Factions%2Faction%2F%7Bid%7D#0", - "parameters": [ - { - "description": "The version of the API to use", - "in": "header", - "name": "elastic-api-version", - "schema": { - "default": "2023-10-31", - "enum": [ - "2023-10-31" - ], - "type": "string" - } - }, - { - "description": "A required header to protect against CSRF attacks", - "in": "header", - "name": "kbn-xsrf", - "required": true, - "schema": { - "example": "true", - "type": "string" - } - }, - { - "description": "An identifier for the connector.", - "in": "path", - "name": "id", - "required": true, - "schema": { - "type": "string" - } - } - ], - "responses": { - "204": { - "description": "Indicates a successful call." - } - }, - "summary": "Delete a connector", - "tags": [ - "connectors" - ] - }, - "get": { - "deprecated": true, - "operationId": "%2Fapi%2Factions%2Faction%2F%7Bid%7D#1", - "parameters": [ - { - "description": "The version of the API to use", - "in": "header", - "name": "elastic-api-version", - "schema": { - "default": "2023-10-31", - "enum": [ - "2023-10-31" - ], - "type": "string" - } - }, - { - "description": "An identifier for the connector.", - "in": "path", - "name": "id", - "required": true, - "schema": { - "type": "string" - } - } - ], - "responses": { - "200": { - "content": { - "application/json; Elastic-Api-Version=2023-10-31": { - "schema": { - "additionalProperties": false, - "properties": { - "config": { - "additionalProperties": {}, - "type": "object" - }, - "connector_type_id": { - "description": "The connector type identifier.", - "type": "string" - }, - "id": { - "description": "The identifier for the connector.", - "type": "string" - }, - "is_deprecated": { - "description": "Indicates whether the connector is deprecated.", - "type": "boolean" - }, - "is_missing_secrets": { - "description": "Indicates whether the connector is missing secrets.", - "type": "boolean" - }, - "is_preconfigured": { - "description": "Indicates whether the connector is preconfigured. If true, the `config` and `is_missing_secrets` properties are omitted from the response. ", - "type": "boolean" - }, - "is_system_action": { - "description": "Indicates whether the connector is used for system actions.", - "type": "boolean" - }, - "name": { - "description": " The name of the rule.", - "type": "string" - } - }, - "required": [ - "id", - "name", - "connector_type_id", - "is_preconfigured", - "is_deprecated", - "is_system_action" - ], - "type": "object" - } - } - }, - "description": "Indicates a successful call." - } - }, - "summary": "Get connector information", - "tags": [ - "connectors" - ] - }, - "put": { - "deprecated": true, - "operationId": "%2Fapi%2Factions%2Faction%2F%7Bid%7D#2", - "parameters": [ - { - "description": "The version of the API to use", - "in": "header", - "name": "elastic-api-version", - "schema": { - "default": "2023-10-31", - "enum": [ - "2023-10-31" - ], - "type": "string" - } - }, - { - "description": "A required header to protect against CSRF attacks", - "in": "header", - "name": "kbn-xsrf", - "required": true, - "schema": { - "example": "true", - "type": "string" - } - }, - { - "description": "An identifier for the connector.", - "in": "path", - "name": "id", - "required": true, - "schema": { - "type": "string" - } - } - ], - "requestBody": { - "content": { - "application/json; Elastic-Api-Version=2023-10-31": { - "schema": { - "additionalProperties": false, - "properties": { - "config": { - "additionalProperties": {}, - "default": {}, - "type": "object" - }, - "name": { - "type": "string" - }, - "secrets": { - "additionalProperties": {}, - "default": {}, - "type": "object" - } - }, - "required": [ - "name" - ], - "type": "object" - } - } - } - }, - "responses": { - "200": { - "content": { - "application/json; Elastic-Api-Version=2023-10-31": { - "schema": { - "additionalProperties": false, - "properties": { - "config": { - "additionalProperties": {}, - "type": "object" - }, - "connector_type_id": { - "description": "The connector type identifier.", - "type": "string" - }, - "id": { - "description": "The identifier for the connector.", - "type": "string" - }, - "is_deprecated": { - "description": "Indicates whether the connector is deprecated.", - "type": "boolean" - }, - "is_missing_secrets": { - "description": "Indicates whether the connector is missing secrets.", - "type": "boolean" - }, - "is_preconfigured": { - "description": "Indicates whether the connector is preconfigured. If true, the `config` and `is_missing_secrets` properties are omitted from the response. ", - "type": "boolean" - }, - "is_system_action": { - "description": "Indicates whether the connector is used for system actions.", - "type": "boolean" - }, - "name": { - "description": " The name of the rule.", - "type": "string" - } - }, - "required": [ - "id", - "name", - "connector_type_id", - "is_preconfigured", - "is_deprecated", - "is_system_action" - ], - "type": "object" - } - } - }, - "description": "Indicates a successful call." - } - }, - "summary": "Update a connector", - "tags": [ - "connectors" - ] - } - }, - "/api/actions/action/{id}/_execute": { - "post": { - "deprecated": true, - "operationId": "%2Fapi%2Factions%2Faction%2F%7Bid%7D%2F_execute#0", - "parameters": [ - { - "description": "The version of the API to use", - "in": "header", - "name": "elastic-api-version", - "schema": { - "default": "2023-10-31", - "enum": [ - "2023-10-31" - ], - "type": "string" - } - }, - { - "description": "A required header to protect against CSRF attacks", - "in": "header", - "name": "kbn-xsrf", - "required": true, - "schema": { - "example": "true", - "type": "string" - } - }, - { - "description": "An identifier for the connector.", - "in": "path", - "name": "id", - "required": true, - "schema": { - "type": "string" - } - } - ], - "requestBody": { - "content": { - "application/json; Elastic-Api-Version=2023-10-31": { - "schema": { - "additionalProperties": false, - "properties": { - "params": { - "additionalProperties": {}, - "type": "object" - } - }, - "required": [ - "params" - ], - "type": "object" - } - } - } - }, - "responses": { - "200": { - "content": { - "application/json; Elastic-Api-Version=2023-10-31": { - "schema": { - "additionalProperties": false, - "properties": { - "config": { - "additionalProperties": {}, - "type": "object" - }, - "connector_type_id": { - "description": "The connector type identifier.", - "type": "string" - }, - "id": { - "description": "The identifier for the connector.", - "type": "string" - }, - "is_deprecated": { - "description": "Indicates whether the connector is deprecated.", - "type": "boolean" - }, - "is_missing_secrets": { - "description": "Indicates whether the connector is missing secrets.", - "type": "boolean" - }, - "is_preconfigured": { - "description": "Indicates whether the connector is preconfigured. If true, the `config` and `is_missing_secrets` properties are omitted from the response. ", - "type": "boolean" - }, - "is_system_action": { - "description": "Indicates whether the connector is used for system actions.", - "type": "boolean" - }, - "name": { - "description": " The name of the rule.", - "type": "string" - } - }, - "required": [ - "id", - "name", - "connector_type_id", - "is_preconfigured", - "is_deprecated", - "is_system_action" - ], - "type": "object" - } - } - }, - "description": "Indicates a successful call." - } - }, - "summary": "Run a connector", - "tags": [ - "connectors" - ] - } - }, - "/api/actions/connector/{id}": { - "delete": { - "description": "WARNING: When you delete a connector, it cannot be recovered.", - "operationId": "%2Fapi%2Factions%2Fconnector%2F%7Bid%7D#0", - "parameters": [ - { - "description": "The version of the API to use", - "in": "header", - "name": "elastic-api-version", - "schema": { - "default": "2023-10-31", - "enum": [ - "2023-10-31" - ], - "type": "string" - } - }, - { - "description": "A required header to protect against CSRF attacks", - "in": "header", - "name": "kbn-xsrf", - "required": true, - "schema": { - "example": "true", - "type": "string" - } - }, - { - "description": "An identifier for the connector.", - "in": "path", - "name": "id", - "required": true, - "schema": { - "type": "string" - } - } - ], - "responses": { - "204": { - "description": "Indicates a successful call." - } - }, - "summary": "Delete a connector", - "tags": [ - "connectors" - ] - }, - "get": { - "operationId": "%2Fapi%2Factions%2Fconnector%2F%7Bid%7D#1", - "parameters": [ - { - "description": "The version of the API to use", - "in": "header", - "name": "elastic-api-version", - "schema": { - "default": "2023-10-31", - "enum": [ - "2023-10-31" - ], - "type": "string" - } - }, - { - "description": "An identifier for the connector.", - "in": "path", - "name": "id", - "required": true, - "schema": { - "type": "string" - } - } - ], - "responses": { - "200": { - "content": { - "application/json; Elastic-Api-Version=2023-10-31": { - "schema": { - "additionalProperties": false, - "properties": { - "config": { - "additionalProperties": {}, - "type": "object" - }, - "connector_type_id": { - "description": "The connector type identifier.", - "type": "string" - }, - "id": { - "description": "The identifier for the connector.", - "type": "string" - }, - "is_deprecated": { - "description": "Indicates whether the connector is deprecated.", - "type": "boolean" - }, - "is_missing_secrets": { - "description": "Indicates whether the connector is missing secrets.", - "type": "boolean" - }, - "is_preconfigured": { - "description": "Indicates whether the connector is preconfigured. If true, the `config` and `is_missing_secrets` properties are omitted from the response. ", - "type": "boolean" - }, - "is_system_action": { - "description": "Indicates whether the connector is used for system actions.", - "type": "boolean" - }, - "name": { - "description": " The name of the rule.", - "type": "string" - } - }, - "required": [ - "id", - "name", - "connector_type_id", - "is_preconfigured", - "is_deprecated", - "is_system_action" - ], - "type": "object" - } - } - }, - "description": "Indicates a successful call." - } - }, - "summary": "Get connector information", - "tags": [ - "connectors" - ] - }, - "post": { - "operationId": "%2Fapi%2Factions%2Fconnector%2F%7Bid%3F%7D#0", - "parameters": [ - { - "description": "The version of the API to use", - "in": "header", - "name": "elastic-api-version", - "schema": { - "default": "2023-10-31", - "enum": [ - "2023-10-31" - ], - "type": "string" - } - }, - { - "description": "A required header to protect against CSRF attacks", - "in": "header", - "name": "kbn-xsrf", - "required": true, - "schema": { - "example": "true", - "type": "string" - } - }, - { - "description": "An identifier for the connector.", - "in": "path", - "name": "id", - "required": false, - "schema": { - "type": "string" - } - } - ], - "requestBody": { - "content": { - "application/json; Elastic-Api-Version=2023-10-31": { - "schema": { - "additionalProperties": false, - "properties": { - "config": { - "additionalProperties": {}, - "default": {}, - "type": "object" - }, - "connector_type_id": { - "description": "The type of connector.", - "type": "string" - }, - "name": { - "description": "The display name for the connector.", - "type": "string" - }, - "secrets": { - "additionalProperties": {}, - "default": {}, - "type": "object" - } - }, - "required": [ - "name", - "connector_type_id" - ], - "type": "object" - } - } - } - }, - "responses": { - "200": { - "content": { - "application/json; Elastic-Api-Version=2023-10-31": { - "schema": { - "additionalProperties": false, - "properties": { - "config": { - "additionalProperties": {}, - "type": "object" - }, - "connector_type_id": { - "description": "The connector type identifier.", - "type": "string" - }, - "id": { - "description": "The identifier for the connector.", - "type": "string" - }, - "is_deprecated": { - "description": "Indicates whether the connector is deprecated.", - "type": "boolean" - }, - "is_missing_secrets": { - "description": "Indicates whether the connector is missing secrets.", - "type": "boolean" - }, - "is_preconfigured": { - "description": "Indicates whether the connector is preconfigured. If true, the `config` and `is_missing_secrets` properties are omitted from the response. ", - "type": "boolean" - }, - "is_system_action": { - "description": "Indicates whether the connector is used for system actions.", - "type": "boolean" - }, - "name": { - "description": " The name of the rule.", - "type": "string" - } - }, - "required": [ - "id", - "name", - "connector_type_id", - "is_preconfigured", - "is_deprecated", - "is_system_action" - ], - "type": "object" - } - } - }, - "description": "Indicates a successful call." - } - }, - "summary": "Create a connector", - "tags": [ - "connectors" - ] - }, - "put": { - "operationId": "%2Fapi%2Factions%2Fconnector%2F%7Bid%7D#2", - "parameters": [ - { - "description": "The version of the API to use", - "in": "header", - "name": "elastic-api-version", - "schema": { - "default": "2023-10-31", - "enum": [ - "2023-10-31" - ], - "type": "string" - } - }, - { - "description": "A required header to protect against CSRF attacks", - "in": "header", - "name": "kbn-xsrf", - "required": true, - "schema": { - "example": "true", - "type": "string" - } - }, - { - "description": "An identifier for the connector.", - "in": "path", - "name": "id", - "required": true, - "schema": { - "type": "string" - } - } - ], - "requestBody": { - "content": { - "application/json; Elastic-Api-Version=2023-10-31": { - "schema": { - "additionalProperties": false, - "properties": { - "config": { - "additionalProperties": {}, - "default": {}, - "type": "object" - }, - "name": { - "description": "The display name for the connector.", - "type": "string" - }, - "secrets": { - "additionalProperties": {}, - "default": {}, - "type": "object" - } - }, - "required": [ - "name" - ], - "type": "object" - } - } - } - }, - "responses": { - "200": { - "content": { - "application/json; Elastic-Api-Version=2023-10-31": { - "schema": { - "additionalProperties": false, - "properties": { - "config": { - "additionalProperties": {}, - "type": "object" - }, - "connector_type_id": { - "description": "The connector type identifier.", - "type": "string" - }, - "id": { - "description": "The identifier for the connector.", - "type": "string" - }, - "is_deprecated": { - "description": "Indicates whether the connector is deprecated.", - "type": "boolean" - }, - "is_missing_secrets": { - "description": "Indicates whether the connector is missing secrets.", - "type": "boolean" - }, - "is_preconfigured": { - "description": "Indicates whether the connector is preconfigured. If true, the `config` and `is_missing_secrets` properties are omitted from the response. ", - "type": "boolean" - }, - "is_system_action": { - "description": "Indicates whether the connector is used for system actions.", - "type": "boolean" - }, - "name": { - "description": " The name of the rule.", - "type": "string" - } - }, - "required": [ - "id", - "name", - "connector_type_id", - "is_preconfigured", - "is_deprecated", - "is_system_action" - ], - "type": "object" - } - } - }, - "description": "Indicates a successful call." - } - }, - "summary": "Update a connector", - "tags": [ - "connectors" - ] - } - }, - "/api/actions/connector/{id}/_execute": { - "post": { - "description": "You can use this API to test an action that involves interaction with Kibana services or integrations with third-party systems.", - "operationId": "%2Fapi%2Factions%2Fconnector%2F%7Bid%7D%2F_execute#0", - "parameters": [ - { - "description": "The version of the API to use", - "in": "header", - "name": "elastic-api-version", - "schema": { - "default": "2023-10-31", - "enum": [ - "2023-10-31" - ], - "type": "string" - } - }, - { - "description": "A required header to protect against CSRF attacks", - "in": "header", - "name": "kbn-xsrf", - "required": true, - "schema": { - "example": "true", - "type": "string" - } - }, - { - "description": "An identifier for the connector.", - "in": "path", - "name": "id", - "required": true, - "schema": { - "type": "string" - } - } - ], - "requestBody": { - "content": { - "application/json; Elastic-Api-Version=2023-10-31": { - "schema": { - "additionalProperties": false, - "properties": { - "params": { - "additionalProperties": {}, - "type": "object" - } - }, - "required": [ - "params" - ], - "type": "object" - } - } - } - }, - "responses": { - "200": { - "content": { - "application/json; Elastic-Api-Version=2023-10-31": { - "schema": { - "additionalProperties": false, - "properties": { - "config": { - "additionalProperties": {}, - "type": "object" - }, - "connector_type_id": { - "description": "The connector type identifier.", - "type": "string" - }, - "id": { - "description": "The identifier for the connector.", - "type": "string" - }, - "is_deprecated": { - "description": "Indicates whether the connector is deprecated.", - "type": "boolean" - }, - "is_missing_secrets": { - "description": "Indicates whether the connector is missing secrets.", - "type": "boolean" - }, - "is_preconfigured": { - "description": "Indicates whether the connector is preconfigured. If true, the `config` and `is_missing_secrets` properties are omitted from the response. ", - "type": "boolean" - }, - "is_system_action": { - "description": "Indicates whether the connector is used for system actions.", - "type": "boolean" - }, - "name": { - "description": " The name of the rule.", - "type": "string" - } - }, - "required": [ - "id", - "name", - "connector_type_id", - "is_preconfigured", - "is_deprecated", - "is_system_action" - ], - "type": "object" - } - } - }, - "description": "Indicates a successful call." - } - }, - "summary": "Run a connector", - "tags": [ - "connectors" - ] - } - }, - "/api/actions/connector_types": { - "get": { - "description": "You do not need any Kibana feature privileges to run this API.", - "operationId": "%2Fapi%2Factions%2Fconnector_types#0", - "parameters": [ - { - "description": "The version of the API to use", - "in": "header", - "name": "elastic-api-version", - "schema": { - "default": "2023-10-31", - "enum": [ - "2023-10-31" - ], - "type": "string" - } - }, - { - "description": "A filter to limit the retrieved connector types to those that support a specific feature (such as alerting or cases).", - "in": "query", - "name": "feature_id", - "required": false, - "schema": { - "type": "string" - } - } - ], - "responses": {}, - "summary": "Get connector types", - "tags": [ - "connectors" - ] - } - }, - "/api/actions/connectors": { - "get": { - "operationId": "%2Fapi%2Factions%2Fconnectors#0", - "parameters": [ - { - "description": "The version of the API to use", - "in": "header", - "name": "elastic-api-version", - "schema": { - "default": "2023-10-31", - "enum": [ - "2023-10-31" - ], - "type": "string" - } - } - ], - "responses": {}, - "summary": "Get all connectors", - "tags": [ - "connectors" - ] - } - }, - "/api/actions/list_action_types": { - "get": { - "deprecated": true, - "operationId": "%2Fapi%2Factions%2Flist_action_types#0", - "parameters": [ - { - "description": "The version of the API to use", - "in": "header", - "name": "elastic-api-version", - "schema": { - "default": "2023-10-31", - "enum": [ - "2023-10-31" - ], - "type": "string" - } - } - ], - "responses": {}, - "summary": "Get connector types", - "tags": [ - "connectors" - ] - } - }, - "/api/alerting/rule/{id}": { - "delete": { - "operationId": "%2Fapi%2Falerting%2Frule%2F%7Bid%7D#2", - "parameters": [ - { - "description": "The version of the API to use", - "in": "header", - "name": "elastic-api-version", - "schema": { - "default": "2023-10-31", - "enum": [ - "2023-10-31" - ], - "type": "string" - } - }, - { - "description": "A required header to protect against CSRF attacks", - "in": "header", - "name": "kbn-xsrf", - "required": true, - "schema": { - "example": "true", - "type": "string" - } - }, - { - "description": "The identifier for the rule.", - "in": "path", - "name": "id", - "required": true, - "schema": { - "type": "string" - } - } - ], - "responses": { - "204": { - "description": "Indicates a successful call." - }, - "400": { - "description": "Indicates an invalid schema or parameters." - }, - "403": { - "description": "Indicates that this call is forbidden." - }, - "404": { - "description": "Indicates a rule with the given ID does not exist." - } - }, - "summary": "Delete a rule", - "tags": [ - "alerting" - ] - }, - "get": { - "operationId": "%2Fapi%2Falerting%2Frule%2F%7Bid%7D#0", - "parameters": [ - { - "description": "The version of the API to use", - "in": "header", - "name": "elastic-api-version", - "schema": { - "default": "2023-10-31", - "enum": [ - "2023-10-31" - ], - "type": "string" - } - }, - { - "description": "The identifier for the rule.", - "in": "path", - "name": "id", - "required": true, - "schema": { - "type": "string" - } - } - ], - "responses": { - "200": { - "content": { - "application/json; Elastic-Api-Version=2023-10-31": { - "schema": { - "additionalProperties": false, - "properties": { - "actions": { - "items": { - "additionalProperties": false, - "properties": { - "alerts_filter": { - "additionalProperties": false, - "description": "Defines a period that limits whether the action runs.", - "properties": { - "query": { - "additionalProperties": false, - "properties": { - "dsl": { - "description": "A filter written in Elasticsearch Query Domain Specific Language (DSL).", - "type": "string" - }, - "filters": { - "description": "A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.", - "items": { - "additionalProperties": false, - "properties": { - "$state": { - "additionalProperties": false, - "properties": { - "store": { - "description": "A filter can be either specific to an application context or applied globally.", - "enum": [ - "appState", - "globalState" - ], - "type": "string" - } - }, - "required": [ - "store" - ], - "type": "object" - }, - "meta": { - "additionalProperties": {}, - "type": "object" - }, - "query": { - "additionalProperties": {}, - "type": "object" - } - }, - "required": [ - "meta" - ], - "type": "object" - }, - "type": "array" - }, - "kql": { - "description": "A filter written in Kibana Query Language (KQL).", - "type": "string" - } - }, - "required": [ - "kql", - "filters" - ], - "type": "object" - }, - "timeframe": { - "additionalProperties": false, - "properties": { - "days": { - "description": "Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.", - "items": { - "enum": [ - 1, - 2, - 3, - 4, - 5, - 6, - 7 - ], - "type": "integer" - }, - "type": "array" - }, - "hours": { - "additionalProperties": false, - "properties": { - "end": { - "description": "The end of the time frame in 24-hour notation (`hh:mm`).", - "type": "string" - }, - "start": { - "description": "The start of the time frame in 24-hour notation (`hh:mm`).", - "type": "string" - } - }, - "required": [ - "start", - "end" - ], - "type": "object" - }, - "timezone": { - "description": "The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended.", - "type": "string" - } - }, - "required": [ - "days", - "hours", - "timezone" - ], - "type": "object" - } - }, - "type": "object" - }, - "connector_type_id": { - "description": "The type of connector. This property appears in responses but cannot be set in requests.", - "type": "string" - }, - "frequency": { - "additionalProperties": false, - "properties": { - "notify_when": { - "description": "Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.", - "enum": [ - "onActionGroupChange", - "onActiveAlert", - "onThrottleInterval" - ], - "type": "string" - }, - "summary": { - "description": "Indicates whether the action is a summary.", - "type": "boolean" - }, - "throttle": { - "description": "The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if 'notify_when' is set to 'onThrottleInterval'. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.", - "nullable": true, - "type": "string" - } - }, - "required": [ - "summary", - "notify_when", - "throttle" - ], - "type": "object" - }, - "group": { - "description": "The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.", - "type": "string" - }, - "id": { - "description": "The identifier for the connector saved object.", - "type": "string" - }, - "params": { - "additionalProperties": {}, - "description": "The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.", - "type": "object" - }, - "use_alert_data_for_template": { - "description": "Indicates whether to use alert data as a template.", - "type": "boolean" - }, - "uuid": { - "description": "A universally unique identifier (UUID) for the action.", - "type": "string" - } - }, - "required": [ - "id", - "connector_type_id", - "params" - ], - "type": "object" - }, - "type": "array" - }, - "active_snoozes": { - "items": { - "description": "List of active snoozes for the rule.", - "type": "string" - }, - "type": "array" - }, - "alert_delay": { - "additionalProperties": false, - "description": "Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.", - "properties": { - "active": { - "description": "The number of consecutive runs that must meet the rule conditions.", - "type": "number" - } - }, - "required": [ - "active" - ], - "type": "object" - }, - "api_key_created_by_user": { - "description": "Indicates whether the API key that is associated with the rule was created by the user.", - "nullable": true, - "type": "boolean" - }, - "api_key_owner": { - "description": "The owner of the API key that is associated with the rule and used to run background tasks.", - "nullable": true, - "type": "string" - }, - "consumer": { - "description": "The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.", - "type": "string" - }, - "created_at": { - "description": "The date and time that the rule was created.", - "type": "string" - }, - "created_by": { - "description": "The identifier for the user that created the rule.", - "nullable": true, - "type": "string" - }, - "enabled": { - "description": "Indicates whether you want to run the rule on an interval basis after it is created.", - "type": "boolean" - }, - "execution_status": { - "additionalProperties": false, - "properties": { - "error": { - "additionalProperties": false, - "properties": { - "message": { - "description": "Error message.", - "type": "string" - }, - "reason": { - "description": "Reason for error.", - "enum": [ - "read", - "decrypt", - "execute", - "unknown", - "license", - "timeout", - "disabled", - "validate" - ], - "type": "string" - } - }, - "required": [ - "reason", - "message" - ], - "type": "object" - }, - "last_duration": { - "description": "Duration of last execution of the rule.", - "type": "number" - }, - "last_execution_date": { - "description": "The date and time when rule was executed last.", - "type": "string" - }, - "status": { - "description": "Status of rule execution.", - "enum": [ - "ok", - "active", - "error", - "warning", - "pending", - "unknown" - ], - "type": "string" - }, - "warning": { - "additionalProperties": false, - "properties": { - "message": { - "description": "Warning message.", - "type": "string" - }, - "reason": { - "description": "Reason for warning.", - "enum": [ - "maxExecutableActions", - "maxAlerts", - "maxQueuedActions", - "ruleExecution" - ], - "type": "string" - } - }, - "required": [ - "reason", - "message" - ], - "type": "object" - } - }, - "required": [ - "status", - "last_execution_date" - ], - "type": "object" - }, - "flapping": { - "additionalProperties": false, - "nullable": true, - "properties": { - "look_back_window": { - "maximum": 20, - "minimum": 2, - "type": "number" - }, - "status_change_threshold": { - "maximum": 20, - "minimum": 2, - "type": "number" - } - }, - "required": [ - "look_back_window", - "status_change_threshold" - ], - "type": "object" - }, - "id": { - "description": "The identifier for the rule.", - "type": "string" - }, - "is_snoozed_until": { - "description": "The date when the rule will no longer be snoozed.", - "nullable": true, - "type": "string" - }, - "last_run": { - "additionalProperties": false, - "nullable": true, - "properties": { - "alerts_count": { - "additionalProperties": false, - "properties": { - "active": { - "description": "Number of active alerts during last run.", - "nullable": true, - "type": "number" - }, - "ignored": { - "description": "Number of ignored alerts during last run.", - "nullable": true, - "type": "number" - }, - "new": { - "description": "Number of new alerts during last run.", - "nullable": true, - "type": "number" - }, - "recovered": { - "description": "Number of recovered alerts during last run.", - "nullable": true, - "type": "number" - } - }, - "type": "object" - }, - "outcome": { - "description": "Outcome of last run of the rule. Value could be succeeded, warning or failed.", - "enum": [ - "succeeded", - "warning", - "failed" - ], - "type": "string" - }, - "outcome_msg": { - "items": { - "description": "Outcome message generated during last rule run.", - "type": "string" - }, - "nullable": true, - "type": "array" - }, - "outcome_order": { - "description": "Order of the outcome.", - "type": "number" - }, - "warning": { - "description": "Warning of last rule execution.", - "enum": [ - "read", - "decrypt", - "execute", - "unknown", - "license", - "timeout", - "disabled", - "validate", - "maxExecutableActions", - "maxAlerts", - "maxQueuedActions", - "ruleExecution" - ], - "nullable": true, - "type": "string" - } - }, - "required": [ - "outcome", - "alerts_count" - ], - "type": "object" - }, - "mapped_params": { - "additionalProperties": {}, - "type": "object" - }, - "monitoring": { - "additionalProperties": false, - "description": "Monitoring details of the rule.", - "properties": { - "run": { - "additionalProperties": false, - "description": "Rule run details.", - "properties": { - "calculated_metrics": { - "additionalProperties": false, - "description": "Calculation of different percentiles and success ratio.", - "properties": { - "p50": { - "type": "number" - }, - "p95": { - "type": "number" - }, - "p99": { - "type": "number" - }, - "success_ratio": { - "type": "number" - } - }, - "required": [ - "success_ratio" - ], - "type": "object" - }, - "history": { - "description": "History of the rule run.", - "items": { - "additionalProperties": false, - "properties": { - "duration": { - "description": "Duration of the rule run.", - "type": "number" - }, - "outcome": { - "description": "Outcome of last run of the rule. Value could be succeeded, warning or failed.", - "enum": [ - "succeeded", - "warning", - "failed" - ], - "type": "string" - }, - "success": { - "description": "Indicates whether the rule run was successful.", - "type": "boolean" - }, - "timestamp": { - "description": "Time of rule run.", - "type": "number" - } - }, - "required": [ - "success", - "timestamp" - ], - "type": "object" - }, - "type": "array" - }, - "last_run": { - "additionalProperties": false, - "properties": { - "metrics": { - "additionalProperties": false, - "properties": { - "duration": { - "description": "Duration of most recent rule run.", - "type": "number" - }, - "gap_duration_s": { - "description": "Duration in seconds of rule run gap.", - "nullable": true, - "type": "number" - }, - "total_alerts_created": { - "description": "Total number of alerts created during last rule run.", - "nullable": true, - "type": "number" - }, - "total_alerts_detected": { - "description": "Total number of alerts detected during last rule run.", - "nullable": true, - "type": "number" - }, - "total_indexing_duration_ms": { - "description": "Total time spent indexing documents during last rule run in milliseconds.", - "nullable": true, - "type": "number" - }, - "total_search_duration_ms": { - "description": "Total time spent performing Elasticsearch searches as measured by Kibana; includes network latency and time spent serializing or deserializing the request and response.", - "nullable": true, - "type": "number" - } - }, - "type": "object" - }, - "timestamp": { - "description": "Time of the most recent rule run.", - "type": "string" - } - }, - "required": [ - "timestamp", - "metrics" - ], - "type": "object" - } - }, - "required": [ - "history", - "calculated_metrics", - "last_run" - ], - "type": "object" - } - }, - "required": [ - "run" - ], - "type": "object" - }, - "mute_all": { - "description": "Indicates whether all alerts are muted.", - "type": "boolean" - }, - "muted_alert_ids": { - "items": { - "description": "List of identifiers of muted alerts. ", - "type": "string" - }, - "type": "array" - }, - "name": { - "description": " The name of the rule.", - "type": "string" - }, - "next_run": { - "description": "Date and time of the next run of the rule.", - "nullable": true, - "type": "string" - }, - "notify_when": { - "description": "Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.", - "enum": [ - "onActionGroupChange", - "onActiveAlert", - "onThrottleInterval" - ], - "nullable": true, - "type": "string" - }, - "params": { - "additionalProperties": {}, - "description": "The parameters for the rule.", - "type": "object" - }, - "revision": { - "description": "The rule revision number.", - "type": "number" - }, - "rule_type_id": { - "description": "The rule type identifier.", - "type": "string" - }, - "running": { - "description": "Indicates whether the rule is running.", - "nullable": true, - "type": "boolean" - }, - "schedule": { - "additionalProperties": false, - "properties": { - "interval": { - "description": "The interval is specified in seconds, minutes, hours, or days.", - "type": "string" - } - }, - "required": [ - "interval" - ], - "type": "object" - }, - "scheduled_task_id": { - "description": "Identifier of the scheduled task.", - "type": "string" - }, - "snooze_schedule": { - "items": { - "additionalProperties": false, - "properties": { - "duration": { - "description": "Duration of the rule snooze schedule.", - "type": "number" - }, - "id": { - "description": "Identifier of the rule snooze schedule.", - "type": "string" - }, - "rRule": { - "additionalProperties": false, - "properties": { - "byhour": { - "items": { - "description": "Indicates hours of the day to recur.", - "type": "number" - }, - "nullable": true, - "type": "array" - }, - "byminute": { - "items": { - "description": "Indicates minutes of the hour to recur.", - "type": "number" - }, - "nullable": true, - "type": "array" - }, - "bymonth": { - "items": { - "description": "Indicates months of the year that this rule should recur.", - "type": "number" - }, - "nullable": true, - "type": "array" - }, - "bymonthday": { - "items": { - "description": "Indicates the days of the month to recur.", - "type": "number" - }, - "nullable": true, - "type": "array" - }, - "bysecond": { - "items": { - "description": "Indicates seconds of the day to recur.", - "type": "number" - }, - "nullable": true, - "type": "array" - }, - "bysetpos": { - "items": { - "description": "A positive or negative integer affecting the nth day of the month. For example, -2 combined with `byweekday` of FR is 2nd to last Friday of the month. It is recommended to not set this manually and just use `byweekday`.", - "type": "number" - }, - "nullable": true, - "type": "array" - }, - "byweekday": { - "items": { - "anyOf": [ - { - "type": "string" - }, - { - "type": "number" - } - ], - "description": "Indicates the days of the week to recur or else nth-day-of-month strings. For example, \"+2TU\" second Tuesday of month, \"-1FR\" last Friday of the month, which are internally converted to a `byweekday/bysetpos` combination." - }, - "nullable": true, - "type": "array" - }, - "byweekno": { - "items": { - "description": "Indicates number of the week hours to recur.", - "type": "number" - }, - "nullable": true, - "type": "array" - }, - "byyearday": { - "items": { - "description": "Indicates the days of the year that this rule should recur.", - "type": "number" - }, - "nullable": true, - "type": "array" - }, - "count": { - "description": "Number of times the rule should recur until it stops.", - "type": "number" - }, - "dtstart": { - "description": "Rule start date in Coordinated Universal Time (UTC).", - "type": "string" - }, - "freq": { - "description": "Indicates frequency of the rule. Options are YEARLY, MONTHLY, WEEKLY, DAILY.", - "enum": [ - 0, - 1, - 2, - 3, - 4, - 5, - 6 - ], - "type": "integer" - }, - "interval": { - "description": "Indicates the interval of frequency. For example, 1 and YEARLY is every 1 year, 2 and WEEKLY is every 2 weeks.", - "type": "number" - }, - "tzid": { - "description": "Indicates timezone abbreviation.", - "type": "string" - }, - "until": { - "description": "Recur the rule until this date.", - "type": "string" - }, - "wkst": { - "description": "Indicates the start of week, defaults to Monday.", - "enum": [ - "MO", - "TU", - "WE", - "TH", - "FR", - "SA", - "SU" - ], - "type": "string" - } - }, - "required": [ - "dtstart", - "tzid" - ], - "type": "object" - }, - "skipRecurrences": { - "items": { - "description": "Skips recurrence of rule on this date.", - "type": "string" - }, - "type": "array" - } - }, - "required": [ - "duration", - "rRule" - ], - "type": "object" - }, - "type": "array" - }, - "tags": { - "items": { - "description": "The tags for the rule.", - "type": "string" - }, - "type": "array" - }, - "throttle": { - "deprecated": true, - "description": "Deprecated in 8.13.0. Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.", - "nullable": true, - "type": "string" - }, - "updated_at": { - "description": "The date and time that the rule was updated most recently.", - "type": "string" - }, - "updated_by": { - "description": "The identifier for the user that updated this rule most recently.", - "nullable": true, - "type": "string" - }, - "view_in_app_relative_url": { - "description": "Relative URL to view rule in the app.", - "nullable": true, - "type": "string" - } - }, - "required": [ - "id", - "enabled", - "name", - "tags", - "rule_type_id", - "consumer", - "schedule", - "actions", - "params", - "created_by", - "updated_by", - "created_at", - "updated_at", - "api_key_owner", - "mute_all", - "muted_alert_ids", - "execution_status", - "revision" - ], - "type": "object" - } - } - }, - "description": "Indicates a successful call." - }, - "400": { - "description": "Indicates an invalid schema or parameters." - }, - "403": { - "description": "Indicates that this call is forbidden." - }, - "404": { - "description": "Indicates a rule with the given ID does not exist." - } - }, - "summary": "Get rule details", - "tags": [ - "alerting" - ] - }, - "post": { - "operationId": "%2Fapi%2Falerting%2Frule%2F%7Bid%3F%7D#0", - "parameters": [ - { - "description": "The version of the API to use", - "in": "header", - "name": "elastic-api-version", - "schema": { - "default": "2023-10-31", - "enum": [ - "2023-10-31" - ], - "type": "string" - } - }, - { - "description": "A required header to protect against CSRF attacks", - "in": "header", - "name": "kbn-xsrf", - "required": true, - "schema": { - "example": "true", - "type": "string" - } - }, - { - "description": "The identifier for the rule. If it is omitted, an ID is randomly generated.", - "in": "path", - "name": "id", - "required": false, - "schema": { - "type": "string" - } - } - ], - "requestBody": { - "content": { - "application/json; Elastic-Api-Version=2023-10-31": { - "schema": { - "additionalProperties": false, - "properties": { - "actions": { - "default": [], - "items": { - "additionalProperties": false, - "description": "An action that runs under defined conditions.", - "properties": { - "alerts_filter": { - "additionalProperties": false, - "description": "Conditions that affect whether the action runs. If you specify multiple conditions, all conditions must be met for the action to run. For example, if an alert occurs within the specified time frame and matches the query, the action runs.", - "properties": { - "query": { - "additionalProperties": false, - "properties": { - "dsl": { - "description": "A filter written in Elasticsearch Query Domain Specific Language (DSL).", - "type": "string" - }, - "filters": { - "description": "A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.", - "items": { - "additionalProperties": false, - "properties": { - "$state": { - "additionalProperties": false, - "properties": { - "store": { - "description": "A filter can be either specific to an application context or applied globally.", - "enum": [ - "appState", - "globalState" - ], - "type": "string" - } - }, - "required": [ - "store" - ], - "type": "object" - }, - "meta": { - "additionalProperties": {}, - "type": "object" - }, - "query": { - "additionalProperties": {}, - "type": "object" - } - }, - "required": [ - "meta" - ], - "type": "object" - }, - "type": "array" - }, - "kql": { - "description": "A filter written in Kibana Query Language (KQL).", - "type": "string" - } - }, - "required": [ - "kql", - "filters" - ], - "type": "object" - }, - "timeframe": { - "additionalProperties": false, - "description": "Defines a period that limits whether the action runs.", - "properties": { - "days": { - "description": "Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.", - "items": { - "enum": [ - 1, - 2, - 3, - 4, - 5, - 6, - 7 - ], - "type": "integer" - }, - "type": "array" - }, - "hours": { - "additionalProperties": false, - "description": "Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day.", - "properties": { - "end": { - "description": "The end of the time frame in 24-hour notation (`hh:mm`).", - "type": "string" - }, - "start": { - "description": "The start of the time frame in 24-hour notation (`hh:mm`).", - "type": "string" - } - }, - "required": [ - "start", - "end" - ], - "type": "object" - }, - "timezone": { - "description": "The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended.", - "type": "string" - } - }, - "required": [ - "days", - "hours", - "timezone" - ], - "type": "object" - } - }, - "type": "object" - }, - "frequency": { - "additionalProperties": false, - "properties": { - "notify_when": { - "description": "Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.", - "enum": [ - "onActionGroupChange", - "onActiveAlert", - "onThrottleInterval" - ], - "type": "string" - }, - "summary": { - "description": "Indicates whether the action is a summary.", - "type": "boolean" - }, - "throttle": { - "description": "The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.", - "nullable": true, - "type": "string" - } - }, - "required": [ - "summary", - "notify_when", - "throttle" - ], - "type": "object" - }, - "group": { - "description": "The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.", - "type": "string" - }, - "id": { - "description": "The identifier for the connector saved object.", - "type": "string" - }, - "params": { - "additionalProperties": {}, - "default": {}, - "description": "The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.", - "type": "object" - }, - "use_alert_data_for_template": { - "description": "Indicates whether to use alert data as a template.", - "type": "boolean" - }, - "uuid": { - "description": "A universally unique identifier (UUID) for the action.", - "type": "string" - } - }, - "required": [ - "id" - ], - "type": "object" - }, - "type": "array" - }, - "alert_delay": { - "additionalProperties": false, - "description": "Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.", - "properties": { - "active": { - "description": "The number of consecutive runs that must meet the rule conditions.", - "type": "number" - } - }, - "required": [ - "active" - ], - "type": "object" - }, - "consumer": { - "description": "The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.", - "type": "string" - }, - "enabled": { - "default": true, - "description": "Indicates whether you want to run the rule on an interval basis after it is created.", - "type": "boolean" - }, - "flapping": { - "additionalProperties": false, - "nullable": true, - "properties": { - "look_back_window": { - "maximum": 20, - "minimum": 2, - "type": "number" - }, - "status_change_threshold": { - "maximum": 20, - "minimum": 2, - "type": "number" - } - }, - "required": [ - "look_back_window", - "status_change_threshold" - ], - "type": "object" - }, - "name": { - "description": "The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.", - "type": "string" - }, - "notify_when": { - "description": "Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.", - "enum": [ - "onActionGroupChange", - "onActiveAlert", - "onThrottleInterval" - ], - "nullable": true, - "type": "string" - }, - "params": { - "additionalProperties": {}, - "default": {}, - "description": "The parameters for the rule.", - "type": "object" - }, - "rule_type_id": { - "description": "The rule type identifier.", - "type": "string" - }, - "schedule": { - "additionalProperties": false, - "description": "The check interval, which specifies how frequently the rule conditions are checked.", - "properties": { - "interval": { - "description": "The interval is specified in seconds, minutes, hours, or days.", - "type": "string" - } - }, - "required": [ - "interval" - ], - "type": "object" - }, - "tags": { - "default": [], - "description": "The tags for the rule.", - "items": { - "type": "string" - }, - "type": "array" - }, - "throttle": { - "description": "Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.", - "nullable": true, - "type": "string" - } - }, - "required": [ - "name", - "rule_type_id", - "consumer", - "schedule" - ], - "type": "object" - } - } - } - }, - "responses": { - "200": { - "content": { - "application/json; Elastic-Api-Version=2023-10-31": { - "schema": { - "additionalProperties": false, - "properties": { - "actions": { - "items": { - "additionalProperties": false, - "properties": { - "alerts_filter": { - "additionalProperties": false, - "description": "Defines a period that limits whether the action runs.", - "properties": { - "query": { - "additionalProperties": false, - "properties": { - "dsl": { - "description": "A filter written in Elasticsearch Query Domain Specific Language (DSL).", - "type": "string" - }, - "filters": { - "description": "A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.", - "items": { - "additionalProperties": false, - "properties": { - "$state": { - "additionalProperties": false, - "properties": { - "store": { - "description": "A filter can be either specific to an application context or applied globally.", - "enum": [ - "appState", - "globalState" - ], - "type": "string" - } - }, - "required": [ - "store" - ], - "type": "object" - }, - "meta": { - "additionalProperties": {}, - "type": "object" - }, - "query": { - "additionalProperties": {}, - "type": "object" - } - }, - "required": [ - "meta" - ], - "type": "object" - }, - "type": "array" - }, - "kql": { - "description": "A filter written in Kibana Query Language (KQL).", - "type": "string" - } - }, - "required": [ - "kql", - "filters" - ], - "type": "object" - }, - "timeframe": { - "additionalProperties": false, - "properties": { - "days": { - "description": "Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.", - "items": { - "enum": [ - 1, - 2, - 3, - 4, - 5, - 6, - 7 - ], - "type": "integer" - }, - "type": "array" - }, - "hours": { - "additionalProperties": false, - "properties": { - "end": { - "description": "The end of the time frame in 24-hour notation (`hh:mm`).", - "type": "string" - }, - "start": { - "description": "The start of the time frame in 24-hour notation (`hh:mm`).", - "type": "string" - } - }, - "required": [ - "start", - "end" - ], - "type": "object" - }, - "timezone": { - "description": "The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended.", - "type": "string" - } - }, - "required": [ - "days", - "hours", - "timezone" - ], - "type": "object" - } - }, - "type": "object" - }, - "connector_type_id": { - "description": "The type of connector. This property appears in responses but cannot be set in requests.", - "type": "string" - }, - "frequency": { - "additionalProperties": false, - "properties": { - "notify_when": { - "description": "Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.", - "enum": [ - "onActionGroupChange", - "onActiveAlert", - "onThrottleInterval" - ], - "type": "string" - }, - "summary": { - "description": "Indicates whether the action is a summary.", - "type": "boolean" - }, - "throttle": { - "description": "The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if 'notify_when' is set to 'onThrottleInterval'. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.", - "nullable": true, - "type": "string" - } - }, - "required": [ - "summary", - "notify_when", - "throttle" - ], - "type": "object" - }, - "group": { - "description": "The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.", - "type": "string" - }, - "id": { - "description": "The identifier for the connector saved object.", - "type": "string" - }, - "params": { - "additionalProperties": {}, - "description": "The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.", - "type": "object" - }, - "use_alert_data_for_template": { - "description": "Indicates whether to use alert data as a template.", - "type": "boolean" - }, - "uuid": { - "description": "A universally unique identifier (UUID) for the action.", - "type": "string" - } - }, - "required": [ - "id", - "connector_type_id", - "params" - ], - "type": "object" - }, - "type": "array" - }, - "active_snoozes": { - "items": { - "description": "List of active snoozes for the rule.", - "type": "string" - }, - "type": "array" - }, - "alert_delay": { - "additionalProperties": false, - "description": "Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.", - "properties": { - "active": { - "description": "The number of consecutive runs that must meet the rule conditions.", - "type": "number" - } - }, - "required": [ - "active" - ], - "type": "object" - }, - "api_key_created_by_user": { - "description": "Indicates whether the API key that is associated with the rule was created by the user.", - "nullable": true, - "type": "boolean" - }, - "api_key_owner": { - "description": "The owner of the API key that is associated with the rule and used to run background tasks.", - "nullable": true, - "type": "string" - }, - "consumer": { - "description": "The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.", - "type": "string" - }, - "created_at": { - "description": "The date and time that the rule was created.", - "type": "string" - }, - "created_by": { - "description": "The identifier for the user that created the rule.", - "nullable": true, - "type": "string" - }, - "enabled": { - "description": "Indicates whether you want to run the rule on an interval basis after it is created.", - "type": "boolean" - }, - "execution_status": { - "additionalProperties": false, - "properties": { - "error": { - "additionalProperties": false, - "properties": { - "message": { - "description": "Error message.", - "type": "string" - }, - "reason": { - "description": "Reason for error.", - "enum": [ - "read", - "decrypt", - "execute", - "unknown", - "license", - "timeout", - "disabled", - "validate" - ], - "type": "string" - } - }, - "required": [ - "reason", - "message" - ], - "type": "object" - }, - "last_duration": { - "description": "Duration of last execution of the rule.", - "type": "number" - }, - "last_execution_date": { - "description": "The date and time when rule was executed last.", - "type": "string" - }, - "status": { - "description": "Status of rule execution.", - "enum": [ - "ok", - "active", - "error", - "warning", - "pending", - "unknown" - ], - "type": "string" - }, - "warning": { - "additionalProperties": false, - "properties": { - "message": { - "description": "Warning message.", - "type": "string" - }, - "reason": { - "description": "Reason for warning.", - "enum": [ - "maxExecutableActions", - "maxAlerts", - "maxQueuedActions", - "ruleExecution" - ], - "type": "string" - } - }, - "required": [ - "reason", - "message" - ], - "type": "object" - } - }, - "required": [ - "status", - "last_execution_date" - ], - "type": "object" - }, - "flapping": { - "additionalProperties": false, - "nullable": true, - "properties": { - "look_back_window": { - "maximum": 20, - "minimum": 2, - "type": "number" - }, - "status_change_threshold": { - "maximum": 20, - "minimum": 2, - "type": "number" - } - }, - "required": [ - "look_back_window", - "status_change_threshold" - ], - "type": "object" - }, - "id": { - "description": "The identifier for the rule.", - "type": "string" - }, - "is_snoozed_until": { - "description": "The date when the rule will no longer be snoozed.", - "nullable": true, - "type": "string" - }, - "last_run": { - "additionalProperties": false, - "nullable": true, - "properties": { - "alerts_count": { - "additionalProperties": false, - "properties": { - "active": { - "description": "Number of active alerts during last run.", - "nullable": true, - "type": "number" - }, - "ignored": { - "description": "Number of ignored alerts during last run.", - "nullable": true, - "type": "number" - }, - "new": { - "description": "Number of new alerts during last run.", - "nullable": true, - "type": "number" - }, - "recovered": { - "description": "Number of recovered alerts during last run.", - "nullable": true, - "type": "number" - } - }, - "type": "object" - }, - "outcome": { - "description": "Outcome of last run of the rule. Value could be succeeded, warning or failed.", - "enum": [ - "succeeded", - "warning", - "failed" - ], - "type": "string" - }, - "outcome_msg": { - "items": { - "description": "Outcome message generated during last rule run.", - "type": "string" - }, - "nullable": true, - "type": "array" - }, - "outcome_order": { - "description": "Order of the outcome.", - "type": "number" - }, - "warning": { - "description": "Warning of last rule execution.", - "enum": [ - "read", - "decrypt", - "execute", - "unknown", - "license", - "timeout", - "disabled", - "validate", - "maxExecutableActions", - "maxAlerts", - "maxQueuedActions", - "ruleExecution" - ], - "nullable": true, - "type": "string" - } - }, - "required": [ - "outcome", - "alerts_count" - ], - "type": "object" - }, - "mapped_params": { - "additionalProperties": {}, - "type": "object" - }, - "monitoring": { - "additionalProperties": false, - "description": "Monitoring details of the rule.", - "properties": { - "run": { - "additionalProperties": false, - "description": "Rule run details.", - "properties": { - "calculated_metrics": { - "additionalProperties": false, - "description": "Calculation of different percentiles and success ratio.", - "properties": { - "p50": { - "type": "number" - }, - "p95": { - "type": "number" - }, - "p99": { - "type": "number" - }, - "success_ratio": { - "type": "number" - } - }, - "required": [ - "success_ratio" - ], - "type": "object" - }, - "history": { - "description": "History of the rule run.", - "items": { - "additionalProperties": false, - "properties": { - "duration": { - "description": "Duration of the rule run.", - "type": "number" - }, - "outcome": { - "description": "Outcome of last run of the rule. Value could be succeeded, warning or failed.", - "enum": [ - "succeeded", - "warning", - "failed" - ], - "type": "string" - }, - "success": { - "description": "Indicates whether the rule run was successful.", - "type": "boolean" - }, - "timestamp": { - "description": "Time of rule run.", - "type": "number" - } - }, - "required": [ - "success", - "timestamp" - ], - "type": "object" - }, - "type": "array" - }, - "last_run": { - "additionalProperties": false, - "properties": { - "metrics": { - "additionalProperties": false, - "properties": { - "duration": { - "description": "Duration of most recent rule run.", - "type": "number" - }, - "gap_duration_s": { - "description": "Duration in seconds of rule run gap.", - "nullable": true, - "type": "number" - }, - "total_alerts_created": { - "description": "Total number of alerts created during last rule run.", - "nullable": true, - "type": "number" - }, - "total_alerts_detected": { - "description": "Total number of alerts detected during last rule run.", - "nullable": true, - "type": "number" - }, - "total_indexing_duration_ms": { - "description": "Total time spent indexing documents during last rule run in milliseconds.", - "nullable": true, - "type": "number" - }, - "total_search_duration_ms": { - "description": "Total time spent performing Elasticsearch searches as measured by Kibana; includes network latency and time spent serializing or deserializing the request and response.", - "nullable": true, - "type": "number" - } - }, - "type": "object" - }, - "timestamp": { - "description": "Time of the most recent rule run.", - "type": "string" - } - }, - "required": [ - "timestamp", - "metrics" - ], - "type": "object" - } - }, - "required": [ - "history", - "calculated_metrics", - "last_run" - ], - "type": "object" - } - }, - "required": [ - "run" - ], - "type": "object" - }, - "mute_all": { - "description": "Indicates whether all alerts are muted.", - "type": "boolean" - }, - "muted_alert_ids": { - "items": { - "description": "List of identifiers of muted alerts. ", - "type": "string" - }, - "type": "array" - }, - "name": { - "description": " The name of the rule.", - "type": "string" - }, - "next_run": { - "description": "Date and time of the next run of the rule.", - "nullable": true, - "type": "string" - }, - "notify_when": { - "description": "Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.", - "enum": [ - "onActionGroupChange", - "onActiveAlert", - "onThrottleInterval" - ], - "nullable": true, - "type": "string" - }, - "params": { - "additionalProperties": {}, - "description": "The parameters for the rule.", - "type": "object" - }, - "revision": { - "description": "The rule revision number.", - "type": "number" - }, - "rule_type_id": { - "description": "The rule type identifier.", - "type": "string" - }, - "running": { - "description": "Indicates whether the rule is running.", - "nullable": true, - "type": "boolean" - }, - "schedule": { - "additionalProperties": false, - "properties": { - "interval": { - "description": "The interval is specified in seconds, minutes, hours, or days.", - "type": "string" - } - }, - "required": [ - "interval" - ], - "type": "object" - }, - "scheduled_task_id": { - "description": "Identifier of the scheduled task.", - "type": "string" - }, - "snooze_schedule": { - "items": { - "additionalProperties": false, - "properties": { - "duration": { - "description": "Duration of the rule snooze schedule.", - "type": "number" - }, - "id": { - "description": "Identifier of the rule snooze schedule.", - "type": "string" - }, - "rRule": { - "additionalProperties": false, - "properties": { - "byhour": { - "items": { - "description": "Indicates hours of the day to recur.", - "type": "number" - }, - "nullable": true, - "type": "array" - }, - "byminute": { - "items": { - "description": "Indicates minutes of the hour to recur.", - "type": "number" - }, - "nullable": true, - "type": "array" - }, - "bymonth": { - "items": { - "description": "Indicates months of the year that this rule should recur.", - "type": "number" - }, - "nullable": true, - "type": "array" - }, - "bymonthday": { - "items": { - "description": "Indicates the days of the month to recur.", - "type": "number" - }, - "nullable": true, - "type": "array" - }, - "bysecond": { - "items": { - "description": "Indicates seconds of the day to recur.", - "type": "number" - }, - "nullable": true, - "type": "array" - }, - "bysetpos": { - "items": { - "description": "A positive or negative integer affecting the nth day of the month. For example, -2 combined with `byweekday` of FR is 2nd to last Friday of the month. It is recommended to not set this manually and just use `byweekday`.", - "type": "number" - }, - "nullable": true, - "type": "array" - }, - "byweekday": { - "items": { - "anyOf": [ - { - "type": "string" - }, - { - "type": "number" - } - ], - "description": "Indicates the days of the week to recur or else nth-day-of-month strings. For example, \"+2TU\" second Tuesday of month, \"-1FR\" last Friday of the month, which are internally converted to a `byweekday/bysetpos` combination." - }, - "nullable": true, - "type": "array" - }, - "byweekno": { - "items": { - "description": "Indicates number of the week hours to recur.", - "type": "number" - }, - "nullable": true, - "type": "array" - }, - "byyearday": { - "items": { - "description": "Indicates the days of the year that this rule should recur.", - "type": "number" - }, - "nullable": true, - "type": "array" - }, - "count": { - "description": "Number of times the rule should recur until it stops.", - "type": "number" - }, - "dtstart": { - "description": "Rule start date in Coordinated Universal Time (UTC).", - "type": "string" - }, - "freq": { - "description": "Indicates frequency of the rule. Options are YEARLY, MONTHLY, WEEKLY, DAILY.", - "enum": [ - 0, - 1, - 2, - 3, - 4, - 5, - 6 - ], - "type": "integer" - }, - "interval": { - "description": "Indicates the interval of frequency. For example, 1 and YEARLY is every 1 year, 2 and WEEKLY is every 2 weeks.", - "type": "number" - }, - "tzid": { - "description": "Indicates timezone abbreviation.", - "type": "string" - }, - "until": { - "description": "Recur the rule until this date.", - "type": "string" - }, - "wkst": { - "description": "Indicates the start of week, defaults to Monday.", - "enum": [ - "MO", - "TU", - "WE", - "TH", - "FR", - "SA", - "SU" - ], - "type": "string" - } - }, - "required": [ - "dtstart", - "tzid" - ], - "type": "object" - }, - "skipRecurrences": { - "items": { - "description": "Skips recurrence of rule on this date.", - "type": "string" - }, - "type": "array" - } - }, - "required": [ - "duration", - "rRule" - ], - "type": "object" - }, - "type": "array" - }, - "tags": { - "items": { - "description": "The tags for the rule.", - "type": "string" - }, - "type": "array" - }, - "throttle": { - "deprecated": true, - "description": "Deprecated in 8.13.0. Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.", - "nullable": true, - "type": "string" - }, - "updated_at": { - "description": "The date and time that the rule was updated most recently.", - "type": "string" - }, - "updated_by": { - "description": "The identifier for the user that updated this rule most recently.", - "nullable": true, - "type": "string" - }, - "view_in_app_relative_url": { - "description": "Relative URL to view rule in the app.", - "nullable": true, - "type": "string" - } - }, - "required": [ - "id", - "enabled", - "name", - "tags", - "rule_type_id", - "consumer", - "schedule", - "actions", - "params", - "created_by", - "updated_by", - "created_at", - "updated_at", - "api_key_owner", - "mute_all", - "muted_alert_ids", - "execution_status", - "revision" - ], - "type": "object" - } - } - }, - "description": "Indicates a successful call." - }, - "400": { - "description": "Indicates an invalid schema or parameters." - }, - "403": { - "description": "Indicates that this call is forbidden." - }, - "409": { - "description": "Indicates that the rule id is already in use." - } - }, - "summary": "Create a rule", - "tags": [ - "alerting" - ] - }, - "put": { - "operationId": "%2Fapi%2Falerting%2Frule%2F%7Bid%7D#1", - "parameters": [ - { - "description": "The version of the API to use", - "in": "header", - "name": "elastic-api-version", - "schema": { - "default": "2023-10-31", - "enum": [ - "2023-10-31" - ], - "type": "string" - } - }, - { - "description": "A required header to protect against CSRF attacks", - "in": "header", - "name": "kbn-xsrf", - "required": true, - "schema": { - "example": "true", - "type": "string" - } - }, - { - "description": "The identifier for the rule.", - "in": "path", - "name": "id", - "required": true, - "schema": { - "type": "string" - } - } - ], - "requestBody": { - "content": { - "application/json; Elastic-Api-Version=2023-10-31": { - "schema": { - "additionalProperties": false, - "properties": { - "actions": { - "default": [], - "items": { - "additionalProperties": false, - "description": "An action that runs under defined conditions.", - "properties": { - "alerts_filter": { - "additionalProperties": false, - "properties": { - "query": { - "additionalProperties": false, - "properties": { - "dsl": { - "description": "A filter written in Elasticsearch Query Domain Specific Language (DSL).", - "type": "string" - }, - "filters": { - "description": "A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.", - "items": { - "additionalProperties": false, - "properties": { - "$state": { - "additionalProperties": false, - "properties": { - "store": { - "description": "A filter can be either specific to an application context or applied globally.", - "enum": [ - "appState", - "globalState" - ], - "type": "string" - } - }, - "required": [ - "store" - ], - "type": "object" - }, - "meta": { - "additionalProperties": {}, - "type": "object" - }, - "query": { - "additionalProperties": {}, - "type": "object" - } - }, - "required": [ - "meta" - ], - "type": "object" - }, - "type": "array" - }, - "kql": { - "description": "A filter written in Kibana Query Language (KQL).", - "type": "string" - } - }, - "required": [ - "kql", - "filters" - ], - "type": "object" - }, - "timeframe": { - "additionalProperties": false, - "description": "Defines a period that limits whether the action runs.", - "properties": { - "days": { - "description": "Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.", - "items": { - "enum": [ - 1, - 2, - 3, - 4, - 5, - 6, - 7 - ], - "type": "integer" - }, - "type": "array" - }, - "hours": { - "additionalProperties": false, - "description": "Defines the range of time in a day that the action can run. If the `start` value is `00:00` and the `end` value is `24:00`, actions be generated all day.", - "properties": { - "end": { - "description": "The end of the time frame in 24-hour notation (`hh:mm`).", - "type": "string" - }, - "start": { - "description": "The start of the time frame in 24-hour notation (`hh:mm`).", - "type": "string" - } - }, - "required": [ - "start", - "end" - ], - "type": "object" - }, - "timezone": { - "description": "The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended.", - "type": "string" - } - }, - "required": [ - "days", - "hours", - "timezone" - ], - "type": "object" - } - }, - "type": "object" - }, - "frequency": { - "additionalProperties": false, - "properties": { - "notify_when": { - "description": "Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.", - "enum": [ - "onActionGroupChange", - "onActiveAlert", - "onThrottleInterval" - ], - "type": "string" - }, - "summary": { - "description": "Indicates whether the action is a summary.", - "type": "boolean" - }, - "throttle": { - "description": "The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if `notify_when` is set to `onThrottleInterval`. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.", - "nullable": true, - "type": "string" - } - }, - "required": [ - "summary", - "notify_when", - "throttle" - ], - "type": "object" - }, - "group": { - "description": "The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.", - "type": "string" - }, - "id": { - "description": "The identifier for the connector saved object.", - "type": "string" - }, - "params": { - "additionalProperties": {}, - "default": {}, - "description": "The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.", - "type": "object" - }, - "use_alert_data_for_template": { - "description": "Indicates whether to use alert data as a template.", - "type": "boolean" - }, - "uuid": { - "description": "A universally unique identifier (UUID) for the action.", - "type": "string" - } - }, - "required": [ - "id" - ], - "type": "object" - }, - "type": "array" - }, - "alert_delay": { - "additionalProperties": false, - "description": "Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.", - "properties": { - "active": { - "description": "The number of consecutive runs that must meet the rule conditions.", - "type": "number" - } - }, - "required": [ - "active" - ], - "type": "object" - }, - "flapping": { - "additionalProperties": false, - "nullable": true, - "properties": { - "look_back_window": { - "maximum": 20, - "minimum": 2, - "type": "number" - }, - "status_change_threshold": { - "maximum": 20, - "minimum": 2, - "type": "number" - } - }, - "required": [ - "look_back_window", - "status_change_threshold" - ], - "type": "object" - }, - "name": { - "description": "The name of the rule. While this name does not have to be unique, a distinctive name can help you identify a rule.", - "type": "string" - }, - "notify_when": { - "description": "Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.", - "enum": [ - "onActionGroupChange", - "onActiveAlert", - "onThrottleInterval" - ], - "nullable": true, - "type": "string" - }, - "params": { - "additionalProperties": {}, - "default": {}, - "description": "The parameters for the rule.", - "type": "object" - }, - "schedule": { - "additionalProperties": false, - "properties": { - "interval": { - "description": "The interval is specified in seconds, minutes, hours, or days.", - "type": "string" - } - }, - "required": [ - "interval" - ], - "type": "object" - }, - "tags": { - "default": [], - "items": { - "description": "The tags for the rule.", - "type": "string" - }, - "type": "array" - }, - "throttle": { - "description": "Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.", - "nullable": true, - "type": "string" - } - }, - "required": [ - "name", - "schedule" - ], - "type": "object" - } - } - } - }, - "responses": { - "200": { - "content": { - "application/json; Elastic-Api-Version=2023-10-31": { - "schema": { - "additionalProperties": false, - "properties": { - "actions": { - "items": { - "additionalProperties": false, - "properties": { - "alerts_filter": { - "additionalProperties": false, - "description": "Defines a period that limits whether the action runs.", - "properties": { - "query": { - "additionalProperties": false, - "properties": { - "dsl": { - "description": "A filter written in Elasticsearch Query Domain Specific Language (DSL).", - "type": "string" - }, - "filters": { - "description": "A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.", - "items": { - "additionalProperties": false, - "properties": { - "$state": { - "additionalProperties": false, - "properties": { - "store": { - "description": "A filter can be either specific to an application context or applied globally.", - "enum": [ - "appState", - "globalState" - ], - "type": "string" - } - }, - "required": [ - "store" - ], - "type": "object" - }, - "meta": { - "additionalProperties": {}, - "type": "object" - }, - "query": { - "additionalProperties": {}, - "type": "object" - } - }, - "required": [ - "meta" - ], - "type": "object" - }, - "type": "array" - }, - "kql": { - "description": "A filter written in Kibana Query Language (KQL).", - "type": "string" - } - }, - "required": [ - "kql", - "filters" - ], - "type": "object" - }, - "timeframe": { - "additionalProperties": false, - "properties": { - "days": { - "description": "Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.", - "items": { - "enum": [ - 1, - 2, - 3, - 4, - 5, - 6, - 7 - ], - "type": "integer" - }, - "type": "array" - }, - "hours": { - "additionalProperties": false, - "properties": { - "end": { - "description": "The end of the time frame in 24-hour notation (`hh:mm`).", - "type": "string" - }, - "start": { - "description": "The start of the time frame in 24-hour notation (`hh:mm`).", - "type": "string" - } - }, - "required": [ - "start", - "end" - ], - "type": "object" - }, - "timezone": { - "description": "The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended.", - "type": "string" - } - }, - "required": [ - "days", - "hours", - "timezone" - ], - "type": "object" - } - }, - "type": "object" - }, - "connector_type_id": { - "description": "The type of connector. This property appears in responses but cannot be set in requests.", - "type": "string" - }, - "frequency": { - "additionalProperties": false, - "properties": { - "notify_when": { - "description": "Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.", - "enum": [ - "onActionGroupChange", - "onActiveAlert", - "onThrottleInterval" - ], - "type": "string" - }, - "summary": { - "description": "Indicates whether the action is a summary.", - "type": "boolean" - }, - "throttle": { - "description": "The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if 'notify_when' is set to 'onThrottleInterval'. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.", - "nullable": true, - "type": "string" - } - }, - "required": [ - "summary", - "notify_when", - "throttle" - ], - "type": "object" - }, - "group": { - "description": "The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.", - "type": "string" - }, - "id": { - "description": "The identifier for the connector saved object.", - "type": "string" - }, - "params": { - "additionalProperties": {}, - "description": "The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.", - "type": "object" - }, - "use_alert_data_for_template": { - "description": "Indicates whether to use alert data as a template.", - "type": "boolean" - }, - "uuid": { - "description": "A universally unique identifier (UUID) for the action.", - "type": "string" - } - }, - "required": [ - "id", - "connector_type_id", - "params" - ], - "type": "object" - }, - "type": "array" - }, - "active_snoozes": { - "items": { - "description": "List of active snoozes for the rule.", - "type": "string" - }, - "type": "array" - }, - "alert_delay": { - "additionalProperties": false, - "description": "Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.", - "properties": { - "active": { - "description": "The number of consecutive runs that must meet the rule conditions.", - "type": "number" - } - }, - "required": [ - "active" - ], - "type": "object" - }, - "api_key_created_by_user": { - "description": "Indicates whether the API key that is associated with the rule was created by the user.", - "nullable": true, - "type": "boolean" - }, - "api_key_owner": { - "description": "The owner of the API key that is associated with the rule and used to run background tasks.", - "nullable": true, - "type": "string" - }, - "consumer": { - "description": "The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.", - "type": "string" - }, - "created_at": { - "description": "The date and time that the rule was created.", - "type": "string" - }, - "created_by": { - "description": "The identifier for the user that created the rule.", - "nullable": true, - "type": "string" - }, - "enabled": { - "description": "Indicates whether you want to run the rule on an interval basis after it is created.", - "type": "boolean" - }, - "execution_status": { - "additionalProperties": false, - "properties": { - "error": { - "additionalProperties": false, - "properties": { - "message": { - "description": "Error message.", - "type": "string" - }, - "reason": { - "description": "Reason for error.", - "enum": [ - "read", - "decrypt", - "execute", - "unknown", - "license", - "timeout", - "disabled", - "validate" - ], - "type": "string" - } - }, - "required": [ - "reason", - "message" - ], - "type": "object" - }, - "last_duration": { - "description": "Duration of last execution of the rule.", - "type": "number" - }, - "last_execution_date": { - "description": "The date and time when rule was executed last.", - "type": "string" - }, - "status": { - "description": "Status of rule execution.", - "enum": [ - "ok", - "active", - "error", - "warning", - "pending", - "unknown" - ], - "type": "string" - }, - "warning": { - "additionalProperties": false, - "properties": { - "message": { - "description": "Warning message.", - "type": "string" - }, - "reason": { - "description": "Reason for warning.", - "enum": [ - "maxExecutableActions", - "maxAlerts", - "maxQueuedActions", - "ruleExecution" - ], - "type": "string" - } - }, - "required": [ - "reason", - "message" - ], - "type": "object" - } - }, - "required": [ - "status", - "last_execution_date" - ], - "type": "object" - }, - "flapping": { - "additionalProperties": false, - "nullable": true, - "properties": { - "look_back_window": { - "maximum": 20, - "minimum": 2, - "type": "number" - }, - "status_change_threshold": { - "maximum": 20, - "minimum": 2, - "type": "number" - } - }, - "required": [ - "look_back_window", - "status_change_threshold" - ], - "type": "object" - }, - "id": { - "description": "The identifier for the rule.", - "type": "string" - }, - "is_snoozed_until": { - "description": "The date when the rule will no longer be snoozed.", - "nullable": true, - "type": "string" - }, - "last_run": { - "additionalProperties": false, - "nullable": true, - "properties": { - "alerts_count": { - "additionalProperties": false, - "properties": { - "active": { - "description": "Number of active alerts during last run.", - "nullable": true, - "type": "number" - }, - "ignored": { - "description": "Number of ignored alerts during last run.", - "nullable": true, - "type": "number" - }, - "new": { - "description": "Number of new alerts during last run.", - "nullable": true, - "type": "number" - }, - "recovered": { - "description": "Number of recovered alerts during last run.", - "nullable": true, - "type": "number" - } - }, - "type": "object" - }, - "outcome": { - "description": "Outcome of last run of the rule. Value could be succeeded, warning or failed.", - "enum": [ - "succeeded", - "warning", - "failed" - ], - "type": "string" - }, - "outcome_msg": { - "items": { - "description": "Outcome message generated during last rule run.", - "type": "string" - }, - "nullable": true, - "type": "array" - }, - "outcome_order": { - "description": "Order of the outcome.", - "type": "number" - }, - "warning": { - "description": "Warning of last rule execution.", - "enum": [ - "read", - "decrypt", - "execute", - "unknown", - "license", - "timeout", - "disabled", - "validate", - "maxExecutableActions", - "maxAlerts", - "maxQueuedActions", - "ruleExecution" - ], - "nullable": true, - "type": "string" - } - }, - "required": [ - "outcome", - "alerts_count" - ], - "type": "object" - }, - "mapped_params": { - "additionalProperties": {}, - "type": "object" - }, - "monitoring": { - "additionalProperties": false, - "description": "Monitoring details of the rule.", - "properties": { - "run": { - "additionalProperties": false, - "description": "Rule run details.", - "properties": { - "calculated_metrics": { - "additionalProperties": false, - "description": "Calculation of different percentiles and success ratio.", - "properties": { - "p50": { - "type": "number" - }, - "p95": { - "type": "number" - }, - "p99": { - "type": "number" - }, - "success_ratio": { - "type": "number" - } - }, - "required": [ - "success_ratio" - ], - "type": "object" - }, - "history": { - "description": "History of the rule run.", - "items": { - "additionalProperties": false, - "properties": { - "duration": { - "description": "Duration of the rule run.", - "type": "number" - }, - "outcome": { - "description": "Outcome of last run of the rule. Value could be succeeded, warning or failed.", - "enum": [ - "succeeded", - "warning", - "failed" - ], - "type": "string" - }, - "success": { - "description": "Indicates whether the rule run was successful.", - "type": "boolean" - }, - "timestamp": { - "description": "Time of rule run.", - "type": "number" - } - }, - "required": [ - "success", - "timestamp" - ], - "type": "object" - }, - "type": "array" - }, - "last_run": { - "additionalProperties": false, - "properties": { - "metrics": { - "additionalProperties": false, - "properties": { - "duration": { - "description": "Duration of most recent rule run.", - "type": "number" - }, - "gap_duration_s": { - "description": "Duration in seconds of rule run gap.", - "nullable": true, - "type": "number" - }, - "total_alerts_created": { - "description": "Total number of alerts created during last rule run.", - "nullable": true, - "type": "number" - }, - "total_alerts_detected": { - "description": "Total number of alerts detected during last rule run.", - "nullable": true, - "type": "number" - }, - "total_indexing_duration_ms": { - "description": "Total time spent indexing documents during last rule run in milliseconds.", - "nullable": true, - "type": "number" - }, - "total_search_duration_ms": { - "description": "Total time spent performing Elasticsearch searches as measured by Kibana; includes network latency and time spent serializing or deserializing the request and response.", - "nullable": true, - "type": "number" - } - }, - "type": "object" - }, - "timestamp": { - "description": "Time of the most recent rule run.", - "type": "string" - } - }, - "required": [ - "timestamp", - "metrics" - ], - "type": "object" - } - }, - "required": [ - "history", - "calculated_metrics", - "last_run" - ], - "type": "object" - } - }, - "required": [ - "run" - ], - "type": "object" - }, - "mute_all": { - "description": "Indicates whether all alerts are muted.", - "type": "boolean" - }, - "muted_alert_ids": { - "items": { - "description": "List of identifiers of muted alerts. ", - "type": "string" - }, - "type": "array" - }, - "name": { - "description": " The name of the rule.", - "type": "string" - }, - "next_run": { - "description": "Date and time of the next run of the rule.", - "nullable": true, - "type": "string" - }, - "notify_when": { - "description": "Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.", - "enum": [ - "onActionGroupChange", - "onActiveAlert", - "onThrottleInterval" - ], - "nullable": true, - "type": "string" - }, - "params": { - "additionalProperties": {}, - "description": "The parameters for the rule.", - "type": "object" - }, - "revision": { - "description": "The rule revision number.", - "type": "number" - }, - "rule_type_id": { - "description": "The rule type identifier.", - "type": "string" - }, - "running": { - "description": "Indicates whether the rule is running.", - "nullable": true, - "type": "boolean" - }, - "schedule": { - "additionalProperties": false, - "properties": { - "interval": { - "description": "The interval is specified in seconds, minutes, hours, or days.", - "type": "string" - } - }, - "required": [ - "interval" - ], - "type": "object" - }, - "scheduled_task_id": { - "description": "Identifier of the scheduled task.", - "type": "string" - }, - "snooze_schedule": { - "items": { - "additionalProperties": false, - "properties": { - "duration": { - "description": "Duration of the rule snooze schedule.", - "type": "number" - }, - "id": { - "description": "Identifier of the rule snooze schedule.", - "type": "string" - }, - "rRule": { - "additionalProperties": false, - "properties": { - "byhour": { - "items": { - "description": "Indicates hours of the day to recur.", - "type": "number" - }, - "nullable": true, - "type": "array" - }, - "byminute": { - "items": { - "description": "Indicates minutes of the hour to recur.", - "type": "number" - }, - "nullable": true, - "type": "array" - }, - "bymonth": { - "items": { - "description": "Indicates months of the year that this rule should recur.", - "type": "number" - }, - "nullable": true, - "type": "array" - }, - "bymonthday": { - "items": { - "description": "Indicates the days of the month to recur.", - "type": "number" - }, - "nullable": true, - "type": "array" - }, - "bysecond": { - "items": { - "description": "Indicates seconds of the day to recur.", - "type": "number" - }, - "nullable": true, - "type": "array" - }, - "bysetpos": { - "items": { - "description": "A positive or negative integer affecting the nth day of the month. For example, -2 combined with `byweekday` of FR is 2nd to last Friday of the month. It is recommended to not set this manually and just use `byweekday`.", - "type": "number" - }, - "nullable": true, - "type": "array" - }, - "byweekday": { - "items": { - "anyOf": [ - { - "type": "string" - }, - { - "type": "number" - } - ], - "description": "Indicates the days of the week to recur or else nth-day-of-month strings. For example, \"+2TU\" second Tuesday of month, \"-1FR\" last Friday of the month, which are internally converted to a `byweekday/bysetpos` combination." - }, - "nullable": true, - "type": "array" - }, - "byweekno": { - "items": { - "description": "Indicates number of the week hours to recur.", - "type": "number" - }, - "nullable": true, - "type": "array" - }, - "byyearday": { - "items": { - "description": "Indicates the days of the year that this rule should recur.", - "type": "number" - }, - "nullable": true, - "type": "array" - }, - "count": { - "description": "Number of times the rule should recur until it stops.", - "type": "number" - }, - "dtstart": { - "description": "Rule start date in Coordinated Universal Time (UTC).", - "type": "string" - }, - "freq": { - "description": "Indicates frequency of the rule. Options are YEARLY, MONTHLY, WEEKLY, DAILY.", - "enum": [ - 0, - 1, - 2, - 3, - 4, - 5, - 6 - ], - "type": "integer" - }, - "interval": { - "description": "Indicates the interval of frequency. For example, 1 and YEARLY is every 1 year, 2 and WEEKLY is every 2 weeks.", - "type": "number" - }, - "tzid": { - "description": "Indicates timezone abbreviation.", - "type": "string" - }, - "until": { - "description": "Recur the rule until this date.", - "type": "string" - }, - "wkst": { - "description": "Indicates the start of week, defaults to Monday.", - "enum": [ - "MO", - "TU", - "WE", - "TH", - "FR", - "SA", - "SU" - ], - "type": "string" - } - }, - "required": [ - "dtstart", - "tzid" - ], - "type": "object" - }, - "skipRecurrences": { - "items": { - "description": "Skips recurrence of rule on this date.", - "type": "string" - }, - "type": "array" - } - }, - "required": [ - "duration", - "rRule" - ], - "type": "object" - }, - "type": "array" - }, - "tags": { - "items": { - "description": "The tags for the rule.", - "type": "string" - }, - "type": "array" - }, - "throttle": { - "deprecated": true, - "description": "Deprecated in 8.13.0. Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.", - "nullable": true, - "type": "string" - }, - "updated_at": { - "description": "The date and time that the rule was updated most recently.", - "type": "string" - }, - "updated_by": { - "description": "The identifier for the user that updated this rule most recently.", - "nullable": true, - "type": "string" - }, - "view_in_app_relative_url": { - "description": "Relative URL to view rule in the app.", - "nullable": true, - "type": "string" - } - }, - "required": [ - "id", - "enabled", - "name", - "tags", - "rule_type_id", - "consumer", - "schedule", - "actions", - "params", - "created_by", - "updated_by", - "created_at", - "updated_at", - "api_key_owner", - "mute_all", - "muted_alert_ids", - "execution_status", - "revision" - ], - "type": "object" - } - } - }, - "description": "Indicates a successful call." - }, - "400": { - "description": "Indicates an invalid schema or parameters." - }, - "403": { - "description": "Indicates that this call is forbidden." - }, - "404": { - "description": "Indicates a rule with the given ID does not exist." - }, - "409": { - "description": "Indicates that the rule has already been updated by another user." - } - }, - "summary": "Update a rule", - "tags": [ - "alerting" - ] - } - }, - "/api/alerting/rule/{id}/_disable": { - "post": { - "operationId": "%2Fapi%2Falerting%2Frule%2F%7Bid%7D%2F_disable#0", - "parameters": [ - { - "description": "The version of the API to use", - "in": "header", - "name": "elastic-api-version", - "schema": { - "default": "2023-10-31", - "enum": [ - "2023-10-31" - ], - "type": "string" - } - }, - { - "description": "A required header to protect against CSRF attacks", - "in": "header", - "name": "kbn-xsrf", - "required": true, - "schema": { - "example": "true", - "type": "string" - } - }, - { - "description": "The identifier for the rule.", - "in": "path", - "name": "id", - "required": true, - "schema": { - "type": "string" - } - } - ], - "requestBody": { - "content": { - "application/json; Elastic-Api-Version=2023-10-31": { - "schema": { - "additionalProperties": false, - "nullable": true, - "properties": { - "untrack": { - "description": "Defines whether this rule's alerts should be untracked.", - "type": "boolean" - } - }, - "type": "object", - "x-oas-optional": true - } - } - } - }, - "responses": { - "204": { - "description": "Indicates a successful call." - }, - "400": { - "description": "Indicates an invalid schema." - }, - "403": { - "description": "Indicates that this call is forbidden." - }, - "404": { - "description": "Indicates a rule with the given ID does not exist." - } - }, - "summary": "Disable a rule", - "tags": [ - "alerting" - ] - } - }, - "/api/alerting/rule/{id}/_enable": { - "post": { - "operationId": "%2Fapi%2Falerting%2Frule%2F%7Bid%7D%2F_enable#0", - "parameters": [ - { - "description": "The version of the API to use", - "in": "header", - "name": "elastic-api-version", - "schema": { - "default": "2023-10-31", - "enum": [ - "2023-10-31" - ], - "type": "string" - } - }, - { - "description": "A required header to protect against CSRF attacks", - "in": "header", - "name": "kbn-xsrf", - "required": true, - "schema": { - "example": "true", - "type": "string" - } - }, - { - "description": "The identifier for the rule.", - "in": "path", - "name": "id", - "required": true, - "schema": { - "type": "string" - } - } - ], - "responses": { - "204": { - "description": "Indicates a successful call." - }, - "400": { - "description": "Indicates an invalid schema or parameters." - }, - "403": { - "description": "Indicates that this call is forbidden." - }, - "404": { - "description": "Indicates a rule with the given ID does not exist." - } - }, - "summary": "Enable a rule", - "tags": [ - "alerting" - ] - } - }, - "/api/alerting/rule/{id}/_mute_all": { - "post": { - "operationId": "%2Fapi%2Falerting%2Frule%2F%7Bid%7D%2F_mute_all#0", - "parameters": [ - { - "description": "The version of the API to use", - "in": "header", - "name": "elastic-api-version", - "schema": { - "default": "2023-10-31", - "enum": [ - "2023-10-31" - ], - "type": "string" - } - }, - { - "description": "A required header to protect against CSRF attacks", - "in": "header", - "name": "kbn-xsrf", - "required": true, - "schema": { - "example": "true", - "type": "string" - } - }, - { - "description": "The identifier for the rule.", - "in": "path", - "name": "id", - "required": true, - "schema": { - "type": "string" - } - } - ], - "responses": { - "204": { - "description": "Indicates a successful call." - }, - "400": { - "description": "Indicates an invalid schema or parameters." - }, - "403": { - "description": "Indicates that this call is forbidden." - }, - "404": { - "description": "Indicates a rule with the given ID does not exist." - } - }, - "summary": "Mute all alerts", - "tags": [ - "alerting" - ] - } - }, - "/api/alerting/rule/{id}/_unmute_all": { - "post": { - "operationId": "%2Fapi%2Falerting%2Frule%2F%7Bid%7D%2F_unmute_all#0", - "parameters": [ - { - "description": "The version of the API to use", - "in": "header", - "name": "elastic-api-version", - "schema": { - "default": "2023-10-31", - "enum": [ - "2023-10-31" - ], - "type": "string" - } - }, - { - "description": "A required header to protect against CSRF attacks", - "in": "header", - "name": "kbn-xsrf", - "required": true, - "schema": { - "example": "true", - "type": "string" - } - }, - { - "description": "The identifier for the rule.", - "in": "path", - "name": "id", - "required": true, - "schema": { - "type": "string" - } - } - ], - "responses": { - "204": { - "description": "Indicates a successful call." - }, - "400": { - "description": "Indicates an invalid schema or parameters." - }, - "403": { - "description": "Indicates that this call is forbidden." - }, - "404": { - "description": "Indicates a rule with the given ID does not exist." - } - }, - "summary": "Unmute all alerts", - "tags": [ - "alerting" - ] - } - }, - "/api/alerting/rule/{id}/_update_api_key": { - "post": { - "operationId": "%2Fapi%2Falerting%2Frule%2F%7Bid%7D%2F_update_api_key#0", - "parameters": [ - { - "description": "The version of the API to use", - "in": "header", - "name": "elastic-api-version", - "schema": { - "default": "2023-10-31", - "enum": [ - "2023-10-31" - ], - "type": "string" - } - }, - { - "description": "A required header to protect against CSRF attacks", - "in": "header", - "name": "kbn-xsrf", - "required": true, - "schema": { - "example": "true", - "type": "string" - } - }, - { - "description": "The identifier for the rule.", - "in": "path", - "name": "id", - "required": true, - "schema": { - "type": "string" - } - } - ], - "responses": { - "204": { - "description": "Indicates a successful call." - }, - "400": { - "description": "Indicates an invalid schema or parameters." - }, - "403": { - "description": "Indicates that this call is forbidden." - }, - "404": { - "description": "Indicates a rule with the given ID does not exist." - }, - "409": { - "description": "Indicates that the rule has already been updated by another user." - } - }, - "summary": "Update the API key for a rule", - "tags": [ - "alerting" - ] - } - }, - "/api/alerting/rule/{rule_id}/alert/{alert_id}/_mute": { - "post": { - "operationId": "%2Fapi%2Falerting%2Frule%2F%7Brule_id%7D%2Falert%2F%7Balert_id%7D%2F_mute#0", - "parameters": [ - { - "description": "The version of the API to use", - "in": "header", - "name": "elastic-api-version", - "schema": { - "default": "2023-10-31", - "enum": [ - "2023-10-31" - ], - "type": "string" - } - }, - { - "description": "A required header to protect against CSRF attacks", - "in": "header", - "name": "kbn-xsrf", - "required": true, - "schema": { - "example": "true", - "type": "string" - } - }, - { - "description": "The identifier for the rule.", - "in": "path", - "name": "rule_id", - "required": true, - "schema": { - "type": "string" - } - }, - { - "description": "The identifier for the alert.", - "in": "path", - "name": "alert_id", - "required": true, - "schema": { - "type": "string" - } - } - ], - "responses": { - "204": { - "description": "Indicates a successful call." - }, - "400": { - "description": "Indicates an invalid schema or parameters." - }, - "403": { - "description": "Indicates that this call is forbidden." - }, - "404": { - "description": "Indicates a rule or alert with the given ID does not exist." - } - }, - "summary": "Mute an alert", - "tags": [ - "alerting" - ] - } - }, - "/api/alerting/rule/{rule_id}/alert/{alert_id}/_unmute": { - "post": { - "operationId": "%2Fapi%2Falerting%2Frule%2F%7Brule_id%7D%2Falert%2F%7Balert_id%7D%2F_unmute#0", - "parameters": [ - { - "description": "The version of the API to use", - "in": "header", - "name": "elastic-api-version", - "schema": { - "default": "2023-10-31", - "enum": [ - "2023-10-31" - ], - "type": "string" - } - }, - { - "description": "A required header to protect against CSRF attacks", - "in": "header", - "name": "kbn-xsrf", - "required": true, - "schema": { - "example": "true", - "type": "string" - } - }, - { - "description": "The identifier for the rule.", - "in": "path", - "name": "rule_id", - "required": true, - "schema": { - "type": "string" - } - }, - { - "description": "The identifier for the alert.", - "in": "path", - "name": "alert_id", - "required": true, - "schema": { - "type": "string" - } - } - ], - "responses": { - "204": { - "description": "Indicates a successful call." - }, - "400": { - "description": "Indicates an invalid schema or parameters." - }, - "403": { - "description": "Indicates that this call is forbidden." - }, - "404": { - "description": "Indicates a rule or alert with the given ID does not exist." - } - }, - "summary": "Unmute an alert", - "tags": [ - "alerting" - ] - } - }, - "/api/alerting/rules/_find": { - "get": { - "operationId": "%2Fapi%2Falerting%2Frules%2F_find#0", - "parameters": [ - { - "description": "The version of the API to use", - "in": "header", - "name": "elastic-api-version", - "schema": { - "default": "2023-10-31", - "enum": [ - "2023-10-31" - ], - "type": "string" - } - }, - { - "description": "The number of rules to return per page.", - "in": "query", - "name": "per_page", - "required": false, - "schema": { - "default": 10, - "minimum": 0, - "type": "number" - } - }, - { - "description": "The page number to return.", - "in": "query", - "name": "page", - "required": false, - "schema": { - "default": 1, - "minimum": 1, - "type": "number" - } - }, - { - "description": "An Elasticsearch simple_query_string query that filters the objects in the response.", - "in": "query", - "name": "search", - "required": false, - "schema": { - "type": "string" - } - }, - { - "description": "The default operator to use for the simple_query_string.", - "in": "query", - "name": "default_search_operator", - "required": false, - "schema": { - "default": "OR", - "enum": [ - "OR", - "AND" - ], - "type": "string" - } - }, - { - "description": "The fields to perform the simple_query_string parsed query against.", - "in": "query", - "name": "search_fields", - "required": false, - "schema": { - "anyOf": [ - { - "items": { - "type": "string" - }, - "type": "array" - }, - { - "type": "string" - } - ] - } - }, - { - "description": "Determines which field is used to sort the results. The field must exist in the `attributes` key of the response.", - "in": "query", - "name": "sort_field", - "required": false, - "schema": { - "type": "string" - } - }, - { - "description": "Determines the sort order.", - "in": "query", - "name": "sort_order", - "required": false, - "schema": { - "enum": [ - "asc", - "desc" - ], - "type": "string" - } - }, - { - "description": "Filters the rules that have a relation with the reference objects with a specific type and identifier.", - "in": "query", - "name": "has_reference", - "required": false, - "schema": { - "additionalProperties": false, - "nullable": true, - "properties": { - "id": { - "type": "string" - }, - "type": { - "type": "string" - } - }, - "required": [ - "type", - "id" - ], - "type": "object" - } - }, - { - "in": "query", - "name": "fields", - "required": false, - "schema": { - "items": { - "description": "The fields to return in the `attributes` key of the response.", - "type": "string" - }, - "type": "array" - } - }, - { - "description": "A KQL string that you filter with an attribute from your saved object. It should look like `savedObjectType.attributes.title: \"myTitle\"`. However, if you used a direct attribute of a saved object, such as `updatedAt`, you must define your filter, for example, `savedObjectType.updatedAt > 2018-12-22`.", - "in": "query", - "name": "filter", - "required": false, - "schema": { - "type": "string" - } - }, - { - "in": "query", - "name": "filter_consumers", - "required": false, - "schema": { - "items": { - "description": "List of consumers to filter.", - "type": "string" - }, - "type": "array" - } - } - ], - "responses": { - "200": { - "content": { - "application/json; Elastic-Api-Version=2023-10-31": { - "schema": { - "additionalProperties": false, - "properties": { - "actions": { - "items": { - "additionalProperties": false, - "properties": { - "alerts_filter": { - "additionalProperties": false, - "description": "Defines a period that limits whether the action runs.", - "properties": { - "query": { - "additionalProperties": false, - "properties": { - "dsl": { - "description": "A filter written in Elasticsearch Query Domain Specific Language (DSL).", - "type": "string" - }, - "filters": { - "description": "A filter written in Elasticsearch Query Domain Specific Language (DSL) as defined in the `kbn-es-query` package.", - "items": { - "additionalProperties": false, - "properties": { - "$state": { - "additionalProperties": false, - "properties": { - "store": { - "description": "A filter can be either specific to an application context or applied globally.", - "enum": [ - "appState", - "globalState" - ], - "type": "string" - } - }, - "required": [ - "store" - ], - "type": "object" - }, - "meta": { - "additionalProperties": {}, - "type": "object" - }, - "query": { - "additionalProperties": {}, - "type": "object" - } - }, - "required": [ - "meta" - ], - "type": "object" - }, - "type": "array" - }, - "kql": { - "description": "A filter written in Kibana Query Language (KQL).", - "type": "string" - } - }, - "required": [ - "kql", - "filters" - ], - "type": "object" - }, - "timeframe": { - "additionalProperties": false, - "properties": { - "days": { - "description": "Defines the days of the week that the action can run, represented as an array of numbers. For example, `1` represents Monday. An empty array is equivalent to specifying all the days of the week.", - "items": { - "enum": [ - 1, - 2, - 3, - 4, - 5, - 6, - 7 - ], - "type": "integer" - }, - "type": "array" - }, - "hours": { - "additionalProperties": false, - "properties": { - "end": { - "description": "The end of the time frame in 24-hour notation (`hh:mm`).", - "type": "string" - }, - "start": { - "description": "The start of the time frame in 24-hour notation (`hh:mm`).", - "type": "string" - } - }, - "required": [ - "start", - "end" - ], - "type": "object" - }, - "timezone": { - "description": "The ISO time zone for the `hours` values. Values such as `UTC` and `UTC+1` also work but lack built-in daylight savings time support and are not recommended.", - "type": "string" - } - }, - "required": [ - "days", - "hours", - "timezone" - ], - "type": "object" - } - }, - "type": "object" - }, - "connector_type_id": { - "description": "The type of connector. This property appears in responses but cannot be set in requests.", - "type": "string" - }, - "frequency": { - "additionalProperties": false, - "properties": { - "notify_when": { - "description": "Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.", - "enum": [ - "onActionGroupChange", - "onActiveAlert", - "onThrottleInterval" - ], - "type": "string" - }, - "summary": { - "description": "Indicates whether the action is a summary.", - "type": "boolean" - }, - "throttle": { - "description": "The throttle interval, which defines how often an alert generates repeated actions. It is specified in seconds, minutes, hours, or days and is applicable only if 'notify_when' is set to 'onThrottleInterval'. NOTE: You cannot specify the throttle interval at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.", - "nullable": true, - "type": "string" - } - }, - "required": [ - "summary", - "notify_when", - "throttle" - ], - "type": "object" - }, - "group": { - "description": "The group name, which affects when the action runs (for example, when the threshold is met or when the alert is recovered). Each rule type has a list of valid action group names. If you don't need to group actions, set to `default`.", - "type": "string" - }, - "id": { - "description": "The identifier for the connector saved object.", - "type": "string" - }, - "params": { - "additionalProperties": {}, - "description": "The parameters for the action, which are sent to the connector. The `params` are handled as Mustache templates and passed a default set of context.", - "type": "object" - }, - "use_alert_data_for_template": { - "description": "Indicates whether to use alert data as a template.", - "type": "boolean" - }, - "uuid": { - "description": "A universally unique identifier (UUID) for the action.", - "type": "string" - } - }, - "required": [ - "id", - "connector_type_id", - "params" - ], - "type": "object" - }, - "type": "array" - }, - "active_snoozes": { - "items": { - "description": "List of active snoozes for the rule.", - "type": "string" - }, - "type": "array" - }, - "alert_delay": { - "additionalProperties": false, - "description": "Indicates that an alert occurs only when the specified number of consecutive runs met the rule conditions.", - "properties": { - "active": { - "description": "The number of consecutive runs that must meet the rule conditions.", - "type": "number" - } - }, - "required": [ - "active" - ], - "type": "object" - }, - "api_key_created_by_user": { - "description": "Indicates whether the API key that is associated with the rule was created by the user.", - "nullable": true, - "type": "boolean" - }, - "api_key_owner": { - "description": "The owner of the API key that is associated with the rule and used to run background tasks.", - "nullable": true, - "type": "string" - }, - "consumer": { - "description": "The name of the application or feature that owns the rule. For example: `alerts`, `apm`, `discover`, `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, `siem`, `stackAlerts`, or `uptime`.", - "type": "string" - }, - "created_at": { - "description": "The date and time that the rule was created.", - "type": "string" - }, - "created_by": { - "description": "The identifier for the user that created the rule.", - "nullable": true, - "type": "string" - }, - "enabled": { - "description": "Indicates whether you want to run the rule on an interval basis after it is created.", - "type": "boolean" - }, - "execution_status": { - "additionalProperties": false, - "properties": { - "error": { - "additionalProperties": false, - "properties": { - "message": { - "description": "Error message.", - "type": "string" - }, - "reason": { - "description": "Reason for error.", - "enum": [ - "read", - "decrypt", - "execute", - "unknown", - "license", - "timeout", - "disabled", - "validate" - ], - "type": "string" - } - }, - "required": [ - "reason", - "message" - ], - "type": "object" - }, - "last_duration": { - "description": "Duration of last execution of the rule.", - "type": "number" - }, - "last_execution_date": { - "description": "The date and time when rule was executed last.", - "type": "string" - }, - "status": { - "description": "Status of rule execution.", - "enum": [ - "ok", - "active", - "error", - "warning", - "pending", - "unknown" - ], - "type": "string" - }, - "warning": { - "additionalProperties": false, - "properties": { - "message": { - "description": "Warning message.", - "type": "string" - }, - "reason": { - "description": "Reason for warning.", - "enum": [ - "maxExecutableActions", - "maxAlerts", - "maxQueuedActions", - "ruleExecution" - ], - "type": "string" - } - }, - "required": [ - "reason", - "message" - ], - "type": "object" - } - }, - "required": [ - "status", - "last_execution_date" - ], - "type": "object" - }, - "flapping": { - "additionalProperties": false, - "nullable": true, - "properties": { - "look_back_window": { - "maximum": 20, - "minimum": 2, - "type": "number" - }, - "status_change_threshold": { - "maximum": 20, - "minimum": 2, - "type": "number" - } - }, - "required": [ - "look_back_window", - "status_change_threshold" - ], - "type": "object" - }, - "id": { - "description": "The identifier for the rule.", - "type": "string" - }, - "is_snoozed_until": { - "description": "The date when the rule will no longer be snoozed.", - "nullable": true, - "type": "string" - }, - "last_run": { - "additionalProperties": false, - "nullable": true, - "properties": { - "alerts_count": { - "additionalProperties": false, - "properties": { - "active": { - "description": "Number of active alerts during last run.", - "nullable": true, - "type": "number" - }, - "ignored": { - "description": "Number of ignored alerts during last run.", - "nullable": true, - "type": "number" - }, - "new": { - "description": "Number of new alerts during last run.", - "nullable": true, - "type": "number" - }, - "recovered": { - "description": "Number of recovered alerts during last run.", - "nullable": true, - "type": "number" - } - }, - "type": "object" - }, - "outcome": { - "description": "Outcome of last run of the rule. Value could be succeeded, warning or failed.", - "enum": [ - "succeeded", - "warning", - "failed" - ], - "type": "string" - }, - "outcome_msg": { - "items": { - "description": "Outcome message generated during last rule run.", - "type": "string" - }, - "nullable": true, - "type": "array" - }, - "outcome_order": { - "description": "Order of the outcome.", - "type": "number" - }, - "warning": { - "description": "Warning of last rule execution.", - "enum": [ - "read", - "decrypt", - "execute", - "unknown", - "license", - "timeout", - "disabled", - "validate", - "maxExecutableActions", - "maxAlerts", - "maxQueuedActions", - "ruleExecution" - ], - "nullable": true, - "type": "string" - } - }, - "required": [ - "outcome", - "alerts_count" - ], - "type": "object" - }, - "mapped_params": { - "additionalProperties": {}, - "type": "object" - }, - "monitoring": { - "additionalProperties": false, - "description": "Monitoring details of the rule.", - "properties": { - "run": { - "additionalProperties": false, - "description": "Rule run details.", - "properties": { - "calculated_metrics": { - "additionalProperties": false, - "description": "Calculation of different percentiles and success ratio.", - "properties": { - "p50": { - "type": "number" - }, - "p95": { - "type": "number" - }, - "p99": { - "type": "number" - }, - "success_ratio": { - "type": "number" - } - }, - "required": [ - "success_ratio" - ], - "type": "object" - }, - "history": { - "description": "History of the rule run.", - "items": { - "additionalProperties": false, - "properties": { - "duration": { - "description": "Duration of the rule run.", - "type": "number" - }, - "outcome": { - "description": "Outcome of last run of the rule. Value could be succeeded, warning or failed.", - "enum": [ - "succeeded", - "warning", - "failed" - ], - "type": "string" - }, - "success": { - "description": "Indicates whether the rule run was successful.", - "type": "boolean" - }, - "timestamp": { - "description": "Time of rule run.", - "type": "number" - } - }, - "required": [ - "success", - "timestamp" - ], - "type": "object" - }, - "type": "array" - }, - "last_run": { - "additionalProperties": false, - "properties": { - "metrics": { - "additionalProperties": false, - "properties": { - "duration": { - "description": "Duration of most recent rule run.", - "type": "number" - }, - "gap_duration_s": { - "description": "Duration in seconds of rule run gap.", - "nullable": true, - "type": "number" - }, - "total_alerts_created": { - "description": "Total number of alerts created during last rule run.", - "nullable": true, - "type": "number" - }, - "total_alerts_detected": { - "description": "Total number of alerts detected during last rule run.", - "nullable": true, - "type": "number" - }, - "total_indexing_duration_ms": { - "description": "Total time spent indexing documents during last rule run in milliseconds.", - "nullable": true, - "type": "number" - }, - "total_search_duration_ms": { - "description": "Total time spent performing Elasticsearch searches as measured by Kibana; includes network latency and time spent serializing or deserializing the request and response.", - "nullable": true, - "type": "number" - } - }, - "type": "object" - }, - "timestamp": { - "description": "Time of the most recent rule run.", - "type": "string" - } - }, - "required": [ - "timestamp", - "metrics" - ], - "type": "object" - } - }, - "required": [ - "history", - "calculated_metrics", - "last_run" - ], - "type": "object" - } - }, - "required": [ - "run" - ], - "type": "object" - }, - "mute_all": { - "description": "Indicates whether all alerts are muted.", - "type": "boolean" - }, - "muted_alert_ids": { - "items": { - "description": "List of identifiers of muted alerts. ", - "type": "string" - }, - "type": "array" - }, - "name": { - "description": " The name of the rule.", - "type": "string" - }, - "next_run": { - "description": "Date and time of the next run of the rule.", - "nullable": true, - "type": "string" - }, - "notify_when": { - "description": "Indicates how often alerts generate actions. Valid values include: `onActionGroupChange`: Actions run when the alert status changes; `onActiveAlert`: Actions run when the alert becomes active and at each check interval while the rule conditions are met; `onThrottleInterval`: Actions run when the alert becomes active and at the interval specified in the throttle property while the rule conditions are met. NOTE: You cannot specify `notify_when` at both the rule and action level. The recommended method is to set it for each action. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.", - "enum": [ - "onActionGroupChange", - "onActiveAlert", - "onThrottleInterval" - ], - "nullable": true, - "type": "string" - }, - "params": { - "additionalProperties": {}, - "description": "The parameters for the rule.", - "type": "object" - }, - "revision": { - "description": "The rule revision number.", - "type": "number" - }, - "rule_type_id": { - "description": "The rule type identifier.", - "type": "string" - }, - "running": { - "description": "Indicates whether the rule is running.", - "nullable": true, - "type": "boolean" - }, - "schedule": { - "additionalProperties": false, - "properties": { - "interval": { - "description": "The interval is specified in seconds, minutes, hours, or days.", - "type": "string" - } - }, - "required": [ - "interval" - ], - "type": "object" - }, - "scheduled_task_id": { - "description": "Identifier of the scheduled task.", - "type": "string" - }, - "snooze_schedule": { - "items": { - "additionalProperties": false, - "properties": { - "duration": { - "description": "Duration of the rule snooze schedule.", - "type": "number" - }, - "id": { - "description": "Identifier of the rule snooze schedule.", - "type": "string" - }, - "rRule": { - "additionalProperties": false, - "properties": { - "byhour": { - "items": { - "description": "Indicates hours of the day to recur.", - "type": "number" - }, - "nullable": true, - "type": "array" - }, - "byminute": { - "items": { - "description": "Indicates minutes of the hour to recur.", - "type": "number" - }, - "nullable": true, - "type": "array" - }, - "bymonth": { - "items": { - "description": "Indicates months of the year that this rule should recur.", - "type": "number" - }, - "nullable": true, - "type": "array" - }, - "bymonthday": { - "items": { - "description": "Indicates the days of the month to recur.", - "type": "number" - }, - "nullable": true, - "type": "array" - }, - "bysecond": { - "items": { - "description": "Indicates seconds of the day to recur.", - "type": "number" - }, - "nullable": true, - "type": "array" - }, - "bysetpos": { - "items": { - "description": "A positive or negative integer affecting the nth day of the month. For example, -2 combined with `byweekday` of FR is 2nd to last Friday of the month. It is recommended to not set this manually and just use `byweekday`.", - "type": "number" - }, - "nullable": true, - "type": "array" - }, - "byweekday": { - "items": { - "anyOf": [ - { - "type": "string" - }, - { - "type": "number" - } - ], - "description": "Indicates the days of the week to recur or else nth-day-of-month strings. For example, \"+2TU\" second Tuesday of month, \"-1FR\" last Friday of the month, which are internally converted to a `byweekday/bysetpos` combination." - }, - "nullable": true, - "type": "array" - }, - "byweekno": { - "items": { - "description": "Indicates number of the week hours to recur.", - "type": "number" - }, - "nullable": true, - "type": "array" - }, - "byyearday": { - "items": { - "description": "Indicates the days of the year that this rule should recur.", - "type": "number" - }, - "nullable": true, - "type": "array" - }, - "count": { - "description": "Number of times the rule should recur until it stops.", - "type": "number" - }, - "dtstart": { - "description": "Rule start date in Coordinated Universal Time (UTC).", - "type": "string" - }, - "freq": { - "description": "Indicates frequency of the rule. Options are YEARLY, MONTHLY, WEEKLY, DAILY.", - "enum": [ - 0, - 1, - 2, - 3, - 4, - 5, - 6 - ], - "type": "integer" - }, - "interval": { - "description": "Indicates the interval of frequency. For example, 1 and YEARLY is every 1 year, 2 and WEEKLY is every 2 weeks.", - "type": "number" - }, - "tzid": { - "description": "Indicates timezone abbreviation.", - "type": "string" - }, - "until": { - "description": "Recur the rule until this date.", - "type": "string" - }, - "wkst": { - "description": "Indicates the start of week, defaults to Monday.", - "enum": [ - "MO", - "TU", - "WE", - "TH", - "FR", - "SA", - "SU" - ], - "type": "string" - } - }, - "required": [ - "dtstart", - "tzid" - ], - "type": "object" - }, - "skipRecurrences": { - "items": { - "description": "Skips recurrence of rule on this date.", - "type": "string" - }, - "type": "array" - } - }, - "required": [ - "duration", - "rRule" - ], - "type": "object" - }, - "type": "array" - }, - "tags": { - "items": { - "description": "The tags for the rule.", - "type": "string" - }, - "type": "array" - }, - "throttle": { - "deprecated": true, - "description": "Deprecated in 8.13.0. Use the `throttle` property in the action `frequency` object instead. The throttle interval, which defines how often an alert generates repeated actions. NOTE: You cannot specify the throttle interval at both the rule and action level. If you set it at the rule level then update the rule in Kibana, it is automatically changed to use action-specific values.", - "nullable": true, - "type": "string" - }, - "updated_at": { - "description": "The date and time that the rule was updated most recently.", - "type": "string" - }, - "updated_by": { - "description": "The identifier for the user that updated this rule most recently.", - "nullable": true, - "type": "string" - }, - "view_in_app_relative_url": { - "description": "Relative URL to view rule in the app.", - "nullable": true, - "type": "string" - } - }, - "required": [ - "id", - "enabled", - "name", - "tags", - "rule_type_id", - "consumer", - "schedule", - "actions", - "params", - "created_by", - "updated_by", - "created_at", - "updated_at", - "api_key_owner", - "mute_all", - "muted_alert_ids", - "execution_status", - "revision" - ], - "type": "object" - } - } - }, - "description": "Indicates a successful call." - }, - "400": { - "description": "Indicates an invalid schema or parameters." - }, - "403": { - "description": "Indicates that this call is forbidden." - } - }, - "summary": "Get information about rules", - "tags": [ - "alerting" - ] - } - }, - "/api/spaces/space": { - "get": { - "operationId": "%2Fapi%2Fspaces%2Fspace#0", - "parameters": [ - { - "description": "The version of the API to use", - "in": "header", - "name": "elastic-api-version", - "schema": { - "default": "2023-10-31", - "enum": [ - "2023-10-31" - ], - "type": "string" - } - }, - { - "description": "Specifies which authorization checks are applied to the API call. The default value is `any`.", - "in": "query", - "name": "purpose", - "required": false, - "schema": { - "enum": [ - "any", - "copySavedObjectsIntoSpace", - "shareSavedObjectsIntoSpace" - ], - "type": "string" - } - }, - { - "description": "When enabled, the API returns any spaces that the user is authorized to access in any capacity and each space will contain the purposes for which the user is authorized. This can be useful to determine which spaces a user can read but not take a specific action in. If the security plugin is not enabled, this parameter has no effect, since no authorization checks take place. This parameter cannot be used in with the `purpose` parameter.", - "in": "query", - "name": "include_authorized_purposes", - "required": true, - "schema": { - "anyOf": [ - { - "items": {}, - "type": "array" - }, - { - "type": "boolean" - }, - { - "type": "number" - }, - { - "type": "object" - }, - { - "type": "string" - } - ], - "nullable": true, - "oneOf": [ - { - "enum": [ - false - ], - "type": "boolean", - "x-oas-optional": true - }, - { - "type": "boolean", - "x-oas-optional": true - } - ] - } - } - ], - "responses": { - "200": { - "description": "Indicates a successful call." - } - }, - "summary": "Get all spaces", - "tags": [ - "spaces" - ] - }, - "post": { - "operationId": "%2Fapi%2Fspaces%2Fspace#1", - "parameters": [ - { - "description": "The version of the API to use", - "in": "header", - "name": "elastic-api-version", - "schema": { - "default": "2023-10-31", - "enum": [ - "2023-10-31" - ], - "type": "string" - } - }, - { - "description": "A required header to protect against CSRF attacks", - "in": "header", - "name": "kbn-xsrf", - "required": true, - "schema": { - "example": "true", - "type": "string" - } - } - ], - "requestBody": { - "content": { - "application/json; Elastic-Api-Version=2023-10-31": { - "schema": { - "additionalProperties": false, - "properties": { - "_reserved": { - "type": "boolean" - }, - "color": { - "description": "The hexadecimal color code used in the space avatar. By default, the color is automatically generated from the space name.", - "type": "string" - }, - "description": { - "description": "A description for the space.", - "type": "string" - }, - "disabledFeatures": { - "default": [], - "items": { - "description": "The list of features that are turned off in the space.", - "type": "string" - }, - "type": "array" - }, - "id": { - "description": "The space ID that is part of the Kibana URL when inside the space. Space IDs are limited to lowercase alphanumeric, underscore, and hyphen characters (a-z, 0-9, _, and -). You are cannot change the ID with the update operation.", - "type": "string" - }, - "imageUrl": { - "description": "The data-URL encoded image to display in the space avatar. If specified, initials will not be displayed and the color will be visible as the background color for transparent images. For best results, your image should be 64x64. Images will not be optimized by this API call, so care should be taken when using custom images.", - "type": "string" - }, - "initials": { - "description": "One or two characters that are shown in the space avatar. By default, the initials are automatically generated from the space name.", - "maxLength": 2, - "type": "string" - }, - "name": { - "description": "The display name for the space. ", - "minLength": 1, - "type": "string" - } - }, - "required": [ - "id", - "name" - ], - "type": "object" - } - } - } - }, - "responses": { - "200": { - "description": "Indicates a successful call." - } - }, - "summary": "Create a space", - "tags": [ - "spaces" - ] - } - }, - "/api/spaces/space/{id}": { - "delete": { - "description": "When you delete a space, all saved objects that belong to the space are automatically deleted, which is permanent and cannot be undone.", - "operationId": "%2Fapi%2Fspaces%2Fspace%2F%7Bid%7D#2", - "parameters": [ - { - "description": "The version of the API to use", - "in": "header", - "name": "elastic-api-version", - "schema": { - "default": "2023-10-31", - "enum": [ - "2023-10-31" - ], - "type": "string" - } - }, - { - "description": "A required header to protect against CSRF attacks", - "in": "header", - "name": "kbn-xsrf", - "required": true, - "schema": { - "example": "true", - "type": "string" - } - }, - { - "description": "The space identifier.", - "in": "path", - "name": "id", - "required": true, - "schema": { - "type": "string" - } - } - ], - "responses": { - "204": { - "description": "Indicates a successful call." - }, - "404": { - "description": "Indicates that the request failed." - } - }, - "summary": "Delete a space", - "tags": [ - "spaces" - ] - }, - "get": { - "operationId": "%2Fapi%2Fspaces%2Fspace%2F%7Bid%7D#0", - "parameters": [ - { - "description": "The version of the API to use", - "in": "header", - "name": "elastic-api-version", - "schema": { - "default": "2023-10-31", - "enum": [ - "2023-10-31" - ], - "type": "string" - } - }, - { - "description": "The space identifier.", - "in": "path", - "name": "id", - "required": true, - "schema": { - "type": "string" - } - } - ], - "responses": { - "200": { - "description": "Indicates a successful call." - } - }, - "summary": "Get a space", - "tags": [ - "spaces" - ] - }, - "put": { - "operationId": "%2Fapi%2Fspaces%2Fspace%2F%7Bid%7D#1", - "parameters": [ - { - "description": "The version of the API to use", - "in": "header", - "name": "elastic-api-version", - "schema": { - "default": "2023-10-31", - "enum": [ - "2023-10-31" - ], - "type": "string" - } - }, - { - "description": "A required header to protect against CSRF attacks", - "in": "header", - "name": "kbn-xsrf", - "required": true, - "schema": { - "example": "true", - "type": "string" - } - }, - { - "description": "The space identifier. You are unable to change the ID with the update operation.", - "in": "path", - "name": "id", - "required": true, - "schema": { - "type": "string" - } - } - ], - "requestBody": { - "content": { - "application/json; Elastic-Api-Version=2023-10-31": { - "schema": { - "additionalProperties": false, - "properties": { - "_reserved": { - "type": "boolean" - }, - "color": { - "description": "The hexadecimal color code used in the space avatar. By default, the color is automatically generated from the space name.", - "type": "string" - }, - "description": { - "description": "A description for the space.", - "type": "string" - }, - "disabledFeatures": { - "default": [], - "items": { - "description": "The list of features that are turned off in the space.", - "type": "string" - }, - "type": "array" - }, - "id": { - "description": "The space ID that is part of the Kibana URL when inside the space. Space IDs are limited to lowercase alphanumeric, underscore, and hyphen characters (a-z, 0-9, _, and -). You are cannot change the ID with the update operation.", - "type": "string" - }, - "imageUrl": { - "description": "The data-URL encoded image to display in the space avatar. If specified, initials will not be displayed and the color will be visible as the background color for transparent images. For best results, your image should be 64x64. Images will not be optimized by this API call, so care should be taken when using custom images.", - "type": "string" - }, - "initials": { - "description": "One or two characters that are shown in the space avatar. By default, the initials are automatically generated from the space name.", - "maxLength": 2, - "type": "string" - }, - "name": { - "description": "The display name for the space. ", - "minLength": 1, - "type": "string" - } - }, - "required": [ - "id", - "name" - ], - "type": "object" - } - } - } - }, - "responses": { - "200": { - "description": "Indicates a successful call." - } - }, - "summary": "Update a space", - "tags": [ - "spaces" - ] - } - }, - "/api/status": { - "get": { - "operationId": "%2Fapi%2Fstatus#0", - "parameters": [ - { - "description": "The version of the API to use", - "in": "header", - "name": "elastic-api-version", - "schema": { - "default": "2023-10-31", - "enum": [ - "2023-10-31" - ], - "type": "string" - } - }, - { - "description": "Set to \"true\" to get the response in v7 format.", - "in": "query", - "name": "v7format", - "required": false, - "schema": { - "type": "boolean" - } - }, - { - "description": "Set to \"true\" to get the response in v8 format.", - "in": "query", - "name": "v8format", - "required": false, - "schema": { - "type": "boolean" - } - } - ], - "responses": { - "200": { - "content": { - "application/json; Elastic-Api-Version=2023-10-31": { - "schema": { - "anyOf": [ - { - "$ref": "#/components/schemas/core_status_response" - }, - { - "$ref": "#/components/schemas/core_status_redactedResponse" - } - ], - "description": "Kibana's operational status. A minimal response is sent for unauthorized users." - } - } - }, - "description": "Overall status is OK and Kibana should be functioning normally." - }, - "503": { - "content": { - "application/json; Elastic-Api-Version=2023-10-31": { - "schema": { - "anyOf": [ - { - "$ref": "#/components/schemas/core_status_response" - }, - { - "$ref": "#/components/schemas/core_status_redactedResponse" - } - ], - "description": "Kibana's operational status. A minimal response is sent for unauthorized users." - } - } - }, - "description": "Kibana or some of it's essential services are unavailable. Kibana may be degraded or unavailable." - } - }, - "summary": "Get Kibana's current status", - "tags": [ - "system" - ] - } - } - }, - "security": [ - { - "basicAuth": [] - } - ], - "servers": [ - { - "url": "http://localhost:5622" - } - ], - "tags": [ - { - "name": "alerting" - }, - { - "name": "connectors" - }, - { - "name": "spaces" - }, - { - "name": "system" - } - ] -} \ No newline at end of file diff --git a/oas_docs/examples/create_role_request1.yaml b/oas_docs/examples/create_role_request1.yaml new file mode 100644 index 0000000000000..1d041005f30de --- /dev/null +++ b/oas_docs/examples/create_role_request1.yaml @@ -0,0 +1,23 @@ +summary: Feature privileges in multiple spaces +description: Grant access to various features in some spaces. +value: + description: Grant full access to discover and dashboard features in the default space. Grant read access in the marketing, and sales spaces. + metadata: + version: 1 + elasticsearch: + cluster: [] + indices: [] + kibana: + - base: [] + feature: + discover: + - all + dashboard: + - all + spaces: + - default + - base: + - read + spaces: + - marketing + - sales diff --git a/oas_docs/examples/create_role_request2.yaml b/oas_docs/examples/create_role_request2.yaml new file mode 100644 index 0000000000000..d36d7e2330f3c --- /dev/null +++ b/oas_docs/examples/create_role_request2.yaml @@ -0,0 +1,16 @@ +summary: Dashboard privileges in a space +description: Grant access to dashboard features in a Marketing space. +value: + description: Grant dashboard access in the Marketing space. + metadata: + version: 1 + elasticsearch: + cluster: [] + indices: [] + kibana: + - base: [] + feature: + dashboard: + - read + spaces: + - marketing \ No newline at end of file diff --git a/oas_docs/examples/create_role_request3.yaml b/oas_docs/examples/create_role_request3.yaml new file mode 100644 index 0000000000000..55b4cb0834b9f --- /dev/null +++ b/oas_docs/examples/create_role_request3.yaml @@ -0,0 +1,14 @@ +summary: Feature privileges in a space +description: Grant full access to all features in the default space. +value: + metadata: + version: 1 + elasticsearch: + cluster: [] + indices: [] + kibana: + - base: + - all + feature: { } + spaces: + - default \ No newline at end of file diff --git a/oas_docs/examples/create_role_request4.yaml b/oas_docs/examples/create_role_request4.yaml new file mode 100644 index 0000000000000..f2332e2e934dc --- /dev/null +++ b/oas_docs/examples/create_role_request4.yaml @@ -0,0 +1,34 @@ +summary: Elasticsearch and Kibana feature privileges +description: Grant Elasticsearch and Kibana feature privileges. +value: + description: Grant all cluster privileges and full access to index1 and index2. Grant full access to remote_index1 and remote_index2, and the monitor_enrich cluster privilege on remote_cluster1. Grant all Kibana privileges in the default space. + metadata: + version: 1 + elasticsearch: + cluster: + - all + indices: + - names: + - index1 + - index2 + privileges: + - all + remote_indices: + - clusters: + - remote_cluster1 + names: + - remote_index1 + - remote_index2 + privileges: + - all + remote_cluster: + - clusters: + - remote_cluster1 + privileges: + - monitor_enrich + kibana: + - base: + - all + feature: { } + spaces: + - default \ No newline at end of file diff --git a/oas_docs/examples/get_role_response1.yaml b/oas_docs/examples/get_role_response1.yaml new file mode 100644 index 0000000000000..5e44481afa8ce --- /dev/null +++ b/oas_docs/examples/get_role_response1.yaml @@ -0,0 +1,41 @@ +summary: Get role details +value: + name: my_kibana_role + description: Grants all cluster privileges and full access to index1 and index2. Grants full access to remote_index1 and remote_index2, and the monitor_enrich cluster privilege on remote_cluster1. Grants all Kibana privileges in the default space. + metadata: + version: 1 + transient_metadata: + enabled: true + elasticsearch: + cluster: + - all + remote_cluster: + - privileges: + - monitor_enrich + clusters: + - remote_cluster1 + indices: + - names: + - index1 + - index2 + privileges: + - all + allow_restricted_indices: false + remote_indices: + - names: + - remote_index1 + - remote_index2 + privileges: + - all + allow_restricted_indices: false + clusters: + - remote_cluster1 + run_as: [] + kibana: + - base: + - all + feature: {} + spaces: + - default + _transform_error: [] + _unrecognized_applications: [] diff --git a/oas_docs/examples/get_roles_response1.yaml b/oas_docs/examples/get_roles_response1.yaml new file mode 100644 index 0000000000000..9c3a45163ace1 --- /dev/null +++ b/oas_docs/examples/get_roles_response1.yaml @@ -0,0 +1,39 @@ +summary: Get all role details +value: + - name: my_kibana_role + description: My kibana role description + metadata: + version: 1 + transient_metadata: + enabled: true + elasticsearch: + indices: [] + cluster: [] + run_as: [] + kibana: + - base: + - all + feature: {} + spaces: + - "*" + - name: my_admin_role + description: My admin role description + metadata: + version: 1 + transient_metadata: + enabled: true + elasticsearch: + cluster: + - all + indices: + - names: + - index1 + - index2 + privileges: + - all + field_security: + grant: + - title + - body + query: '{\"match\": {\"title\": \"foo\"}}' + kibana: [] \ No newline at end of file diff --git a/oas_docs/makefile b/oas_docs/makefile index 85ab06e0c2c73..7b690e4c07593 100644 --- a/oas_docs/makefile +++ b/oas_docs/makefile @@ -14,8 +14,7 @@ # permission is obtained from Elasticsearch B.V. .PHONY: api-docs -api-docs: ## Generate Serverless and ESS Kibana OpenAPI bundles with kbn-openapi-bundler - @node scripts/merge_serverless_oas.js +api-docs: ## Generate ESS Kibana OpenAPI bundles with kbn-openapi-bundler @node scripts/merge_ess_oas.js .PHONY: api-docs-stateful diff --git a/oas_docs/output/kibana.serverless.yaml b/oas_docs/output/kibana.serverless.yaml deleted file mode 100644 index fd0ddfbf5f819..0000000000000 --- a/oas_docs/output/kibana.serverless.yaml +++ /dev/null @@ -1,33624 +0,0 @@ -openapi: 3.0.3 -info: - contact: - name: Kibana Team - description: > - **Technical preview** - - This functionality is in technical preview and may be changed or removed in - a future release. - - Elastic will work to fix any issues, but features in technical preview are - not subject to the support SLA of official GA features. - - - The Kibana REST APIs for Elastic serverless enable you to manage resources - - such as connectors, data views, and saved objects. The API calls are - - stateless. Each request that you make happens in isolation from other calls - - and must include all of the necessary information for Kibana to fulfill the - - request. API requests return JSON output, which is a format that is - - machine-readable and works well for automation. - - - To interact with Kibana APIs, use the following operations: - - - - GET: Fetches the information. - - - POST: Adds new information. - - - PUT: Updates the existing information. - - - DELETE: Removes the information. - - - You can prepend any Kibana API endpoint with `kbn:` and run the request in - - **Dev Tools → Console**. For example: - - - ``` - - GET kbn:/api/data_views - - ``` - - - ## Documentation source and versions - - - This documentation is derived from the `main` branch of the - [kibana](https://github.com/elastic/kibana) repository. - - It is provided under license [Attribution-NonCommercial-NoDerivatives 4.0 - International](https://creativecommons.org/licenses/by-nc-nd/4.0/). - title: Kibana Serverless APIs - version: 1.0.2 - x-doc-license: - name: Attribution-NonCommercial-NoDerivatives 4.0 International - url: 'https://creativecommons.org/licenses/by-nc-nd/4.0/' - x-feedbackLink: - label: Feedback - url: >- - https://github.com/elastic/docs-content/issues/new?assignees=&labels=feedback%2Ccommunity&projects=&template=api-feedback.yaml&title=%5BFeedback%5D%3A+ -servers: - - url: 'http://{kibana_host}:{port}' - variables: - kibana_host: - default: localhost - port: - default: '5601' - - url: 'http://localhost:5622' - - url: 'https://{kibana_url}' - variables: - kibana_url: - default: 'localhost:5601' - - url: / - - url: 'http://KIBANA_HOST:5601' - - description: local - url: 'http://localhost:5601' -paths: - /api/actions: - get: - deprecated: true - operationId: '%2Fapi%2Factions#0' - parameters: - - description: The version of the API to use - in: header - name: elastic-api-version - schema: - default: '2023-10-31' - enum: - - '2023-10-31' - type: string - responses: {} - summary: Get all connectors - tags: - - connectors - /api/actions/action: - post: - deprecated: true - operationId: '%2Fapi%2Factions%2Faction#0' - parameters: - - description: The version of the API to use - in: header - name: elastic-api-version - schema: - default: '2023-10-31' - enum: - - '2023-10-31' - type: string - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - additionalProperties: false - type: object - properties: - actionTypeId: - description: The connector type identifier. - type: string - config: - additionalProperties: {} - default: {} - type: object - name: - description: The display name for the connector. - type: string - secrets: - additionalProperties: {} - default: {} - type: object - required: - - name - - actionTypeId - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - additionalProperties: false - type: object - properties: - config: - additionalProperties: {} - type: object - connector_type_id: - description: The connector type identifier. - type: string - id: - description: The identifier for the connector. - type: string - is_deprecated: - description: Indicates whether the connector is deprecated. - type: boolean - is_missing_secrets: - description: Indicates whether the connector is missing secrets. - type: boolean - is_preconfigured: - description: >- - Indicates whether the connector is preconfigured. If true, - the `config` and `is_missing_secrets` properties are - omitted from the response. - type: boolean - is_system_action: - description: >- - Indicates whether the connector is used for system - actions. - type: boolean - name: - description: ' The name of the rule.' - type: string - required: - - id - - name - - connector_type_id - - is_preconfigured - - is_deprecated - - is_system_action - description: Indicates a successful call. - summary: Create a connector - tags: - - connectors - '/api/actions/action/{id}': - delete: - deprecated: true - description: 'WARNING: When you delete a connector, it cannot be recovered.' - operationId: '%2Fapi%2Factions%2Faction%2F%7Bid%7D#0' - parameters: - - description: The version of the API to use - in: header - name: elastic-api-version - schema: - default: '2023-10-31' - enum: - - '2023-10-31' - type: string - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: An identifier for the connector. - in: path - name: id - required: true - schema: - type: string - responses: - '204': - description: Indicates a successful call. - summary: Delete a connector - tags: - - connectors - get: - deprecated: true - operationId: '%2Fapi%2Factions%2Faction%2F%7Bid%7D#1' - parameters: - - description: The version of the API to use - in: header - name: elastic-api-version - schema: - default: '2023-10-31' - enum: - - '2023-10-31' - type: string - - description: An identifier for the connector. - in: path - name: id - required: true - schema: - type: string - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - additionalProperties: false - type: object - properties: - config: - additionalProperties: {} - type: object - connector_type_id: - description: The connector type identifier. - type: string - id: - description: The identifier for the connector. - type: string - is_deprecated: - description: Indicates whether the connector is deprecated. - type: boolean - is_missing_secrets: - description: Indicates whether the connector is missing secrets. - type: boolean - is_preconfigured: - description: >- - Indicates whether the connector is preconfigured. If true, - the `config` and `is_missing_secrets` properties are - omitted from the response. - type: boolean - is_system_action: - description: >- - Indicates whether the connector is used for system - actions. - type: boolean - name: - description: ' The name of the rule.' - type: string - required: - - id - - name - - connector_type_id - - is_preconfigured - - is_deprecated - - is_system_action - description: Indicates a successful call. - summary: Get connector information - tags: - - connectors - put: - deprecated: true - operationId: '%2Fapi%2Factions%2Faction%2F%7Bid%7D#2' - parameters: - - description: The version of the API to use - in: header - name: elastic-api-version - schema: - default: '2023-10-31' - enum: - - '2023-10-31' - type: string - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: An identifier for the connector. - in: path - name: id - required: true - schema: - type: string - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - additionalProperties: false - type: object - properties: - config: - additionalProperties: {} - default: {} - type: object - name: - type: string - secrets: - additionalProperties: {} - default: {} - type: object - required: - - name - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - additionalProperties: false - type: object - properties: - config: - additionalProperties: {} - type: object - connector_type_id: - description: The connector type identifier. - type: string - id: - description: The identifier for the connector. - type: string - is_deprecated: - description: Indicates whether the connector is deprecated. - type: boolean - is_missing_secrets: - description: Indicates whether the connector is missing secrets. - type: boolean - is_preconfigured: - description: >- - Indicates whether the connector is preconfigured. If true, - the `config` and `is_missing_secrets` properties are - omitted from the response. - type: boolean - is_system_action: - description: >- - Indicates whether the connector is used for system - actions. - type: boolean - name: - description: ' The name of the rule.' - type: string - required: - - id - - name - - connector_type_id - - is_preconfigured - - is_deprecated - - is_system_action - description: Indicates a successful call. - summary: Update a connector - tags: - - connectors - '/api/actions/action/{id}/_execute': - post: - deprecated: true - operationId: '%2Fapi%2Factions%2Faction%2F%7Bid%7D%2F_execute#0' - parameters: - - description: The version of the API to use - in: header - name: elastic-api-version - schema: - default: '2023-10-31' - enum: - - '2023-10-31' - type: string - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: An identifier for the connector. - in: path - name: id - required: true - schema: - type: string - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - additionalProperties: false - type: object - properties: - params: - additionalProperties: {} - type: object - required: - - params - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - additionalProperties: false - type: object - properties: - config: - additionalProperties: {} - type: object - connector_type_id: - description: The connector type identifier. - type: string - id: - description: The identifier for the connector. - type: string - is_deprecated: - description: Indicates whether the connector is deprecated. - type: boolean - is_missing_secrets: - description: Indicates whether the connector is missing secrets. - type: boolean - is_preconfigured: - description: >- - Indicates whether the connector is preconfigured. If true, - the `config` and `is_missing_secrets` properties are - omitted from the response. - type: boolean - is_system_action: - description: >- - Indicates whether the connector is used for system - actions. - type: boolean - name: - description: ' The name of the rule.' - type: string - required: - - id - - name - - connector_type_id - - is_preconfigured - - is_deprecated - - is_system_action - description: Indicates a successful call. - summary: Run a connector - tags: - - connectors - /api/actions/connector_types: - get: - description: You do not need any Kibana feature privileges to run this API. - operationId: '%2Fapi%2Factions%2Fconnector_types#0' - parameters: - - description: The version of the API to use - in: header - name: elastic-api-version - schema: - default: '2023-10-31' - enum: - - '2023-10-31' - type: string - - description: >- - A filter to limit the retrieved connector types to those that - support a specific feature (such as alerting or cases). - in: query - name: feature_id - required: false - schema: - type: string - responses: {} - summary: Get connector types - tags: - - connectors - '/api/actions/connector/{id}': - delete: - description: 'WARNING: When you delete a connector, it cannot be recovered.' - operationId: '%2Fapi%2Factions%2Fconnector%2F%7Bid%7D#0' - parameters: - - description: The version of the API to use - in: header - name: elastic-api-version - schema: - default: '2023-10-31' - enum: - - '2023-10-31' - type: string - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: An identifier for the connector. - in: path - name: id - required: true - schema: - type: string - responses: - '204': - description: Indicates a successful call. - summary: Delete a connector - tags: - - connectors - get: - operationId: '%2Fapi%2Factions%2Fconnector%2F%7Bid%7D#1' - parameters: - - description: The version of the API to use - in: header - name: elastic-api-version - schema: - default: '2023-10-31' - enum: - - '2023-10-31' - type: string - - description: An identifier for the connector. - in: path - name: id - required: true - schema: - type: string - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - additionalProperties: false - type: object - properties: - config: - additionalProperties: {} - type: object - connector_type_id: - description: The connector type identifier. - type: string - id: - description: The identifier for the connector. - type: string - is_deprecated: - description: Indicates whether the connector is deprecated. - type: boolean - is_missing_secrets: - description: Indicates whether the connector is missing secrets. - type: boolean - is_preconfigured: - description: >- - Indicates whether the connector is preconfigured. If true, - the `config` and `is_missing_secrets` properties are - omitted from the response. - type: boolean - is_system_action: - description: >- - Indicates whether the connector is used for system - actions. - type: boolean - name: - description: ' The name of the rule.' - type: string - required: - - id - - name - - connector_type_id - - is_preconfigured - - is_deprecated - - is_system_action - description: Indicates a successful call. - summary: Get connector information - tags: - - connectors - post: - operationId: '%2Fapi%2Factions%2Fconnector%2F%7Bid%3F%7D#0' - parameters: - - description: The version of the API to use - in: header - name: elastic-api-version - schema: - default: '2023-10-31' - enum: - - '2023-10-31' - type: string - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: An identifier for the connector. - in: path - name: id - required: false - schema: - type: string - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - additionalProperties: false - type: object - properties: - config: - additionalProperties: {} - default: {} - type: object - connector_type_id: - description: The type of connector. - type: string - name: - description: The display name for the connector. - type: string - secrets: - additionalProperties: {} - default: {} - type: object - required: - - name - - connector_type_id - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - additionalProperties: false - type: object - properties: - config: - additionalProperties: {} - type: object - connector_type_id: - description: The connector type identifier. - type: string - id: - description: The identifier for the connector. - type: string - is_deprecated: - description: Indicates whether the connector is deprecated. - type: boolean - is_missing_secrets: - description: Indicates whether the connector is missing secrets. - type: boolean - is_preconfigured: - description: >- - Indicates whether the connector is preconfigured. If true, - the `config` and `is_missing_secrets` properties are - omitted from the response. - type: boolean - is_system_action: - description: >- - Indicates whether the connector is used for system - actions. - type: boolean - name: - description: ' The name of the rule.' - type: string - required: - - id - - name - - connector_type_id - - is_preconfigured - - is_deprecated - - is_system_action - description: Indicates a successful call. - summary: Create a connector - tags: - - connectors - put: - operationId: '%2Fapi%2Factions%2Fconnector%2F%7Bid%7D#2' - parameters: - - description: The version of the API to use - in: header - name: elastic-api-version - schema: - default: '2023-10-31' - enum: - - '2023-10-31' - type: string - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: An identifier for the connector. - in: path - name: id - required: true - schema: - type: string - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - additionalProperties: false - type: object - properties: - config: - additionalProperties: {} - default: {} - type: object - name: - description: The display name for the connector. - type: string - secrets: - additionalProperties: {} - default: {} - type: object - required: - - name - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - additionalProperties: false - type: object - properties: - config: - additionalProperties: {} - type: object - connector_type_id: - description: The connector type identifier. - type: string - id: - description: The identifier for the connector. - type: string - is_deprecated: - description: Indicates whether the connector is deprecated. - type: boolean - is_missing_secrets: - description: Indicates whether the connector is missing secrets. - type: boolean - is_preconfigured: - description: >- - Indicates whether the connector is preconfigured. If true, - the `config` and `is_missing_secrets` properties are - omitted from the response. - type: boolean - is_system_action: - description: >- - Indicates whether the connector is used for system - actions. - type: boolean - name: - description: ' The name of the rule.' - type: string - required: - - id - - name - - connector_type_id - - is_preconfigured - - is_deprecated - - is_system_action - description: Indicates a successful call. - summary: Update a connector - tags: - - connectors - '/api/actions/connector/{id}/_execute': - post: - description: >- - You can use this API to test an action that involves interaction with - Kibana services or integrations with third-party systems. - operationId: '%2Fapi%2Factions%2Fconnector%2F%7Bid%7D%2F_execute#0' - parameters: - - description: The version of the API to use - in: header - name: elastic-api-version - schema: - default: '2023-10-31' - enum: - - '2023-10-31' - type: string - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: An identifier for the connector. - in: path - name: id - required: true - schema: - type: string - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - additionalProperties: false - type: object - properties: - params: - additionalProperties: {} - type: object - required: - - params - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - additionalProperties: false - type: object - properties: - config: - additionalProperties: {} - type: object - connector_type_id: - description: The connector type identifier. - type: string - id: - description: The identifier for the connector. - type: string - is_deprecated: - description: Indicates whether the connector is deprecated. - type: boolean - is_missing_secrets: - description: Indicates whether the connector is missing secrets. - type: boolean - is_preconfigured: - description: >- - Indicates whether the connector is preconfigured. If true, - the `config` and `is_missing_secrets` properties are - omitted from the response. - type: boolean - is_system_action: - description: >- - Indicates whether the connector is used for system - actions. - type: boolean - name: - description: ' The name of the rule.' - type: string - required: - - id - - name - - connector_type_id - - is_preconfigured - - is_deprecated - - is_system_action - description: Indicates a successful call. - summary: Run a connector - tags: - - connectors - /api/actions/connectors: - get: - operationId: '%2Fapi%2Factions%2Fconnectors#0' - parameters: - - description: The version of the API to use - in: header - name: elastic-api-version - schema: - default: '2023-10-31' - enum: - - '2023-10-31' - type: string - responses: {} - summary: Get all connectors - tags: - - connectors - /api/actions/list_action_types: - get: - deprecated: true - operationId: '%2Fapi%2Factions%2Flist_action_types#0' - parameters: - - description: The version of the API to use - in: header - name: elastic-api-version - schema: - default: '2023-10-31' - enum: - - '2023-10-31' - type: string - responses: {} - summary: Get connector types - tags: - - connectors - '/api/alerting/rule/{id}': - delete: - operationId: '%2Fapi%2Falerting%2Frule%2F%7Bid%7D#2' - parameters: - - description: The version of the API to use - in: header - name: elastic-api-version - schema: - default: '2023-10-31' - enum: - - '2023-10-31' - type: string - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The identifier for the rule. - in: path - name: id - required: true - schema: - type: string - responses: - '204': - description: Indicates a successful call. - '400': - description: Indicates an invalid schema or parameters. - '403': - description: Indicates that this call is forbidden. - '404': - description: Indicates a rule with the given ID does not exist. - summary: Delete a rule - tags: - - alerting - get: - operationId: '%2Fapi%2Falerting%2Frule%2F%7Bid%7D#0' - parameters: - - description: The version of the API to use - in: header - name: elastic-api-version - schema: - default: '2023-10-31' - enum: - - '2023-10-31' - type: string - - description: The identifier for the rule. - in: path - name: id - required: true - schema: - type: string - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - additionalProperties: false - type: object - properties: - actions: - items: - additionalProperties: false - type: object - properties: - alerts_filter: - additionalProperties: false - description: >- - Defines a period that limits whether the action - runs. - type: object - properties: - query: - additionalProperties: false - type: object - properties: - dsl: - description: >- - A filter written in Elasticsearch Query - Domain Specific Language (DSL). - type: string - filters: - description: >- - A filter written in Elasticsearch Query - Domain Specific Language (DSL) as defined in - the `kbn-es-query` package. - items: - additionalProperties: false - type: object - properties: - $state: - additionalProperties: false - type: object - properties: - store: - description: >- - A filter can be either specific to an - application context or applied globally. - enum: - - appState - - globalState - type: string - required: - - store - meta: - additionalProperties: {} - type: object - query: - additionalProperties: {} - type: object - required: - - meta - type: array - kql: - description: >- - A filter written in Kibana Query Language - (KQL). - type: string - required: - - kql - - filters - timeframe: - additionalProperties: false - type: object - properties: - days: - description: >- - Defines the days of the week that the action - can run, represented as an array of numbers. - For example, `1` represents Monday. An empty - array is equivalent to specifying all the - days of the week. - items: - enum: - - 1 - - 2 - - 3 - - 4 - - 5 - - 6 - - 7 - type: integer - type: array - hours: - additionalProperties: false - type: object - properties: - end: - description: >- - The end of the time frame in 24-hour - notation (`hh:mm`). - type: string - start: - description: >- - The start of the time frame in 24-hour - notation (`hh:mm`). - type: string - required: - - start - - end - timezone: - description: >- - The ISO time zone for the `hours` values. - Values such as `UTC` and `UTC+1` also work - but lack built-in daylight savings time - support and are not recommended. - type: string - required: - - days - - hours - - timezone - connector_type_id: - description: >- - The type of connector. This property appears in - responses but cannot be set in requests. - type: string - frequency: - additionalProperties: false - type: object - properties: - notify_when: - description: >- - Indicates how often alerts generate actions. - Valid values include: `onActionGroupChange`: - Actions run when the alert status changes; - `onActiveAlert`: Actions run when the alert - becomes active and at each check interval while - the rule conditions are met; - `onThrottleInterval`: Actions run when the alert - becomes active and at the interval specified in - the throttle property while the rule conditions - are met. NOTE: You cannot specify `notify_when` - at both the rule and action level. The - recommended method is to set it for each action. - If you set it at the rule level then update the - rule in Kibana, it is automatically changed to - use action-specific values. - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - type: string - summary: - description: Indicates whether the action is a summary. - type: boolean - throttle: - description: >- - The throttle interval, which defines how often - an alert generates repeated actions. It is - specified in seconds, minutes, hours, or days - and is applicable only if 'notify_when' is set - to 'onThrottleInterval'. NOTE: You cannot - specify the throttle interval at both the rule - and action level. The recommended method is to - set it for each action. If you set it at the - rule level then update the rule in Kibana, it is - automatically changed to use action-specific - values. - nullable: true - type: string - required: - - summary - - notify_when - - throttle - group: - description: >- - The group name, which affects when the action runs - (for example, when the threshold is met or when the - alert is recovered). Each rule type has a list of - valid action group names. If you don't need to group - actions, set to `default`. - type: string - id: - description: The identifier for the connector saved object. - type: string - params: - additionalProperties: {} - description: >- - The parameters for the action, which are sent to the - connector. The `params` are handled as Mustache - templates and passed a default set of context. - type: object - use_alert_data_for_template: - description: Indicates whether to use alert data as a template. - type: boolean - uuid: - description: >- - A universally unique identifier (UUID) for the - action. - type: string - required: - - id - - connector_type_id - - params - type: array - active_snoozes: - items: - description: List of active snoozes for the rule. - type: string - type: array - alert_delay: - additionalProperties: false - description: >- - Indicates that an alert occurs only when the specified - number of consecutive runs met the rule conditions. - type: object - properties: - active: - description: >- - The number of consecutive runs that must meet the rule - conditions. - type: number - required: - - active - api_key_created_by_user: - description: >- - Indicates whether the API key that is associated with the - rule was created by the user. - nullable: true - type: boolean - api_key_owner: - description: >- - The owner of the API key that is associated with the rule - and used to run background tasks. - nullable: true - type: string - consumer: - description: >- - The name of the application or feature that owns the rule. - For example: `alerts`, `apm`, `discover`, - `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, - `securitySolution`, `siem`, `stackAlerts`, or `uptime`. - type: string - created_at: - description: The date and time that the rule was created. - type: string - created_by: - description: The identifier for the user that created the rule. - nullable: true - type: string - enabled: - description: >- - Indicates whether you want to run the rule on an interval - basis after it is created. - type: boolean - execution_status: - additionalProperties: false - type: object - properties: - error: - additionalProperties: false - type: object - properties: - message: - description: Error message. - type: string - reason: - description: Reason for error. - enum: - - read - - decrypt - - execute - - unknown - - license - - timeout - - disabled - - validate - type: string - required: - - reason - - message - last_duration: - description: Duration of last execution of the rule. - type: number - last_execution_date: - description: The date and time when rule was executed last. - type: string - status: - description: Status of rule execution. - enum: - - ok - - active - - error - - warning - - pending - - unknown - type: string - warning: - additionalProperties: false - type: object - properties: - message: - description: Warning message. - type: string - reason: - description: Reason for warning. - enum: - - maxExecutableActions - - maxAlerts - - maxQueuedActions - - ruleExecution - type: string - required: - - reason - - message - required: - - status - - last_execution_date - flapping: - additionalProperties: false - nullable: true - type: object - properties: - look_back_window: - maximum: 20 - minimum: 2 - type: number - status_change_threshold: - maximum: 20 - minimum: 2 - type: number - required: - - look_back_window - - status_change_threshold - id: - description: The identifier for the rule. - type: string - is_snoozed_until: - description: The date when the rule will no longer be snoozed. - nullable: true - type: string - last_run: - additionalProperties: false - nullable: true - type: object - properties: - alerts_count: - additionalProperties: false - type: object - properties: - active: - description: Number of active alerts during last run. - nullable: true - type: number - ignored: - description: Number of ignored alerts during last run. - nullable: true - type: number - new: - description: Number of new alerts during last run. - nullable: true - type: number - recovered: - description: Number of recovered alerts during last run. - nullable: true - type: number - outcome: - description: >- - Outcome of last run of the rule. Value could be - succeeded, warning or failed. - enum: - - succeeded - - warning - - failed - type: string - outcome_msg: - items: - description: Outcome message generated during last rule run. - type: string - nullable: true - type: array - outcome_order: - description: Order of the outcome. - type: number - warning: - description: Warning of last rule execution. - enum: - - read - - decrypt - - execute - - unknown - - license - - timeout - - disabled - - validate - - maxExecutableActions - - maxAlerts - - maxQueuedActions - - ruleExecution - nullable: true - type: string - required: - - outcome - - alerts_count - mapped_params: - additionalProperties: {} - type: object - monitoring: - additionalProperties: false - description: Monitoring details of the rule. - type: object - properties: - run: - additionalProperties: false - description: Rule run details. - type: object - properties: - calculated_metrics: - additionalProperties: false - description: >- - Calculation of different percentiles and success - ratio. - type: object - properties: - p50: - type: number - p95: - type: number - p99: - type: number - success_ratio: - type: number - required: - - success_ratio - history: - description: History of the rule run. - items: - additionalProperties: false - type: object - properties: - duration: - description: Duration of the rule run. - type: number - outcome: - description: >- - Outcome of last run of the rule. Value could - be succeeded, warning or failed. - enum: - - succeeded - - warning - - failed - type: string - success: - description: >- - Indicates whether the rule run was - successful. - type: boolean - timestamp: - description: Time of rule run. - type: number - required: - - success - - timestamp - type: array - last_run: - additionalProperties: false - type: object - properties: - metrics: - additionalProperties: false - type: object - properties: - duration: - description: Duration of most recent rule run. - type: number - gap_duration_s: - description: Duration in seconds of rule run gap. - nullable: true - type: number - total_alerts_created: - description: >- - Total number of alerts created during last - rule run. - nullable: true - type: number - total_alerts_detected: - description: >- - Total number of alerts detected during - last rule run. - nullable: true - type: number - total_indexing_duration_ms: - description: >- - Total time spent indexing documents during - last rule run in milliseconds. - nullable: true - type: number - total_search_duration_ms: - description: >- - Total time spent performing Elasticsearch - searches as measured by Kibana; includes - network latency and time spent serializing - or deserializing the request and response. - nullable: true - type: number - timestamp: - description: Time of the most recent rule run. - type: string - required: - - timestamp - - metrics - required: - - history - - calculated_metrics - - last_run - required: - - run - mute_all: - description: Indicates whether all alerts are muted. - type: boolean - muted_alert_ids: - items: - description: 'List of identifiers of muted alerts. ' - type: string - type: array - name: - description: ' The name of the rule.' - type: string - next_run: - description: Date and time of the next run of the rule. - nullable: true - type: string - notify_when: - description: >- - Indicates how often alerts generate actions. Valid values - include: `onActionGroupChange`: Actions run when the alert - status changes; `onActiveAlert`: Actions run when the - alert becomes active and at each check interval while the - rule conditions are met; `onThrottleInterval`: Actions run - when the alert becomes active and at the interval - specified in the throttle property while the rule - conditions are met. NOTE: You cannot specify `notify_when` - at both the rule and action level. The recommended method - is to set it for each action. If you set it at the rule - level then update the rule in Kibana, it is automatically - changed to use action-specific values. - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - nullable: true - type: string - params: - additionalProperties: {} - description: The parameters for the rule. - type: object - revision: - description: The rule revision number. - type: number - rule_type_id: - description: The rule type identifier. - type: string - running: - description: Indicates whether the rule is running. - nullable: true - type: boolean - schedule: - additionalProperties: false - type: object - properties: - interval: - description: >- - The interval is specified in seconds, minutes, hours, - or days. - type: string - required: - - interval - scheduled_task_id: - description: Identifier of the scheduled task. - type: string - snooze_schedule: - items: - additionalProperties: false - type: object - properties: - duration: - description: Duration of the rule snooze schedule. - type: number - id: - description: Identifier of the rule snooze schedule. - type: string - rRule: - additionalProperties: false - type: object - properties: - byhour: - items: - description: Indicates hours of the day to recur. - type: number - nullable: true - type: array - byminute: - items: - description: Indicates minutes of the hour to recur. - type: number - nullable: true - type: array - bymonth: - items: - description: >- - Indicates months of the year that this rule - should recur. - type: number - nullable: true - type: array - bymonthday: - items: - description: Indicates the days of the month to recur. - type: number - nullable: true - type: array - bysecond: - items: - description: Indicates seconds of the day to recur. - type: number - nullable: true - type: array - bysetpos: - items: - description: >- - A positive or negative integer affecting the - nth day of the month. For example, -2 combined - with `byweekday` of FR is 2nd to last Friday - of the month. It is recommended to not set - this manually and just use `byweekday`. - type: number - nullable: true - type: array - byweekday: - items: - anyOf: - - type: string - - type: number - description: >- - Indicates the days of the week to recur or - else nth-day-of-month strings. For example, - "+2TU" second Tuesday of month, "-1FR" last - Friday of the month, which are internally - converted to a `byweekday/bysetpos` - combination. - nullable: true - type: array - byweekno: - items: - description: Indicates number of the week hours to recur. - type: number - nullable: true - type: array - byyearday: - items: - description: >- - Indicates the days of the year that this rule - should recur. - type: number - nullable: true - type: array - count: - description: >- - Number of times the rule should recur until it - stops. - type: number - dtstart: - description: >- - Rule start date in Coordinated Universal Time - (UTC). - type: string - freq: - description: >- - Indicates frequency of the rule. Options are - YEARLY, MONTHLY, WEEKLY, DAILY. - enum: - - 0 - - 1 - - 2 - - 3 - - 4 - - 5 - - 6 - type: integer - interval: - description: >- - Indicates the interval of frequency. For - example, 1 and YEARLY is every 1 year, 2 and - WEEKLY is every 2 weeks. - type: number - tzid: - description: Indicates timezone abbreviation. - type: string - until: - description: Recur the rule until this date. - type: string - wkst: - description: 'Indicates the start of week, defaults to Monday.' - enum: - - MO - - TU - - WE - - TH - - FR - - SA - - SU - type: string - required: - - dtstart - - tzid - skipRecurrences: - items: - description: Skips recurrence of rule on this date. - type: string - type: array - required: - - duration - - rRule - type: array - tags: - items: - description: The tags for the rule. - type: string - type: array - throttle: - deprecated: true - description: >- - Deprecated in 8.13.0. Use the `throttle` property in the - action `frequency` object instead. The throttle interval, - which defines how often an alert generates repeated - actions. NOTE: You cannot specify the throttle interval at - both the rule and action level. If you set it at the rule - level then update the rule in Kibana, it is automatically - changed to use action-specific values. - nullable: true - type: string - updated_at: - description: The date and time that the rule was updated most recently. - type: string - updated_by: - description: >- - The identifier for the user that updated this rule most - recently. - nullable: true - type: string - view_in_app_relative_url: - description: Relative URL to view rule in the app. - nullable: true - type: string - required: - - id - - enabled - - name - - tags - - rule_type_id - - consumer - - schedule - - actions - - params - - created_by - - updated_by - - created_at - - updated_at - - api_key_owner - - mute_all - - muted_alert_ids - - execution_status - - revision - description: Indicates a successful call. - '400': - description: Indicates an invalid schema or parameters. - '403': - description: Indicates that this call is forbidden. - '404': - description: Indicates a rule with the given ID does not exist. - summary: Get rule details - tags: - - alerting - post: - operationId: '%2Fapi%2Falerting%2Frule%2F%7Bid%3F%7D#0' - parameters: - - description: The version of the API to use - in: header - name: elastic-api-version - schema: - default: '2023-10-31' - enum: - - '2023-10-31' - type: string - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: >- - The identifier for the rule. If it is omitted, an ID is randomly - generated. - in: path - name: id - required: false - schema: - type: string - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - additionalProperties: false - type: object - properties: - actions: - default: [] - items: - additionalProperties: false - description: An action that runs under defined conditions. - type: object - properties: - alerts_filter: - additionalProperties: false - description: >- - Conditions that affect whether the action runs. If you - specify multiple conditions, all conditions must be - met for the action to run. For example, if an alert - occurs within the specified time frame and matches the - query, the action runs. - type: object - properties: - query: - additionalProperties: false - type: object - properties: - dsl: - description: >- - A filter written in Elasticsearch Query Domain - Specific Language (DSL). - type: string - filters: - description: >- - A filter written in Elasticsearch Query Domain - Specific Language (DSL) as defined in the - `kbn-es-query` package. - items: - additionalProperties: false - type: object - properties: - $state: - additionalProperties: false - type: object - properties: - store: - description: >- - A filter can be either specific to an - application context or applied globally. - enum: - - appState - - globalState - type: string - required: - - store - meta: - additionalProperties: {} - type: object - query: - additionalProperties: {} - type: object - required: - - meta - type: array - kql: - description: >- - A filter written in Kibana Query Language - (KQL). - type: string - required: - - kql - - filters - timeframe: - additionalProperties: false - description: >- - Defines a period that limits whether the action - runs. - type: object - properties: - days: - description: >- - Defines the days of the week that the action - can run, represented as an array of numbers. - For example, `1` represents Monday. An empty - array is equivalent to specifying all the days - of the week. - items: - enum: - - 1 - - 2 - - 3 - - 4 - - 5 - - 6 - - 7 - type: integer - type: array - hours: - additionalProperties: false - description: >- - Defines the range of time in a day that the - action can run. If the `start` value is - `00:00` and the `end` value is `24:00`, - actions be generated all day. - type: object - properties: - end: - description: >- - The end of the time frame in 24-hour - notation (`hh:mm`). - type: string - start: - description: >- - The start of the time frame in 24-hour - notation (`hh:mm`). - type: string - required: - - start - - end - timezone: - description: >- - The ISO time zone for the `hours` values. - Values such as `UTC` and `UTC+1` also work but - lack built-in daylight savings time support - and are not recommended. - type: string - required: - - days - - hours - - timezone - frequency: - additionalProperties: false - type: object - properties: - notify_when: - description: >- - Indicates how often alerts generate actions. Valid - values include: `onActionGroupChange`: Actions run - when the alert status changes; `onActiveAlert`: - Actions run when the alert becomes active and at - each check interval while the rule conditions are - met; `onThrottleInterval`: Actions run when the - alert becomes active and at the interval specified - in the throttle property while the rule conditions - are met. NOTE: You cannot specify `notify_when` at - both the rule and action level. The recommended - method is to set it for each action. If you set it - at the rule level then update the rule in Kibana, - it is automatically changed to use action-specific - values. - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - type: string - summary: - description: Indicates whether the action is a summary. - type: boolean - throttle: - description: >- - The throttle interval, which defines how often an - alert generates repeated actions. It is specified - in seconds, minutes, hours, or days and is - applicable only if `notify_when` is set to - `onThrottleInterval`. NOTE: You cannot specify the - throttle interval at both the rule and action - level. The recommended method is to set it for - each action. If you set it at the rule level then - update the rule in Kibana, it is automatically - changed to use action-specific values. - nullable: true - type: string - required: - - summary - - notify_when - - throttle - group: - description: >- - The group name, which affects when the action runs - (for example, when the threshold is met or when the - alert is recovered). Each rule type has a list of - valid action group names. If you don't need to group - actions, set to `default`. - type: string - id: - description: The identifier for the connector saved object. - type: string - params: - additionalProperties: {} - default: {} - description: >- - The parameters for the action, which are sent to the - connector. The `params` are handled as Mustache - templates and passed a default set of context. - type: object - use_alert_data_for_template: - description: Indicates whether to use alert data as a template. - type: boolean - uuid: - description: A universally unique identifier (UUID) for the action. - type: string - required: - - id - type: array - alert_delay: - additionalProperties: false - description: >- - Indicates that an alert occurs only when the specified - number of consecutive runs met the rule conditions. - type: object - properties: - active: - description: >- - The number of consecutive runs that must meet the rule - conditions. - type: number - required: - - active - consumer: - description: >- - The name of the application or feature that owns the rule. - For example: `alerts`, `apm`, `discover`, `infrastructure`, - `logs`, `metrics`, `ml`, `monitoring`, `securitySolution`, - `siem`, `stackAlerts`, or `uptime`. - type: string - enabled: - default: true - description: >- - Indicates whether you want to run the rule on an interval - basis after it is created. - type: boolean - flapping: - additionalProperties: false - nullable: true - type: object - properties: - look_back_window: - maximum: 20 - minimum: 2 - type: number - status_change_threshold: - maximum: 20 - minimum: 2 - type: number - required: - - look_back_window - - status_change_threshold - name: - description: >- - The name of the rule. While this name does not have to be - unique, a distinctive name can help you identify a rule. - type: string - notify_when: - description: >- - Indicates how often alerts generate actions. Valid values - include: `onActionGroupChange`: Actions run when the alert - status changes; `onActiveAlert`: Actions run when the alert - becomes active and at each check interval while the rule - conditions are met; `onThrottleInterval`: Actions run when - the alert becomes active and at the interval specified in - the throttle property while the rule conditions are met. - NOTE: You cannot specify `notify_when` at both the rule and - action level. The recommended method is to set it for each - action. If you set it at the rule level then update the rule - in Kibana, it is automatically changed to use - action-specific values. - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - nullable: true - type: string - params: - additionalProperties: {} - default: {} - description: The parameters for the rule. - type: object - rule_type_id: - description: The rule type identifier. - type: string - schedule: - additionalProperties: false - description: >- - The check interval, which specifies how frequently the rule - conditions are checked. - type: object - properties: - interval: - description: >- - The interval is specified in seconds, minutes, hours, or - days. - type: string - required: - - interval - tags: - default: [] - description: The tags for the rule. - items: - type: string - type: array - throttle: - description: >- - Use the `throttle` property in the action `frequency` object - instead. The throttle interval, which defines how often an - alert generates repeated actions. NOTE: You cannot specify - the throttle interval at both the rule and action level. If - you set it at the rule level then update the rule in Kibana, - it is automatically changed to use action-specific values. - nullable: true - type: string - required: - - name - - rule_type_id - - consumer - - schedule - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - additionalProperties: false - type: object - properties: - actions: - items: - additionalProperties: false - type: object - properties: - alerts_filter: - additionalProperties: false - description: >- - Defines a period that limits whether the action - runs. - type: object - properties: - query: - additionalProperties: false - type: object - properties: - dsl: - description: >- - A filter written in Elasticsearch Query - Domain Specific Language (DSL). - type: string - filters: - description: >- - A filter written in Elasticsearch Query - Domain Specific Language (DSL) as defined in - the `kbn-es-query` package. - items: - additionalProperties: false - type: object - properties: - $state: - additionalProperties: false - type: object - properties: - store: - description: >- - A filter can be either specific to an - application context or applied globally. - enum: - - appState - - globalState - type: string - required: - - store - meta: - additionalProperties: {} - type: object - query: - additionalProperties: {} - type: object - required: - - meta - type: array - kql: - description: >- - A filter written in Kibana Query Language - (KQL). - type: string - required: - - kql - - filters - timeframe: - additionalProperties: false - type: object - properties: - days: - description: >- - Defines the days of the week that the action - can run, represented as an array of numbers. - For example, `1` represents Monday. An empty - array is equivalent to specifying all the - days of the week. - items: - enum: - - 1 - - 2 - - 3 - - 4 - - 5 - - 6 - - 7 - type: integer - type: array - hours: - additionalProperties: false - type: object - properties: - end: - description: >- - The end of the time frame in 24-hour - notation (`hh:mm`). - type: string - start: - description: >- - The start of the time frame in 24-hour - notation (`hh:mm`). - type: string - required: - - start - - end - timezone: - description: >- - The ISO time zone for the `hours` values. - Values such as `UTC` and `UTC+1` also work - but lack built-in daylight savings time - support and are not recommended. - type: string - required: - - days - - hours - - timezone - connector_type_id: - description: >- - The type of connector. This property appears in - responses but cannot be set in requests. - type: string - frequency: - additionalProperties: false - type: object - properties: - notify_when: - description: >- - Indicates how often alerts generate actions. - Valid values include: `onActionGroupChange`: - Actions run when the alert status changes; - `onActiveAlert`: Actions run when the alert - becomes active and at each check interval while - the rule conditions are met; - `onThrottleInterval`: Actions run when the alert - becomes active and at the interval specified in - the throttle property while the rule conditions - are met. NOTE: You cannot specify `notify_when` - at both the rule and action level. The - recommended method is to set it for each action. - If you set it at the rule level then update the - rule in Kibana, it is automatically changed to - use action-specific values. - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - type: string - summary: - description: Indicates whether the action is a summary. - type: boolean - throttle: - description: >- - The throttle interval, which defines how often - an alert generates repeated actions. It is - specified in seconds, minutes, hours, or days - and is applicable only if 'notify_when' is set - to 'onThrottleInterval'. NOTE: You cannot - specify the throttle interval at both the rule - and action level. The recommended method is to - set it for each action. If you set it at the - rule level then update the rule in Kibana, it is - automatically changed to use action-specific - values. - nullable: true - type: string - required: - - summary - - notify_when - - throttle - group: - description: >- - The group name, which affects when the action runs - (for example, when the threshold is met or when the - alert is recovered). Each rule type has a list of - valid action group names. If you don't need to group - actions, set to `default`. - type: string - id: - description: The identifier for the connector saved object. - type: string - params: - additionalProperties: {} - description: >- - The parameters for the action, which are sent to the - connector. The `params` are handled as Mustache - templates and passed a default set of context. - type: object - use_alert_data_for_template: - description: Indicates whether to use alert data as a template. - type: boolean - uuid: - description: >- - A universally unique identifier (UUID) for the - action. - type: string - required: - - id - - connector_type_id - - params - type: array - active_snoozes: - items: - description: List of active snoozes for the rule. - type: string - type: array - alert_delay: - additionalProperties: false - description: >- - Indicates that an alert occurs only when the specified - number of consecutive runs met the rule conditions. - type: object - properties: - active: - description: >- - The number of consecutive runs that must meet the rule - conditions. - type: number - required: - - active - api_key_created_by_user: - description: >- - Indicates whether the API key that is associated with the - rule was created by the user. - nullable: true - type: boolean - api_key_owner: - description: >- - The owner of the API key that is associated with the rule - and used to run background tasks. - nullable: true - type: string - consumer: - description: >- - The name of the application or feature that owns the rule. - For example: `alerts`, `apm`, `discover`, - `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, - `securitySolution`, `siem`, `stackAlerts`, or `uptime`. - type: string - created_at: - description: The date and time that the rule was created. - type: string - created_by: - description: The identifier for the user that created the rule. - nullable: true - type: string - enabled: - description: >- - Indicates whether you want to run the rule on an interval - basis after it is created. - type: boolean - execution_status: - additionalProperties: false - type: object - properties: - error: - additionalProperties: false - type: object - properties: - message: - description: Error message. - type: string - reason: - description: Reason for error. - enum: - - read - - decrypt - - execute - - unknown - - license - - timeout - - disabled - - validate - type: string - required: - - reason - - message - last_duration: - description: Duration of last execution of the rule. - type: number - last_execution_date: - description: The date and time when rule was executed last. - type: string - status: - description: Status of rule execution. - enum: - - ok - - active - - error - - warning - - pending - - unknown - type: string - warning: - additionalProperties: false - type: object - properties: - message: - description: Warning message. - type: string - reason: - description: Reason for warning. - enum: - - maxExecutableActions - - maxAlerts - - maxQueuedActions - - ruleExecution - type: string - required: - - reason - - message - required: - - status - - last_execution_date - flapping: - additionalProperties: false - nullable: true - type: object - properties: - look_back_window: - maximum: 20 - minimum: 2 - type: number - status_change_threshold: - maximum: 20 - minimum: 2 - type: number - required: - - look_back_window - - status_change_threshold - id: - description: The identifier for the rule. - type: string - is_snoozed_until: - description: The date when the rule will no longer be snoozed. - nullable: true - type: string - last_run: - additionalProperties: false - nullable: true - type: object - properties: - alerts_count: - additionalProperties: false - type: object - properties: - active: - description: Number of active alerts during last run. - nullable: true - type: number - ignored: - description: Number of ignored alerts during last run. - nullable: true - type: number - new: - description: Number of new alerts during last run. - nullable: true - type: number - recovered: - description: Number of recovered alerts during last run. - nullable: true - type: number - outcome: - description: >- - Outcome of last run of the rule. Value could be - succeeded, warning or failed. - enum: - - succeeded - - warning - - failed - type: string - outcome_msg: - items: - description: Outcome message generated during last rule run. - type: string - nullable: true - type: array - outcome_order: - description: Order of the outcome. - type: number - warning: - description: Warning of last rule execution. - enum: - - read - - decrypt - - execute - - unknown - - license - - timeout - - disabled - - validate - - maxExecutableActions - - maxAlerts - - maxQueuedActions - - ruleExecution - nullable: true - type: string - required: - - outcome - - alerts_count - mapped_params: - additionalProperties: {} - type: object - monitoring: - additionalProperties: false - description: Monitoring details of the rule. - type: object - properties: - run: - additionalProperties: false - description: Rule run details. - type: object - properties: - calculated_metrics: - additionalProperties: false - description: >- - Calculation of different percentiles and success - ratio. - type: object - properties: - p50: - type: number - p95: - type: number - p99: - type: number - success_ratio: - type: number - required: - - success_ratio - history: - description: History of the rule run. - items: - additionalProperties: false - type: object - properties: - duration: - description: Duration of the rule run. - type: number - outcome: - description: >- - Outcome of last run of the rule. Value could - be succeeded, warning or failed. - enum: - - succeeded - - warning - - failed - type: string - success: - description: >- - Indicates whether the rule run was - successful. - type: boolean - timestamp: - description: Time of rule run. - type: number - required: - - success - - timestamp - type: array - last_run: - additionalProperties: false - type: object - properties: - metrics: - additionalProperties: false - type: object - properties: - duration: - description: Duration of most recent rule run. - type: number - gap_duration_s: - description: Duration in seconds of rule run gap. - nullable: true - type: number - total_alerts_created: - description: >- - Total number of alerts created during last - rule run. - nullable: true - type: number - total_alerts_detected: - description: >- - Total number of alerts detected during - last rule run. - nullable: true - type: number - total_indexing_duration_ms: - description: >- - Total time spent indexing documents during - last rule run in milliseconds. - nullable: true - type: number - total_search_duration_ms: - description: >- - Total time spent performing Elasticsearch - searches as measured by Kibana; includes - network latency and time spent serializing - or deserializing the request and response. - nullable: true - type: number - timestamp: - description: Time of the most recent rule run. - type: string - required: - - timestamp - - metrics - required: - - history - - calculated_metrics - - last_run - required: - - run - mute_all: - description: Indicates whether all alerts are muted. - type: boolean - muted_alert_ids: - items: - description: 'List of identifiers of muted alerts. ' - type: string - type: array - name: - description: ' The name of the rule.' - type: string - next_run: - description: Date and time of the next run of the rule. - nullable: true - type: string - notify_when: - description: >- - Indicates how often alerts generate actions. Valid values - include: `onActionGroupChange`: Actions run when the alert - status changes; `onActiveAlert`: Actions run when the - alert becomes active and at each check interval while the - rule conditions are met; `onThrottleInterval`: Actions run - when the alert becomes active and at the interval - specified in the throttle property while the rule - conditions are met. NOTE: You cannot specify `notify_when` - at both the rule and action level. The recommended method - is to set it for each action. If you set it at the rule - level then update the rule in Kibana, it is automatically - changed to use action-specific values. - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - nullable: true - type: string - params: - additionalProperties: {} - description: The parameters for the rule. - type: object - revision: - description: The rule revision number. - type: number - rule_type_id: - description: The rule type identifier. - type: string - running: - description: Indicates whether the rule is running. - nullable: true - type: boolean - schedule: - additionalProperties: false - type: object - properties: - interval: - description: >- - The interval is specified in seconds, minutes, hours, - or days. - type: string - required: - - interval - scheduled_task_id: - description: Identifier of the scheduled task. - type: string - snooze_schedule: - items: - additionalProperties: false - type: object - properties: - duration: - description: Duration of the rule snooze schedule. - type: number - id: - description: Identifier of the rule snooze schedule. - type: string - rRule: - additionalProperties: false - type: object - properties: - byhour: - items: - description: Indicates hours of the day to recur. - type: number - nullable: true - type: array - byminute: - items: - description: Indicates minutes of the hour to recur. - type: number - nullable: true - type: array - bymonth: - items: - description: >- - Indicates months of the year that this rule - should recur. - type: number - nullable: true - type: array - bymonthday: - items: - description: Indicates the days of the month to recur. - type: number - nullable: true - type: array - bysecond: - items: - description: Indicates seconds of the day to recur. - type: number - nullable: true - type: array - bysetpos: - items: - description: >- - A positive or negative integer affecting the - nth day of the month. For example, -2 combined - with `byweekday` of FR is 2nd to last Friday - of the month. It is recommended to not set - this manually and just use `byweekday`. - type: number - nullable: true - type: array - byweekday: - items: - anyOf: - - type: string - - type: number - description: >- - Indicates the days of the week to recur or - else nth-day-of-month strings. For example, - "+2TU" second Tuesday of month, "-1FR" last - Friday of the month, which are internally - converted to a `byweekday/bysetpos` - combination. - nullable: true - type: array - byweekno: - items: - description: Indicates number of the week hours to recur. - type: number - nullable: true - type: array - byyearday: - items: - description: >- - Indicates the days of the year that this rule - should recur. - type: number - nullable: true - type: array - count: - description: >- - Number of times the rule should recur until it - stops. - type: number - dtstart: - description: >- - Rule start date in Coordinated Universal Time - (UTC). - type: string - freq: - description: >- - Indicates frequency of the rule. Options are - YEARLY, MONTHLY, WEEKLY, DAILY. - enum: - - 0 - - 1 - - 2 - - 3 - - 4 - - 5 - - 6 - type: integer - interval: - description: >- - Indicates the interval of frequency. For - example, 1 and YEARLY is every 1 year, 2 and - WEEKLY is every 2 weeks. - type: number - tzid: - description: Indicates timezone abbreviation. - type: string - until: - description: Recur the rule until this date. - type: string - wkst: - description: 'Indicates the start of week, defaults to Monday.' - enum: - - MO - - TU - - WE - - TH - - FR - - SA - - SU - type: string - required: - - dtstart - - tzid - skipRecurrences: - items: - description: Skips recurrence of rule on this date. - type: string - type: array - required: - - duration - - rRule - type: array - tags: - items: - description: The tags for the rule. - type: string - type: array - throttle: - deprecated: true - description: >- - Deprecated in 8.13.0. Use the `throttle` property in the - action `frequency` object instead. The throttle interval, - which defines how often an alert generates repeated - actions. NOTE: You cannot specify the throttle interval at - both the rule and action level. If you set it at the rule - level then update the rule in Kibana, it is automatically - changed to use action-specific values. - nullable: true - type: string - updated_at: - description: The date and time that the rule was updated most recently. - type: string - updated_by: - description: >- - The identifier for the user that updated this rule most - recently. - nullable: true - type: string - view_in_app_relative_url: - description: Relative URL to view rule in the app. - nullable: true - type: string - required: - - id - - enabled - - name - - tags - - rule_type_id - - consumer - - schedule - - actions - - params - - created_by - - updated_by - - created_at - - updated_at - - api_key_owner - - mute_all - - muted_alert_ids - - execution_status - - revision - description: Indicates a successful call. - '400': - description: Indicates an invalid schema or parameters. - '403': - description: Indicates that this call is forbidden. - '409': - description: Indicates that the rule id is already in use. - summary: Create a rule - tags: - - alerting - put: - operationId: '%2Fapi%2Falerting%2Frule%2F%7Bid%7D#1' - parameters: - - description: The version of the API to use - in: header - name: elastic-api-version - schema: - default: '2023-10-31' - enum: - - '2023-10-31' - type: string - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The identifier for the rule. - in: path - name: id - required: true - schema: - type: string - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - additionalProperties: false - type: object - properties: - actions: - default: [] - items: - additionalProperties: false - description: An action that runs under defined conditions. - type: object - properties: - alerts_filter: - additionalProperties: false - type: object - properties: - query: - additionalProperties: false - type: object - properties: - dsl: - description: >- - A filter written in Elasticsearch Query Domain - Specific Language (DSL). - type: string - filters: - description: >- - A filter written in Elasticsearch Query Domain - Specific Language (DSL) as defined in the - `kbn-es-query` package. - items: - additionalProperties: false - type: object - properties: - $state: - additionalProperties: false - type: object - properties: - store: - description: >- - A filter can be either specific to an - application context or applied globally. - enum: - - appState - - globalState - type: string - required: - - store - meta: - additionalProperties: {} - type: object - query: - additionalProperties: {} - type: object - required: - - meta - type: array - kql: - description: >- - A filter written in Kibana Query Language - (KQL). - type: string - required: - - kql - - filters - timeframe: - additionalProperties: false - description: >- - Defines a period that limits whether the action - runs. - type: object - properties: - days: - description: >- - Defines the days of the week that the action - can run, represented as an array of numbers. - For example, `1` represents Monday. An empty - array is equivalent to specifying all the days - of the week. - items: - enum: - - 1 - - 2 - - 3 - - 4 - - 5 - - 6 - - 7 - type: integer - type: array - hours: - additionalProperties: false - description: >- - Defines the range of time in a day that the - action can run. If the `start` value is - `00:00` and the `end` value is `24:00`, - actions be generated all day. - type: object - properties: - end: - description: >- - The end of the time frame in 24-hour - notation (`hh:mm`). - type: string - start: - description: >- - The start of the time frame in 24-hour - notation (`hh:mm`). - type: string - required: - - start - - end - timezone: - description: >- - The ISO time zone for the `hours` values. - Values such as `UTC` and `UTC+1` also work but - lack built-in daylight savings time support - and are not recommended. - type: string - required: - - days - - hours - - timezone - frequency: - additionalProperties: false - type: object - properties: - notify_when: - description: >- - Indicates how often alerts generate actions. Valid - values include: `onActionGroupChange`: Actions run - when the alert status changes; `onActiveAlert`: - Actions run when the alert becomes active and at - each check interval while the rule conditions are - met; `onThrottleInterval`: Actions run when the - alert becomes active and at the interval specified - in the throttle property while the rule conditions - are met. NOTE: You cannot specify `notify_when` at - both the rule and action level. The recommended - method is to set it for each action. If you set it - at the rule level then update the rule in Kibana, - it is automatically changed to use action-specific - values. - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - type: string - summary: - description: Indicates whether the action is a summary. - type: boolean - throttle: - description: >- - The throttle interval, which defines how often an - alert generates repeated actions. It is specified - in seconds, minutes, hours, or days and is - applicable only if `notify_when` is set to - `onThrottleInterval`. NOTE: You cannot specify the - throttle interval at both the rule and action - level. The recommended method is to set it for - each action. If you set it at the rule level then - update the rule in Kibana, it is automatically - changed to use action-specific values. - nullable: true - type: string - required: - - summary - - notify_when - - throttle - group: - description: >- - The group name, which affects when the action runs - (for example, when the threshold is met or when the - alert is recovered). Each rule type has a list of - valid action group names. If you don't need to group - actions, set to `default`. - type: string - id: - description: The identifier for the connector saved object. - type: string - params: - additionalProperties: {} - default: {} - description: >- - The parameters for the action, which are sent to the - connector. The `params` are handled as Mustache - templates and passed a default set of context. - type: object - use_alert_data_for_template: - description: Indicates whether to use alert data as a template. - type: boolean - uuid: - description: A universally unique identifier (UUID) for the action. - type: string - required: - - id - type: array - alert_delay: - additionalProperties: false - description: >- - Indicates that an alert occurs only when the specified - number of consecutive runs met the rule conditions. - type: object - properties: - active: - description: >- - The number of consecutive runs that must meet the rule - conditions. - type: number - required: - - active - flapping: - additionalProperties: false - nullable: true - type: object - properties: - look_back_window: - maximum: 20 - minimum: 2 - type: number - status_change_threshold: - maximum: 20 - minimum: 2 - type: number - required: - - look_back_window - - status_change_threshold - name: - description: >- - The name of the rule. While this name does not have to be - unique, a distinctive name can help you identify a rule. - type: string - notify_when: - description: >- - Indicates how often alerts generate actions. Valid values - include: `onActionGroupChange`: Actions run when the alert - status changes; `onActiveAlert`: Actions run when the alert - becomes active and at each check interval while the rule - conditions are met; `onThrottleInterval`: Actions run when - the alert becomes active and at the interval specified in - the throttle property while the rule conditions are met. - NOTE: You cannot specify `notify_when` at both the rule and - action level. The recommended method is to set it for each - action. If you set it at the rule level then update the rule - in Kibana, it is automatically changed to use - action-specific values. - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - nullable: true - type: string - params: - additionalProperties: {} - default: {} - description: The parameters for the rule. - type: object - schedule: - additionalProperties: false - type: object - properties: - interval: - description: >- - The interval is specified in seconds, minutes, hours, or - days. - type: string - required: - - interval - tags: - default: [] - items: - description: The tags for the rule. - type: string - type: array - throttle: - description: >- - Use the `throttle` property in the action `frequency` object - instead. The throttle interval, which defines how often an - alert generates repeated actions. NOTE: You cannot specify - the throttle interval at both the rule and action level. If - you set it at the rule level then update the rule in Kibana, - it is automatically changed to use action-specific values. - nullable: true - type: string - required: - - name - - schedule - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - additionalProperties: false - type: object - properties: - actions: - items: - additionalProperties: false - type: object - properties: - alerts_filter: - additionalProperties: false - description: >- - Defines a period that limits whether the action - runs. - type: object - properties: - query: - additionalProperties: false - type: object - properties: - dsl: - description: >- - A filter written in Elasticsearch Query - Domain Specific Language (DSL). - type: string - filters: - description: >- - A filter written in Elasticsearch Query - Domain Specific Language (DSL) as defined in - the `kbn-es-query` package. - items: - additionalProperties: false - type: object - properties: - $state: - additionalProperties: false - type: object - properties: - store: - description: >- - A filter can be either specific to an - application context or applied globally. - enum: - - appState - - globalState - type: string - required: - - store - meta: - additionalProperties: {} - type: object - query: - additionalProperties: {} - type: object - required: - - meta - type: array - kql: - description: >- - A filter written in Kibana Query Language - (KQL). - type: string - required: - - kql - - filters - timeframe: - additionalProperties: false - type: object - properties: - days: - description: >- - Defines the days of the week that the action - can run, represented as an array of numbers. - For example, `1` represents Monday. An empty - array is equivalent to specifying all the - days of the week. - items: - enum: - - 1 - - 2 - - 3 - - 4 - - 5 - - 6 - - 7 - type: integer - type: array - hours: - additionalProperties: false - type: object - properties: - end: - description: >- - The end of the time frame in 24-hour - notation (`hh:mm`). - type: string - start: - description: >- - The start of the time frame in 24-hour - notation (`hh:mm`). - type: string - required: - - start - - end - timezone: - description: >- - The ISO time zone for the `hours` values. - Values such as `UTC` and `UTC+1` also work - but lack built-in daylight savings time - support and are not recommended. - type: string - required: - - days - - hours - - timezone - connector_type_id: - description: >- - The type of connector. This property appears in - responses but cannot be set in requests. - type: string - frequency: - additionalProperties: false - type: object - properties: - notify_when: - description: >- - Indicates how often alerts generate actions. - Valid values include: `onActionGroupChange`: - Actions run when the alert status changes; - `onActiveAlert`: Actions run when the alert - becomes active and at each check interval while - the rule conditions are met; - `onThrottleInterval`: Actions run when the alert - becomes active and at the interval specified in - the throttle property while the rule conditions - are met. NOTE: You cannot specify `notify_when` - at both the rule and action level. The - recommended method is to set it for each action. - If you set it at the rule level then update the - rule in Kibana, it is automatically changed to - use action-specific values. - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - type: string - summary: - description: Indicates whether the action is a summary. - type: boolean - throttle: - description: >- - The throttle interval, which defines how often - an alert generates repeated actions. It is - specified in seconds, minutes, hours, or days - and is applicable only if 'notify_when' is set - to 'onThrottleInterval'. NOTE: You cannot - specify the throttle interval at both the rule - and action level. The recommended method is to - set it for each action. If you set it at the - rule level then update the rule in Kibana, it is - automatically changed to use action-specific - values. - nullable: true - type: string - required: - - summary - - notify_when - - throttle - group: - description: >- - The group name, which affects when the action runs - (for example, when the threshold is met or when the - alert is recovered). Each rule type has a list of - valid action group names. If you don't need to group - actions, set to `default`. - type: string - id: - description: The identifier for the connector saved object. - type: string - params: - additionalProperties: {} - description: >- - The parameters for the action, which are sent to the - connector. The `params` are handled as Mustache - templates and passed a default set of context. - type: object - use_alert_data_for_template: - description: Indicates whether to use alert data as a template. - type: boolean - uuid: - description: >- - A universally unique identifier (UUID) for the - action. - type: string - required: - - id - - connector_type_id - - params - type: array - active_snoozes: - items: - description: List of active snoozes for the rule. - type: string - type: array - alert_delay: - additionalProperties: false - description: >- - Indicates that an alert occurs only when the specified - number of consecutive runs met the rule conditions. - type: object - properties: - active: - description: >- - The number of consecutive runs that must meet the rule - conditions. - type: number - required: - - active - api_key_created_by_user: - description: >- - Indicates whether the API key that is associated with the - rule was created by the user. - nullable: true - type: boolean - api_key_owner: - description: >- - The owner of the API key that is associated with the rule - and used to run background tasks. - nullable: true - type: string - consumer: - description: >- - The name of the application or feature that owns the rule. - For example: `alerts`, `apm`, `discover`, - `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, - `securitySolution`, `siem`, `stackAlerts`, or `uptime`. - type: string - created_at: - description: The date and time that the rule was created. - type: string - created_by: - description: The identifier for the user that created the rule. - nullable: true - type: string - enabled: - description: >- - Indicates whether you want to run the rule on an interval - basis after it is created. - type: boolean - execution_status: - additionalProperties: false - type: object - properties: - error: - additionalProperties: false - type: object - properties: - message: - description: Error message. - type: string - reason: - description: Reason for error. - enum: - - read - - decrypt - - execute - - unknown - - license - - timeout - - disabled - - validate - type: string - required: - - reason - - message - last_duration: - description: Duration of last execution of the rule. - type: number - last_execution_date: - description: The date and time when rule was executed last. - type: string - status: - description: Status of rule execution. - enum: - - ok - - active - - error - - warning - - pending - - unknown - type: string - warning: - additionalProperties: false - type: object - properties: - message: - description: Warning message. - type: string - reason: - description: Reason for warning. - enum: - - maxExecutableActions - - maxAlerts - - maxQueuedActions - - ruleExecution - type: string - required: - - reason - - message - required: - - status - - last_execution_date - flapping: - additionalProperties: false - nullable: true - type: object - properties: - look_back_window: - maximum: 20 - minimum: 2 - type: number - status_change_threshold: - maximum: 20 - minimum: 2 - type: number - required: - - look_back_window - - status_change_threshold - id: - description: The identifier for the rule. - type: string - is_snoozed_until: - description: The date when the rule will no longer be snoozed. - nullable: true - type: string - last_run: - additionalProperties: false - nullable: true - type: object - properties: - alerts_count: - additionalProperties: false - type: object - properties: - active: - description: Number of active alerts during last run. - nullable: true - type: number - ignored: - description: Number of ignored alerts during last run. - nullable: true - type: number - new: - description: Number of new alerts during last run. - nullable: true - type: number - recovered: - description: Number of recovered alerts during last run. - nullable: true - type: number - outcome: - description: >- - Outcome of last run of the rule. Value could be - succeeded, warning or failed. - enum: - - succeeded - - warning - - failed - type: string - outcome_msg: - items: - description: Outcome message generated during last rule run. - type: string - nullable: true - type: array - outcome_order: - description: Order of the outcome. - type: number - warning: - description: Warning of last rule execution. - enum: - - read - - decrypt - - execute - - unknown - - license - - timeout - - disabled - - validate - - maxExecutableActions - - maxAlerts - - maxQueuedActions - - ruleExecution - nullable: true - type: string - required: - - outcome - - alerts_count - mapped_params: - additionalProperties: {} - type: object - monitoring: - additionalProperties: false - description: Monitoring details of the rule. - type: object - properties: - run: - additionalProperties: false - description: Rule run details. - type: object - properties: - calculated_metrics: - additionalProperties: false - description: >- - Calculation of different percentiles and success - ratio. - type: object - properties: - p50: - type: number - p95: - type: number - p99: - type: number - success_ratio: - type: number - required: - - success_ratio - history: - description: History of the rule run. - items: - additionalProperties: false - type: object - properties: - duration: - description: Duration of the rule run. - type: number - outcome: - description: >- - Outcome of last run of the rule. Value could - be succeeded, warning or failed. - enum: - - succeeded - - warning - - failed - type: string - success: - description: >- - Indicates whether the rule run was - successful. - type: boolean - timestamp: - description: Time of rule run. - type: number - required: - - success - - timestamp - type: array - last_run: - additionalProperties: false - type: object - properties: - metrics: - additionalProperties: false - type: object - properties: - duration: - description: Duration of most recent rule run. - type: number - gap_duration_s: - description: Duration in seconds of rule run gap. - nullable: true - type: number - total_alerts_created: - description: >- - Total number of alerts created during last - rule run. - nullable: true - type: number - total_alerts_detected: - description: >- - Total number of alerts detected during - last rule run. - nullable: true - type: number - total_indexing_duration_ms: - description: >- - Total time spent indexing documents during - last rule run in milliseconds. - nullable: true - type: number - total_search_duration_ms: - description: >- - Total time spent performing Elasticsearch - searches as measured by Kibana; includes - network latency and time spent serializing - or deserializing the request and response. - nullable: true - type: number - timestamp: - description: Time of the most recent rule run. - type: string - required: - - timestamp - - metrics - required: - - history - - calculated_metrics - - last_run - required: - - run - mute_all: - description: Indicates whether all alerts are muted. - type: boolean - muted_alert_ids: - items: - description: 'List of identifiers of muted alerts. ' - type: string - type: array - name: - description: ' The name of the rule.' - type: string - next_run: - description: Date and time of the next run of the rule. - nullable: true - type: string - notify_when: - description: >- - Indicates how often alerts generate actions. Valid values - include: `onActionGroupChange`: Actions run when the alert - status changes; `onActiveAlert`: Actions run when the - alert becomes active and at each check interval while the - rule conditions are met; `onThrottleInterval`: Actions run - when the alert becomes active and at the interval - specified in the throttle property while the rule - conditions are met. NOTE: You cannot specify `notify_when` - at both the rule and action level. The recommended method - is to set it for each action. If you set it at the rule - level then update the rule in Kibana, it is automatically - changed to use action-specific values. - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - nullable: true - type: string - params: - additionalProperties: {} - description: The parameters for the rule. - type: object - revision: - description: The rule revision number. - type: number - rule_type_id: - description: The rule type identifier. - type: string - running: - description: Indicates whether the rule is running. - nullable: true - type: boolean - schedule: - additionalProperties: false - type: object - properties: - interval: - description: >- - The interval is specified in seconds, minutes, hours, - or days. - type: string - required: - - interval - scheduled_task_id: - description: Identifier of the scheduled task. - type: string - snooze_schedule: - items: - additionalProperties: false - type: object - properties: - duration: - description: Duration of the rule snooze schedule. - type: number - id: - description: Identifier of the rule snooze schedule. - type: string - rRule: - additionalProperties: false - type: object - properties: - byhour: - items: - description: Indicates hours of the day to recur. - type: number - nullable: true - type: array - byminute: - items: - description: Indicates minutes of the hour to recur. - type: number - nullable: true - type: array - bymonth: - items: - description: >- - Indicates months of the year that this rule - should recur. - type: number - nullable: true - type: array - bymonthday: - items: - description: Indicates the days of the month to recur. - type: number - nullable: true - type: array - bysecond: - items: - description: Indicates seconds of the day to recur. - type: number - nullable: true - type: array - bysetpos: - items: - description: >- - A positive or negative integer affecting the - nth day of the month. For example, -2 combined - with `byweekday` of FR is 2nd to last Friday - of the month. It is recommended to not set - this manually and just use `byweekday`. - type: number - nullable: true - type: array - byweekday: - items: - anyOf: - - type: string - - type: number - description: >- - Indicates the days of the week to recur or - else nth-day-of-month strings. For example, - "+2TU" second Tuesday of month, "-1FR" last - Friday of the month, which are internally - converted to a `byweekday/bysetpos` - combination. - nullable: true - type: array - byweekno: - items: - description: Indicates number of the week hours to recur. - type: number - nullable: true - type: array - byyearday: - items: - description: >- - Indicates the days of the year that this rule - should recur. - type: number - nullable: true - type: array - count: - description: >- - Number of times the rule should recur until it - stops. - type: number - dtstart: - description: >- - Rule start date in Coordinated Universal Time - (UTC). - type: string - freq: - description: >- - Indicates frequency of the rule. Options are - YEARLY, MONTHLY, WEEKLY, DAILY. - enum: - - 0 - - 1 - - 2 - - 3 - - 4 - - 5 - - 6 - type: integer - interval: - description: >- - Indicates the interval of frequency. For - example, 1 and YEARLY is every 1 year, 2 and - WEEKLY is every 2 weeks. - type: number - tzid: - description: Indicates timezone abbreviation. - type: string - until: - description: Recur the rule until this date. - type: string - wkst: - description: 'Indicates the start of week, defaults to Monday.' - enum: - - MO - - TU - - WE - - TH - - FR - - SA - - SU - type: string - required: - - dtstart - - tzid - skipRecurrences: - items: - description: Skips recurrence of rule on this date. - type: string - type: array - required: - - duration - - rRule - type: array - tags: - items: - description: The tags for the rule. - type: string - type: array - throttle: - deprecated: true - description: >- - Deprecated in 8.13.0. Use the `throttle` property in the - action `frequency` object instead. The throttle interval, - which defines how often an alert generates repeated - actions. NOTE: You cannot specify the throttle interval at - both the rule and action level. If you set it at the rule - level then update the rule in Kibana, it is automatically - changed to use action-specific values. - nullable: true - type: string - updated_at: - description: The date and time that the rule was updated most recently. - type: string - updated_by: - description: >- - The identifier for the user that updated this rule most - recently. - nullable: true - type: string - view_in_app_relative_url: - description: Relative URL to view rule in the app. - nullable: true - type: string - required: - - id - - enabled - - name - - tags - - rule_type_id - - consumer - - schedule - - actions - - params - - created_by - - updated_by - - created_at - - updated_at - - api_key_owner - - mute_all - - muted_alert_ids - - execution_status - - revision - description: Indicates a successful call. - '400': - description: Indicates an invalid schema or parameters. - '403': - description: Indicates that this call is forbidden. - '404': - description: Indicates a rule with the given ID does not exist. - '409': - description: Indicates that the rule has already been updated by another user. - summary: Update a rule - tags: - - alerting - '/api/alerting/rule/{id}/_disable': - post: - operationId: '%2Fapi%2Falerting%2Frule%2F%7Bid%7D%2F_disable#0' - parameters: - - description: The version of the API to use - in: header - name: elastic-api-version - schema: - default: '2023-10-31' - enum: - - '2023-10-31' - type: string - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The identifier for the rule. - in: path - name: id - required: true - schema: - type: string - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - additionalProperties: false - nullable: true - type: object - properties: - untrack: - description: Defines whether this rule's alerts should be untracked. - type: boolean - x-oas-optional: true - responses: - '204': - description: Indicates a successful call. - '400': - description: Indicates an invalid schema. - '403': - description: Indicates that this call is forbidden. - '404': - description: Indicates a rule with the given ID does not exist. - summary: Disable a rule - tags: - - alerting - '/api/alerting/rule/{id}/_enable': - post: - operationId: '%2Fapi%2Falerting%2Frule%2F%7Bid%7D%2F_enable#0' - parameters: - - description: The version of the API to use - in: header - name: elastic-api-version - schema: - default: '2023-10-31' - enum: - - '2023-10-31' - type: string - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The identifier for the rule. - in: path - name: id - required: true - schema: - type: string - responses: - '204': - description: Indicates a successful call. - '400': - description: Indicates an invalid schema or parameters. - '403': - description: Indicates that this call is forbidden. - '404': - description: Indicates a rule with the given ID does not exist. - summary: Enable a rule - tags: - - alerting - '/api/alerting/rule/{id}/_mute_all': - post: - operationId: '%2Fapi%2Falerting%2Frule%2F%7Bid%7D%2F_mute_all#0' - parameters: - - description: The version of the API to use - in: header - name: elastic-api-version - schema: - default: '2023-10-31' - enum: - - '2023-10-31' - type: string - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The identifier for the rule. - in: path - name: id - required: true - schema: - type: string - responses: - '204': - description: Indicates a successful call. - '400': - description: Indicates an invalid schema or parameters. - '403': - description: Indicates that this call is forbidden. - '404': - description: Indicates a rule with the given ID does not exist. - summary: Mute all alerts - tags: - - alerting - '/api/alerting/rule/{id}/_unmute_all': - post: - operationId: '%2Fapi%2Falerting%2Frule%2F%7Bid%7D%2F_unmute_all#0' - parameters: - - description: The version of the API to use - in: header - name: elastic-api-version - schema: - default: '2023-10-31' - enum: - - '2023-10-31' - type: string - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The identifier for the rule. - in: path - name: id - required: true - schema: - type: string - responses: - '204': - description: Indicates a successful call. - '400': - description: Indicates an invalid schema or parameters. - '403': - description: Indicates that this call is forbidden. - '404': - description: Indicates a rule with the given ID does not exist. - summary: Unmute all alerts - tags: - - alerting - '/api/alerting/rule/{id}/_update_api_key': - post: - operationId: '%2Fapi%2Falerting%2Frule%2F%7Bid%7D%2F_update_api_key#0' - parameters: - - description: The version of the API to use - in: header - name: elastic-api-version - schema: - default: '2023-10-31' - enum: - - '2023-10-31' - type: string - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The identifier for the rule. - in: path - name: id - required: true - schema: - type: string - responses: - '204': - description: Indicates a successful call. - '400': - description: Indicates an invalid schema or parameters. - '403': - description: Indicates that this call is forbidden. - '404': - description: Indicates a rule with the given ID does not exist. - '409': - description: Indicates that the rule has already been updated by another user. - summary: Update the API key for a rule - tags: - - alerting - '/api/alerting/rule/{rule_id}/alert/{alert_id}/_mute': - post: - operationId: >- - %2Fapi%2Falerting%2Frule%2F%7Brule_id%7D%2Falert%2F%7Balert_id%7D%2F_mute#0 - parameters: - - description: The version of the API to use - in: header - name: elastic-api-version - schema: - default: '2023-10-31' - enum: - - '2023-10-31' - type: string - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The identifier for the rule. - in: path - name: rule_id - required: true - schema: - type: string - - description: The identifier for the alert. - in: path - name: alert_id - required: true - schema: - type: string - responses: - '204': - description: Indicates a successful call. - '400': - description: Indicates an invalid schema or parameters. - '403': - description: Indicates that this call is forbidden. - '404': - description: Indicates a rule or alert with the given ID does not exist. - summary: Mute an alert - tags: - - alerting - '/api/alerting/rule/{rule_id}/alert/{alert_id}/_unmute': - post: - operationId: >- - %2Fapi%2Falerting%2Frule%2F%7Brule_id%7D%2Falert%2F%7Balert_id%7D%2F_unmute#0 - parameters: - - description: The version of the API to use - in: header - name: elastic-api-version - schema: - default: '2023-10-31' - enum: - - '2023-10-31' - type: string - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The identifier for the rule. - in: path - name: rule_id - required: true - schema: - type: string - - description: The identifier for the alert. - in: path - name: alert_id - required: true - schema: - type: string - responses: - '204': - description: Indicates a successful call. - '400': - description: Indicates an invalid schema or parameters. - '403': - description: Indicates that this call is forbidden. - '404': - description: Indicates a rule or alert with the given ID does not exist. - summary: Unmute an alert - tags: - - alerting - /api/alerting/rules/_find: - get: - operationId: '%2Fapi%2Falerting%2Frules%2F_find#0' - parameters: - - description: The version of the API to use - in: header - name: elastic-api-version - schema: - default: '2023-10-31' - enum: - - '2023-10-31' - type: string - - description: The number of rules to return per page. - in: query - name: per_page - required: false - schema: - default: 10 - minimum: 0 - type: number - - description: The page number to return. - in: query - name: page - required: false - schema: - default: 1 - minimum: 1 - type: number - - description: >- - An Elasticsearch simple_query_string query that filters the objects - in the response. - in: query - name: search - required: false - schema: - type: string - - description: The default operator to use for the simple_query_string. - in: query - name: default_search_operator - required: false - schema: - default: OR - enum: - - OR - - AND - type: string - - description: The fields to perform the simple_query_string parsed query against. - in: query - name: search_fields - required: false - schema: - anyOf: - - items: - type: string - type: array - - type: string - - description: >- - Determines which field is used to sort the results. The field must - exist in the `attributes` key of the response. - in: query - name: sort_field - required: false - schema: - type: string - - description: Determines the sort order. - in: query - name: sort_order - required: false - schema: - enum: - - asc - - desc - type: string - - description: >- - Filters the rules that have a relation with the reference objects - with a specific type and identifier. - in: query - name: has_reference - required: false - schema: - additionalProperties: false - nullable: true - type: object - properties: - id: - type: string - type: - type: string - required: - - type - - id - - in: query - name: fields - required: false - schema: - items: - description: The fields to return in the `attributes` key of the response. - type: string - type: array - - description: >- - A KQL string that you filter with an attribute from your saved - object. It should look like `savedObjectType.attributes.title: - "myTitle"`. However, if you used a direct attribute of a saved - object, such as `updatedAt`, you must define your filter, for - example, `savedObjectType.updatedAt > 2018-12-22`. - in: query - name: filter - required: false - schema: - type: string - - in: query - name: filter_consumers - required: false - schema: - items: - description: List of consumers to filter. - type: string - type: array - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - additionalProperties: false - type: object - properties: - actions: - items: - additionalProperties: false - type: object - properties: - alerts_filter: - additionalProperties: false - description: >- - Defines a period that limits whether the action - runs. - type: object - properties: - query: - additionalProperties: false - type: object - properties: - dsl: - description: >- - A filter written in Elasticsearch Query - Domain Specific Language (DSL). - type: string - filters: - description: >- - A filter written in Elasticsearch Query - Domain Specific Language (DSL) as defined in - the `kbn-es-query` package. - items: - additionalProperties: false - type: object - properties: - $state: - additionalProperties: false - type: object - properties: - store: - description: >- - A filter can be either specific to an - application context or applied globally. - enum: - - appState - - globalState - type: string - required: - - store - meta: - additionalProperties: {} - type: object - query: - additionalProperties: {} - type: object - required: - - meta - type: array - kql: - description: >- - A filter written in Kibana Query Language - (KQL). - type: string - required: - - kql - - filters - timeframe: - additionalProperties: false - type: object - properties: - days: - description: >- - Defines the days of the week that the action - can run, represented as an array of numbers. - For example, `1` represents Monday. An empty - array is equivalent to specifying all the - days of the week. - items: - enum: - - 1 - - 2 - - 3 - - 4 - - 5 - - 6 - - 7 - type: integer - type: array - hours: - additionalProperties: false - type: object - properties: - end: - description: >- - The end of the time frame in 24-hour - notation (`hh:mm`). - type: string - start: - description: >- - The start of the time frame in 24-hour - notation (`hh:mm`). - type: string - required: - - start - - end - timezone: - description: >- - The ISO time zone for the `hours` values. - Values such as `UTC` and `UTC+1` also work - but lack built-in daylight savings time - support and are not recommended. - type: string - required: - - days - - hours - - timezone - connector_type_id: - description: >- - The type of connector. This property appears in - responses but cannot be set in requests. - type: string - frequency: - additionalProperties: false - type: object - properties: - notify_when: - description: >- - Indicates how often alerts generate actions. - Valid values include: `onActionGroupChange`: - Actions run when the alert status changes; - `onActiveAlert`: Actions run when the alert - becomes active and at each check interval while - the rule conditions are met; - `onThrottleInterval`: Actions run when the alert - becomes active and at the interval specified in - the throttle property while the rule conditions - are met. NOTE: You cannot specify `notify_when` - at both the rule and action level. The - recommended method is to set it for each action. - If you set it at the rule level then update the - rule in Kibana, it is automatically changed to - use action-specific values. - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - type: string - summary: - description: Indicates whether the action is a summary. - type: boolean - throttle: - description: >- - The throttle interval, which defines how often - an alert generates repeated actions. It is - specified in seconds, minutes, hours, or days - and is applicable only if 'notify_when' is set - to 'onThrottleInterval'. NOTE: You cannot - specify the throttle interval at both the rule - and action level. The recommended method is to - set it for each action. If you set it at the - rule level then update the rule in Kibana, it is - automatically changed to use action-specific - values. - nullable: true - type: string - required: - - summary - - notify_when - - throttle - group: - description: >- - The group name, which affects when the action runs - (for example, when the threshold is met or when the - alert is recovered). Each rule type has a list of - valid action group names. If you don't need to group - actions, set to `default`. - type: string - id: - description: The identifier for the connector saved object. - type: string - params: - additionalProperties: {} - description: >- - The parameters for the action, which are sent to the - connector. The `params` are handled as Mustache - templates and passed a default set of context. - type: object - use_alert_data_for_template: - description: Indicates whether to use alert data as a template. - type: boolean - uuid: - description: >- - A universally unique identifier (UUID) for the - action. - type: string - required: - - id - - connector_type_id - - params - type: array - active_snoozes: - items: - description: List of active snoozes for the rule. - type: string - type: array - alert_delay: - additionalProperties: false - description: >- - Indicates that an alert occurs only when the specified - number of consecutive runs met the rule conditions. - type: object - properties: - active: - description: >- - The number of consecutive runs that must meet the rule - conditions. - type: number - required: - - active - api_key_created_by_user: - description: >- - Indicates whether the API key that is associated with the - rule was created by the user. - nullable: true - type: boolean - api_key_owner: - description: >- - The owner of the API key that is associated with the rule - and used to run background tasks. - nullable: true - type: string - consumer: - description: >- - The name of the application or feature that owns the rule. - For example: `alerts`, `apm`, `discover`, - `infrastructure`, `logs`, `metrics`, `ml`, `monitoring`, - `securitySolution`, `siem`, `stackAlerts`, or `uptime`. - type: string - created_at: - description: The date and time that the rule was created. - type: string - created_by: - description: The identifier for the user that created the rule. - nullable: true - type: string - enabled: - description: >- - Indicates whether you want to run the rule on an interval - basis after it is created. - type: boolean - execution_status: - additionalProperties: false - type: object - properties: - error: - additionalProperties: false - type: object - properties: - message: - description: Error message. - type: string - reason: - description: Reason for error. - enum: - - read - - decrypt - - execute - - unknown - - license - - timeout - - disabled - - validate - type: string - required: - - reason - - message - last_duration: - description: Duration of last execution of the rule. - type: number - last_execution_date: - description: The date and time when rule was executed last. - type: string - status: - description: Status of rule execution. - enum: - - ok - - active - - error - - warning - - pending - - unknown - type: string - warning: - additionalProperties: false - type: object - properties: - message: - description: Warning message. - type: string - reason: - description: Reason for warning. - enum: - - maxExecutableActions - - maxAlerts - - maxQueuedActions - - ruleExecution - type: string - required: - - reason - - message - required: - - status - - last_execution_date - flapping: - additionalProperties: false - nullable: true - type: object - properties: - look_back_window: - maximum: 20 - minimum: 2 - type: number - status_change_threshold: - maximum: 20 - minimum: 2 - type: number - required: - - look_back_window - - status_change_threshold - id: - description: The identifier for the rule. - type: string - is_snoozed_until: - description: The date when the rule will no longer be snoozed. - nullable: true - type: string - last_run: - additionalProperties: false - nullable: true - type: object - properties: - alerts_count: - additionalProperties: false - type: object - properties: - active: - description: Number of active alerts during last run. - nullable: true - type: number - ignored: - description: Number of ignored alerts during last run. - nullable: true - type: number - new: - description: Number of new alerts during last run. - nullable: true - type: number - recovered: - description: Number of recovered alerts during last run. - nullable: true - type: number - outcome: - description: >- - Outcome of last run of the rule. Value could be - succeeded, warning or failed. - enum: - - succeeded - - warning - - failed - type: string - outcome_msg: - items: - description: Outcome message generated during last rule run. - type: string - nullable: true - type: array - outcome_order: - description: Order of the outcome. - type: number - warning: - description: Warning of last rule execution. - enum: - - read - - decrypt - - execute - - unknown - - license - - timeout - - disabled - - validate - - maxExecutableActions - - maxAlerts - - maxQueuedActions - - ruleExecution - nullable: true - type: string - required: - - outcome - - alerts_count - mapped_params: - additionalProperties: {} - type: object - monitoring: - additionalProperties: false - description: Monitoring details of the rule. - type: object - properties: - run: - additionalProperties: false - description: Rule run details. - type: object - properties: - calculated_metrics: - additionalProperties: false - description: >- - Calculation of different percentiles and success - ratio. - type: object - properties: - p50: - type: number - p95: - type: number - p99: - type: number - success_ratio: - type: number - required: - - success_ratio - history: - description: History of the rule run. - items: - additionalProperties: false - type: object - properties: - duration: - description: Duration of the rule run. - type: number - outcome: - description: >- - Outcome of last run of the rule. Value could - be succeeded, warning or failed. - enum: - - succeeded - - warning - - failed - type: string - success: - description: >- - Indicates whether the rule run was - successful. - type: boolean - timestamp: - description: Time of rule run. - type: number - required: - - success - - timestamp - type: array - last_run: - additionalProperties: false - type: object - properties: - metrics: - additionalProperties: false - type: object - properties: - duration: - description: Duration of most recent rule run. - type: number - gap_duration_s: - description: Duration in seconds of rule run gap. - nullable: true - type: number - total_alerts_created: - description: >- - Total number of alerts created during last - rule run. - nullable: true - type: number - total_alerts_detected: - description: >- - Total number of alerts detected during - last rule run. - nullable: true - type: number - total_indexing_duration_ms: - description: >- - Total time spent indexing documents during - last rule run in milliseconds. - nullable: true - type: number - total_search_duration_ms: - description: >- - Total time spent performing Elasticsearch - searches as measured by Kibana; includes - network latency and time spent serializing - or deserializing the request and response. - nullable: true - type: number - timestamp: - description: Time of the most recent rule run. - type: string - required: - - timestamp - - metrics - required: - - history - - calculated_metrics - - last_run - required: - - run - mute_all: - description: Indicates whether all alerts are muted. - type: boolean - muted_alert_ids: - items: - description: 'List of identifiers of muted alerts. ' - type: string - type: array - name: - description: ' The name of the rule.' - type: string - next_run: - description: Date and time of the next run of the rule. - nullable: true - type: string - notify_when: - description: >- - Indicates how often alerts generate actions. Valid values - include: `onActionGroupChange`: Actions run when the alert - status changes; `onActiveAlert`: Actions run when the - alert becomes active and at each check interval while the - rule conditions are met; `onThrottleInterval`: Actions run - when the alert becomes active and at the interval - specified in the throttle property while the rule - conditions are met. NOTE: You cannot specify `notify_when` - at both the rule and action level. The recommended method - is to set it for each action. If you set it at the rule - level then update the rule in Kibana, it is automatically - changed to use action-specific values. - enum: - - onActionGroupChange - - onActiveAlert - - onThrottleInterval - nullable: true - type: string - params: - additionalProperties: {} - description: The parameters for the rule. - type: object - revision: - description: The rule revision number. - type: number - rule_type_id: - description: The rule type identifier. - type: string - running: - description: Indicates whether the rule is running. - nullable: true - type: boolean - schedule: - additionalProperties: false - type: object - properties: - interval: - description: >- - The interval is specified in seconds, minutes, hours, - or days. - type: string - required: - - interval - scheduled_task_id: - description: Identifier of the scheduled task. - type: string - snooze_schedule: - items: - additionalProperties: false - type: object - properties: - duration: - description: Duration of the rule snooze schedule. - type: number - id: - description: Identifier of the rule snooze schedule. - type: string - rRule: - additionalProperties: false - type: object - properties: - byhour: - items: - description: Indicates hours of the day to recur. - type: number - nullable: true - type: array - byminute: - items: - description: Indicates minutes of the hour to recur. - type: number - nullable: true - type: array - bymonth: - items: - description: >- - Indicates months of the year that this rule - should recur. - type: number - nullable: true - type: array - bymonthday: - items: - description: Indicates the days of the month to recur. - type: number - nullable: true - type: array - bysecond: - items: - description: Indicates seconds of the day to recur. - type: number - nullable: true - type: array - bysetpos: - items: - description: >- - A positive or negative integer affecting the - nth day of the month. For example, -2 combined - with `byweekday` of FR is 2nd to last Friday - of the month. It is recommended to not set - this manually and just use `byweekday`. - type: number - nullable: true - type: array - byweekday: - items: - anyOf: - - type: string - - type: number - description: >- - Indicates the days of the week to recur or - else nth-day-of-month strings. For example, - "+2TU" second Tuesday of month, "-1FR" last - Friday of the month, which are internally - converted to a `byweekday/bysetpos` - combination. - nullable: true - type: array - byweekno: - items: - description: Indicates number of the week hours to recur. - type: number - nullable: true - type: array - byyearday: - items: - description: >- - Indicates the days of the year that this rule - should recur. - type: number - nullable: true - type: array - count: - description: >- - Number of times the rule should recur until it - stops. - type: number - dtstart: - description: >- - Rule start date in Coordinated Universal Time - (UTC). - type: string - freq: - description: >- - Indicates frequency of the rule. Options are - YEARLY, MONTHLY, WEEKLY, DAILY. - enum: - - 0 - - 1 - - 2 - - 3 - - 4 - - 5 - - 6 - type: integer - interval: - description: >- - Indicates the interval of frequency. For - example, 1 and YEARLY is every 1 year, 2 and - WEEKLY is every 2 weeks. - type: number - tzid: - description: Indicates timezone abbreviation. - type: string - until: - description: Recur the rule until this date. - type: string - wkst: - description: 'Indicates the start of week, defaults to Monday.' - enum: - - MO - - TU - - WE - - TH - - FR - - SA - - SU - type: string - required: - - dtstart - - tzid - skipRecurrences: - items: - description: Skips recurrence of rule on this date. - type: string - type: array - required: - - duration - - rRule - type: array - tags: - items: - description: The tags for the rule. - type: string - type: array - throttle: - deprecated: true - description: >- - Deprecated in 8.13.0. Use the `throttle` property in the - action `frequency` object instead. The throttle interval, - which defines how often an alert generates repeated - actions. NOTE: You cannot specify the throttle interval at - both the rule and action level. If you set it at the rule - level then update the rule in Kibana, it is automatically - changed to use action-specific values. - nullable: true - type: string - updated_at: - description: The date and time that the rule was updated most recently. - type: string - updated_by: - description: >- - The identifier for the user that updated this rule most - recently. - nullable: true - type: string - view_in_app_relative_url: - description: Relative URL to view rule in the app. - nullable: true - type: string - required: - - id - - enabled - - name - - tags - - rule_type_id - - consumer - - schedule - - actions - - params - - created_by - - updated_by - - created_at - - updated_at - - api_key_owner - - mute_all - - muted_alert_ids - - execution_status - - revision - description: Indicates a successful call. - '400': - description: Indicates an invalid schema or parameters. - '403': - description: Indicates that this call is forbidden. - summary: Get information about rules - tags: - - alerting - /api/apm/agent_keys: - post: - description: Create a new agent key for APM. - operationId: createAgentKey - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - name: - type: string - privileges: - items: - enum: - - 'event:write' - - 'config_agent:read' - type: string - type: array - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - api_key: - type: string - encoded: - type: string - expiration: - format: int64 - type: integer - id: - type: string - name: - type: string - description: Agent key created successfully - summary: Create an APM agent key - tags: - - APM agent keys - '/api/apm/services/{serviceName}/annotation': - post: - description: Create a new annotation for a specific service. - operationId: createAnnotation - parameters: - - description: The name of the service - in: path - name: serviceName - required: true - schema: - type: string - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - '@timestamp': - type: string - message: - type: string - service: - type: object - properties: - environment: - type: string - version: - type: string - tags: - items: - type: string - type: array - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - _id: - type: string - _index: - type: string - _source: - type: object - properties: - '@timestamp': - type: string - annotation: - type: string - event: - type: object - properties: - created: - type: string - message: - type: string - service: - type: object - properties: - environment: - type: string - name: - type: string - version: - type: string - tags: - items: - type: string - type: array - description: Annotation created successfully - summary: Create a service annotation - tags: - - APM annotations - '/api/apm/services/{serviceName}/annotation/search': - get: - description: Search for annotations related to a specific service. - operationId: getAnnotation - parameters: - - description: The name of the service - in: path - name: serviceName - required: true - schema: - type: string - - description: The environment to filter annotations by - in: query - name: environment - required: false - schema: - type: string - - description: The start date for the search - in: query - name: start - required: false - schema: - type: string - - description: The end date for the search - in: query - name: end - required: false - schema: - type: string - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - annotations: - items: - type: object - properties: - '@timestamp': - type: number - id: - type: string - text: - type: string - type: - enum: - - version - type: string - type: array - description: Successful response - summary: Search for annotations - tags: - - APM annotations - /api/asset_criticality: - delete: - description: Delete the asset criticality record for a specific asset if it exists. - operationId: DeleteAssetCriticalityRecord - parameters: - - description: The ID value of the asset. - in: query - name: id_value - required: true - schema: - type: string - - description: The field representing the ID. - example: host.name - in: query - name: id_field - required: true - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_IdField' - - description: If 'wait_for' the request will wait for the index refresh. - in: query - name: refresh - required: false - schema: - enum: - - wait_for - type: string - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - deleted: - description: >- - True if the record was deleted or false if the record did - not exist. - type: boolean - record: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord - description: The deleted record if it existed. - required: - - deleted - description: Successful response - '400': - description: Invalid request - summary: Delete Criticality Record - tags: - - Security Entity Analytics API - get: - description: Get the criticality record for a specific asset. - operationId: GetAssetCriticalityRecord - parameters: - - description: The ID value of the asset. - in: query - name: id_value - required: true - schema: - type: string - - description: The field representing the ID. - example: host.name - in: query - name: id_field - required: true - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_IdField' - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord - description: Successful response - '400': - description: Invalid request - '404': - description: Criticality record not found - summary: Get Criticality Record - tags: - - Security Entity Analytics API - post: - description: Create or update a criticality record for a specific asset. - operationId: CreateAssetCriticalityRecord - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - allOf: - - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_CreateAssetCriticalityRecord - - type: object - properties: - refresh: - description: >- - If 'wait_for' the request will wait for the index - refresh. - enum: - - wait_for - type: string - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord - description: Successful response - '400': - description: Invalid request - summary: Upsert Criticality Record - tags: - - Security Entity Analytics API - /api/asset_criticality/bulk: - post: - description: >- - Bulk upsert up to 1000 asset criticality records, creating or updating - them as needed. - operationId: BulkUpsertAssetCriticalityRecords - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - example: - records: - - criticality_level: low_impact - id_field: host.name - id_value: host-1 - - criticality_level: medium_impact - id_field: host.name - id_value: host-2 - type: object - properties: - records: - items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_CreateAssetCriticalityRecord - maxItems: 1000 - minItems: 1 - type: array - required: - - records - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - example: - errors: - - index: 0 - message: Invalid ID field - stats: - failed: 1 - successful: 1 - total: 2 - type: object - properties: - errors: - items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityBulkUploadErrorItem - type: array - stats: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityBulkUploadStats - required: - - errors - - stats - description: Bulk upload successful - '413': - description: File too large - summary: Bulk Upsert Asset Criticality Records - tags: - - Security Entity Analytics API - /api/asset_criticality/list: - get: - description: 'List asset criticality records, paging, sorting and filtering as needed.' - operationId: FindAssetCriticalityRecords - parameters: - - description: The field to sort by. - in: query - name: sort_field - required: false - schema: - enum: - - id_value - - id_field - - criticality_level - - \@timestamp - type: string - - description: The order to sort by. - in: query - name: sort_direction - required: false - schema: - enum: - - asc - - desc - type: string - - description: The page number to return. - in: query - name: page - required: false - schema: - minimum: 1 - type: integer - - description: The number of records to return per page. - in: query - name: per_page - required: false - schema: - maximum: 1000 - minimum: 1 - type: integer - - description: The kuery to filter by. - in: query - name: kuery - required: false - schema: - type: string - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - page: - minimum: 1 - type: integer - per_page: - maximum: 1000 - minimum: 1 - type: integer - records: - items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecord - type: array - total: - minimum: 0 - type: integer - required: - - records - - page - - per_page - - total - description: Bulk upload successful - summary: List Asset Criticality Records - tags: - - Security Entity Analytics API - /api/data_views: - get: - operationId: getAllDataViewsDefault - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - examples: - getAllDataViewsResponse: - $ref: '#/components/examples/Data_views_get_data_views_response' - schema: - type: object - properties: - data_view: - items: - type: object - properties: - id: - type: string - name: - type: string - namespaces: - items: - type: string - type: array - title: - type: string - typeMeta: - type: object - type: array - description: Indicates a successful call. - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Data_views_400_response' - description: Bad request - summary: Get all data views - tags: - - data views - /api/data_views/data_view: - post: - operationId: createDataViewDefaultw - parameters: - - $ref: '#/components/parameters/Data_views_kbn_xsrf' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - examples: - createDataViewRequest: - $ref: '#/components/examples/Data_views_create_data_view_request' - schema: - $ref: '#/components/schemas/Data_views_create_data_view_request_object' - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Data_views_data_view_response_object' - description: Indicates a successful call. - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Data_views_400_response' - description: Bad request - summary: Create a data view - tags: - - data views - '/api/data_views/data_view/{viewId}': - delete: - description: | - WARNING: When you delete a data view, it cannot be recovered. - operationId: deleteDataViewDefault - parameters: - - $ref: '#/components/parameters/Data_views_kbn_xsrf' - - $ref: '#/components/parameters/Data_views_view_id' - responses: - '204': - description: Indicates a successful call. - '404': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Data_views_404_response' - description: Object is not found. - summary: Delete a data view - tags: - - data views - get: - operationId: getDataViewDefault - parameters: - - $ref: '#/components/parameters/Data_views_view_id' - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - examples: - getDataViewResponse: - $ref: '#/components/examples/Data_views_get_data_view_response' - schema: - $ref: '#/components/schemas/Data_views_data_view_response_object' - description: Indicates a successful call. - '404': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Data_views_404_response' - description: Object is not found. - summary: Get a data view - tags: - - data views - post: - operationId: updateDataViewDefault - parameters: - - $ref: '#/components/parameters/Data_views_kbn_xsrf' - - $ref: '#/components/parameters/Data_views_view_id' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - examples: - updateDataViewRequest: - $ref: '#/components/examples/Data_views_update_data_view_request' - schema: - $ref: '#/components/schemas/Data_views_update_data_view_request_object' - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Data_views_data_view_response_object' - description: Indicates a successful call. - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Data_views_400_response' - description: Bad request - summary: Update a data view - tags: - - data views - '/api/data_views/data_view/{viewId}/fields': - post: - description: > - Update fields presentation metadata such as count, customLabel, - customDescription, and format. - operationId: updateFieldsMetadataDefault - parameters: - - $ref: '#/components/parameters/Data_views_kbn_xsrf' - - $ref: '#/components/parameters/Data_views_view_id' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - examples: - updateFieldsMetadataRequest: - $ref: '#/components/examples/Data_views_update_field_metadata_request' - schema: - type: object - properties: - fields: - description: The field object. - type: object - required: - - fields - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - acknowledged: - type: boolean - description: Indicates a successful call. - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Data_views_400_response' - description: Bad request - summary: Update data view fields metadata - tags: - - data views - '/api/data_views/data_view/{viewId}/runtime_field': - post: - operationId: createRuntimeFieldDefault - parameters: - - $ref: '#/components/parameters/Data_views_kbn_xsrf' - - $ref: '#/components/parameters/Data_views_view_id' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - examples: - createRuntimeFieldRequest: - $ref: '#/components/examples/Data_views_create_runtime_field_request' - schema: - type: object - properties: - name: - description: | - The name for a runtime field. - type: string - runtimeField: - description: | - The runtime field definition object. - type: object - required: - - name - - runtimeField - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - description: Indicates a successful call. - summary: Create a runtime field - tags: - - data views - put: - operationId: createUpdateRuntimeFieldDefault - parameters: - - $ref: '#/components/parameters/Data_views_kbn_xsrf' - - description: | - The ID of the data view fields you want to update. - in: path - name: viewId - required: true - schema: - type: string - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - examples: - updateRuntimeFieldRequest: - $ref: '#/components/examples/Data_views_create_runtime_field_request' - schema: - type: object - properties: - name: - description: | - The name for a runtime field. - type: string - runtimeField: - description: | - The runtime field definition object. - type: object - required: - - name - - runtimeField - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - data_view: - type: object - fields: - items: - type: object - type: array - description: Indicates a successful call. - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Data_views_400_response' - description: Bad request - summary: Create or update a runtime field - tags: - - data views - '/api/data_views/data_view/{viewId}/runtime_field/{fieldName}': - delete: - operationId: deleteRuntimeFieldDefault - parameters: - - $ref: '#/components/parameters/Data_views_field_name' - - $ref: '#/components/parameters/Data_views_view_id' - responses: - '200': - description: Indicates a successful call. - '404': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Data_views_404_response' - description: Object is not found. - summary: Delete a runtime field from a data view - tags: - - data views - get: - operationId: getRuntimeFieldDefault - parameters: - - $ref: '#/components/parameters/Data_views_field_name' - - $ref: '#/components/parameters/Data_views_view_id' - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - examples: - getRuntimeFieldResponse: - $ref: '#/components/examples/Data_views_get_runtime_field_response' - schema: - type: object - properties: - data_view: - type: object - fields: - items: - type: object - type: array - description: Indicates a successful call. - '404': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Data_views_404_response' - description: Object is not found. - summary: Get a runtime field - tags: - - data views - post: - operationId: updateRuntimeFieldDefault - parameters: - - $ref: '#/components/parameters/Data_views_field_name' - - $ref: '#/components/parameters/Data_views_view_id' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - examples: - updateRuntimeFieldRequest: - $ref: '#/components/examples/Data_views_update_runtime_field_request' - schema: - type: object - properties: - runtimeField: - description: | - The runtime field definition object. - - You can update following fields: - - - `type` - - `script` - type: object - required: - - runtimeField - required: true - responses: - '200': - description: Indicates a successful call. - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Data_views_400_response' - description: Bad request - summary: Update a runtime field - tags: - - data views - /api/data_views/default: - get: - operationId: getDefaultDataViewDefault - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - examples: - getDefaultDataViewResponse: - $ref: >- - #/components/examples/Data_views_get_default_data_view_response - schema: - type: object - properties: - data_view_id: - type: string - description: Indicates a successful call. - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Data_views_400_response' - description: Bad request - summary: Get the default data view - tags: - - data views - post: - operationId: setDefaultDatailViewDefault - parameters: - - $ref: '#/components/parameters/Data_views_kbn_xsrf' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - examples: - setDefaultDataViewRequest: - $ref: '#/components/examples/Data_views_set_default_data_view_request' - schema: - type: object - properties: - data_view_id: - description: > - The data view identifier. NOTE: The API does not validate - whether it is a valid identifier. Use `null` to unset the - default data view. - nullable: true - type: string - force: - default: false - description: Update an existing default data view identifier. - type: boolean - required: - - data_view_id - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - acknowledged: - type: boolean - description: Indicates a successful call. - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Data_views_400_response' - description: Bad request - summary: Set the default data view - tags: - - data views - /api/data_views/swap_references: - post: - description: > - Changes saved object references from one data view identifier to - another. WARNING: Misuse can break large numbers of saved objects! - Practicing with a backup is recommended. - operationId: swapDataViewsDefault - parameters: - - $ref: '#/components/parameters/Data_views_kbn_xsrf' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - examples: - swapDataViewRequest: - $ref: '#/components/examples/Data_views_swap_data_view_request' - schema: - $ref: '#/components/schemas/Data_views_swap_data_view_request_object' - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - deleteStatus: - type: object - properties: - deletePerformed: - type: boolean - remainingRefs: - type: integer - result: - items: - type: object - properties: - id: - description: A saved object identifier. - type: string - type: - description: The saved object type. - type: string - type: array - description: Indicates a successful call. - summary: Swap saved object references - tags: - - data views - /api/data_views/swap_references/_preview: - post: - description: > - Preview the impact of swapping saved object references from one data - view identifier to another. - operationId: previewSwapDataViewsDefault - parameters: - - $ref: '#/components/parameters/Data_views_kbn_xsrf' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - examples: - previewSwapDataViewRequest: - $ref: >- - #/components/examples/Data_views_preview_swap_data_view_request - schema: - $ref: '#/components/schemas/Data_views_swap_data_view_request_object' - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - result: - items: - type: object - properties: - id: - description: A saved object identifier. - type: string - type: - description: The saved object type. - type: string - type: array - description: Indicates a successful call. - summary: Preview a saved object reference swap - tags: - - data views - /api/detection_engine/privileges: - get: - description: > - Retrieves whether or not the user is authenticated, and the user's - Kibana - - space and index privileges, which determine if the user can create an - - index for the Elastic Security alerts generated by - - detection engine rules. - operationId: ReadPrivileges - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - has_encryption_key: - type: boolean - is_authenticated: - type: boolean - required: - - is_authenticated - - has_encryption_key - description: Successful response - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse - description: Unsuccessful authentication response - '500': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' - description: Internal server error response - summary: Returns user privileges for the Kibana space - tags: - - Security Detections API - - Privileges API - /api/detection_engine/rules: - delete: - description: Delete a detection rule using the `rule_id` or `id` field. - operationId: DeleteRule - parameters: - - description: The rule's `id` value. - in: query - name: id - required: false - schema: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' - - description: The rule's `rule_id` value. - in: query - name: rule_id - required: false - schema: - $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Detections_API_RuleResponse' - description: Indicates a successful call. - summary: Delete a detection rule - tags: - - Security Detections API - - Rules API - get: - description: Retrieve a detection rule using the `rule_id` or `id` field. - operationId: ReadRule - parameters: - - description: The rule's `id` value. - in: query - name: id - required: false - schema: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' - - description: The rule's `rule_id` value. - in: query - name: rule_id - required: false - schema: - $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Detections_API_RuleResponse' - description: Indicates a successful call. - summary: Retrieve a detection rule - tags: - - Security Detections API - - Rules API - patch: - description: >- - Update specific fields of an existing detection rule using the `rule_id` - or `id` field. - operationId: PatchRule - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Detections_API_RulePatchProps' - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Detections_API_RuleResponse' - description: Indicates a successful call. - summary: Patch a detection rule - tags: - - Security Detections API - - Rules API - post: - description: Create a new detection rule. - operationId: CreateRule - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Detections_API_RuleCreateProps' - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Detections_API_RuleResponse' - description: Indicates a successful call. - summary: Create a detection rule - tags: - - Security Detections API - - Rules API - put: - description: > - Update a detection rule using the `rule_id` or `id` field. The original - rule is replaced, and all unspecified fields are deleted. - - > info - - > You cannot modify the `id` or `rule_id` values. - operationId: UpdateRule - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Detections_API_RuleUpdateProps' - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Detections_API_RuleResponse' - description: Indicates a successful call. - summary: Update a detection rule - tags: - - Security Detections API - - Rules API - /api/detection_engine/rules/_bulk_action: - post: - description: >- - Apply a bulk action, such as bulk edit, duplicate, or delete, to - multiple detection rules. The bulk action is applied to all rules that - match the query or to the rules listed by their IDs. - operationId: PerformRulesBulkAction - parameters: - - description: Enables dry run mode for the request call. - in: query - name: dry_run - required: false - schema: - type: boolean - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - oneOf: - - $ref: '#/components/schemas/Security_Detections_API_BulkDeleteRules' - - $ref: >- - #/components/schemas/Security_Detections_API_BulkDisableRules - - $ref: '#/components/schemas/Security_Detections_API_BulkEnableRules' - - $ref: '#/components/schemas/Security_Detections_API_BulkExportRules' - - $ref: >- - #/components/schemas/Security_Detections_API_BulkDuplicateRules - - $ref: >- - #/components/schemas/Security_Detections_API_BulkManualRuleRun - - $ref: '#/components/schemas/Security_Detections_API_BulkEditRules' - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Detections_API_BulkEditActionResponse - - $ref: >- - #/components/schemas/Security_Detections_API_BulkExportActionResponse - description: OK - summary: Apply a bulk action to detection rules - tags: - - Security Detections API - - Bulk API - /api/detection_engine/rules/_export: - post: - description: > - Export detection rules to an `.ndjson` file. The following configuration - items are also included in the `.ndjson` file: - - - Actions - - - Exception lists - - > info - - > You cannot export prebuilt rules. - operationId: ExportRules - parameters: - - description: Determines whether a summary of the exported rules is returned. - in: query - name: exclude_export_details - required: false - schema: - default: false - type: boolean - - description: File name for saving the exported rules. - in: query - name: file_name - required: false - schema: - default: export.ndjson - type: string - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - nullable: true - type: object - properties: - objects: - description: >- - Array of `rule_id` fields. Exports all rules when - unspecified. - items: - type: object - properties: - rule_id: - $ref: >- - #/components/schemas/Security_Detections_API_RuleSignatureId - required: - - rule_id - type: array - required: - - objects - required: false - responses: - '200': - content: - application/ndjson; Elastic-Api-Version=2023-10-31: - schema: - description: An `.ndjson` file containing the returned rules. - format: binary - type: string - description: Indicates a successful call. - summary: Export detection rules - tags: - - Security Detections API - - Import/Export API - /api/detection_engine/rules/_find: - get: - description: >- - Retrieve a paginated list of detection rules. By default, the first page - is returned, with 20 results per page. - operationId: FindRules - parameters: - - in: query - name: fields - required: false - schema: - items: - type: string - type: array - - description: Search query - in: query - name: filter - required: false - schema: - type: string - - description: Field to sort by - in: query - name: sort_field - required: false - schema: - $ref: '#/components/schemas/Security_Detections_API_FindRulesSortField' - - description: Sort order - in: query - name: sort_order - required: false - schema: - $ref: '#/components/schemas/Security_Detections_API_SortOrder' - - description: Page number - in: query - name: page - required: false - schema: - default: 1 - minimum: 1 - type: integer - - description: Rules per page - in: query - name: per_page - required: false - schema: - default: 20 - minimum: 0 - type: integer - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - data: - items: - $ref: >- - #/components/schemas/Security_Detections_API_RuleResponse - type: array - page: - type: integer - perPage: - type: integer - total: - type: integer - required: - - page - - perPage - - total - - data - description: Successful response - summary: List all detection rules - tags: - - Security Detections API - - Rules API - /api/detection_engine/rules/_import: - post: - description: > - Import detection rules from an `.ndjson` file, including actions and - exception lists. The request must include: - - - The `Content-Type: multipart/form-data` HTTP header. - - - A link to the `.ndjson` file containing the rules. - operationId: ImportRules - parameters: - - description: >- - Determines whether existing rules with the same `rule_id` are - overwritten. - in: query - name: overwrite - required: false - schema: - default: false - type: boolean - - description: >- - Determines whether existing exception lists with the same `list_id` - are overwritten. - in: query - name: overwrite_exceptions - required: false - schema: - default: false - type: boolean - - description: >- - Determines whether existing actions with the same - `kibana.alert.rule.actions.id` are overwritten. - in: query - name: overwrite_action_connectors - required: false - schema: - default: false - type: boolean - - description: Generates a new list ID for each imported exception list. - in: query - name: as_new_list - required: false - schema: - default: false - type: boolean - requestBody: - content: - multipart/form-data; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - file: - description: The `.ndjson` file containing the rules. - format: binary - type: string - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - additionalProperties: false - type: object - properties: - action_connectors_errors: - items: - $ref: '#/components/schemas/Security_Detections_API_ErrorSchema' - type: array - action_connectors_success: - type: boolean - action_connectors_success_count: - minimum: 0 - type: integer - action_connectors_warnings: - items: - $ref: >- - #/components/schemas/Security_Detections_API_WarningSchema - type: array - errors: - items: - $ref: '#/components/schemas/Security_Detections_API_ErrorSchema' - type: array - exceptions_errors: - items: - $ref: '#/components/schemas/Security_Detections_API_ErrorSchema' - type: array - exceptions_success: - type: boolean - exceptions_success_count: - minimum: 0 - type: integer - rules_count: - minimum: 0 - type: integer - success: - type: boolean - success_count: - minimum: 0 - type: integer - required: - - exceptions_success - - exceptions_success_count - - exceptions_errors - - rules_count - - success - - success_count - - errors - - action_connectors_errors - - action_connectors_warnings - - action_connectors_success - - action_connectors_success_count - description: Indicates a successful call. - summary: Import detection rules - tags: - - Security Detections API - - Import/Export API - '/api/detection_engine/rules/{id}/exceptions': - post: - operationId: CreateRuleExceptionListItems - parameters: - - description: Detection rule's identifier - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_Exceptions_API_RuleId' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - items: - items: - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateRuleExceptionListItemProps - type: array - required: - - items - description: Rule exception list items - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - items: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItem - type: array - description: Successful response - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '500': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Creates rule exception list items - tags: - - Security Exceptions API - /api/detection_engine/rules/preview: - post: - operationId: RulePreview - parameters: - - description: >- - Enables logging and returning in response ES queries, performed - during rule execution - in: query - name: enable_logged_requests - required: false - schema: - type: boolean - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - anyOf: - - allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_EqlRuleCreateProps - - $ref: >- - #/components/schemas/Security_Detections_API_RulePreviewParams - - allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_QueryRuleCreateProps - - $ref: >- - #/components/schemas/Security_Detections_API_RulePreviewParams - - allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleCreateProps - - $ref: >- - #/components/schemas/Security_Detections_API_RulePreviewParams - - allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdRuleCreateProps - - $ref: >- - #/components/schemas/Security_Detections_API_RulePreviewParams - - allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleCreateProps - - $ref: >- - #/components/schemas/Security_Detections_API_RulePreviewParams - - allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_MachineLearningRuleCreateProps - - $ref: >- - #/components/schemas/Security_Detections_API_RulePreviewParams - - allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_NewTermsRuleCreateProps - - $ref: >- - #/components/schemas/Security_Detections_API_RulePreviewParams - - allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_EsqlRuleCreateProps - - $ref: >- - #/components/schemas/Security_Detections_API_RulePreviewParams - discriminator: - propertyName: type - description: >- - An object containing tags to add or remove and alert ids the changes - will be applied - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - isAborted: - type: boolean - logs: - items: - $ref: >- - #/components/schemas/Security_Detections_API_RulePreviewLogs - type: array - previewId: - $ref: >- - #/components/schemas/Security_Detections_API_NonEmptyString - required: - - logs - description: Successful response - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Detections_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse - description: Unsuccessful authentication response - '500': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' - description: Internal server error response - summary: Preview rule alerts generated on specified time range - tags: - - Security Detections API - - Rule preview API - /api/detection_engine/signals/assignees: - post: - description: | - Assign users to detection alerts, and unassign them from alerts. - > info - > You cannot add and remove the same assignee in the same request. - operationId: SetAlertAssignees - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - assignees: - $ref: '#/components/schemas/Security_Detections_API_AlertAssignees' - description: Details about the assignees to assign and unassign. - ids: - $ref: '#/components/schemas/Security_Detections_API_AlertIds' - description: List of alerts ids to assign and unassign passed assignees. - required: - - assignees - - ids - required: true - responses: - '200': - description: Indicates a successful call. - '400': - description: Invalid request. - summary: Assign and unassign users from detection alerts - tags: - - Security Detections API - /api/detection_engine/signals/search: - post: - description: Find and/or aggregate detection alerts that match the given query. - operationId: SearchAlerts - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - description: Elasticsearch query and aggregation request - type: object - properties: - _source: - oneOf: - - type: boolean - - type: string - - items: - type: string - type: array - aggs: - additionalProperties: true - type: object - fields: - items: - type: string - type: array - query: - additionalProperties: true - type: object - runtime_mappings: - additionalProperties: true - type: object - size: - minimum: 0 - type: integer - sort: - $ref: '#/components/schemas/Security_Detections_API_AlertsSort' - track_total_hits: - type: boolean - description: Search and/or aggregation query - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - additionalProperties: true - description: Elasticsearch search response - type: object - description: Successful response - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Detections_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse - description: Unsuccessful authentication response - '500': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' - description: Internal server error response - summary: Find and/or aggregate detection alerts - tags: - - Security Detections API - - Alerts API - /api/detection_engine/signals/status: - post: - description: Set the status of one or more detection alerts. - operationId: SetAlertsStatus - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Detections_API_SetAlertsStatusByIds - - $ref: >- - #/components/schemas/Security_Detections_API_SetAlertsStatusByQuery - description: >- - An object containing desired status and explicit alert ids or a query - to select alerts - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - additionalProperties: true - description: Elasticsearch update by query response - type: object - description: Successful response - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Detections_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse - description: Unsuccessful authentication response - '500': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' - description: Internal server error response - summary: Set a detection alert status - tags: - - Security Detections API - - Alerts API - /api/detection_engine/signals/tags: - post: - description: | - And tags to detection alerts, and remove them from alerts. - > info - > You cannot add and remove the same alert tag in the same request. - operationId: SetAlertTags - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - ids: - $ref: '#/components/schemas/Security_Detections_API_AlertIds' - tags: - $ref: '#/components/schemas/Security_Detections_API_SetAlertTags' - required: - - ids - - tags - description: >- - An object containing tags to add or remove and alert ids the changes - will be applied - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - additionalProperties: true - description: Elasticsearch update by query response - type: object - description: Successful response - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Detections_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Detections_API_PlatformErrorResponse - description: Unsuccessful authentication response - '500': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Detections_API_SiemErrorResponse' - description: Internal server error response - summary: Add and remove detection alert tags - tags: - - Security Detections API - - Alerts API - /api/detection_engine/tags: - get: - description: List all unique tags from all detection rules. - operationId: ReadTags - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' - description: Indicates a successful call - summary: List all detection rule tags - tags: - - Security Detections API - - Tags API - /api/endpoint_list: - post: - description: Creates an endpoint list or does nothing if the list already exists - operationId: CreateEndpointList - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_EndpointList - description: Successful response - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Invalid input data - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication - '403': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - description: Insufficient privileges - '500': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Internal server error - summary: Creates an endpoint list - tags: - - Security Endpoint Exceptions API - /api/endpoint_list/items: - delete: - operationId: DeleteEndpointListItem - parameters: - - description: Either `id` or `item_id` must be specified - in: query - name: id - required: false - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId - - description: Either `id` or `item_id` must be specified - in: query - name: item_id - required: false - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_EndpointListItem - description: Successful response - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Invalid input data - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication - '403': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - description: Insufficient privileges - '404': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Endpoint list item not found - '500': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Internal server error - summary: Deletes an endpoint list item - tags: - - Security Endpoint Exceptions API - get: - operationId: ReadEndpointListItem - parameters: - - description: Either `id` or `item_id` must be specified - in: query - name: id - required: false - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId - - description: Either `id` or `item_id` must be specified - in: query - name: item_id - required: false - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - items: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_EndpointListItem - type: array - description: Successful response - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Invalid input data - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication - '403': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - description: Insufficient privileges - '404': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Endpoint list item not found - '500': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Internal server error - summary: Reads an endpoint list item - tags: - - Security Endpoint Exceptions API - post: - operationId: CreateEndpointListItem - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - comments: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemCommentArray - default: [] - description: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemDescription - entries: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryArray - item_id: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId - meta: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemMeta - name: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemName - os_types: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray - default: [] - tags: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemTags - default: [] - type: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemType - required: - - type - - name - - description - - entries - description: Exception list item's properties - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_EndpointListItem - description: Successful response - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Invalid input data - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication - '403': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - description: Insufficient privileges - '409': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Endpoint list item already exists - '500': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Internal server error - summary: Creates an endpoint list item - tags: - - Security Endpoint Exceptions API - put: - operationId: UpdateEndpointListItem - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - _version: - type: string - comments: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemCommentArray - default: [] - description: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemDescription - entries: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryArray - id: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId - description: Either `id` or `item_id` must be specified - item_id: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId - description: Either `id` or `item_id` must be specified - meta: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemMeta - name: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemName - os_types: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray - default: [] - tags: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemTags - type: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemType - required: - - type - - name - - description - - entries - description: Exception list item's properties - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_EndpointListItem - description: Successful response - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Invalid input data - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication - '403': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - description: Insufficient privileges - '404': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Endpoint list item not found - '500': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Internal server error - summary: Updates an endpoint list item - tags: - - Security Endpoint Exceptions API - /api/endpoint_list/items/_find: - get: - operationId: FindEndpointListItems - parameters: - - description: > - Filters the returned results according to the value of the specified - field, - - using the `:` syntax. - in: query - name: filter - required: false - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_FindEndpointListItemsFilter - - description: The page number to return - in: query - name: page - required: false - schema: - minimum: 0 - type: integer - - description: The number of exception list items to return per page - in: query - name: per_page - required: false - schema: - minimum: 0 - type: integer - - description: Determines which field is used to sort the results - in: query - name: sort_field - required: false - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString - - description: 'Determines the sort order, which can be `desc` or `asc`' - in: query - name: sort_order - required: false - schema: - enum: - - desc - - asc - type: string - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - data: - items: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_EndpointListItem - type: array - page: - minimum: 0 - type: integer - per_page: - minimum: 0 - type: integer - pit: - type: string - total: - minimum: 0 - type: integer - required: - - data - - page - - per_page - - total - description: Successful response - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Invalid input data - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication - '403': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_PlatformErrorResponse - description: Insufficient privileges - '404': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Endpoint list not found - '500': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_SiemErrorResponse - description: Internal server error - summary: Finds endpoint list items - tags: - - Security Endpoint Exceptions API - /api/endpoint/action: - get: - description: Get a list of all response actions. - operationId: EndpointGetActionsList - parameters: - - in: query - name: query - required: true - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_GetEndpointActionListRouteQuery - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_SuccessResponse - description: OK - summary: Get response actions - tags: - - Security Endpoint Management API - '/api/endpoint/action_log/{agent_id}': - get: - deprecated: true - description: Get an action request log for the specified agent ID. - operationId: EndpointGetActionLog - parameters: - - in: path - name: agent_id - required: true - schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentId' - - in: query - name: query - required: true - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ActionLogRequestQuery - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_SuccessResponse - description: OK - summary: Get an action request log - tags: - - Security Endpoint Management API - /api/endpoint/action_status: - get: - description: Get the status of response actions for the specified agent IDs. - operationId: EndpointGetActionsStatus - parameters: - - in: query - name: query - required: true - schema: - type: object - properties: - agent_ids: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentIds' - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ActionStatusSuccessResponse - description: OK - summary: Get response actions status - tags: - - Security Endpoint Management API - '/api/endpoint/action/{action_id}': - get: - description: Get the details of a response action using the action ID. - operationId: EndpointGetActionsDetails - parameters: - - in: path - name: action_id - required: true - schema: - type: string - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_SuccessResponse - description: OK - summary: Get action details - tags: - - Security Endpoint Management API - '/api/endpoint/action/{action_id}/file/{file_id}': - get: - description: Get information for the specified file using the file ID. - operationId: EndpointFileInfo - parameters: - - in: path - name: action_id - required: true - schema: - type: string - - in: path - name: file_id - required: true - schema: - type: string - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_SuccessResponse - description: OK - summary: Get file information - tags: - - Security Endpoint Management API - '/api/endpoint/action/{action_id}/file/{file_id}/download': - get: - description: Download a file from an endpoint. - operationId: EndpointFileDownload - parameters: - - in: path - name: action_id - required: true - schema: - type: string - - in: path - name: file_id - required: true - schema: - type: string - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_SuccessResponse - description: OK - summary: Download a file - tags: - - Security Endpoint Management API - /api/endpoint/action/execute: - post: - description: Run a shell command on an endpoint. - operationId: EndpointExecuteAction - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ExecuteRouteRequestBody - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_SuccessResponse - description: OK - summary: Run a command - tags: - - Security Endpoint Management API - /api/endpoint/action/get_file: - post: - description: Get a file from an endpoint. - operationId: EndpointGetFileAction - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_GetFileRouteRequestBody - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_SuccessResponse - description: OK - summary: Get a file - tags: - - Security Endpoint Management API - /api/endpoint/action/isolate: - post: - description: >- - Isolate an endpoint from the network. The endpoint remains isolated - until it's released. - operationId: EndpointIsolateAction - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_IsolateRouteRequestBody - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_SuccessResponse - description: OK - summary: Isolate an endpoint - tags: - - Security Endpoint Management API - /api/endpoint/action/kill_process: - post: - description: Terminate a running process on an endpoint. - operationId: EndpointKillProcessAction - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_KillProcessRouteRequestBody - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_SuccessResponse - description: OK - summary: Terminate a process - tags: - - Security Endpoint Management API - /api/endpoint/action/running_procs: - post: - description: Get a list of all processes running on an endpoint. - operationId: EndpointGetProcessesAction - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_GetProcessesRouteRequestBody - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_SuccessResponse - description: OK - summary: Get running processes - tags: - - Security Endpoint Management API - /api/endpoint/action/scan: - post: - description: Scan a specific file or directory on an endpoint for malware. - operationId: EndpointScanAction - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ScanRouteRequestBody - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_SuccessResponse - description: OK - summary: Scan a file or directory - tags: - - Security Endpoint Management API - /api/endpoint/action/state: - get: - description: >- - Get a response actions state, which reports whether encryption is - enabled. - operationId: EndpointGetActionsState - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ActionStateSuccessResponse - description: OK - summary: Get actions state - tags: - - Security Endpoint Management API - /api/endpoint/action/suspend_process: - post: - description: Suspend a running process on an endpoint. - operationId: EndpointSuspendProcessAction - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_SuspendProcessRouteRequestBody - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_SuccessResponse - description: OK - summary: Suspend a process - tags: - - Security Endpoint Management API - /api/endpoint/action/unisolate: - post: - description: 'Release an isolated endpoint, allowing it to rejoin a network.' - operationId: EndpointUnisolateAction - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_UnisolateRouteRequestBody - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_SuccessResponse - description: OK - summary: Release an isolated endpoint - tags: - - Security Endpoint Management API - /api/endpoint/action/upload: - post: - description: Upload a file to an endpoint. - operationId: EndpointUploadAction - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_UploadRouteRequestBody - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_SuccessResponse - description: OK - summary: Upload a file - tags: - - Security Endpoint Management API - /api/endpoint/metadata: - get: - operationId: GetEndpointMetadataList - parameters: - - in: query - name: query - required: true - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ListRequestQuery - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_SuccessResponse - description: OK - summary: Get a metadata list - tags: - - Security Endpoint Management API - '/api/endpoint/metadata/{id}': - get: - operationId: GetEndpointMetadata - parameters: - - in: path - name: id - required: true - schema: - type: string - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_SuccessResponse - description: OK - summary: Get metadata - tags: - - Security Endpoint Management API - /api/endpoint/metadata/transforms: - get: - deprecated: true - operationId: GetEndpointMetadataTransform - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_SuccessResponse - description: OK - summary: Get metadata transforms - tags: - - Security Endpoint Management API - /api/endpoint/policy_response: - get: - operationId: GetPolicyResponse - parameters: - - in: query - name: query - required: true - schema: - type: object - properties: - agentId: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentId' - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_SuccessResponse - description: OK - summary: Get a policy response - tags: - - Security Endpoint Management API - /api/endpoint/policy/summaries: - get: - deprecated: true - operationId: GetAgentPolicySummary - parameters: - - in: query - name: query - required: true - schema: - type: object - properties: - package_name: - type: string - policy_id: - nullable: true - type: string - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_SuccessResponse - description: OK - summary: Get an agent policy summary - tags: - - Security Endpoint Management API - '/api/endpoint/protection_updates_note/{package_policy_id}': - get: - operationId: GetProtectionUpdatesNote - parameters: - - in: path - name: package_policy_id - required: true - schema: - type: string - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ProtectionUpdatesNoteResponse - description: OK - summary: Get a protection updates note - tags: - - Security Endpoint Management API - post: - operationId: CreateUpdateProtectionUpdatesNote - parameters: - - in: path - name: package_policy_id - required: true - schema: - type: string - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - note: - type: string - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_ProtectionUpdatesNoteResponse - description: OK - summary: Create or update a protection updates note - tags: - - Security Endpoint Management API - '/api/endpoint/suggestions/{suggestion_type}': - post: - deprecated: true - operationId: GetEndpointSuggestions - parameters: - - in: path - name: suggestion_type - required: true - schema: - enum: - - eventFilters - type: string - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - field: - type: string - fieldMeta: {} - filters: {} - query: - type: string - required: - - parameters - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_SuccessResponse - description: OK - summary: Get suggestions - tags: - - Security Endpoint Management API - /api/entity_store/engines: - get: - operationId: ListEntityEngines - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - count: - type: integer - engines: - items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EngineDescriptor - type: array - description: Successful response - summary: List the Entity Engines - tags: - - Security Entity Analytics API - '/api/entity_store/engines/{entityType}': - delete: - operationId: DeleteEntityEngine - parameters: - - description: The entity type of the engine (either 'user' or 'host'). - in: path - name: entityType - required: true - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' - - description: Control flag to also delete the entity data. - in: query - name: data - required: false - schema: - type: boolean - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - deleted: - type: boolean - description: Successful response - summary: Delete the Entity Engine - tags: - - Security Entity Analytics API - get: - operationId: GetEntityEngine - parameters: - - description: The entity type of the engine (either 'user' or 'host'). - in: path - name: entityType - required: true - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EngineDescriptor - description: Successful response - summary: Get an Entity Engine - tags: - - Security Entity Analytics API - '/api/entity_store/engines/{entityType}/init': - post: - operationId: InitEntityEngine - parameters: - - description: The entity type of the engine (either 'user' or 'host'). - in: path - name: entityType - required: true - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - fieldHistoryLength: - default: 10 - description: The number of historical values to keep for each field. - type: integer - filter: - type: string - indexPattern: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_IndexPattern - description: Schema for the engine initialization - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EngineDescriptor - description: Successful response - summary: Initialize an Entity Engine - tags: - - Security Entity Analytics API - '/api/entity_store/engines/{entityType}/start': - post: - operationId: StartEntityEngine - parameters: - - description: The entity type of the engine (either 'user' or 'host'). - in: path - name: entityType - required: true - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - started: - type: boolean - description: Successful response - summary: Start an Entity Engine - tags: - - Security Entity Analytics API - '/api/entity_store/engines/{entityType}/stats': - post: - operationId: GetEntityEngineStats - parameters: - - description: The entity type of the engine (either 'user' or 'host'). - in: path - name: entityType - required: true - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - indexPattern: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_IndexPattern - indices: - items: - type: object - type: array - status: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EngineStatus - transforms: - items: - type: object - type: array - type: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EntityType - description: Successful response - summary: Get Entity Engine stats - tags: - - Security Entity Analytics API - '/api/entity_store/engines/{entityType}/stop': - post: - operationId: StopEntityEngine - parameters: - - description: The entity type of the engine (either 'user' or 'host'). - in: path - name: entityType - required: true - schema: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - stopped: - type: boolean - description: Successful response - summary: Stop an Entity Engine - tags: - - Security Entity Analytics API - /api/entity_store/engines/apply_dataview_indices: - post: - operationId: ApplyEntityEngineDataviewIndices - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - result: - items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EngineDataviewUpdateResult - type: array - success: - type: boolean - description: Successful response - '207': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - errors: - items: - type: string - type: array - result: - items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EngineDataviewUpdateResult - type: array - success: - type: boolean - description: Partial successful response - '500': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - body: - type: string - statusCode: - type: number - description: Error response - summary: Apply DataView indices to all installed engines - tags: - - Security Entity Analytics API - /api/entity_store/entities/list: - get: - description: 'List entities records, paging, sorting and filtering as needed.' - operationId: ListEntities - parameters: - - in: query - name: sort_field - required: false - schema: - type: string - - in: query - name: sort_order - required: false - schema: - enum: - - asc - - desc - type: string - - in: query - name: page - required: false - schema: - minimum: 1 - type: integer - - in: query - name: per_page - required: false - schema: - maximum: 10000 - minimum: 1 - type: integer - - description: An ES query to filter by. - in: query - name: filterQuery - required: false - schema: - type: string - - in: query - name: entities_types - required: true - schema: - items: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' - type: array - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - inspect: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_InspectQuery - page: - minimum: 1 - type: integer - per_page: - maximum: 1000 - minimum: 1 - type: integer - records: - items: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_Entity - type: array - total: - minimum: 0 - type: integer - required: - - records - - page - - per_page - - total - description: Entities returned successfully - summary: List Entity Store Entities - tags: - - Security Entity Analytics API - /api/exception_lists: - delete: - operationId: DeleteExceptionList - parameters: - - description: Either `id` or `list_id` must be specified - in: query - name: id - required: false - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' - - description: Either `id` or `list_id` must be specified - in: query - name: list_id - required: false - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' - - in: query - name: namespace_type - required: false - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType - default: single - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' - description: Successful response - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '404': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list not found response - '500': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Deletes an exception list - tags: - - Security Exceptions API - get: - operationId: ReadExceptionList - parameters: - - description: Either `id` or `list_id` must be specified - in: query - name: id - required: false - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' - - description: Either `id` or `list_id` must be specified - in: query - name: list_id - required: false - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' - - in: query - name: namespace_type - required: false - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType - default: single - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' - description: Successful response - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '404': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list item not found response - '500': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Retrieves an exception list using its `id` or `list_id` field - tags: - - Security Exceptions API - post: - operationId: CreateExceptionList - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - description: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListDescription - list_id: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListHumanId - meta: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListMeta - name: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListName - namespace_type: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType - default: single - os_types: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListOsTypeArray - tags: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListTags - default: [] - type: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListType - version: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListVersion - default: 1 - required: - - name - - description - - type - description: Exception list's properties - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' - description: Successful response - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '409': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list already exists response - '500': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Creates an exception list - tags: - - Security Exceptions API - put: - operationId: UpdateExceptionList - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - _version: - type: string - description: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListDescription - id: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' - list_id: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListHumanId - meta: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListMeta - name: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListName - namespace_type: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType - default: single - os_types: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListOsTypeArray - default: [] - tags: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListTags - type: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListType - version: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListVersion - required: - - name - - description - - type - description: Exception list's properties - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' - description: Successful response - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '404': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list not found response - '500': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Updates an exception list - tags: - - Security Exceptions API - /api/exception_lists/_duplicate: - post: - operationId: DuplicateExceptionList - parameters: - - description: Exception list's human identifier - in: query - name: list_id - required: true - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' - - in: query - name: namespace_type - required: true - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType - - description: >- - Determines whether to include expired exceptions in the exported - list - in: query - name: include_expired_exceptions - required: true - schema: - default: 'true' - enum: - - 'true' - - 'false' - type: string - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' - description: Successful response - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '405': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list to duplicate not found response - '500': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Duplicates an exception list - tags: - - Security Exceptions API - /api/exception_lists/_export: - post: - description: Exports an exception list and its associated items to an .ndjson file - operationId: ExportExceptionList - parameters: - - description: Exception list's identifier - in: query - name: id - required: true - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' - - description: Exception list's human identifier - in: query - name: list_id - required: true - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' - - in: query - name: namespace_type - required: true - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType - - description: >- - Determines whether to include expired exceptions in the exported - list - in: query - name: include_expired_exceptions - required: true - schema: - default: 'true' - enum: - - 'true' - - 'false' - type: string - responses: - '200': - content: - application/ndjson; Elastic-Api-Version=2023-10-31: - schema: - description: >- - A `.ndjson` file containing specified exception list and its - items - format: binary - type: string - description: Successful response - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '404': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list not found response - '500': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Exports an exception list - tags: - - Security Exceptions API - /api/exception_lists/_find: - get: - operationId: FindExceptionLists - parameters: - - description: > - Filters the returned results according to the value of the specified - field. - - - Uses the `so type.field name:field` value syntax, where `so type` - can be: - - - - `exception-list`: Specify a space-aware exception list. - - - `exception-list-agnostic`: Specify an exception list that is - shared across spaces. - in: query - name: filter - required: false - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_FindExceptionListsFilter - - description: > - Determines whether the returned containers are Kibana associated - with a Kibana space - - or available in all spaces (`agnostic` or `single`) - in: query - name: namespace_type - required: false - schema: - default: - - single - items: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType - type: array - - description: The page number to return - in: query - name: page - required: false - schema: - minimum: 1 - type: integer - - description: The number of exception lists to return per page - in: query - name: per_page - required: false - schema: - minimum: 1 - type: integer - - description: Determines which field is used to sort the results - in: query - name: sort_field - required: false - schema: - type: string - - description: 'Determines the sort order, which can be `desc` or `asc`' - in: query - name: sort_order - required: false - schema: - enum: - - desc - - asc - type: string - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - data: - items: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionList - type: array - page: - minimum: 1 - type: integer - per_page: - minimum: 1 - type: integer - total: - minimum: 0 - type: integer - required: - - data - - page - - per_page - - total - description: Successful response - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '500': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Finds exception lists - tags: - - Security Exceptions API - /api/exception_lists/_import: - post: - description: Imports an exception list and associated items - operationId: ImportExceptionList - parameters: - - description: > - Determines whether existing exception lists with the same `list_id` - are overwritten. - - If any exception items have the same `item_id`, those are also - overwritten. - in: query - name: overwrite - required: false - schema: - default: false - type: boolean - - in: query - name: overwrite_exceptions - required: false - schema: - default: false - type: boolean - - in: query - name: overwrite_action_connectors - required: false - schema: - default: false - type: boolean - - description: > - Determines whether the list being imported will have a new `list_id` - generated. - - Additional `item_id`'s are generated for each exception item. Both - the exception - - list and its items are overwritten. - in: query - name: as_new_list - required: false - schema: - default: false - type: boolean - requestBody: - content: - multipart/form-data; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - file: - description: A `.ndjson` file containing the exception list - format: binary - type: string - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - errors: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListsImportBulkErrorArray - success: - type: boolean - success_count: - minimum: 0 - type: integer - success_count_exception_list_items: - minimum: 0 - type: integer - success_count_exception_lists: - minimum: 0 - type: integer - success_exception_list_items: - type: boolean - success_exception_lists: - type: boolean - required: - - errors - - success - - success_count - - success_exception_lists - - success_count_exception_lists - - success_exception_list_items - - success_count_exception_list_items - description: Successful response - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '500': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Imports an exception list - tags: - - Security Exceptions API - /api/exception_lists/items: - delete: - operationId: DeleteExceptionListItem - parameters: - - description: Either `id` or `item_id` must be specified - in: query - name: id - required: false - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemId' - - description: Either `id` or `item_id` must be specified - in: query - name: item_id - required: false - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId - - in: query - name: namespace_type - required: false - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType - default: single - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem' - description: Successful response - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '404': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list item not found response - '500': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Deletes an exception list item - tags: - - Security Exceptions API - get: - operationId: ReadExceptionListItem - parameters: - - description: Either `id` or `item_id` must be specified - in: query - name: id - required: false - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemId' - - description: Either `id` or `item_id` must be specified - in: query - name: item_id - required: false - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId - - in: query - name: namespace_type - required: false - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType - default: single - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem' - description: Successful response - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '404': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list item not found response - '500': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Gets an exception list item - tags: - - Security Exceptions API - post: - operationId: CreateExceptionListItem - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - comments: - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemCommentArray - default: [] - description: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemDescription - entries: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray - expire_time: - format: date-time - type: string - item_id: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId - list_id: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListHumanId - meta: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemMeta - name: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemName - namespace_type: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType - default: single - os_types: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray - default: [] - tags: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemTags - default: [] - type: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemType - required: - - list_id - - type - - name - - description - - entries - description: Exception list item's properties - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem' - description: Successful response - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '409': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list item already exists response - '500': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Creates an exception list item - tags: - - Security Exceptions API - put: - operationId: UpdateExceptionListItem - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - _version: - type: string - comments: - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemCommentArray - default: [] - description: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemDescription - entries: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray - expire_time: - format: date-time - type: string - id: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemId - description: Either `id` or `item_id` must be specified - item_id: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId - description: Either `id` or `item_id` must be specified - list_id: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListHumanId - meta: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemMeta - name: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemName - namespace_type: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType - default: single - os_types: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray - default: [] - tags: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemTags - type: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemType - required: - - type - - name - - description - - entries - description: Exception list item's properties - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItem' - description: Successful response - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '404': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list item not found response - '500': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Updates an exception list item - tags: - - Security Exceptions API - /api/exception_lists/items/_find: - get: - operationId: FindExceptionListItems - parameters: - - description: List's id - in: query - name: list_id - required: true - schema: - items: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListHumanId - type: array - - description: > - Filters the returned results according to the value of the specified - field, - - using the `:` syntax. - in: query - name: filter - required: false - schema: - default: [] - items: - $ref: >- - #/components/schemas/Security_Exceptions_API_FindExceptionListItemsFilter - type: array - - description: > - Determines whether the returned containers are Kibana associated - with a Kibana space - - or available in all spaces (`agnostic` or `single`) - in: query - name: namespace_type - required: false - schema: - default: - - single - items: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType - type: array - - in: query - name: search - required: false - schema: - type: string - - description: The page number to return - in: query - name: page - required: false - schema: - minimum: 0 - type: integer - - description: The number of exception list items to return per page - in: query - name: per_page - required: false - schema: - minimum: 0 - type: integer - - description: Determines which field is used to sort the results - in: query - name: sort_field - required: false - schema: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - - description: 'Determines the sort order, which can be `desc` or `asc`' - in: query - name: sort_order - required: false - schema: - enum: - - desc - - asc - type: string - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - data: - items: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItem - type: array - page: - minimum: 1 - type: integer - per_page: - minimum: 1 - type: integer - pit: - type: string - total: - minimum: 0 - type: integer - required: - - data - - page - - per_page - - total - description: Successful response - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '404': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list not found response - '500': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Finds exception list items - tags: - - Security Exceptions API - /api/exception_lists/summary: - get: - operationId: ReadExceptionListSummary - parameters: - - description: Exception list's identifier generated upon creation - in: query - name: id - required: false - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' - - description: Exception list's human readable identifier - in: query - name: list_id - required: false - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' - - in: query - name: namespace_type - required: false - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionNamespaceType - default: single - - description: Search filter clause - in: query - name: filter - required: false - schema: - type: string - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - linux: - minimum: 0 - type: integer - macos: - minimum: 0 - type: integer - total: - minimum: 0 - type: integer - windows: - minimum: 0 - type: integer - description: Successful response - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '404': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list not found response - '500': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Retrieves an exception list summary - tags: - - Security Exceptions API - /api/exceptions/shared: - post: - operationId: CreateSharedExceptionList - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - description: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListDescription - name: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListName - required: - - name - - description - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionList' - description: Successful response - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - - $ref: >- - #/components/schemas/Security_Exceptions_API_SiemErrorResponse - description: Invalid input data response - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Unsuccessful authentication response - '403': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Exceptions_API_PlatformErrorResponse - description: Not enough privileges response - '409': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Exception list already exists response - '500': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Exceptions_API_SiemErrorResponse' - description: Internal server error response - summary: Creates a shared exception list - tags: - - Security Exceptions API - /api/fleet/agent_download_sources: - get: - operationId: get-download-sources - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - items: - items: - $ref: '#/components/schemas/Fleet_download_sources' - type: array - page: - type: integer - perPage: - type: integer - total: - type: integer - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: List agent binary download sources - tags: - - Elastic Agent binary download sources - post: - operationId: post-download-sources - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - host: - type: string - id: - type: string - is_default: - type: boolean - name: - type: string - required: - - name - - host - - is_default - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - item: - $ref: '#/components/schemas/Fleet_download_sources' - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Create agent binary download source - tags: - - Elastic Agent binary download sources - '/api/fleet/agent_download_sources/{sourceId}': - delete: - operationId: delete-download-source - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - id: - type: string - required: - - id - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Delete agent binary download source by ID - tags: - - Elastic Agent binary download sources - get: - operationId: get-one-download-source - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - item: - $ref: '#/components/schemas/Fleet_download_sources' - required: - - item - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Get agent binary download source by ID - tags: - - Elastic Agent binary download sources - parameters: - - in: path - name: sourceId - required: true - schema: - type: string - put: - operationId: update-download-source - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - host: - type: string - is_default: - type: boolean - name: - type: string - required: - - name - - is_default - - host - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - item: - $ref: '#/components/schemas/Fleet_download_sources' - required: - - item - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Update agent binary download source by ID - tags: - - Elastic Agent binary download sources - /api/fleet/agent_policies: - get: - description: '' - operationId: agent-policy-list - parameters: - - $ref: '#/components/parameters/Fleet_page_size' - - $ref: '#/components/parameters/Fleet_page_index' - - $ref: '#/components/parameters/Fleet_kuery' - - $ref: '#/components/parameters/Fleet_format' - - description: >- - When set to true, retrieve the related package policies for each - agent policy. - in: query - name: full - schema: - type: boolean - - description: >- - When set to true, do not count how many agents are in the agent - policy, this can improve performance if you are searching over a - large number of agent policies. The "agents" property will always be - 0 if set to true. - in: query - name: noAgentCount - schema: - type: boolean - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - items: - items: - $ref: '#/components/schemas/Fleet_agent_policy' - type: array - page: - type: number - perPage: - type: number - total: - type: number - required: - - items - - total - - page - - perPage - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: List agent policies - tags: - - Elastic Agent policies - post: - operationId: create-agent-policy - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Fleet_agent_policy_create_request' - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - item: - $ref: '#/components/schemas/Fleet_agent_policy' - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Create agent policy - tags: - - Elastic Agent policies - /api/fleet/agent_policies/_bulk_get: - post: - operationId: bulk-get-agent-policies - parameters: - - $ref: '#/components/parameters/Fleet_format' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - full: - description: get full policies with package policies populated - type: boolean - ids: - description: list of agent policy ids - items: - type: string - type: array - ignoreMissing: - type: boolean - required: - - ids - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - items: - items: - $ref: '#/components/schemas/Fleet_agent_policy' - type: array - required: - - items - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Bulk get agent policies - tags: - - Elastic Agent policies - '/api/fleet/agent_policies/{agentPolicyId}': - get: - description: Get one agent policy - operationId: agent-policy-info - parameters: [] - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - item: - $ref: '#/components/schemas/Fleet_agent_policy' - required: - - item - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Get agent policy by ID - tags: - - Elastic Agent policies - parameters: - - in: path - name: agentPolicyId - required: true - schema: - type: string - - $ref: '#/components/parameters/Fleet_format' - put: - operationId: update-agent-policy - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Fleet_agent_policy_update_request' - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - item: - $ref: '#/components/schemas/Fleet_agent_policy' - required: - - item - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Update agent policy by ID - tags: - - Elastic Agent policies - '/api/fleet/agent_policies/{agentPolicyId}/copy': - parameters: - - in: path - name: agentPolicyId - required: true - schema: - type: string - - $ref: '#/components/parameters/Fleet_format' - post: - operationId: agent-policy-copy - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - description: - type: string - name: - type: string - required: - - name - description: '' - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - item: - $ref: '#/components/schemas/Fleet_agent_policy' - required: - - item - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Copy agent policy by ID - tags: - - Elastic Agent policies - '/api/fleet/agent_policies/{agentPolicyId}/download': - get: - operationId: agent-policy-download - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - item: - type: string - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Download agent policy by ID - tags: - - Elastic Agent policies - parameters: - - in: path - name: agentPolicyId - required: true - schema: - type: string - - in: query - name: download - required: false - schema: - type: string - - in: query - name: standalone - required: false - schema: - type: string - - in: query - name: kubernetes - required: false - schema: - type: string - '/api/fleet/agent_policies/{agentPolicyId}/full': - get: - operationId: agent-policy-full - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - item: - oneOf: - - type: string - - $ref: '#/components/schemas/Fleet_agent_policy_full' - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Get full agent policy by ID - tags: - - Elastic Agent policies - parameters: - - in: path - name: agentPolicyId - required: true - schema: - type: string - - in: query - name: download - required: false - schema: - type: string - - in: query - name: standalone - required: false - schema: - type: string - - in: query - name: kubernetes - required: false - schema: - type: string - /api/fleet/agent_policies/delete: - parameters: [] - post: - operationId: delete-agent-policy - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - agentPolicyId: - type: string - force: - description: >- - bypass validation checks that can prevent agent policy - deletion - type: boolean - required: - - agentPolicyId - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - id: - type: string - success: - type: boolean - required: - - id - - success - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Delete agent policy by ID - tags: - - Elastic Agent policies - /api/fleet/agent_status: - get: - operationId: get-agent-status - parameters: - - in: query - name: policyId - required: false - schema: - type: string - - deprecated: true - in: query - name: kuery - required: false - schema: - type: string - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - active: - type: integer - all: - type: integer - error: - type: integer - events: - type: integer - inactive: - type: integer - offline: - type: integer - online: - type: integer - other: - type: integer - total: - deprecated: true - type: integer - unenrolled: - type: integer - updating: - type: integer - required: - - active - - all - - error - - events - - inactive - - offline - - online - - other - - total - - updating - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Get agent status summary - tags: - - Elastic Agent status - /api/fleet/agent_status/data: - get: - operationId: get-agent-data - parameters: - - in: query - name: agentsIds - required: true - schema: - items: - type: string - type: array - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - items: - items: - additionalProperties: - type: object - properties: - data: - type: boolean - type: object - type: array - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Get incoming agent data - tags: - - Elastic Agent status - /api/fleet/agent-status: - get: - deprecated: true - operationId: get-agent-status-deprecated - parameters: - - in: query - name: policyId - required: false - schema: - type: string - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - error: - type: integer - events: - type: integer - inactive: - type: integer - offline: - type: integer - online: - type: integer - other: - type: integer - total: - type: integer - updating: - type: integer - required: - - error - - events - - inactive - - offline - - online - - other - - total - - updating - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Get agent status summary - tags: - - Elastic Agent status - /api/fleet/agents: - get: - operationId: get-agents - parameters: - - $ref: '#/components/parameters/Fleet_page_size' - - $ref: '#/components/parameters/Fleet_page_index' - - $ref: '#/components/parameters/Fleet_kuery' - - $ref: '#/components/parameters/Fleet_show_inactive' - - $ref: '#/components/parameters/Fleet_show_upgradeable' - - $ref: '#/components/parameters/Fleet_sort_field' - - $ref: '#/components/parameters/Fleet_sort_order' - - $ref: '#/components/parameters/Fleet_with_metrics' - - in: query - name: getStatusSummary - required: false - schema: - type: boolean - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Fleet_get_agents_response' - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: List agents - tags: - - Elastic Agents - post: - operationId: get-agents-by-actions - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - actionIds: - items: - type: string - type: array - required: - - policy_id - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Fleet_agent_get_by_actions' - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: List agents by action ids - tags: - - Elastic Agents - '/api/fleet/agents/{agentId}': - delete: - operationId: delete-agent - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - action: - enum: - - deleted - type: string - required: - - action - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Delete agent by ID - tags: - - Elastic Agents - get: - operationId: get-agent - parameters: - - $ref: '#/components/parameters/Fleet_with_metrics' - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - item: - $ref: '#/components/schemas/Fleet_agent' - required: - - item - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Get agent by ID - tags: - - Elastic Agents - parameters: - - in: path - name: agentId - required: true - schema: - type: string - put: - operationId: update-agent - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - tags: - items: - type: string - type: array - user_provided_metadata: - type: object - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - item: - $ref: '#/components/schemas/Fleet_agent' - required: - - item - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Update agent by ID - tags: - - Elastic Agents - '/api/fleet/agents/{agentId}/actions': - parameters: - - in: path - name: agentId - required: true - schema: - type: string - post: - operationId: new-agent-action - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - action: - $ref: '#/components/schemas/Fleet_agent_action' - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - body: - items: - type: number - type: array - headers: - type: string - statusCode: - type: number - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Create agent action - tags: - - Elastic Agent actions - '/api/fleet/agents/{agentId}/reassign': - parameters: - - in: path - name: agentId - required: true - schema: - type: string - post: - operationId: reassign-agent - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - policy_id: - type: string - required: - - policy_id - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Reassign agent - tags: - - Elastic Agents - put: - deprecated: true - operationId: reassign-agent-deprecated - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - policy_id: - type: string - required: - - policy_id - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Reassign agent - tags: - - Elastic Agents - '/api/fleet/agents/{agentId}/request_diagnostics': - parameters: - - in: path - name: agentId - required: true - schema: - type: string - post: - operationId: request-diagnostics-agent - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - additional_metrics: - items: - oneOf: - - enum: - - CPU - type: string - type: array - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - actionId: - type: string - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Request agent diagnostics - tags: - - Elastic Agents - '/api/fleet/agents/{agentId}/unenroll': - parameters: - - in: path - name: agentId - required: true - schema: - type: string - post: - operationId: unenroll-agent - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - force: - type: boolean - revoke: - type: boolean - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - description: OK - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - error: - type: string - message: - type: string - statusCode: - enum: - - 400 - type: number - description: BAD REQUEST - summary: Unenroll agent - tags: - - Elastic Agents - '/api/fleet/agents/{agentId}/upgrade': - parameters: - - in: path - name: agentId - required: true - schema: - type: string - post: - operationId: upgrade-agent - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Fleet_upgrade_agent' - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Fleet_upgrade_agent' - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Upgrade agent - tags: - - Elastic Agents - '/api/fleet/agents/{agentId}/uploads': - get: - operationId: list-agent-uploads - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - body: - type: object - properties: - item: - items: - $ref: '#/components/schemas/Fleet_agent_diagnostics' - type: array - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: List agent uploads - tags: - - Elastic Agents - parameters: - - in: path - name: agentId - required: true - schema: - type: string - /api/fleet/agents/action_status: - get: - operationId: agents-action-status - parameters: - - $ref: '#/components/parameters/Fleet_page_size' - - $ref: '#/components/parameters/Fleet_page_index' - - in: query - name: errorSize - schema: - default: 5 - type: integer - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - items: - items: - type: object - properties: - actionId: - type: string - cancellationTime: - type: string - completionTime: - type: string - creationTime: - description: creation time of action - type: string - expiration: - type: string - latestErrors: - description: >- - latest errors that happened when the agents executed - the action - items: - type: object - properties: - agentId: - type: string - error: - type: string - timestamp: - type: string - type: array - nbAgentsAck: - description: number of agents that acknowledged the action - type: number - nbAgentsActionCreated: - description: number of agents included in action from kibana - type: number - nbAgentsActioned: - description: number of agents actioned - type: number - nbAgentsFailed: - description: number of agents that failed to execute the action - type: number - newPolicyId: - description: new policy id (POLICY_REASSIGN action) - type: string - policyId: - description: policy id (POLICY_CHANGE action) - type: string - revision: - description: new policy revision (POLICY_CHANGE action) - type: string - startTime: - description: start time of action (scheduled actions) - type: string - status: - enum: - - COMPLETE - - EXPIRED - - CANCELLED - - FAILED - - IN_PROGRESS - - ROLLOUT_PASSED - type: string - type: - enum: - - POLICY_REASSIGN - - UPGRADE - - UNENROLL - - FORCE_UNENROLL - - UPDATE_TAGS - - CANCEL - - REQUEST_DIAGNOSTICS - - SETTINGS - - POLICY_CHANGE - - INPUT_ACTION - type: string - version: - description: agent version number (UPGRADE action) - type: string - required: - - actionId - - complete - - nbAgentsActioned - - nbAgentsActionCreated - - nbAgentsAck - - nbAgentsFailed - - status - - creationTime - - type - type: array - required: - - items - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Get agent action status - tags: - - Elastic Agent actions - '/api/fleet/agents/actions/{actionId}/cancel': - parameters: - - in: path - name: actionId - required: true - schema: - type: string - post: - operationId: agent-action-cancel - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - item: - $ref: '#/components/schemas/Fleet_agent_action' - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Cancel agent action - tags: - - Elastic Agent actions - /api/fleet/agents/bulk_reassign: - post: - operationId: bulk-reassign-agents - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - example: - agents: 'fleet-agents.policy_id : ("policy1" or "policy2")' - policy_id: policy_id - schema: - type: object - properties: - agents: - oneOf: - - description: 'KQL query string, leave empty to action all agents' - type: string - - description: list of agent IDs - items: - type: string - type: array - policy_id: - description: new agent policy id - type: string - required: - - policy_id - - agents - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - actionId: - type: string - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Bulk reassign agents - tags: - - Elastic Agents - /api/fleet/agents/bulk_request_diagnostics: - post: - operationId: bulk-request-diagnostics - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - example: - agents: 'fleet-agents.policy_id : ("policy1" or "policy2")' - schema: - type: object - properties: - additional_metrics: - items: - oneOf: - - enum: - - CPU - type: string - type: array - agents: - oneOf: - - description: 'KQL query string, leave empty to action all agents' - type: string - - description: list of agent IDs - items: - type: string - type: array - batchSize: - type: number - required: - - agents - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - actionId: - type: string - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Bulk request diagnostics from agents - tags: - - Elastic Agents - /api/fleet/agents/bulk_unenroll: - post: - operationId: bulk-unenroll-agents - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - example: - agents: - - agent1 - - agent2 - force: false - revoke: true - schema: - type: object - properties: - agents: - oneOf: - - description: 'KQL query string, leave empty to action all agents' - type: string - - description: list of agent IDs - items: - type: string - type: array - force: - description: Unenrolls hosted agents too - type: boolean - includeInactive: - description: >- - When passing agents by KQL query, unenrolls inactive agents - too - type: boolean - revoke: - description: Revokes API keys of agents - type: boolean - required: - - agents - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - actionId: - type: string - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Bulk unenroll agents - tags: - - Elastic Agents - /api/fleet/agents/bulk_update_agent_tags: - post: - operationId: bulk-update-agent-tags - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - example: - agents: - - agent1 - - agent2 - tagsToAdd: - - newTag - tagsToRemove: - - existingTag - schema: - type: object - properties: - agents: - oneOf: - - description: 'KQL query string, leave empty to action all agents' - type: string - - description: list of agent IDs - items: - type: string - type: array - batchSize: - type: number - tagsToAdd: - items: - type: string - type: array - tagsToRemove: - items: - type: string - type: array - required: - - agents - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - actionId: - type: string - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Bulk update agent tags - tags: - - Elastic Agents - /api/fleet/agents/bulk_upgrade: - post: - operationId: bulk-upgrade-agents - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - example: - agents: - - agent1 - - agent2 - rollout_duration_seconds: 3600 - source_uri: 'https://artifacts.elastic.co/downloads/beats/elastic-agent' - start_time: '2022-08-03T14:00:00.000Z' - version: 8.4.0 - schema: - $ref: '#/components/schemas/Fleet_bulk_upgrade_agents' - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - actionId: - type: string - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Bulk upgrade agents - tags: - - Elastic Agents - '/api/fleet/agents/files/{fileId}': - delete: - operationId: delete-agent-upload-file - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - body: - type: object - properties: - deleted: - type: boolean - id: - type: string - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Delete file uploaded by agent - tags: - - Elastic Agents - parameters: - - in: path - name: fileId - required: true - schema: - type: string - '/api/fleet/agents/files/{fileId}/{fileName}': - get: - operationId: get-agent-upload-file - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - body: - type: object - properties: - items: - type: object - properties: - body: {} - headers: {} - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Get file uploaded by agent - tags: - - Elastic Agents - parameters: - - in: path - name: fileId - required: true - schema: - type: string - - in: path - name: fileName - required: true - schema: - type: string - /api/fleet/agents/setup: - get: - operationId: get-agents-setup-status - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Fleet_fleet_status_response' - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Get agent setup info - tags: - - Elastic Agents - post: - operationId: setup-agents - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - admin_password: - type: string - admin_username: - type: string - required: - - admin_username - - admin_password - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Fleet_fleet_setup_response' - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Initiate agent setup - tags: - - Elastic Agents - /api/fleet/agents/tags: - get: - operationId: get-agent-tags - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Fleet_get_agent_tags_response' - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: List agent tags - tags: - - Elastic Agents - /api/fleet/data_streams: - get: - operationId: data-streams-list - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - data_streams: - items: - $ref: '#/components/schemas/Fleet_data_stream' - type: array - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: List data streams - tags: - - Data streams - parameters: [] - /api/fleet/enrollment_api_keys: - get: - operationId: get-enrollment-api-keys - parameters: - - $ref: '#/components/parameters/Fleet_page_size' - - $ref: '#/components/parameters/Fleet_page_index' - - $ref: '#/components/parameters/Fleet_kuery' - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - items: - items: - $ref: '#/components/schemas/Fleet_enrollment_api_key' - type: array - list: - deprecated: true - items: - $ref: '#/components/schemas/Fleet_enrollment_api_key' - type: array - page: - type: number - perPage: - type: number - total: - type: number - required: - - items - - page - - perPage - - total - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: List enrollment API keys - tags: - - Fleet enrollment API keys - post: - operationId: create-enrollment-api-keys - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - name: - description: The name of the enrollment API key. Must be unique. - type: string - policy_id: - description: >- - The ID of the agent policy the Elastic Agent will be - enrolled in. - type: string - required: - - policy_id - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - action: - enum: - - created - type: string - item: - $ref: '#/components/schemas/Fleet_enrollment_api_key' - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Create enrollment API key - tags: - - Fleet enrollment API keys - '/api/fleet/enrollment_api_keys/{keyId}': - delete: - operationId: delete-enrollment-api-key - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - action: - enum: - - deleted - type: string - required: - - action - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Revoke enrollment API key by ID by marking it as inactive - tags: - - Fleet enrollment API keys - get: - operationId: get-enrollment-api-key - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - item: - $ref: '#/components/schemas/Fleet_enrollment_api_key' - required: - - item - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Get enrollment API key by ID - tags: - - Fleet enrollment API keys - parameters: - - in: path - name: keyId - required: true - schema: - type: string - /api/fleet/enrollment-api-keys: - get: - deprecated: true - operationId: get-enrollment-api-keys-deprecated - parameters: [] - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - items: - items: - $ref: '#/components/schemas/Fleet_enrollment_api_key' - type: array - list: - deprecated: true - items: - $ref: '#/components/schemas/Fleet_enrollment_api_key' - type: array - page: - type: number - perPage: - type: number - total: - type: number - required: - - items - - page - - perPage - - total - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: List enrollment API keys - tags: - - Fleet enrollment API keys - post: - deprecated: true - operationId: create-enrollment-api-keys-deprecated - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - action: - enum: - - created - type: string - item: - $ref: '#/components/schemas/Fleet_enrollment_api_key' - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Create enrollment API key - tags: - - Fleet enrollment API keys - '/api/fleet/enrollment-api-keys/{keyId}': - delete: - deprecated: true - operationId: delete-enrollment-api-key-deprecated - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - action: - enum: - - deleted - type: string - required: - - action - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Delete enrollment API key by ID - tags: - - Fleet enrollment API keys - get: - deprecated: true - operationId: get-enrollment-api-key-deprecated - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - item: - $ref: '#/components/schemas/Fleet_enrollment_api_key' - required: - - item - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Get enrollment API key by ID - tags: - - Fleet enrollment API keys - parameters: - - in: path - name: keyId - required: true - schema: - type: string - /api/fleet/epm/bulk_assets: - post: - operationId: bulk-get-assets - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - assetIds: - description: list of items necessary to fetch assets - items: - type: object - properties: - id: - type: string - type: - type: string - type: array - required: - - assetIds - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Fleet_get_bulk_assets_response' - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Bulk get assets - tags: - - Elastic Package Manager (EPM) - /api/fleet/epm/categories: - get: - operationId: get-package-categories - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Fleet_get_categories_response' - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: List package categories - tags: - - Elastic Package Manager (EPM) - parameters: - - description: >- - Whether to include prerelease packages in categories count (e.g. beta, - rc, preview) - in: query - name: prerelease - schema: - default: false - type: boolean - - deprecated: true - in: query - name: experimental - schema: - default: false - type: boolean - - in: query - name: include_policy_templates - schema: - default: false - type: boolean - /api/fleet/epm/packages: - get: - operationId: list-all-packages - parameters: - - description: >- - Whether to exclude the install status of each package. Enabling this - option will opt in to caching for the response via `cache-control` - headers. If you don't need up-to-date installation info for a - package, and are querying for a list of available packages, - providing this flag can improve performance substantially. - in: query - name: excludeInstallStatus - schema: - default: false - type: boolean - - description: >- - Whether to return prerelease versions of packages (e.g. beta, rc, - preview) - in: query - name: prerelease - schema: - default: false - type: boolean - - deprecated: true - in: query - name: experimental - schema: - default: false - type: boolean - - in: query - name: category - schema: - type: string - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Fleet_get_packages_response' - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: List packages - tags: - - Elastic Package Manager (EPM) - post: - description: '' - operationId: install-package-by-upload - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - - description: avoid erroring out on unexpected mapping update errors - in: query - name: ignoreMappingUpdateErrors - schema: - default: false - type: boolean - - description: >- - Skip data stream rollover during index template mapping or settings - update - in: query - name: skipDataStreamRollover - schema: - default: false - type: boolean - requestBody: - content: - application/gzip; Elastic-Api-Version=2023-10-31: - schema: - format: binary - type: string - application/zip; Elastic-Api-Version=2023-10-31: - schema: - format: binary - type: string - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - _meta: - type: object - properties: - install_source: - enum: - - upload - - registry - - bundled - type: string - items: - items: - type: object - properties: - id: - type: string - type: - oneOf: - - $ref: >- - #/components/schemas/Fleet_kibana_saved_object_type - - $ref: >- - #/components/schemas/Fleet_elasticsearch_asset_type - required: - - id - - type - type: array - required: - - items - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - '429': - $ref: '#/components/responses/Fleet_error' - summary: Install by package by direct upload - tags: - - Elastic Package Manager (EPM) - /api/fleet/epm/packages/_bulk: - post: - operationId: bulk-install-packages - parameters: - - description: >- - Whether to return prerelease versions of packages (e.g. beta, rc, - preview) - in: query - name: prerelease - schema: - default: false - type: boolean - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - force: - description: force install to ignore package verification errors - type: boolean - packages: - description: list of packages to install - items: - oneOf: - - description: package name - type: string - - type: object - properties: - name: - description: package name - type: string - version: - description: package version - type: string - type: array - required: - - packages - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Fleet_bulk_install_packages_response' - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Bulk install packages - tags: - - Elastic Package Manager (EPM) - '/api/fleet/epm/packages/{pkgkey}': - delete: - deprecated: true - operationId: delete-package-deprecated - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - - in: path - name: pkgkey - required: true - schema: - type: string - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - force: - type: boolean - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - response: - items: - type: object - properties: - id: - type: string - type: - oneOf: - - $ref: >- - #/components/schemas/Fleet_kibana_saved_object_type - - $ref: >- - #/components/schemas/Fleet_elasticsearch_asset_type - required: - - id - - type - type: array - required: - - response - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Delete ackage - tags: - - Elastic Package Manager (EPM) - get: - deprecated: true - operationId: get-package-deprecated - parameters: - - in: path - name: pkgkey - required: true - schema: - type: string - - description: >- - Whether to return prerelease versions of packages (e.g. beta, rc, - preview) - in: query - name: prerelease - schema: - default: false - type: boolean - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - allOf: - - properties: - response: - $ref: '#/components/schemas/Fleet_package_info' - - properties: - savedObject: - type: string - status: - enum: - - installed - - installing - - install_failed - - not_installed - type: string - required: - - status - - savedObject - type: object - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Get package - tags: - - Elastic Package Manager (EPM) - post: - deprecated: true - description: '' - operationId: install-package-deprecated - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - - in: path - name: pkgkey - required: true - schema: - type: string - - description: avoid erroring out on unexpected mapping update errors - in: query - name: ignoreMappingUpdateErrors - schema: - default: false - type: boolean - - description: >- - Skip data stream rollover during index template mapping or settings - update - in: query - name: skipDataStreamRollover - schema: - default: false - type: boolean - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - force: - type: boolean - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - response: - items: - type: object - properties: - id: - type: string - type: - oneOf: - - $ref: >- - #/components/schemas/Fleet_kibana_saved_object_type - - $ref: >- - #/components/schemas/Fleet_elasticsearch_asset_type - required: - - id - - type - type: array - required: - - response - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Install package - tags: - - Elastic Package Manager (EPM) - '/api/fleet/epm/packages/{pkgName}/{pkgVersion}': - delete: - operationId: delete-package - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - - description: delete package even if policies used by agents - in: query - name: force - schema: - type: boolean - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - deprecated: true - type: object - properties: - force: - type: boolean - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - items: - items: - type: object - properties: - id: - type: string - type: - oneOf: - - $ref: >- - #/components/schemas/Fleet_kibana_saved_object_type - - $ref: >- - #/components/schemas/Fleet_elasticsearch_asset_type - required: - - id - - type - type: array - required: - - items - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Delete package - tags: - - Elastic Package Manager (EPM) - get: - operationId: get-package - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - allOf: - - properties: - item: - $ref: '#/components/schemas/Fleet_package_info' - - properties: - keepPoliciesUpToDate: - type: boolean - latestVersion: - type: string - licensePath: - type: string - notice: - type: string - savedObject: - deprecated: true - type: object - status: - enum: - - installed - - installing - - install_failed - - not_installed - type: string - required: - - status - - savedObject - type: object - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Get package - tags: - - Elastic Package Manager (EPM) - parameters: - - in: path - name: pkgName - required: true - schema: - type: string - - in: path - name: pkgVersion - required: true - schema: - type: string - - description: Ignore if the package is fails signature verification - in: query - name: ignoreUnverified - schema: - type: boolean - - description: >- - Return all fields from the package manifest, not just those supported - by the Elastic Package Registry - in: query - name: full - schema: - type: boolean - - description: >- - Whether to return prerelease versions of packages (e.g. beta, rc, - preview) - in: query - name: prerelease - schema: - default: false - type: boolean - post: - description: '' - operationId: install-package - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - - description: avoid erroring out on unexpected mapping update errors - in: query - name: ignoreMappingUpdateErrors - schema: - default: false - type: boolean - - description: >- - Skip data stream rollover during index template mapping or settings - update - in: query - name: skipDataStreamRollover - schema: - default: false - type: boolean - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - force: - type: boolean - ignore_constraints: - type: boolean - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - _meta: - type: object - properties: - install_source: - enum: - - registry - - upload - - bundled - type: string - items: - items: - type: object - properties: - id: - type: string - type: - oneOf: - - $ref: >- - #/components/schemas/Fleet_kibana_saved_object_type - - $ref: >- - #/components/schemas/Fleet_elasticsearch_asset_type - required: - - id - - type - type: array - required: - - items - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Install package - tags: - - Elastic Package Manager (EPM) - put: - description: '' - operationId: update-package - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - keepPoliciesUpToDate: - type: boolean - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - items: - items: - type: object - properties: - id: - type: string - type: - oneOf: - - $ref: >- - #/components/schemas/Fleet_kibana_saved_object_type - - $ref: >- - #/components/schemas/Fleet_elasticsearch_asset_type - required: - - id - - type - type: array - required: - - items - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Update package settings - tags: - - Elastic Package Manager (EPM) - '/api/fleet/epm/packages/{pkgName}/{pkgVersion}/{filePath}': - get: - operationId: packages-get-file - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - body: - type: object - headers: - type: object - statusCode: - type: number - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Get package file - tags: - - Elastic Package Manager (EPM) - parameters: - - in: path - name: pkgName - required: true - schema: - type: string - - in: path - name: pkgVersion - required: true - schema: - type: string - - in: path - name: filePath - required: true - schema: - type: string - '/api/fleet/epm/packages/{pkgName}/{pkgVersion}/transforms/authorize': - post: - description: '' - operationId: reauthorize-transforms - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - - in: path - name: pkgName - required: true - schema: - type: string - - in: path - name: pkgVersion - required: true - schema: - type: string - - description: >- - Whether to include prerelease packages in categories count (e.g. - beta, rc, preview) - in: query - name: prerelease - schema: - default: false - type: boolean - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - transforms: - items: - type: object - properties: - transformId: - type: string - type: array - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - items: - items: - type: object - properties: - error: - type: string - success: - type: boolean - transformId: - type: string - required: - - transformId - - error - type: array - required: - - items - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Authorize transforms - tags: - - Elastic Package Manager (EPM) - '/api/fleet/epm/packages/{pkgName}/stats': - get: - operationId: get-package-stats - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - response: - $ref: '#/components/schemas/Fleet_package_usage_stats' - required: - - response - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Get package stats - tags: - - Elastic Package Manager (EPM) - parameters: - - in: path - name: pkgName - required: true - schema: - type: string - /api/fleet/epm/packages/limited: - get: - operationId: list-limited-packages - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - items: - items: - type: string - type: array - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Get limited package list - tags: - - Elastic Package Manager (EPM) - parameters: [] - '/api/fleet/epm/templates/{pkgName}/{pkgVersion}/inputs': - get: - operationId: get-inputs-template - responses: - '200': - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Get inputs template - tags: - - Elastic Package Manager (EPM) - parameters: - - in: path - name: pkgName - required: true - schema: - type: string - - in: path - name: pkgVersion - required: true - schema: - type: string - - description: Format of response - json or yaml - in: query - name: format - schema: - enum: - - json - - yaml - - yml - type: string - - description: Specify if version is prerelease - in: query - name: prerelease - schema: - type: boolean - - description: Ignore if the package is fails signature verification - in: query - name: ignoreUnverified - schema: - type: boolean - /api/fleet/epm/verification_key_id: - get: - operationId: packages-get-verification-key-id - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - body: - type: object - properties: - id: - description: >- - the key ID of the GPG key used to verify package - signatures - nullable: true - type: string - headers: - type: object - statusCode: - type: number - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Get package signature verification key ID - tags: - - Elastic Package Manager (EPM) - parameters: [] - /api/fleet/fleet_server_hosts: - get: - operationId: get-fleet-server-hosts - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - items: - items: - $ref: '#/components/schemas/Fleet_fleet_server_host' - type: array - page: - type: integer - perPage: - type: integer - total: - type: integer - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: List Fleet Server hosts - tags: - - Fleet Server hosts - post: - operationId: post-fleet-server-hosts - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - host_urls: - items: - type: string - type: array - id: - type: string - is_default: - type: boolean - is_internal: - type: boolean - name: - type: string - proxy_id: - description: >- - The ID of the proxy to use for this fleet server host. See - the proxies API for more information. - type: string - required: - - name - - host_urls - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - item: - $ref: '#/components/schemas/Fleet_fleet_server_host' - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Create Fleet Server host - tags: - - Fleet Server hosts - '/api/fleet/fleet_server_hosts/{itemId}': - delete: - operationId: delete-fleet-server-hosts - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - id: - type: string - required: - - id - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Delete Fleet Server host by ID - tags: - - Fleet Server hosts - get: - operationId: get-one-fleet-server-hosts - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - item: - $ref: '#/components/schemas/Fleet_fleet_server_host' - required: - - item - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Get Fleet Server host by ID - tags: - - Fleet Server hosts - parameters: - - in: path - name: itemId - required: true - schema: - type: string - put: - operationId: update-fleet-server-hosts - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - host_urls: - items: - type: string - type: array - is_default: - type: boolean - is_internal: - type: boolean - name: - type: string - proxy_id: - description: >- - The ID of the proxy to use for this fleet server host. See - the proxies API for more information. - nullable: true - type: string - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - item: - $ref: '#/components/schemas/Fleet_fleet_server_host' - required: - - item - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Update Fleet Server host by ID - tags: - - Fleet Server hosts - /api/fleet/health_check: - post: - operationId: fleet-server-health-check - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - host: - deprecated: true - type: string - id: - type: string - required: - - id - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - host: - deprecated: true - type: string - id: - description: Fleet Server host id - type: string - status: - type: string - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Fleet Server health check - tags: - - Fleet internals - /api/fleet/kubernetes: - get: - operationId: get-full-k8s-manifest - parameters: - - in: query - name: download - required: false - schema: - type: boolean - - in: query - name: fleetServer - required: false - schema: - type: string - - in: query - name: enrolToken - required: false - schema: - type: string - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - item: - type: string - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Get full K8s agent manifest - tags: - - Fleet Kubernetes - /api/fleet/logstash_api_keys: - post: - operationId: generate-logstash-api-key - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - api_key: - type: string - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Generate Logstash API key - tags: - - Fleet outputs - /api/fleet/outputs: - get: - operationId: get-outputs - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - items: - items: - $ref: '#/components/schemas/Fleet_output_create_request' - type: array - page: - type: integer - perPage: - type: integer - total: - type: integer - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: List outputs - tags: - - Fleet outputs - post: - operationId: post-outputs - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Fleet_output_create_request' - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - item: - $ref: '#/components/schemas/Fleet_output_create_request' - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Create output - tags: - - Fleet outputs - '/api/fleet/outputs/{outputId}': - delete: - operationId: delete-output - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - id: - type: string - required: - - id - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Delete output by ID - tags: - - Fleet outputs - get: - operationId: get-output - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - item: - $ref: '#/components/schemas/Fleet_output_create_request' - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Get output by ID - tags: - - Fleet outputs - parameters: - - in: path - name: outputId - required: true - schema: - type: string - put: - operationId: update-output - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Fleet_output_update_request' - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - item: - $ref: '#/components/schemas/Fleet_output_update_request' - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Update output by ID - tags: - - Fleet outputs - '/api/fleet/outputs/{outputId}/health': - get: - operationId: get-output-health - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - message: - description: long message if unhealthy - type: string - state: - description: 'state of output, HEALTHY or DEGRADED' - type: string - timestamp: - description: timestamp of reported state - type: string - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Get latest output health - tags: - - Fleet outputs - parameters: - - in: path - name: outputId - required: true - schema: - type: string - /api/fleet/package_policies: - get: - operationId: get-package-policies - parameters: - - $ref: '#/components/parameters/Fleet_page_size' - - $ref: '#/components/parameters/Fleet_page_index' - - $ref: '#/components/parameters/Fleet_kuery' - - $ref: '#/components/parameters/Fleet_format' - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - items: - items: - $ref: '#/components/schemas/Fleet_package_policy' - type: array - page: - type: number - perPage: - type: number - total: - type: number - required: - - items - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: List package policies - tags: - - Fleet package policies - parameters: [] - post: - operationId: create-package-policy - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - - $ref: '#/components/parameters/Fleet_format' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Fleet_package_policy_request' - description: >- - You should use inputs as an object and not use the deprecated inputs - array. - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - item: - $ref: '#/components/schemas/Fleet_package_policy' - required: - - item - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - '409': - $ref: '#/components/responses/Fleet_error' - summary: Create package policy - tags: - - Fleet package policies - /api/fleet/package_policies/_bulk_get: - post: - operationId: bulk-get-package-policies - parameters: - - $ref: '#/components/parameters/Fleet_format' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - ids: - description: list of package policy ids - items: - type: string - type: array - ignoreMissing: - type: boolean - required: - - ids - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - items: - items: - $ref: '#/components/schemas/Fleet_package_policy' - type: array - required: - - items - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Bulk get package policies - tags: - - Fleet package policies - '/api/fleet/package_policies/{packagePolicyId}': - delete: - operationId: delete-package-policy - parameters: - - in: query - name: force - schema: - type: boolean - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - id: - type: string - required: - - id - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Delete package policy by ID - tags: - - Fleet package policies - get: - operationId: get-package-policy - parameters: - - $ref: '#/components/parameters/Fleet_format' - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - item: - $ref: '#/components/schemas/Fleet_package_policy' - required: - - item - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Get package policy by ID - tags: - - Fleet package policies - parameters: - - in: path - name: packagePolicyId - required: true - schema: - type: string - put: - operationId: update-package-policy - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - - $ref: '#/components/parameters/Fleet_format' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Fleet_package_policy_request' - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - item: - $ref: '#/components/schemas/Fleet_package_policy' - required: - - item - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Update package policy by ID - tags: - - Fleet package policies - /api/fleet/package_policies/delete: - post: - operationId: post-delete-package-policy - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - force: - type: boolean - packagePolicyIds: - items: - type: string - type: array - required: - - packagePolicyIds - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - items: - type: object - properties: - id: - type: string - name: - type: string - success: - type: boolean - required: - - id - - success - type: array - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Delete package policy - tags: - - Fleet package policies - /api/fleet/package_policies/upgrade: - post: - operationId: upgrade-package-policy - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - packagePolicyIds: - items: - type: string - type: array - required: - - packagePolicyIds - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - items: - type: object - properties: - id: - type: string - name: - type: string - success: - type: boolean - required: - - id - - success - type: array - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - '409': - $ref: '#/components/responses/Fleet_error' - summary: Upgrade package policy to a newer package version - tags: - - Fleet package policies - /api/fleet/package_policies/upgrade/dryrun: - post: - operationId: upgrade-package-policy-dry-run - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - packagePolicyIds: - items: - type: string - type: array - packageVersion: - type: string - required: - - packagePolicyIds - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - items: - type: object - properties: - agent_diff: - $ref: '#/components/schemas/Fleet_upgrade_agent_diff' - diff: - $ref: '#/components/schemas/Fleet_upgrade_diff' - hasErrors: - type: boolean - required: - - hasErrors - type: array - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Dry run package policy upgrade - tags: - - Fleet package policies - /api/fleet/proxies: - get: - operationId: get-fleet-proxies - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - items: - items: - $ref: '#/components/schemas/Fleet_proxies' - type: array - page: - type: integer - perPage: - type: integer - total: - type: integer - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: List proxies - tags: - - Fleet proxies - post: - operationId: post-fleet-proxies - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - certificate: - type: string - certificate_authorities: - type: string - certificate_key: - type: string - id: - type: string - name: - type: string - proxy_headers: - type: object - url: - type: string - required: - - name - - url - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - item: - $ref: '#/components/schemas/Fleet_proxies' - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Create proxy - tags: - - Fleet proxies - '/api/fleet/proxies/{itemId}': - delete: - operationId: delete-fleet-proxies - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - id: - type: string - required: - - id - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Delete proxy by ID - tags: - - Fleet proxies - get: - operationId: get-one-fleet-proxies - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - item: - $ref: '#/components/schemas/Fleet_proxies' - required: - - item - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Get proxy by ID - tags: - - Fleet proxies - parameters: - - in: path - name: itemId - required: true - schema: - type: string - put: - operationId: update-fleet-proxies - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - certificate: - type: string - certificate_authorities: - type: string - certificate_key: - type: string - name: - type: string - proxy_headers: - type: object - url: - type: string - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - item: - $ref: '#/components/schemas/Fleet_proxies' - required: - - item - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Update proxy by ID - tags: - - Fleet proxies - /api/fleet/service_tokens: - post: - operationId: generate-service-token - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - name: - type: string - value: - type: string - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Create service token - tags: - - Fleet service tokens - /api/fleet/service-tokens: - post: - deprecated: true - operationId: generate-service-token-deprecated - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - name: - type: string - value: - type: string - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Create service token - tags: - - Fleet service tokens - /api/fleet/settings: - get: - operationId: get-settings - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Fleet_fleet_settings_response' - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Get settings - tags: - - Fleet internals - put: - operationId: update-settings - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - additional_yaml_config: - type: string - delete_unenrolled_agents: - type: object - properties: - enabled: - type: boolean - is_preconfigured: - type: boolean - fleet_server_hosts: - description: Protocol and path must be the same for each URL - items: - type: string - type: array - has_seen_add_data_notice: - type: boolean - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Fleet_fleet_settings_response' - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Update settings - tags: - - Fleet internals - /api/fleet/setup: - post: - operationId: setup - parameters: - - $ref: '#/components/parameters/Fleet_kbn_xsrf' - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Fleet_fleet_setup_response' - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - '500': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - message: - type: string - description: Internal Server Error - summary: Initiate Fleet setup - tags: - - Fleet internals - /api/fleet/uninstall_tokens: - get: - operationId: get-uninstall-tokens - parameters: - - description: The number of items to return - in: query - name: perPage - required: false - schema: - default: 20 - minimum: 5 - type: integer - - $ref: '#/components/parameters/Fleet_page_index' - - description: Partial match filtering for policy IDs - in: query - name: policyId - required: false - schema: - type: string - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - items: - items: - type: object - properties: - created_at: - type: string - id: - type: string - policy_id: - type: string - required: - - id - - policy_id - - created_at - type: array - page: - type: number - perPage: - type: number - total: - type: number - required: - - items - - total - - page - - perPage - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: List metadata for latest uninstall tokens per agent policy - tags: - - Fleet uninstall tokens - '/api/fleet/uninstall_tokens/{uninstallTokenId}': - get: - operationId: get-uninstall-token - parameters: - - in: path - name: uninstallTokenId - required: true - schema: - type: string - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - item: - type: object - properties: - created_at: - type: string - id: - type: string - policy_id: - type: string - token: - type: string - required: - - id - - token - - policy_id - - created_at - required: - - item - description: OK - '400': - $ref: '#/components/responses/Fleet_error' - summary: Get one decrypted uninstall token by its ID - tags: - - Fleet uninstall tokens - /api/lists: - delete: - operationId: DeleteList - parameters: - - description: List's `id` value - in: query - name: id - required: true - schema: - $ref: '#/components/schemas/Security_Lists_API_ListId' - - in: query - name: deleteReferences - required: false - schema: - default: false - type: boolean - - in: query - name: ignoreReferences - required: false - schema: - default: false - type: boolean - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_List' - description: Successful response - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '404': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List not found response - '500': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Deletes a list - tags: - - Security Lists API - get: - operationId: ReadList - parameters: - - description: List's `id` value - in: query - name: id - required: true - schema: - $ref: '#/components/schemas/Security_Lists_API_ListId' - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_List' - description: Successful response - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '404': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List not found response - '500': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Retrieves a list using its id field - tags: - - Security Lists API - patch: - operationId: PatchList - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - _version: - type: string - description: - $ref: '#/components/schemas/Security_Lists_API_ListDescription' - id: - $ref: '#/components/schemas/Security_Lists_API_ListId' - meta: - $ref: '#/components/schemas/Security_Lists_API_ListMetadata' - name: - $ref: '#/components/schemas/Security_Lists_API_ListName' - version: - minimum: 1 - type: integer - required: - - id - description: List's properties - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_List' - description: Successful response - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '404': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List not found response - '500': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Patches a list - tags: - - Security Lists API - post: - operationId: CreateList - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - description: - $ref: '#/components/schemas/Security_Lists_API_ListDescription' - deserializer: - type: string - id: - $ref: '#/components/schemas/Security_Lists_API_ListId' - meta: - $ref: '#/components/schemas/Security_Lists_API_ListMetadata' - name: - $ref: '#/components/schemas/Security_Lists_API_ListName' - serializer: - type: string - type: - $ref: '#/components/schemas/Security_Lists_API_ListType' - version: - default: 1 - minimum: 1 - type: integer - required: - - name - - description - - type - description: List's properties - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_List' - description: Successful response - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '409': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List already exists response - '500': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Creates a list - tags: - - Security Lists API - put: - operationId: UpdateList - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - _version: - type: string - description: - $ref: '#/components/schemas/Security_Lists_API_ListDescription' - id: - $ref: '#/components/schemas/Security_Lists_API_ListId' - meta: - $ref: '#/components/schemas/Security_Lists_API_ListMetadata' - name: - $ref: '#/components/schemas/Security_Lists_API_ListName' - version: - minimum: 1 - type: integer - required: - - id - - name - - description - description: List's properties - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_List' - description: Successful response - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '404': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List not found response - '500': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Updates a list - tags: - - Security Lists API - /api/lists/_find: - get: - operationId: FindLists - parameters: - - description: The page number to return - in: query - name: page - required: false - schema: - type: integer - - description: The number of lists to return per page - in: query - name: per_page - required: false - schema: - type: integer - - description: Determines which field is used to sort the results - in: query - name: sort_field - required: false - schema: - $ref: '#/components/schemas/Security_Lists_API_NonEmptyString' - - description: 'Determines the sort order, which can be `desc` or `asc`' - in: query - name: sort_order - required: false - schema: - enum: - - desc - - asc - type: string - - description: > - Returns the list that come after the last list returned in the - previous call - - (use the cursor value returned in the previous call). This parameter - uses - - the `tie_breaker_id` field to ensure all lists are sorted and - returned correctly. - in: query - name: cursor - required: false - schema: - $ref: '#/components/schemas/Security_Lists_API_FindListsCursor' - - description: > - Filters the returned results according to the value of the specified - field, - - using the : syntax. - in: query - name: filter - required: false - schema: - $ref: '#/components/schemas/Security_Lists_API_FindListsFilter' - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - cursor: - $ref: '#/components/schemas/Security_Lists_API_FindListsCursor' - data: - items: - $ref: '#/components/schemas/Security_Lists_API_List' - type: array - page: - minimum: 0 - type: integer - per_page: - minimum: 0 - type: integer - total: - minimum: 0 - type: integer - required: - - data - - page - - per_page - - total - - cursor - description: Successful response - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '500': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Finds lists - tags: - - Security Lists API - /api/lists/index: - delete: - operationId: DeleteListIndex - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - acknowledged: - type: boolean - required: - - acknowledged - description: Successful response - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '404': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List data stream not found response - '500': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Deletes list data streams - tags: - - Security Lists API - get: - operationId: ReadListIndex - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - list_index: - type: boolean - list_item_index: - type: boolean - required: - - list_index - - list_item_index - description: Successful response - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '404': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List data stream(s) not found response - '500': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Get list data stream existence status - tags: - - Security Lists API - post: - operationId: CreateListIndex - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - acknowledged: - type: boolean - required: - - acknowledged - description: Successful response - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '409': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List data stream exists response - '500': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Creates necessary list data streams - tags: - - Security Lists API - /api/lists/items: - delete: - operationId: DeleteListItem - parameters: - - description: Required if `list_id` and `value` are not specified - in: query - name: id - required: false - schema: - $ref: '#/components/schemas/Security_Lists_API_ListId' - - description: Required if `id` is not specified - in: query - name: list_id - required: false - schema: - $ref: '#/components/schemas/Security_Lists_API_ListId' - - description: Required if `id` is not specified - in: query - name: value - required: false - schema: - type: string - - description: >- - Determines when changes made by the request are made visible to - search - in: query - name: refresh - required: false - schema: - default: 'false' - enum: - - 'true' - - 'false' - - wait_for - type: string - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - oneOf: - - $ref: '#/components/schemas/Security_Lists_API_ListItem' - - items: - $ref: '#/components/schemas/Security_Lists_API_ListItem' - type: array - description: Successful response - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '404': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List item not found response - '500': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Deletes a list item - tags: - - Security Lists API - get: - operationId: ReadListItem - parameters: - - description: Required if `list_id` and `value` are not specified - in: query - name: id - required: false - schema: - $ref: '#/components/schemas/Security_Lists_API_ListId' - - description: Required if `id` is not specified - in: query - name: list_id - required: false - schema: - $ref: '#/components/schemas/Security_Lists_API_ListId' - - description: Required if `id` is not specified - in: query - name: value - required: false - schema: - type: string - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - oneOf: - - $ref: '#/components/schemas/Security_Lists_API_ListItem' - - items: - $ref: '#/components/schemas/Security_Lists_API_ListItem' - type: array - description: Successful response - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '404': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List item not found response - '500': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Gets a list item - tags: - - Security Lists API - patch: - operationId: PatchListItem - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - _version: - type: string - id: - $ref: '#/components/schemas/Security_Lists_API_ListItemId' - meta: - $ref: '#/components/schemas/Security_Lists_API_ListItemMetadata' - refresh: - description: >- - Determines when changes made by the request are made visible - to search - enum: - - 'true' - - 'false' - - wait_for - type: string - value: - $ref: '#/components/schemas/Security_Lists_API_ListItemValue' - required: - - id - description: List item's properties - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_ListItem' - description: Successful response - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '404': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List item not found response - '500': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Patches a list item - tags: - - Security Lists API - post: - operationId: CreateListItem - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - id: - $ref: '#/components/schemas/Security_Lists_API_ListItemId' - list_id: - $ref: '#/components/schemas/Security_Lists_API_ListId' - meta: - $ref: '#/components/schemas/Security_Lists_API_ListItemMetadata' - refresh: - description: >- - Determines when changes made by the request are made visible - to search - enum: - - 'true' - - 'false' - - wait_for - type: string - value: - $ref: '#/components/schemas/Security_Lists_API_ListItemValue' - required: - - list_id - - value - description: List item's properties - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_ListItem' - description: Successful response - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '409': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List item already exists response - '500': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Creates a list item - tags: - - Security Lists API - put: - operationId: UpdateListItem - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - _version: - type: string - id: - $ref: '#/components/schemas/Security_Lists_API_ListItemId' - meta: - $ref: '#/components/schemas/Security_Lists_API_ListItemMetadata' - value: - $ref: '#/components/schemas/Security_Lists_API_ListItemValue' - required: - - id - - value - description: List item's properties - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_ListItem' - description: Successful response - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '404': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List item not found response - '500': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Updates a list item - tags: - - Security Lists API - /api/lists/items/_export: - post: - description: Exports list item values from the specified list - operationId: ExportListItems - parameters: - - description: List's id to export - in: query - name: list_id - required: true - schema: - $ref: '#/components/schemas/Security_Lists_API_ListId' - responses: - '200': - content: - application/ndjson; Elastic-Api-Version=2023-10-31: - schema: - description: A `.txt` file containing list items from the specified list - format: binary - type: string - description: Successful response - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '404': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List not found response - '500': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Exports list items - tags: - - Security Lists API - /api/lists/items/_find: - get: - operationId: FindListItems - parameters: - - description: List's id - in: query - name: list_id - required: true - schema: - $ref: '#/components/schemas/Security_Lists_API_ListId' - - description: The page number to return - in: query - name: page - required: false - schema: - type: integer - - description: The number of list items to return per page - in: query - name: per_page - required: false - schema: - type: integer - - description: Determines which field is used to sort the results - in: query - name: sort_field - required: false - schema: - $ref: '#/components/schemas/Security_Lists_API_NonEmptyString' - - description: 'Determines the sort order, which can be `desc` or `asc`' - in: query - name: sort_order - required: false - schema: - enum: - - desc - - asc - type: string - - description: > - Returns the list that come after the last list returned in the - previous call - - (use the cursor value returned in the previous call). This parameter - uses - - the `tie_breaker_id` field to ensure all lists are sorted and - returned correctly. - in: query - name: cursor - required: false - schema: - $ref: '#/components/schemas/Security_Lists_API_FindListItemsCursor' - - description: > - Filters the returned results according to the value of the specified - field, - - using the : syntax. - in: query - name: filter - required: false - schema: - $ref: '#/components/schemas/Security_Lists_API_FindListItemsFilter' - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - cursor: - $ref: >- - #/components/schemas/Security_Lists_API_FindListItemsCursor - data: - items: - $ref: '#/components/schemas/Security_Lists_API_ListItem' - type: array - page: - minimum: 0 - type: integer - per_page: - minimum: 0 - type: integer - total: - minimum: 0 - type: integer - required: - - data - - page - - per_page - - total - - cursor - description: Successful response - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '500': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Finds list items - tags: - - Security Lists API - /api/lists/items/_import: - post: - description: > - Imports a list of items from a `.txt` or `.csv` file. The maximum file - size is 9 million bytes. - - - You can import items to a new or existing list. - operationId: ImportListItems - parameters: - - description: | - List's id. - - Required when importing to an existing list. - in: query - name: list_id - required: false - schema: - $ref: '#/components/schemas/Security_Lists_API_ListId' - - description: > - Type of the importing list. - - - Required when importing a new list that is `list_id` is not - specified. - in: query - name: type - required: false - schema: - $ref: '#/components/schemas/Security_Lists_API_ListType' - - in: query - name: serializer - required: false - schema: - type: string - - in: query - name: deserializer - required: false - schema: - type: string - - description: >- - Determines when changes made by the request are made visible to - search - in: query - name: refresh - required: false - schema: - enum: - - 'true' - - 'false' - - wait_for - type: string - requestBody: - content: - multipart/form-data; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - file: - description: >- - A `.txt` or `.csv` file containing newline separated list - items - format: binary - type: string - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_List' - description: Successful response - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '409': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: List with specified list_id does not exist response - '500': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Imports list items - tags: - - Security Lists API - /api/lists/privileges: - get: - operationId: ReadListPrivileges - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - is_authenticated: - type: boolean - listItems: - $ref: '#/components/schemas/Security_Lists_API_ListItemPrivileges' - lists: - $ref: '#/components/schemas/Security_Lists_API_ListPrivileges' - required: - - lists - - listItems - - is_authenticated - description: Successful response - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - oneOf: - - $ref: >- - #/components/schemas/Security_Lists_API_PlatformErrorResponse - - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Invalid input data response - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Unsuccessful authentication response - '403': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_PlatformErrorResponse' - description: Not enough privileges response - '500': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Lists_API_SiemErrorResponse' - description: Internal server error response - summary: Gets list privileges - tags: - - Security Lists API - /api/ml/saved_objects/sync: - get: - description: > - Synchronizes Kibana saved objects for machine learning jobs and trained - models. This API runs automatically when you start Kibana and - periodically thereafter. - operationId: mlSync - parameters: - - $ref: '#/components/parameters/Machine_learning_APIs_simulateParam' - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - examples: - syncExample: - $ref: '#/components/examples/Machine_learning_APIs_mlSyncExample' - schema: - $ref: '#/components/schemas/Machine_learning_APIs_mlSync200Response' - description: Indicates a successful call - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Machine_learning_APIs_mlSync4xxResponse' - description: Authorization information is missing or invalid. - summary: Sync machine learning saved objects - tags: - - ml - /api/note: - delete: - operationId: DeleteNote - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - oneOf: - - nullable: true - type: object - properties: - noteId: - type: string - required: - - noteId - - nullable: true - type: object - properties: - noteIds: - items: - type: string - nullable: true - type: array - required: - - noteIds - description: The id of the note to delete. - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - data: - type: object - description: Indicates the note was successfully deleted. - summary: Deletes a note from a timeline. - tags: - - Security Timeline API - - 'access:securitySolution' - get: - description: Gets notes - operationId: GetNotes - parameters: - - in: query - name: documentIds - schema: - $ref: '#/components/schemas/Security_Timeline_API_DocumentIds' - - in: query - name: savedObjectIds - schema: - $ref: '#/components/schemas/Security_Timeline_API_SavedObjectIds' - - in: query - name: page - schema: - nullable: true - type: string - - in: query - name: perPage - schema: - nullable: true - type: string - - in: query - name: search - schema: - nullable: true - type: string - - in: query - name: sortField - schema: - nullable: true - type: string - - in: query - name: sortOrder - schema: - nullable: true - type: string - - in: query - name: filter - schema: - nullable: true - type: string - - in: query - name: createdByFilter - schema: - nullable: true - type: string - - in: query - name: associatedFilter - schema: - $ref: '#/components/schemas/Security_Timeline_API_AssociatedFilterType' - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - oneOf: - - $ref: '#/components/schemas/Security_Timeline_API_GetNotesResult' - - type: object - description: Indicates the requested notes were returned. - summary: Get all notes for a given document. - tags: - - Security Timeline API - - 'access:securitySolution' - patch: - operationId: PersistNoteRoute - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - eventDataView: - nullable: true - type: string - eventIngested: - nullable: true - type: string - eventTimestamp: - nullable: true - type: string - note: - $ref: '#/components/schemas/Security_Timeline_API_BareNote' - noteId: - nullable: true - type: string - overrideOwner: - nullable: true - type: boolean - version: - nullable: true - type: string - required: - - note - description: The note to persist or update along with additional metadata. - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - data: - type: object - properties: - persistNote: - $ref: >- - #/components/schemas/Security_Timeline_API_ResponseNote - required: - - persistNote - required: - - data - description: Indicates the note was successfully created. - summary: Persists a note to a timeline. - tags: - - Security Timeline API - - 'access:securitySolution' - /api/osquery/live_queries: - get: - description: Get a list of all live queries. - operationId: OsqueryFindLiveQueries - parameters: - - in: query - name: query - required: true - schema: - $ref: >- - #/components/schemas/Security_Osquery_API_FindLiveQueryRequestQuery - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Osquery_API_DefaultSuccessResponse - description: OK - summary: Get live queries - tags: - - Security Osquery API - post: - description: Create and run a live query. - operationId: OsqueryCreateLiveQuery - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Osquery_API_CreateLiveQueryRequestBody - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Osquery_API_DefaultSuccessResponse - description: OK - summary: Create a live query - tags: - - Security Osquery API - '/api/osquery/live_queries/{id}': - get: - description: Get the details of a live query using the query ID. - operationId: OsqueryGetLiveQueryDetails - parameters: - - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_Osquery_API_Id' - - in: query - name: query - schema: - additionalProperties: true - type: object - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Osquery_API_DefaultSuccessResponse - description: OK - summary: Get live query details - tags: - - Security Osquery API - '/api/osquery/live_queries/{id}/results/{actionId}': - get: - description: Get the results of a live query using the query action ID. - operationId: OsqueryGetLiveQueryResults - parameters: - - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_Osquery_API_Id' - - in: path - name: actionId - required: true - schema: - $ref: '#/components/schemas/Security_Osquery_API_Id' - - in: query - name: query - required: true - schema: - $ref: >- - #/components/schemas/Security_Osquery_API_GetLiveQueryResultsRequestQuery - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Osquery_API_DefaultSuccessResponse - description: OK - summary: Get live query results - tags: - - Security Osquery API - /api/osquery/packs: - get: - description: Get a list of all query packs. - operationId: OsqueryFindPacks - parameters: - - in: query - name: query - required: true - schema: - $ref: '#/components/schemas/Security_Osquery_API_FindPacksRequestQuery' - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Osquery_API_DefaultSuccessResponse - description: OK - summary: Get packs - tags: - - Security Osquery API - post: - description: Create a query pack. - operationId: OsqueryCreatePacks - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Osquery_API_CreatePacksRequestBody' - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Osquery_API_DefaultSuccessResponse - description: OK - summary: Create a pack - tags: - - Security Osquery API - '/api/osquery/packs/{id}': - delete: - description: Delete a query pack using the pack ID. - operationId: OsqueryDeletePacks - parameters: - - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_Osquery_API_PackId' - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Osquery_API_DefaultSuccessResponse - description: OK - summary: Delete a pack - tags: - - Security Osquery API - get: - description: Get the details of a query pack using the pack ID. - operationId: OsqueryGetPacksDetails - parameters: - - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_Osquery_API_PackId' - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Osquery_API_DefaultSuccessResponse - description: OK - summary: Get pack details - tags: - - Security Osquery API - put: - description: | - Update a query pack using the pack ID. - > info - > You cannot update a prebuilt pack. - operationId: OsqueryUpdatePacks - parameters: - - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_Osquery_API_PackId' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_Osquery_API_UpdatePacksRequestBody' - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Osquery_API_DefaultSuccessResponse - description: OK - summary: Update a pack - tags: - - Security Osquery API - /api/osquery/saved_queries: - get: - description: Get a list of all saved queries. - operationId: OsqueryFindSavedQueries - parameters: - - in: query - name: query - required: true - schema: - $ref: >- - #/components/schemas/Security_Osquery_API_FindSavedQueryRequestQuery - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Osquery_API_DefaultSuccessResponse - description: OK - summary: Get saved queries - tags: - - Security Osquery API - post: - description: Create and run a saved query. - operationId: OsqueryCreateSavedQuery - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Osquery_API_CreateSavedQueryRequestBody - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Osquery_API_DefaultSuccessResponse - description: OK - summary: Create a saved query - tags: - - Security Osquery API - '/api/osquery/saved_queries/{id}': - delete: - description: Delete a saved query using the query ID. - operationId: OsqueryDeleteSavedQuery - parameters: - - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Osquery_API_DefaultSuccessResponse - description: OK - summary: Delete a saved query - tags: - - Security Osquery API - get: - description: Get the details of a saved query using the query ID. - operationId: OsqueryGetSavedQueryDetails - parameters: - - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Osquery_API_DefaultSuccessResponse - description: OK - summary: Get saved query details - tags: - - Security Osquery API - put: - description: | - Update a saved query using the query ID. - > info - > You cannot update a prebuilt saved query. - operationId: OsqueryUpdateSavedQuery - parameters: - - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Osquery_API_UpdateSavedQueryRequestBody - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Osquery_API_DefaultSuccessResponse - description: OK - summary: Update a saved query - tags: - - Security Osquery API - /api/pinned_event: - patch: - operationId: PersistPinnedEventRoute - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - eventId: - type: string - pinnedEventId: - nullable: true - type: string - timelineId: - type: string - required: - - eventId - - timelineId - description: The pinned event to persist or update along with additional metadata. - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - data: - type: object - properties: - persistPinnedEventOnTimeline: - $ref: >- - #/components/schemas/Security_Timeline_API_PersistPinnedEventResponse - required: - - persistPinnedEventOnTimeline - required: - - data - description: Indicate the event was successfully pinned in the timeline. - summary: Persists a pinned event to a timeline. - tags: - - Security Timeline API - - 'access:securitySolution' - /api/risk_score/engine/dangerously_delete_data: - delete: - description: >- - Cleaning up the the Risk Engine by removing the indices, mapping and - transforms - operationId: CleanUpRiskEngine - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - cleanup_successful: - type: boolean - description: Successful response - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_TaskManagerUnavailableResponse - description: Task manager is unavailable - default: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_CleanUpRiskEngineErrorResponse - description: Unexpected error - summary: Cleanup the Risk Engine - tags: - - Security Entity Analytics API - /api/risk_score/engine/schedule_now: - post: - operationId: ScheduleRiskEngineNow - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: {} - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_RiskEngineScheduleNowResponse - description: Successful response - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_TaskManagerUnavailableResponse - description: Task manager is unavailable - default: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_RiskEngineScheduleNowErrorResponse - description: Unexpected error - summary: Schedule the risk engine to run as soon as possible - tags: - - Security Entity Analytics API - /api/saved_objects/_export: - post: - description: > - Retrieve sets of saved objects that you want to import into Kibana. - - You must include `type` or `objects` in the request body. - - - Exported saved objects are not backwards compatible and cannot be - imported into an older version of Kibana. - - - NOTE: The `savedObjects.maxImportExportSize` configuration setting - limits the number of saved objects which may be exported. - - - This functionality is in technical preview and may be changed or removed - in a future release. Elastic will work to fix any issues, but features - in technical preview are not subject to the support SLA of official GA - features. - operationId: exportSavedObjectsDefault - parameters: - - $ref: '#/components/parameters/Serverless_saved_objects_kbn_xsrf' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - examples: - exportSavedObjectsRequest: - $ref: >- - #/components/examples/Serverless_saved_objects_export_objects_request - schema: - type: object - properties: - excludeExportDetails: - default: false - description: Do not add export details entry at the end of the stream. - type: boolean - includeReferencesDeep: - description: >- - Includes all of the referenced objects in the exported - objects. - type: boolean - objects: - description: A list of objects to export. - items: - type: object - type: array - type: - description: >- - The saved object types to include in the export. Use `*` to - export all the types. - oneOf: - - type: string - - items: - type: string - type: array - required: true - responses: - '200': - content: - application/x-ndjson; Elastic-Api-Version=2023-10-31: - examples: - exportSavedObjectsResponse: - $ref: >- - #/components/examples/Serverless_saved_objects_export_objects_response - schema: - additionalProperties: true - type: object - description: Indicates a successful call. - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Serverless_saved_objects_400_response' - description: Bad request. - summary: Export saved objects - tags: - - saved objects - /api/saved_objects/_import: - post: - description: > - Create sets of Kibana saved objects from a file created by the export - API. - - Saved objects can be imported only into the same version, a newer minor - on the same major, or the next major. Exported saved objects are not - backwards compatible and cannot be imported into an older version of - Kibana. - - - This functionality is in technical preview and may be changed or removed - in a future release. Elastic will work to fix any issues, but features - in technical preview are not subject to the support SLA of official GA - features. - operationId: importSavedObjectsDefault - parameters: - - $ref: '#/components/parameters/Serverless_saved_objects_kbn_xsrf' - - description: > - Creates copies of saved objects, regenerates each object ID, and - resets the origin. When used, potential conflict errors are avoided. - NOTE: This option cannot be used with the `overwrite` and - `compatibilityMode` options. - in: query - name: createNewCopies - required: false - schema: - type: boolean - - description: > - Overwrites saved objects when they already exist. When used, - potential conflict errors are automatically resolved by overwriting - the destination object. NOTE: This option cannot be used with the - `createNewCopies` option. - in: query - name: overwrite - required: false - schema: - type: boolean - - description: > - Applies various adjustments to the saved objects that are being - imported to maintain compatibility between different Kibana - versions. Use this option only if you encounter issues with imported - saved objects. NOTE: This option cannot be used with the - `createNewCopies` option. - in: query - name: compatibilityMode - required: false - schema: - type: boolean - requestBody: - content: - multipart/form-data; Elastic-Api-Version=2023-10-31: - examples: - importObjectsRequest: - $ref: >- - #/components/examples/Serverless_saved_objects_import_objects_request - schema: - type: object - properties: - file: - description: > - A file exported using the export API. NOTE: The - `savedObjects.maxImportExportSize` configuration setting - limits the number of saved objects which may be included in - this file. Similarly, the - `savedObjects.maxImportPayloadBytes` setting limits the - overall size of the file that can be imported. - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - examples: - importObjectsResponse: - $ref: >- - #/components/examples/Serverless_saved_objects_import_objects_response - schema: - type: object - properties: - errors: - description: > - Indicates the import was unsuccessful and specifies the - objects that failed to import. - - - NOTE: One object may result in multiple errors, which - requires separate steps to resolve. For instance, a - `missing_references` error and conflict error. - items: - type: object - type: array - success: - description: > - Indicates when the import was successfully completed. When - set to false, some objects may not have been created. For - additional information, refer to the `errors` and - `successResults` properties. - type: boolean - successCount: - description: Indicates the number of successfully imported records. - type: integer - successResults: - description: > - Indicates the objects that are successfully imported, with - any metadata if applicable. - - - NOTE: Objects are created only when all resolvable errors - are addressed, including conflicts and missing references. - If objects are created as new copies, each entry in the - `successResults` array includes a `destinationId` - attribute. - items: - type: object - type: array - description: Indicates a successful call. - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Serverless_saved_objects_400_response' - description: Bad request. - summary: Import saved objects - tags: - - saved objects - x-codeSamples: - - label: Import with createNewCopies - lang: cURL - source: | - curl \ - -X POST api/saved_objects/_import?createNewCopies=true - -H "kbn-xsrf: true" - --form file=@file.ndjson - /api/security_ai_assistant/anonymization_fields/_bulk_action: - post: - description: >- - Apply a bulk action to multiple anonymization fields. The bulk action is - applied to all anonymization fields that match the filter or to the list - of anonymization fields by their IDs. - operationId: PerformAnonymizationFieldsBulkAction - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - create: - items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldCreateProps - type: array - delete: - type: object - properties: - ids: - description: Array of anonymization fields IDs - items: - type: string - minItems: 1 - type: array - query: - description: Query to filter anonymization fields - type: string - update: - items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldUpdateProps - type: array - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkCrudActionResponse - description: Indicates a successful call. - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - error: - type: string - message: - type: string - statusCode: - type: number - description: Generic Error - summary: Apply a bulk action to anonymization fields - tags: - - Security AI Assistant API - - Bulk API - /api/security_ai_assistant/anonymization_fields/_find: - get: - description: Get a list of all anonymization fields. - operationId: FindAnonymizationFields - parameters: - - in: query - name: fields - required: false - schema: - items: - type: string - type: array - - description: Search query - in: query - name: filter - required: false - schema: - type: string - - description: Field to sort by - in: query - name: sort_field - required: false - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_FindAnonymizationFieldsSortField - - description: Sort order - in: query - name: sort_order - required: false - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_SortOrder' - - description: Page number - in: query - name: page - required: false - schema: - default: 1 - minimum: 1 - type: integer - - description: AnonymizationFields per page - in: query - name: per_page - required: false - schema: - default: 20 - minimum: 0 - type: integer - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - data: - items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse - type: array - page: - type: integer - perPage: - type: integer - total: - type: integer - required: - - page - - perPage - - total - - data - description: Successful response - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - error: - type: string - message: - type: string - statusCode: - type: number - description: Generic Error - summary: Get anonymization fields - tags: - - Security AI Assistant API - - AnonymizationFields API - /api/security_ai_assistant/chat/complete: - post: - description: Create a model response for the given chat conversation. - operationId: ChatComplete - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_ChatCompleteProps' - required: true - responses: - '200': - content: - application/octet-stream; Elastic-Api-Version=2023-10-31: - schema: - format: binary - type: string - description: Indicates a successful call. - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - error: - type: string - message: - type: string - statusCode: - type: number - description: Generic Error - summary: Create a model response - tags: - - Security AI Assistant API - - Chat Complete API - /api/security_ai_assistant/current_user/conversations: - post: - description: Create a new Security AI Assistant conversation. - operationId: CreateConversation - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_ConversationCreateProps - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_ConversationResponse - description: Indicates a successful call. - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - error: - type: string - message: - type: string - statusCode: - type: number - description: Generic Error - summary: Create a conversation - tags: - - Security AI Assistant API - - Conversation API - /api/security_ai_assistant/current_user/conversations/_find: - get: - description: Get a list of all conversations for the current user. - operationId: FindConversations - parameters: - - in: query - name: fields - required: false - schema: - items: - type: string - type: array - - description: Search query - in: query - name: filter - required: false - schema: - type: string - - description: Field to sort by - in: query - name: sort_field - required: false - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_FindConversationsSortField - - description: Sort order - in: query - name: sort_order - required: false - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_SortOrder' - - description: Page number - in: query - name: page - required: false - schema: - default: 1 - minimum: 1 - type: integer - - description: Conversations per page - in: query - name: per_page - required: false - schema: - default: 20 - minimum: 0 - type: integer - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - data: - items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_ConversationResponse - type: array - page: - type: integer - perPage: - type: integer - total: - type: integer - required: - - page - - perPage - - total - - data - description: Successful response - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - error: - type: string - message: - type: string - statusCode: - type: number - description: Generic Error - summary: Get conversations - tags: - - Security AI Assistant API - - Conversations API - '/api/security_ai_assistant/current_user/conversations/{id}': - delete: - description: Delete an existing conversation using the conversation ID. - operationId: DeleteConversation - parameters: - - description: The conversation's `id` value. - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_ConversationResponse - description: Indicates a successful call. - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - error: - type: string - message: - type: string - statusCode: - type: number - description: Generic Error - summary: Delete a conversation - tags: - - Security AI Assistant API - - Conversation API - get: - description: Get the details of an existing conversation using the conversation ID. - operationId: ReadConversation - parameters: - - description: The conversation's `id` value. - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_ConversationResponse - description: Indicates a successful call. - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - error: - type: string - message: - type: string - statusCode: - type: number - description: Generic Error - summary: Get a conversation - tags: - - Security AI Assistant API - - Conversations API - put: - description: Update an existing conversation using the conversation ID. - operationId: UpdateConversation - parameters: - - description: The conversation's `id` value. - in: path - name: id - required: true - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_ConversationUpdateProps - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_ConversationResponse - description: Indicates a successful call. - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - error: - type: string - message: - type: string - statusCode: - type: number - description: Generic Error - summary: Update a conversation - tags: - - Security AI Assistant API - - Conversation API - /api/security_ai_assistant/prompts/_bulk_action: - post: - description: >- - Apply a bulk action to multiple prompts. The bulk action is applied to - all prompts that match the filter or to the list of prompts by their - IDs. - operationId: PerformPromptsBulkAction - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - create: - items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_PromptCreateProps - type: array - delete: - type: object - properties: - ids: - description: Array of prompts IDs - items: - type: string - minItems: 1 - type: array - query: - description: Query to filter promps - type: string - update: - items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_PromptUpdateProps - type: array - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_PromptsBulkCrudActionResponse - description: Indicates a successful call. - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - error: - type: string - message: - type: string - statusCode: - type: number - description: Generic Error - summary: Apply a bulk action to prompts - tags: - - Security AI Assistant API - - Bulk API - /api/security_ai_assistant/prompts/_find: - get: - description: Get a list of all prompts. - operationId: FindPrompts - parameters: - - in: query - name: fields - required: false - schema: - items: - type: string - type: array - - description: Search query - in: query - name: filter - required: false - schema: - type: string - - description: Field to sort by - in: query - name: sort_field - required: false - schema: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_FindPromptsSortField - - description: Sort order - in: query - name: sort_order - required: false - schema: - $ref: '#/components/schemas/Security_AI_Assistant_API_SortOrder' - - description: Page number - in: query - name: page - required: false - schema: - default: 1 - minimum: 1 - type: integer - - description: Prompts per page - in: query - name: per_page - required: false - schema: - default: 20 - minimum: 0 - type: integer - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - data: - items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_PromptResponse - type: array - page: - type: integer - perPage: - type: integer - total: - type: integer - required: - - page - - perPage - - total - - data - description: Successful response - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - error: - type: string - message: - type: string - statusCode: - type: number - description: Generic Error - summary: Get prompts - tags: - - Security AI Assistant API - - Prompts API - /api/spaces/space: - get: - operationId: '%2Fapi%2Fspaces%2Fspace#0' - parameters: - - description: The version of the API to use - in: header - name: elastic-api-version - schema: - default: '2023-10-31' - enum: - - '2023-10-31' - type: string - - description: >- - Specifies which authorization checks are applied to the API call. - The default value is `any`. - in: query - name: purpose - required: false - schema: - enum: - - any - - copySavedObjectsIntoSpace - - shareSavedObjectsIntoSpace - type: string - - description: >- - When enabled, the API returns any spaces that the user is authorized - to access in any capacity and each space will contain the purposes - for which the user is authorized. This can be useful to determine - which spaces a user can read but not take a specific action in. If - the security plugin is not enabled, this parameter has no effect, - since no authorization checks take place. This parameter cannot be - used in with the `purpose` parameter. - in: query - name: include_authorized_purposes - required: true - schema: - anyOf: - - items: {} - type: array - - type: boolean - - type: number - - type: object - - type: string - nullable: true - oneOf: - - enum: - - false - type: boolean - x-oas-optional: true - - type: boolean - x-oas-optional: true - responses: - '200': - description: Indicates a successful call. - summary: Get all spaces - tags: - - spaces - post: - operationId: '%2Fapi%2Fspaces%2Fspace#1' - parameters: - - description: The version of the API to use - in: header - name: elastic-api-version - schema: - default: '2023-10-31' - enum: - - '2023-10-31' - type: string - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - additionalProperties: false - type: object - properties: - _reserved: - type: boolean - color: - description: >- - The hexadecimal color code used in the space avatar. By - default, the color is automatically generated from the space - name. - type: string - description: - description: A description for the space. - type: string - disabledFeatures: - default: [] - items: - description: The list of features that are turned off in the space. - type: string - type: array - id: - description: >- - The space ID that is part of the Kibana URL when inside the - space. Space IDs are limited to lowercase alphanumeric, - underscore, and hyphen characters (a-z, 0-9, _, and -). You - are cannot change the ID with the update operation. - type: string - imageUrl: - description: >- - The data-URL encoded image to display in the space avatar. - If specified, initials will not be displayed and the color - will be visible as the background color for transparent - images. For best results, your image should be 64x64. Images - will not be optimized by this API call, so care should be - taken when using custom images. - type: string - initials: - description: >- - One or two characters that are shown in the space avatar. By - default, the initials are automatically generated from the - space name. - maxLength: 2 - type: string - name: - description: 'The display name for the space. ' - minLength: 1 - type: string - required: - - id - - name - responses: - '200': - description: Indicates a successful call. - summary: Create a space - tags: - - spaces - '/api/spaces/space/{id}': - delete: - description: >- - When you delete a space, all saved objects that belong to the space are - automatically deleted, which is permanent and cannot be undone. - operationId: '%2Fapi%2Fspaces%2Fspace%2F%7Bid%7D#2' - parameters: - - description: The version of the API to use - in: header - name: elastic-api-version - schema: - default: '2023-10-31' - enum: - - '2023-10-31' - type: string - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: The space identifier. - in: path - name: id - required: true - schema: - type: string - responses: - '204': - description: Indicates a successful call. - '404': - description: Indicates that the request failed. - summary: Delete a space - tags: - - spaces - get: - operationId: '%2Fapi%2Fspaces%2Fspace%2F%7Bid%7D#0' - parameters: - - description: The version of the API to use - in: header - name: elastic-api-version - schema: - default: '2023-10-31' - enum: - - '2023-10-31' - type: string - - description: The space identifier. - in: path - name: id - required: true - schema: - type: string - responses: - '200': - description: Indicates a successful call. - summary: Get a space - tags: - - spaces - put: - operationId: '%2Fapi%2Fspaces%2Fspace%2F%7Bid%7D#1' - parameters: - - description: The version of the API to use - in: header - name: elastic-api-version - schema: - default: '2023-10-31' - enum: - - '2023-10-31' - type: string - - description: A required header to protect against CSRF attacks - in: header - name: kbn-xsrf - required: true - schema: - example: 'true' - type: string - - description: >- - The space identifier. You are unable to change the ID with the - update operation. - in: path - name: id - required: true - schema: - type: string - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - additionalProperties: false - type: object - properties: - _reserved: - type: boolean - color: - description: >- - The hexadecimal color code used in the space avatar. By - default, the color is automatically generated from the space - name. - type: string - description: - description: A description for the space. - type: string - disabledFeatures: - default: [] - items: - description: The list of features that are turned off in the space. - type: string - type: array - id: - description: >- - The space ID that is part of the Kibana URL when inside the - space. Space IDs are limited to lowercase alphanumeric, - underscore, and hyphen characters (a-z, 0-9, _, and -). You - are cannot change the ID with the update operation. - type: string - imageUrl: - description: >- - The data-URL encoded image to display in the space avatar. - If specified, initials will not be displayed and the color - will be visible as the background color for transparent - images. For best results, your image should be 64x64. Images - will not be optimized by this API call, so care should be - taken when using custom images. - type: string - initials: - description: >- - One or two characters that are shown in the space avatar. By - default, the initials are automatically generated from the - space name. - maxLength: 2 - type: string - name: - description: 'The display name for the space. ' - minLength: 1 - type: string - required: - - id - - name - responses: - '200': - description: Indicates a successful call. - summary: Update a space - tags: - - spaces - /api/status: - get: - operationId: '%2Fapi%2Fstatus#0' - parameters: - - description: The version of the API to use - in: header - name: elastic-api-version - schema: - default: '2023-10-31' - enum: - - '2023-10-31' - type: string - - description: Set to "true" to get the response in v7 format. - in: query - name: v7format - required: false - schema: - type: boolean - - description: Set to "true" to get the response in v8 format. - in: query - name: v8format - required: false - schema: - type: boolean - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - anyOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_core_status_response' - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_core_status_redactedResponse - description: >- - Kibana's operational status. A minimal response is sent for - unauthorized users. - description: Overall status is OK and Kibana should be functioning normally. - '503': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - anyOf: - - $ref: '#/components/schemas/Kibana_HTTP_APIs_core_status_response' - - $ref: >- - #/components/schemas/Kibana_HTTP_APIs_core_status_redactedResponse - description: >- - Kibana's operational status. A minimal response is sent for - unauthorized users. - description: >- - Kibana or some of it's essential services are unavailable. Kibana - may be degraded or unavailable. - summary: Get Kibana's current status - tags: - - system - /api/timeline: - delete: - operationId: DeleteTimelines - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - savedObjectIds: - items: - type: string - type: array - searchIds: - description: >- - Saved search ids that should be deleted alongside the - timelines - items: - type: string - type: array - required: - - savedObjectIds - description: The ids of the timelines or timeline templates to delete. - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - data: - type: object - properties: - deleteTimeline: - type: boolean - required: - - deleteTimeline - required: - - data - description: Indicates the timeline was successfully deleted. - summary: Deletes one or more timelines or timeline templates. - tags: - - Security Timeline API - - 'access:securitySolution' - get: - operationId: GetTimeline - parameters: - - description: The ID of the template timeline to retrieve - in: query - name: template_timeline_id - schema: - type: string - - description: The ID of the timeline to retrieve - in: query - name: id - schema: - type: string - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - oneOf: - - type: object - properties: - data: - type: object - properties: - getOneTimeline: - $ref: >- - #/components/schemas/Security_Timeline_API_TimelineResponse - required: - - getOneTimeline - required: - - data - - additionalProperties: false - type: object - description: Indicates that the (template) timeline was found and returned. - summary: >- - Get an existing saved timeline or timeline template. This API is used to - retrieve an existing saved timeline or timeline template. - tags: - - Security Timeline API - - 'access:securitySolution' - patch: - description: >- - Updates an existing timeline. This API is used to update the title, - description, date range, pinned events, pinned queries, and/or pinned - saved queries of an existing timeline. - operationId: PatchTimeline - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - timeline: - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' - timelineId: - nullable: true - type: string - version: - nullable: true - type: string - required: - - timelineId - - version - - timeline - description: The timeline updates along with the timeline ID and version. - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Timeline_API_PersistTimelineResponse - description: >- - Indicates that the draft timeline was successfully created. In the - event the user already has a draft timeline, the existing draft - timeline is cleared and returned. - '405': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - body: - type: string - statusCode: - type: number - description: >- - Indicates that the user does not have the required access to create - a draft timeline. - summary: Updates an existing timeline. - tags: - - Security Timeline API - - 'access:securitySolution' - post: - operationId: CreateTimelines - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - status: - $ref: '#/components/schemas/Security_Timeline_API_TimelineStatus' - nullable: true - templateTimelineId: - nullable: true - type: string - templateTimelineVersion: - nullable: true - type: number - timeline: - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' - timelineId: - nullable: true - type: string - timelineType: - $ref: '#/components/schemas/Security_Timeline_API_TimelineType' - nullable: true - version: - nullable: true - type: string - required: - - timeline - description: >- - The required timeline fields used to create a new timeline along with - optional fields that will be created if not provided. - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Timeline_API_PersistTimelineResponse - description: Indicates the timeline was successfully created. - '405': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - body: - type: string - statusCode: - type: number - description: Indicates that there was an error in the timeline creation. - summary: Creates a new timeline. - tags: - - Security Timeline API - - 'access:securitySolution' - /api/timeline/_copy: - get: - description: | - Copies and returns a timeline or timeline template. - operationId: CopyTimeline - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - timeline: - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' - timelineIdToCopy: - type: string - required: - - timeline - - timelineIdToCopy - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Timeline_API_PersistTimelineResponse - description: Indicates that the timeline has been successfully copied. - summary: Copies timeline or timeline template - tags: - - Security Timeline API - - 'access:securitySolution' - /api/timeline/_draft: - get: - operationId: GetDraftTimelines - parameters: - - in: query - name: timelineType - required: true - schema: - $ref: '#/components/schemas/Security_Timeline_API_TimelineType' - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Timeline_API_PersistTimelineResponse - description: Indicates that the draft timeline was successfully retrieved. - '403': - content: - 'application:json; Elastic-Api-Version=2023-10-31': - schema: - type: object - properties: - message: - type: string - status_code: - type: number - description: >- - If a draft timeline was not found and we attempted to create one, it - indicates that the user does not have the required permissions to - create a draft timeline. - '409': - content: - 'application:json; Elastic-Api-Version=2023-10-31': - schema: - type: object - properties: - message: - type: string - status_code: - type: number - description: >- - This should never happen, but if a draft timeline was not found and - we attempted to create one, it indicates that there is already a - draft timeline with the given timelineId. - summary: >- - Retrieves the draft timeline for the current user. If the user does not - have a draft timeline, an empty timeline is returned. - tags: - - Security Timeline API - - 'access:securitySolution' - post: - description: > - Retrieves a clean draft timeline. If a draft timeline does not exist, it - is created and returned. - operationId: CleanDraftTimelines - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - timelineType: - $ref: '#/components/schemas/Security_Timeline_API_TimelineType' - required: - - timelineType - description: >- - The type of timeline to create. Valid values are `default` and - `template`. - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Timeline_API_PersistTimelineResponse - description: >- - Indicates that the draft timeline was successfully created. In the - event the user already has a draft timeline, the existing draft - timeline is cleared and returned. - '403': - content: - 'application:json; Elastic-Api-Version=2023-10-31': - schema: - type: object - properties: - message: - type: string - status_code: - type: number - description: >- - Indicates that the user does not have the required permissions to - create a draft timeline. - '409': - content: - 'application:json; Elastic-Api-Version=2023-10-31': - schema: - type: object - properties: - message: - type: string - status_code: - type: number - description: >- - Indicates that there is already a draft timeline with the given - timelineId. - summary: Retrieves a draft timeline or timeline template. - tags: - - Security Timeline API - - 'access:securitySolution' - /api/timeline/_export: - post: - operationId: ExportTimelines - parameters: - - description: The name of the file to export - in: query - name: file_name - required: true - schema: - type: string - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - ids: - items: - type: string - nullable: true - type: array - description: The ids of the timelines to export - required: true - responses: - '200': - content: - application/ndjson; Elastic-Api-Version=2023-10-31: - schema: - description: NDJSON of the exported timelines - type: string - description: Indicates the timelines were successfully exported - '400': - content: - application/ndjson; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - body: - type: string - statusCode: - type: number - description: Indicates that the export size limit was exceeded - summary: Exports timelines as an NDJSON file - tags: - - Security Timeline API - - 'access:securitySolution' - /api/timeline/_favorite: - patch: - operationId: PersistFavoriteRoute - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - templateTimelineId: - nullable: true - type: string - templateTimelineVersion: - nullable: true - type: number - timelineId: - nullable: true - type: string - timelineType: - $ref: '#/components/schemas/Security_Timeline_API_TimelineType' - nullable: true - required: - - timelineId - - templateTimelineId - - templateTimelineVersion - - timelineType - description: The required fields used to favorite a (template) timeline. - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - data: - type: object - properties: - persistFavorite: - $ref: >- - #/components/schemas/Security_Timeline_API_FavoriteTimelineResponse - required: - - persistFavorite - required: - - data - description: Indicates the favorite status was successfully updated. - '403': - content: - 'application:json; Elastic-Api-Version=2023-10-31': - schema: - type: object - properties: - body: - type: string - statusCode: - type: number - description: >- - Indicates the user does not have the required permissions to persist - the favorite status. - summary: Persists a given users favorite status of a timeline. - tags: - - Security Timeline API - - 'access:securitySolution' - /api/timeline/_import: - post: - operationId: ImportTimelines - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - file: {} - isImmutable: - enum: - - 'true' - - 'false' - type: string - required: - - file - description: The timelines to import as a readable stream. - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Timeline_API_ImportTimelineResult - description: Indicates the import of timelines was successful. - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - body: - type: string - id: - type: string - statusCode: - type: number - description: >- - Indicates the import of timelines was unsuccessful because of an - invalid file extension. - '404': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - id: - type: string - statusCode: - type: number - description: >- - Indicates that we were unable to locate the saved object client - necessary to handle the import. - '409': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - body: - type: string - id: - type: string - statusCode: - type: number - description: Indicates the import of timelines was unsuccessful. - summary: Imports timelines. - tags: - - Security Timeline API - - 'access:securitySolution' - /api/timeline/_prepackaged: - post: - operationId: InstallPrepackedTimelines - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - prepackagedTimelines: - items: - $ref: >- - #/components/schemas/Security_Timeline_API_TimelineSavedToReturnObject - nullable: true - type: array - timelinesToInstall: - items: - $ref: '#/components/schemas/Security_Timeline_API_ImportTimelines' - nullable: true - type: array - timelinesToUpdate: - items: - $ref: '#/components/schemas/Security_Timeline_API_ImportTimelines' - nullable: true - type: array - required: - - timelinesToInstall - - timelinesToUpdate - - prepackagedTimelines - description: The timelines to install or update. - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: >- - #/components/schemas/Security_Timeline_API_ImportTimelineResult - description: Indicates the installation of prepackaged timelines was successful. - '500': - content: - 'application:json; Elastic-Api-Version=2023-10-31': - schema: - type: object - properties: - body: - type: string - statusCode: - type: number - description: >- - Indicates the installation of prepackaged timelines was - unsuccessful. - summary: Installs prepackaged timelines. - tags: - - Security Timeline API - - 'access:securitySolution' - /api/timeline/resolve: - get: - operationId: ResolveTimeline - parameters: - - description: The ID of the template timeline to resolve - in: query - name: template_timeline_id - schema: - type: string - - description: The ID of the timeline to resolve - in: query - name: id - schema: - type: string - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - oneOf: - - type: object - properties: - data: - $ref: >- - #/components/schemas/Security_Timeline_API_ResolvedTimeline - required: - - data - - additionalProperties: false - type: object - description: The (template) timeline has been found - '400': - description: The request is missing parameters - '404': - description: The (template) timeline was not found - summary: Get an existing saved timeline or timeline template. - tags: - - Security Timeline API - - 'access:securitySolution' - /api/timelines: - get: - operationId: GetTimelines - parameters: - - description: >- - If true, only timelines that are marked as favorites by the user are - returned. - in: query - name: only_user_favorite - schema: - enum: - - 'true' - - 'false' - nullable: true - type: string - - in: query - name: timeline_type - schema: - $ref: '#/components/schemas/Security_Timeline_API_TimelineType' - nullable: true - - in: query - name: sort_field - schema: - $ref: '#/components/schemas/Security_Timeline_API_SortFieldTimeline' - - in: query - name: sort_order - schema: - enum: - - asc - - desc - type: string - - in: query - name: page_size - schema: - nullable: true - type: string - - in: query - name: page_index - schema: - nullable: true - type: string - - in: query - name: search - schema: - nullable: true - type: string - - in: query - name: status - schema: - $ref: '#/components/schemas/Security_Timeline_API_TimelineStatus' - nullable: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - customTemplateTimelineCount: - type: number - defaultTimelineCount: - type: number - elasticTemplateTimelineCount: - type: number - favoriteCount: - type: number - templateTimelineCount: - type: number - timeline: - items: - $ref: >- - #/components/schemas/Security_Timeline_API_TimelineResponse - type: array - totalCount: - type: number - required: - - timeline - - totalCount - description: Indicates that the (template) timelines were found and returned. - '400': - content: - 'application:json; Elastic-Api-Version=2023-10-31': - schema: - type: object - properties: - body: - type: string - statusCode: - type: number - description: Bad request. The user supplied invalid data. - summary: >- - This API is used to retrieve a list of existing saved timelines or - timeline templates. - tags: - - Security Timeline API - - 'access:securitySolution' - '/s/{spaceId}/api/observability/slos': - get: - description: > - You must have the `read` privileges for the **SLOs** feature in the - **Observability** section of the Kibana feature privileges. - operationId: findSlosOp - parameters: - - $ref: '#/components/parameters/SLOs_kbn_xsrf' - - $ref: '#/components/parameters/SLOs_space_id' - - description: A valid kql query to filter the SLO with - example: 'slo.name:latency* and slo.tags : "prod"' - in: query - name: kqlQuery - schema: - type: string - - description: 'The page to use for pagination, must be greater or equal than 1' - example: 1 - in: query - name: page - schema: - default: 1 - type: integer - - description: Number of SLOs returned by page - example: 25 - in: query - name: perPage - schema: - default: 25 - maximum: 5000 - type: integer - - description: Sort by field - example: status - in: query - name: sortBy - schema: - default: status - enum: - - sli_value - - status - - error_budget_consumed - - error_budget_remaining - type: string - - description: Sort order - example: asc - in: query - name: sortDirection - schema: - default: asc - enum: - - asc - - desc - type: string - - description: >- - Hide stale SLOs from the list as defined by stale SLO threshold in - SLO settings - in: query - name: hideStale - schema: - type: boolean - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_find_slo_response' - description: Successful request - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_400_response' - description: Bad request - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_401_response' - description: Unauthorized response - '403': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_403_response' - description: Unauthorized response - '404': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_404_response' - description: Not found response - summary: Get a paginated list of SLOs - tags: - - slo - post: - description: > - You must have `all` privileges for the **SLOs** feature in the - **Observability** section of the Kibana feature privileges. - operationId: createSloOp - parameters: - - $ref: '#/components/parameters/SLOs_kbn_xsrf' - - $ref: '#/components/parameters/SLOs_space_id' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_create_slo_request' - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_create_slo_response' - description: Successful request - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_400_response' - description: Bad request - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_401_response' - description: Unauthorized response - '403': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_403_response' - description: Unauthorized response - '409': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_409_response' - description: Conflict - The SLO id already exists - servers: - - url: 'https://localhost:5601' - summary: Create an SLO - tags: - - slo - '/s/{spaceId}/api/observability/slos/_delete_instances': - post: - description: > - The deletion occurs for the specified list of `sloId` and `instanceId`. - You must have `all` privileges for the **SLOs** feature in the - **Observability** section of the Kibana feature privileges. - operationId: deleteSloInstancesOp - parameters: - - $ref: '#/components/parameters/SLOs_kbn_xsrf' - - $ref: '#/components/parameters/SLOs_space_id' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_delete_slo_instances_request' - required: true - responses: - '204': - description: Successful request - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_400_response' - description: Bad request - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_401_response' - description: Unauthorized response - '403': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_403_response' - description: Unauthorized response - servers: - - url: 'https://localhost:5601' - summary: Batch delete rollup and summary data - tags: - - slo - '/s/{spaceId}/api/observability/slos/{sloId}': - delete: - description: > - You must have the `write` privileges for the **SLOs** feature in the - **Observability** section of the Kibana feature privileges. - operationId: deleteSloOp - parameters: - - $ref: '#/components/parameters/SLOs_kbn_xsrf' - - $ref: '#/components/parameters/SLOs_space_id' - - $ref: '#/components/parameters/SLOs_slo_id' - responses: - '204': - description: Successful request - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_400_response' - description: Bad request - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_401_response' - description: Unauthorized response - '403': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_403_response' - description: Unauthorized response - '404': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_404_response' - description: Not found response - summary: Delete an SLO - tags: - - slo - get: - description: > - You must have the `read` privileges for the **SLOs** feature in the - **Observability** section of the Kibana feature privileges. - operationId: getSloOp - parameters: - - $ref: '#/components/parameters/SLOs_kbn_xsrf' - - $ref: '#/components/parameters/SLOs_space_id' - - $ref: '#/components/parameters/SLOs_slo_id' - - description: the specific instanceId used by the summary calculation - example: host-abcde - in: query - name: instanceId - schema: - type: string - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_slo_with_summary_response' - description: Successful request - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_400_response' - description: Bad request - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_401_response' - description: Unauthorized response - '403': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_403_response' - description: Unauthorized response - '404': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_404_response' - description: Not found response - summary: Get an SLO - tags: - - slo - put: - description: > - You must have the `write` privileges for the **SLOs** feature in the - **Observability** section of the Kibana feature privileges. - operationId: updateSloOp - parameters: - - $ref: '#/components/parameters/SLOs_kbn_xsrf' - - $ref: '#/components/parameters/SLOs_space_id' - - $ref: '#/components/parameters/SLOs_slo_id' - requestBody: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_update_slo_request' - required: true - responses: - '200': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_slo_definition_response' - description: Successful request - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_400_response' - description: Bad request - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_401_response' - description: Unauthorized response - '403': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_403_response' - description: Unauthorized response - '404': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_404_response' - description: Not found response - summary: Update an SLO - tags: - - slo - '/s/{spaceId}/api/observability/slos/{sloId}/_reset': - post: - description: > - You must have the `write` privileges for the **SLOs** feature in the - **Observability** section of the Kibana feature privileges. - operationId: resetSloOp - parameters: - - $ref: '#/components/parameters/SLOs_kbn_xsrf' - - $ref: '#/components/parameters/SLOs_space_id' - - $ref: '#/components/parameters/SLOs_slo_id' - responses: - '204': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_slo_definition_response' - description: Successful request - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_400_response' - description: Bad request - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_401_response' - description: Unauthorized response - '403': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_403_response' - description: Unauthorized response - '404': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_404_response' - description: Not found response - summary: Reset an SLO - tags: - - slo - '/s/{spaceId}/api/observability/slos/{sloId}/disable': - post: - description: > - You must have the `write` privileges for the **SLOs** feature in the - **Observability** section of the Kibana feature privileges. - operationId: disableSloOp - parameters: - - $ref: '#/components/parameters/SLOs_kbn_xsrf' - - $ref: '#/components/parameters/SLOs_space_id' - - $ref: '#/components/parameters/SLOs_slo_id' - responses: - '200': - description: Successful request - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_400_response' - description: Bad request - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_401_response' - description: Unauthorized response - '403': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_403_response' - description: Unauthorized response - '404': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_404_response' - description: Not found response - summary: Disable an SLO - tags: - - slo - '/s/{spaceId}/api/observability/slos/{sloId}/enable': - post: - description: > - You must have the `write` privileges for the **SLOs** feature in the - **Observability** section of the Kibana feature privileges. - operationId: enableSloOp - parameters: - - $ref: '#/components/parameters/SLOs_kbn_xsrf' - - $ref: '#/components/parameters/SLOs_space_id' - - $ref: '#/components/parameters/SLOs_slo_id' - responses: - '204': - description: Successful request - '400': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_400_response' - description: Bad request - '401': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_401_response' - description: Unauthorized response - '403': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_403_response' - description: Unauthorized response - '404': - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - $ref: '#/components/schemas/SLOs_404_response' - description: Not found response - summary: Enable an SLO - tags: - - slo -components: - examples: - Data_views_create_data_view_request: - summary: Create a data view with runtime fields. - value: - data_view: - name: My Logstash data view - runtimeFieldMap: - runtime_shape_name: - script: - source: 'emit(doc[''shape_name''].value)' - type: keyword - title: logstash-* - Data_views_create_runtime_field_request: - summary: Create a runtime field. - value: - name: runtimeFoo - runtimeField: - script: - source: 'emit(doc["foo"].value)' - type: long - Data_views_get_data_view_response: - summary: >- - The get data view API returns a JSON object that contains information - about the data view. - value: - data_view: - allowNoIndex: false - fieldAttrs: - products.manufacturer: - count: 1 - products.price: - count: 1 - products.product_name: - count: 1 - total_quantity: - count: 1 - fieldFormats: - products.base_price: - id: number - params: - pattern: '$0,0.00' - products.base_unit_price: - id: number - params: - pattern: '$0,0.00' - products.min_price: - id: number - params: - pattern: '$0,0.00' - products.price: - id: number - params: - pattern: '$0,0.00' - products.taxful_price: - id: number - params: - pattern: '$0,0.00' - products.taxless_price: - id: number - params: - pattern: '$0,0.00' - taxful_total_price: - id: number - params: - pattern: '$0,0.[00]' - taxless_total_price: - id: number - params: - pattern: '$0,0.00' - fields: - _id: - aggregatable: false - count: 0 - esTypes: - - _id - format: - id: string - isMapped: true - name: _id - readFromDocValues: false - scripted: false - searchable: true - shortDotsEnable: false - type: string - _index: - aggregatable: true - count: 0 - esTypes: - - _index - format: - id: string - isMapped: true - name: _index - readFromDocValues: false - scripted: false - searchable: true - shortDotsEnable: false - type: string - _score: - aggregatable: false - count: 0 - format: - id: number - isMapped: true - name: _score - readFromDocValues: false - scripted: false - searchable: false - shortDotsEnable: false - type: number - _source: - aggregatable: false - count: 0 - esTypes: - - _source - format: - id: _source - isMapped: true - name: _source - readFromDocValues: false - scripted: false - searchable: false - shortDotsEnable: false - type: _source - category: - aggregatable: false - count: 0 - esTypes: - - text - format: - id: string - isMapped: true - name: category - readFromDocValues: false - scripted: false - searchable: true - shortDotsEnable: false - type: string - category.keyword: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: category.keyword - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - subType: - multi: - parent: category - type: string - currency: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: currency - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - customer_birth_date: - aggregatable: true - count: 0 - esTypes: - - date - format: - id: date - isMapped: true - name: customer_birth_date - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: date - customer_first_name: - aggregatable: false - count: 0 - esTypes: - - text - format: - id: string - isMapped: true - name: customer_first_name - readFromDocValues: false - scripted: false - searchable: true - shortDotsEnable: false - type: string - customer_first_name.keyword: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: customer_first_name.keyword - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - subType: - multi: - parent: customer_first_name - type: string - customer_full_name: - aggregatable: false - count: 0 - esTypes: - - text - format: - id: string - isMapped: true - name: customer_full_name - readFromDocValues: false - scripted: false - searchable: true - shortDotsEnable: false - type: string - customer_full_name.keyword: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: customer_full_name.keyword - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - subType: - multi: - parent: customer_full_name - type: string - customer_gender: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: customer_gender - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - customer_id: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: customer_id - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - customer_last_name: - aggregatable: false - count: 0 - esTypes: - - text - format: - id: string - isMapped: true - name: customer_last_name - readFromDocValues: false - scripted: false - searchable: true - shortDotsEnable: false - type: string - customer_last_name.keyword: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: customer_last_name.keyword - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - subType: - multi: - parent: customer_last_name - type: string - customer_phone: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: customer_phone - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - day_of_week: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: day_of_week - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - day_of_week_i: - aggregatable: true - count: 0 - esTypes: - - integer - format: - id: number - isMapped: true - name: day_of_week_i - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - email: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: email - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - event.dataset: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: event.dataset - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - geoip.city_name: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: geoip.city_name - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - geoip.continent_name: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: geoip.continent_name - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - geoip.country_iso_code: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: geoip.country_iso_code - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - geoip.location: - aggregatable: true - count: 0 - esTypes: - - geo_point - format: - id: geo_point - params: - transform: wkt - isMapped: true - name: geoip.location - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: geo_point - geoip.region_name: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: geoip.region_name - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - manufacturer: - aggregatable: false - count: 0 - esTypes: - - text - format: - id: string - isMapped: true - name: manufacturer - readFromDocValues: false - scripted: false - searchable: true - shortDotsEnable: false - type: string - manufacturer.keyword: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: manufacturer.keyword - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - subType: - multi: - parent: manufacturer - type: string - order_date: - aggregatable: true - count: 0 - esTypes: - - date - format: - id: date - isMapped: true - name: order_date - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: date - order_id: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: order_id - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - products._id: - aggregatable: false - count: 0 - esTypes: - - text - format: - id: string - isMapped: true - name: products._id - readFromDocValues: false - scripted: false - searchable: true - shortDotsEnable: false - type: string - products._id.keyword: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: products._id.keyword - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - subType: - multi: - parent: products._id - type: string - products.base_price: - aggregatable: true - count: 0 - esTypes: - - half_float - format: - id: number - params: - pattern: '$0,0.00' - isMapped: true - name: products.base_price - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - products.base_unit_price: - aggregatable: true - count: 0 - esTypes: - - half_float - format: - id: number - params: - pattern: '$0,0.00' - isMapped: true - name: products.base_unit_price - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - products.category: - aggregatable: false - count: 0 - esTypes: - - text - format: - id: string - isMapped: true - name: products.category - readFromDocValues: false - scripted: false - searchable: true - shortDotsEnable: false - type: string - products.category.keyword: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: products.category.keyword - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - subType: - multi: - parent: products.category - type: string - products.created_on: - aggregatable: true - count: 0 - esTypes: - - date - format: - id: date - isMapped: true - name: products.created_on - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: date - products.discount_amount: - aggregatable: true - count: 0 - esTypes: - - half_float - format: - id: number - isMapped: true - name: products.discount_amount - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - products.discount_percentage: - aggregatable: true - count: 0 - esTypes: - - half_float - format: - id: number - isMapped: true - name: products.discount_percentage - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - products.manufacturer: - aggregatable: false - count: 1 - esTypes: - - text - format: - id: string - isMapped: true - name: products.manufacturer - readFromDocValues: false - scripted: false - searchable: true - shortDotsEnable: false - type: string - products.manufacturer.keyword: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: products.manufacturer.keyword - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - subType: - multi: - parent: products.manufacturer - type: string - products.min_price: - aggregatable: true - count: 0 - esTypes: - - half_float - format: - id: number - params: - pattern: '$0,0.00' - isMapped: true - name: products.min_price - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - products.price: - aggregatable: true - count: 1 - esTypes: - - half_float - format: - id: number - params: - pattern: '$0,0.00' - isMapped: true - name: products.price - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - products.product_id: - aggregatable: true - count: 0 - esTypes: - - long - format: - id: number - isMapped: true - name: products.product_id - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - products.product_name: - aggregatable: false - count: 1 - esTypes: - - text - format: - id: string - isMapped: true - name: products.product_name - readFromDocValues: false - scripted: false - searchable: true - shortDotsEnable: false - type: string - products.product_name.keyword: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: products.product_name.keyword - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - subType: - multi: - parent: products.product_name - type: string - products.quantity: - aggregatable: true - count: 0 - esTypes: - - integer - format: - id: number - isMapped: true - name: products.quantity - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - products.sku: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: products.sku - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - products.tax_amount: - aggregatable: true - count: 0 - esTypes: - - half_float - format: - id: number - isMapped: true - name: products.tax_amount - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - products.taxful_price: - aggregatable: true - count: 0 - esTypes: - - half_float - format: - id: number - params: - pattern: '$0,0.00' - isMapped: true - name: products.taxful_price - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - products.taxless_price: - aggregatable: true - count: 0 - esTypes: - - half_float - format: - id: number - params: - pattern: '$0,0.00' - isMapped: true - name: products.taxless_price - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - products.unit_discount_amount: - aggregatable: true - count: 0 - esTypes: - - half_float - format: - id: number - isMapped: true - name: products.unit_discount_amount - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - sku: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: sku - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - taxful_total_price: - aggregatable: true - count: 0 - esTypes: - - half_float - format: - id: number - params: - pattern: '$0,0.[00]' - isMapped: true - name: taxful_total_price - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - taxless_total_price: - aggregatable: true - count: 0 - esTypes: - - half_float - format: - id: number - params: - pattern: '$0,0.00' - isMapped: true - name: taxless_total_price - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - total_quantity: - aggregatable: true - count: 1 - esTypes: - - integer - format: - id: number - isMapped: true - name: total_quantity - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - total_unique_products: - aggregatable: true - count: 0 - esTypes: - - integer - format: - id: number - isMapped: true - name: total_unique_products - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - type: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: type - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - user: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: user - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - id: ff959d40-b880-11e8-a6d9-e546fe2bba5f - name: Kibana Sample Data eCommerce - namespaces: - - default - runtimeFieldMap: {} - sourceFilters: [] - timeFieldName: order_date - title: kibana_sample_data_ecommerce - typeMeta: {} - version: WzUsMV0= - Data_views_get_data_views_response: - summary: The get all data views API returns a list of data views. - value: - data_view: - - id: ff959d40-b880-11e8-a6d9-e546fe2bba5f - name: Kibana Sample Data eCommerce - namespaces: - - default - title: kibana_sample_data_ecommerce - typeMeta: {} - - id: d3d7af60-4c81-11e8-b3d7-01146121b73d - name: Kibana Sample Data Flights - namespaces: - - default - title: kibana_sample_data_flights - - id: 90943e30-9a47-11e8-b64d-95841ca0b247 - name: Kibana Sample Data Logs - namespaces: - - default - title: kibana_sample_data_logs - Data_views_get_default_data_view_response: - summary: The get default data view API returns the default data view identifier. - value: - data_view_id: ff959d40-b880-11e8-a6d9-e546fe2bba5f - Data_views_get_runtime_field_response: - summary: >- - The get runtime field API returns a JSON object that contains - information about the runtime field (`hour_of_day`) and the data view - (`d3d7af60-4c81-11e8-b3d7-01146121b73d`). - value: - data_view: - allowNoIndex: false - fieldAttrs: {} - fieldFormats: - AvgTicketPrice: - id: number - params: - pattern: '$0,0.[00]' - hour_of_day: - id: number - params: - pattern: '00' - fields: - _id: - aggregatable: false - count: 0 - esTypes: - - _id - format: - id: string - isMapped: true - name: _id - readFromDocValues: false - scripted: false - searchable: true - shortDotsEnable: false - type: string - _index: - aggregatable: true - count: 0 - esTypes: - - _index - format: - id: string - isMapped: true - name: _index - readFromDocValues: false - scripted: false - searchable: true - shortDotsEnable: false - type: string - _score: - aggregatable: false - count: 0 - format: - id: number - isMapped: true - name: _score - readFromDocValues: false - scripted: false - searchable: false - shortDotsEnable: false - type: number - _source: - aggregatable: false - count: 0 - esTypes: - - _source - format: - id: _source - isMapped: true - name: _source - readFromDocValues: false - scripted: false - searchable: false - shortDotsEnable: false - type: _source - AvgTicketPrice: - aggregatable: true - count: 0 - esTypes: - - float - format: - id: number - params: - pattern: '$0,0.[00]' - isMapped: true - name: AvgTicketPrice - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - Cancelled: - aggregatable: true - count: 0 - esTypes: - - boolean - format: - id: boolean - isMapped: true - name: Cancelled - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: boolean - Carrier: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: Carrier - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - dayOfWeek: - aggregatable: true - count: 0 - esTypes: - - integer - format: - id: number - isMapped: true - name: dayOfWeek - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - Dest: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: Dest - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - DestAirportID: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: DestAirportID - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - DestCityName: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: DestCityName - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - DestCountry: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: DestCountry - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - DestLocation: - aggregatable: true - count: 0 - esTypes: - - geo_point - format: - id: geo_point - params: - transform: wkt - isMapped: true - name: DestLocation - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: geo_point - DestRegion: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: DestRegion - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - DestWeather: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: DestWeather - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - DistanceKilometers: - aggregatable: true - count: 0 - esTypes: - - float - format: - id: number - isMapped: true - name: DistanceKilometers - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - DistanceMiles: - aggregatable: true - count: 0 - esTypes: - - float - format: - id: number - isMapped: true - name: DistanceMiles - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - FlightDelay: - aggregatable: true - count: 0 - esTypes: - - boolean - format: - id: boolean - isMapped: true - name: FlightDelay - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: boolean - FlightDelayMin: - aggregatable: true - count: 0 - esTypes: - - integer - format: - id: number - isMapped: true - name: FlightDelayMin - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - FlightDelayType: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: FlightDelayType - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - FlightNum: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: FlightNum - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - FlightTimeHour: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: FlightTimeHour - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - FlightTimeMin: - aggregatable: true - count: 0 - esTypes: - - float - format: - id: number - isMapped: true - name: FlightTimeMin - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: number - hour_of_day: - aggregatable: true - count: 0 - esTypes: - - long - format: - id: number - params: - pattern: '00' - name: hour_of_day - readFromDocValues: false - runtimeField: - script: - source: 'emit(doc[''timestamp''].value.getHour());' - type: long - scripted: false - searchable: true - shortDotsEnable: false - type: number - Origin: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: Origin - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - OriginAirportID: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: OriginAirportID - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - OriginCityName: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: OriginCityName - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - OriginCountry: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: OriginCountry - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - OriginLocation: - aggregatable: true - count: 0 - esTypes: - - geo_point - format: - id: geo_point - params: - transform: wkt - isMapped: true - name: OriginLocation - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: geo_point - OriginRegion: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: OriginRegion - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - OriginWeather: - aggregatable: true - count: 0 - esTypes: - - keyword - format: - id: string - isMapped: true - name: OriginWeather - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: string - timestamp: - aggregatable: true - count: 0 - esTypes: - - date - format: - id: date - isMapped: true - name: timestamp - readFromDocValues: true - scripted: false - searchable: true - shortDotsEnable: false - type: date - id: d3d7af60-4c81-11e8-b3d7-01146121b73d - name: Kibana Sample Data Flights - runtimeFieldMap: - hour_of_day: - script: - source: 'emit(doc[''timestamp''].value.getHour());' - type: long - sourceFilters: [] - timeFieldName: timestamp - title: kibana_sample_data_flights - version: WzM2LDJd - fields: - - aggregatable: true - count: 0 - esTypes: - - long - name: hour_of_day - readFromDocValues: false - runtimeField: - script: - source: 'emit(doc[''timestamp''].value.getHour());' - type: long - scripted: false - searchable: true - shortDotsEnable: false - type: number - Data_views_preview_swap_data_view_request: - summary: Preview swapping references from data view ID "abcd-efg" to "xyz-123". - value: - fromId: abcd-efg - toId: xyz-123 - Data_views_set_default_data_view_request: - summary: Set the default data view identifier. - value: - data_view_id: ff959d40-b880-11e8-a6d9-e546fe2bba5f - force: true - Data_views_swap_data_view_request: - summary: >- - Swap references from data view ID "abcd-efg" to "xyz-123" and remove the - data view that is no longer referenced. - value: - delete: true - fromId: abcd-efg - toId: xyz-123 - Data_views_update_data_view_request: - summary: Update some properties for a data view. - value: - data_view: - allowNoIndex: false - name: Kibana Sample Data eCommerce - timeFieldName: order_date - title: kibana_sample_data_ecommerce - refresh_fields: true - Data_views_update_field_metadata_request: - summary: Update metadata for multiple fields. - value: - fields: - field1: - count: 123 - customLabel: Field 1 label - field2: - customDescription: Field 2 description - customLabel: Field 2 label - Data_views_update_runtime_field_request: - summary: Update an existing runtime field on a data view. - value: - runtimeField: - script: - source: 'emit(doc["bar"].value)' - Machine_learning_APIs_mlSyncExample: - summary: Two anomaly detection jobs required synchronization in this example. - value: - datafeedsAdded: {} - datafeedsRemoved: {} - savedObjectsCreated: - anomaly-detector: - myjob1: - success: true - myjob2: - success: true - savedObjectsDeleted: {} - Serverless_saved_objects_export_objects_request: - summary: Export a specific saved object. - value: - excludeExportDetails: true - includeReferencesDeep: false - objects: - - id: de71f4f0-1902-11e9-919b-ffe5949a18d2 - type: map - Serverless_saved_objects_export_objects_response: - summary: >- - The export objects API response contains a JSON record for each exported - object. - value: - attributes: - description: '' - layerListJSON: >- - [{"id":"0hmz5","alpha":1,"sourceDescriptor":{"type":"EMS_TMS","isAutoSelect":true,"lightModeDefault":"road_map_desaturated"},"visible":true,"style":{},"type":"EMS_VECTOR_TILE","minZoom":0,"maxZoom":24},{"id":"edh66","label":"Total - Requests by - Destination","minZoom":0,"maxZoom":24,"alpha":0.5,"sourceDescriptor":{"type":"EMS_FILE","id":"world_countries","tooltipProperties":["name","iso2"]},"visible":true,"style":{"type":"VECTOR","properties":{"fillColor":{"type":"DYNAMIC","options":{"field":{"name":"__kbnjoin__count__673ff994-fc75-4c67-909b-69fcb0e1060e","origin":"join"},"color":"Greys","fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"lineColor":{"type":"STATIC","options":{"color":"#FFFFFF"}},"lineWidth":{"type":"STATIC","options":{"size":1}},"iconSize":{"type":"STATIC","options":{"size":10}},"symbolizeAs":{"options":{"value":"circle"}},"icon":{"type":"STATIC","options":{"value":"marker"}}}},"type":"GEOJSON_VECTOR","joins":[{"leftField":"iso2","right":{"type":"ES_TERM_SOURCE","id":"673ff994-fc75-4c67-909b-69fcb0e1060e","indexPatternTitle":"kibana_sample_data_logs","term":"geo.dest","indexPatternRefName":"layer_1_join_0_index_pattern","metrics":[{"type":"count","label":"web - logs - count"}],"applyGlobalQuery":true}}]},{"id":"gaxya","label":"Actual - Requests","minZoom":9,"maxZoom":24,"alpha":1,"sourceDescriptor":{"id":"b7486535-171b-4d3b-bb2e-33c1a0a2854c","type":"ES_SEARCH","geoField":"geo.coordinates","limit":2048,"filterByMapBounds":true,"tooltipProperties":["clientip","timestamp","host","request","response","machine.os","agent","bytes"],"indexPatternRefName":"layer_2_source_index_pattern","applyGlobalQuery":true,"scalingType":"LIMIT"},"visible":true,"style":{"type":"VECTOR","properties":{"fillColor":{"type":"STATIC","options":{"color":"#2200ff"}},"lineColor":{"type":"STATIC","options":{"color":"#FFFFFF"}},"lineWidth":{"type":"STATIC","options":{"size":2}},"iconSize":{"type":"DYNAMIC","options":{"field":{"name":"bytes","origin":"source"},"minSize":1,"maxSize":23,"fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"symbolizeAs":{"options":{"value":"circle"}},"icon":{"type":"STATIC","options":{"value":"marker"}}}},"type":"GEOJSON_VECTOR"},{"id":"tfi3f","label":"Total - Requests and - Bytes","minZoom":0,"maxZoom":9,"alpha":1,"sourceDescriptor":{"type":"ES_GEO_GRID","resolution":"COARSE","id":"8aaa65b5-a4e9-448b-9560-c98cb1c5ac5b","geoField":"geo.coordinates","requestType":"point","metrics":[{"type":"count","label":"web - logs - count"},{"type":"sum","field":"bytes"}],"indexPatternRefName":"layer_3_source_index_pattern","applyGlobalQuery":true},"visible":true,"style":{"type":"VECTOR","properties":{"fillColor":{"type":"DYNAMIC","options":{"field":{"name":"doc_count","origin":"source"},"color":"Blues","fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"lineColor":{"type":"STATIC","options":{"color":"#cccccc"}},"lineWidth":{"type":"STATIC","options":{"size":1}},"iconSize":{"type":"DYNAMIC","options":{"field":{"name":"sum_of_bytes","origin":"source"},"minSize":7,"maxSize":25,"fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"labelText":{"type":"DYNAMIC","options":{"field":{"name":"doc_count","origin":"source"},"fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"labelSize":{"type":"DYNAMIC","options":{"field":{"name":"doc_count","origin":"source"},"minSize":12,"maxSize":24,"fieldMetaOptions":{"isEnabled":false,"sigma":3}}},"symbolizeAs":{"options":{"value":"circle"}},"icon":{"type":"STATIC","options":{"value":"marker"}}}},"type":"GEOJSON_VECTOR"}] - mapStateJSON: >- - {"zoom":3.64,"center":{"lon":-88.92107,"lat":42.16337},"timeFilters":{"from":"now-7d","to":"now"},"refreshConfig":{"isPaused":true,"interval":0},"query":{"language":"kuery","query":""},"settings":{"autoFitToDataBounds":false}} - title: '[Logs] Total Requests and Bytes' - uiStateJSON: '{"isDarkMode":false}' - coreMigrationVersion: 8.8.0 - created_at: '2023-08-23T20:03:32.204Z' - id: de71f4f0-1902-11e9-919b-ffe5949a18d2 - managed: false - references: - - id: 90943e30-9a47-11e8-b64d-95841ca0b247 - name: layer_1_join_0_index_pattern - type: index-pattern - - id: 90943e30-9a47-11e8-b64d-95841ca0b247 - name: layer_2_source_index_pattern - type: index-pattern - - id: 90943e30-9a47-11e8-b64d-95841ca0b247 - name: layer_3_source_index_pattern - type: index-pattern - type: map - typeMigrationVersion: 8.4.0 - updated_at: '2023-08-23T20:03:32.204Z' - version: WzEzLDFd - Serverless_saved_objects_import_objects_request: - value: - file: file.ndjson - Serverless_saved_objects_import_objects_response: - summary: >- - The import objects API response indicates a successful import and the - objects are created. Since these objects are created as new copies, each - entry in the successResults array includes a destinationId attribute. - value: - success: true - successCount: 1 - successResults: - - destinationId: 82d2760c-468f-49cf-83aa-b9a35b6a8943 - id: 90943e30-9a47-11e8-b64d-95841ca0b247 - managed: false - meta: - icon: indexPatternApp - title: Kibana Sample Data Logs - type: index-pattern - parameters: - Data_views_field_name: - description: The name of the runtime field. - in: path - name: fieldName - required: true - schema: - example: hour_of_day - type: string - Data_views_kbn_xsrf: - description: Cross-site request forgery protection - in: header - name: kbn-xsrf - required: true - schema: - type: string - Data_views_view_id: - description: An identifier for the data view. - in: path - name: viewId - required: true - schema: - example: ff959d40-b880-11e8-a6d9-e546fe2bba5f - type: string - Fleet_format: - description: Simplified or legacy format for package inputs - in: query - name: format - required: false - schema: - enum: - - simplified - - legacy - type: string - Fleet_kbn_xsrf: - description: Kibana's anti Cross-Site Request Forgery token. Can be any string value. - in: header - name: kbn-xsrf - required: true - schema: - type: string - Fleet_kuery: - in: query - name: kuery - required: false - schema: - type: string - Fleet_page_index: - in: query - name: page - required: false - schema: - default: 1 - type: integer - Fleet_page_size: - description: The number of items to return - in: query - name: perPage - required: false - schema: - default: 20 - type: integer - Fleet_show_inactive: - in: query - name: showInactive - required: false - schema: - type: boolean - Fleet_show_upgradeable: - in: query - name: showUpgradeable - required: false - schema: - type: boolean - Fleet_sort_field: - in: query - name: sortField - required: false - schema: - deprecated: true - type: string - Fleet_sort_order: - in: query - name: sortOrder - required: false - schema: - enum: - - asc - - desc - type: string - Fleet_with_metrics: - description: 'Return agent metrics, false by default' - in: query - name: withMetrics - required: false - schema: - type: boolean - Machine_learning_APIs_simulateParam: - description: >- - When true, simulates the synchronization by returning only the list of - actions that would be performed. - example: 'true' - in: query - name: simulate - required: false - schema: - type: boolean - Serverless_saved_objects_kbn_xsrf: - description: Cross-site request forgery protection - in: header - name: kbn-xsrf - required: true - schema: - type: string - SLOs_kbn_xsrf: - description: Cross-site request forgery protection - in: header - name: kbn-xsrf - required: true - schema: - type: string - SLOs_slo_id: - description: An identifier for the slo. - in: path - name: sloId - required: true - schema: - example: 9c235211-6834-11ea-a78c-6feb38a34414 - type: string - SLOs_space_id: - description: >- - An identifier for the space. If `/s/` and the identifier are omitted - from the path, the default space is used. - in: path - name: spaceId - required: true - schema: - example: default - type: string - responses: - Fleet_error: - content: - application/json; Elastic-Api-Version=2023-10-31: - schema: - type: object - properties: - error: - type: string - message: - type: string - statusCode: - type: number - description: Generic Error - schemas: - Data_views_400_response: - title: Bad request - type: object - properties: - error: - example: Bad Request - type: string - message: - type: string - statusCode: - example: 400 - type: number - required: - - statusCode - - error - - message - Data_views_404_response: - type: object - properties: - error: - enum: - - Not Found - example: Not Found - type: string - message: - example: >- - Saved object [index-pattern/caaad6d0-920c-11ed-b36a-874bd1548a00] - not found - type: string - statusCode: - enum: - - 404 - example: 404 - type: integer - Data_views_allownoindex: - description: Allows the data view saved object to exist before the data is available. - type: boolean - Data_views_create_data_view_request_object: - title: Create data view request - type: object - properties: - data_view: - description: The data view object. - type: object - properties: - allowNoIndex: - $ref: '#/components/schemas/Data_views_allownoindex' - fieldAttrs: - additionalProperties: - $ref: '#/components/schemas/Data_views_fieldattrs' - type: object - fieldFormats: - $ref: '#/components/schemas/Data_views_fieldformats' - fields: - type: object - id: - type: string - name: - description: The data view name. - type: string - namespaces: - $ref: '#/components/schemas/Data_views_namespaces' - runtimeFieldMap: - additionalProperties: - $ref: '#/components/schemas/Data_views_runtimefieldmap' - type: object - sourceFilters: - $ref: '#/components/schemas/Data_views_sourcefilters' - timeFieldName: - $ref: '#/components/schemas/Data_views_timefieldname' - title: - $ref: '#/components/schemas/Data_views_title' - type: - $ref: '#/components/schemas/Data_views_type' - typeMeta: - $ref: '#/components/schemas/Data_views_typemeta' - version: - type: string - required: - - title - override: - default: false - description: >- - Override an existing data view if a data view with the provided - title already exists. - type: boolean - required: - - data_view - Data_views_data_view_response_object: - title: Data view response properties - type: object - properties: - data_view: - type: object - properties: - allowNoIndex: - $ref: '#/components/schemas/Data_views_allownoindex' - fieldAttrs: - additionalProperties: - $ref: '#/components/schemas/Data_views_fieldattrs' - type: object - fieldFormats: - $ref: '#/components/schemas/Data_views_fieldformats' - fields: - type: object - id: - example: ff959d40-b880-11e8-a6d9-e546fe2bba5f - type: string - name: - description: The data view name. - type: string - namespaces: - $ref: '#/components/schemas/Data_views_namespaces' - runtimeFieldMap: - additionalProperties: - $ref: '#/components/schemas/Data_views_runtimefieldmap' - type: object - sourceFilters: - $ref: '#/components/schemas/Data_views_sourcefilters' - timeFieldName: - $ref: '#/components/schemas/Data_views_timefieldname' - title: - $ref: '#/components/schemas/Data_views_title' - typeMeta: - $ref: '#/components/schemas/Data_views_typemeta_response' - version: - example: WzQ2LDJd - type: string - Data_views_fieldattrs: - description: A map of field attributes by field name. - type: object - properties: - count: - description: Popularity count for the field. - type: integer - customDescription: - description: Custom description for the field. - maxLength: 300 - type: string - customLabel: - description: Custom label for the field. - type: string - Data_views_fieldformats: - description: A map of field formats by field name. - type: object - Data_views_namespaces: - description: >- - An array of space identifiers for sharing the data view between multiple - spaces. - items: - default: default - type: string - type: array - Data_views_runtimefieldmap: - description: A map of runtime field definitions by field name. - type: object - properties: - script: - type: object - properties: - source: - description: Script for the runtime field. - type: string - type: - description: Mapping type of the runtime field. - type: string - required: - - script - - type - Data_views_sourcefilters: - description: The array of field names you want to filter out in Discover. - items: - type: object - properties: - value: - type: string - required: - - value - type: array - Data_views_swap_data_view_request_object: - title: Data view reference swap request - type: object - properties: - delete: - description: Deletes referenced saved object if all references are removed. - type: boolean - forId: - description: Limit the affected saved objects to one or more by identifier. - oneOf: - - type: string - - items: - type: string - type: array - forType: - description: Limit the affected saved objects by type. - type: string - fromId: - description: The saved object reference to change. - type: string - fromType: - description: > - Specify the type of the saved object reference to alter. The default - value is `index-pattern` for data views. - type: string - toId: - description: New saved object reference value to replace the old value. - type: string - required: - - fromId - - toId - Data_views_timefieldname: - description: 'The timestamp field name, which you use for time-based data views.' - type: string - Data_views_title: - description: >- - Comma-separated list of data streams, indices, and aliases that you want - to search. Supports wildcards (`*`). - type: string - Data_views_type: - description: 'When set to `rollup`, identifies the rollup data views.' - type: string - Data_views_typemeta: - description: >- - When you use rollup indices, contains the field list for the rollup data - view API endpoints. - type: object - properties: - aggs: - description: A map of rollup restrictions by aggregation type and field name. - type: object - params: - description: Properties for retrieving rollup fields. - type: object - required: - - aggs - - params - Data_views_typemeta_response: - description: >- - When you use rollup indices, contains the field list for the rollup data - view API endpoints. - nullable: true - type: object - properties: - aggs: - description: A map of rollup restrictions by aggregation type and field name. - type: object - params: - description: Properties for retrieving rollup fields. - type: object - Data_views_update_data_view_request_object: - title: Update data view request - type: object - properties: - data_view: - description: > - The data view properties you want to update. Only the specified - properties are updated in the data view. Unspecified fields stay as - they are persisted. - type: object - properties: - allowNoIndex: - $ref: '#/components/schemas/Data_views_allownoindex' - fieldFormats: - $ref: '#/components/schemas/Data_views_fieldformats' - fields: - type: object - name: - type: string - runtimeFieldMap: - additionalProperties: - $ref: '#/components/schemas/Data_views_runtimefieldmap' - type: object - sourceFilters: - $ref: '#/components/schemas/Data_views_sourcefilters' - timeFieldName: - $ref: '#/components/schemas/Data_views_timefieldname' - title: - $ref: '#/components/schemas/Data_views_title' - type: - $ref: '#/components/schemas/Data_views_type' - typeMeta: - $ref: '#/components/schemas/Data_views_typemeta' - refresh_fields: - default: false - description: Reloads the data view fields after the data view is updated. - type: boolean - required: - - data_view - Fleet_agent: - title: Agent - type: object - properties: - access_api_key: - type: string - access_api_key_id: - type: string - active: - type: boolean - components: - items: - $ref: '#/components/schemas/Fleet_agent_component' - type: array - default_api_key: - type: string - default_api_key_id: - type: string - enrolled_at: - type: string - id: - type: string - last_checkin: - type: string - local_metadata: - $ref: '#/components/schemas/Fleet_agent_metadata' - metrics: - type: object - properties: - cpu_avg: - description: >- - Average agent CPU usage during the last 5 minutes, number - between 0-1 - type: number - memory_size_byte_avg: - description: Average agent memory consumption during the last 5 minutes - type: number - policy_id: - type: string - policy_revision: - type: number - status: - $ref: '#/components/schemas/Fleet_agent_status' - type: - $ref: '#/components/schemas/Fleet_agent_type' - unenrolled_at: - type: string - unenrollment_started_at: - type: string - user_provided_metadata: - $ref: '#/components/schemas/Fleet_agent_metadata' - required: - - type - - active - - enrolled_at - - id - - status - Fleet_agent_action: - oneOf: - - properties: - ack_data: - type: string - data: - type: string - type: - enum: - - UNENROLL - - UPGRADE - - POLICY_REASSIGN - type: string - - properties: - data: - type: object - properties: - log_level: - enum: - - debug - - info - - warning - - error - nullable: true - type: string - type: - type: string - title: Agent action - Fleet_agent_component: - title: Agent component - type: object - properties: - id: - type: string - message: - type: string - status: - $ref: '#/components/schemas/Fleet_agent_component_status' - type: - type: string - units: - items: - $ref: '#/components/schemas/Fleet_agent_component_unit' - type: array - Fleet_agent_component_status: - enum: - - starting - - configuring - - healthy - - degraded - - failed - - stopping - - stopped - title: Agent component status - type: string - Fleet_agent_component_unit: - title: Agent component unit - type: object - properties: - id: - type: string - message: - type: string - payload: - type: object - status: - $ref: '#/components/schemas/Fleet_agent_component_status' - type: - $ref: '#/components/schemas/Fleet_agent_component_unit_type' - Fleet_agent_component_unit_type: - enum: - - input - - output - title: Agent component unit type - type: string - Fleet_agent_diagnostics: - title: Agent diagnostics - type: object - properties: - actionId: - type: string - createTime: - type: string - filePath: - type: string - id: - type: string - name: - type: string - status: - enum: - - READY - - AWAITING_UPLOAD - - DELETED - - IN_PROGRESS - required: - - id - - name - - createTime - - filePath - - actionId - - status - Fleet_agent_get_by_actions: - items: - items: - type: string - type: array - title: Agents get by action ids - type: array - Fleet_agent_metadata: - title: Agent metadata - type: object - Fleet_agent_policy: - title: Agent Policy - type: object - properties: - advanced_settings: - description: >- - Advanced settings stored in the agent policy, e.g. - agent_limits_go_max_procs - nullable: true - type: object - agent_features: - items: - type: object - properties: - enabled: - type: boolean - name: - type: string - required: - - name - - enabled - type: array - agents: - type: number - data_output_id: - nullable: true - type: string - description: - type: string - download_source_id: - nullable: true - type: string - fleet_server_host_id: - nullable: true - type: string - global_data_tags: - items: - additionalProperties: - oneOf: - - type: string - - type: number - description: >- - User defined data tags that are added to all of the inputs. The - values can be strings or numbers. - type: object - type: array - id: - type: string - inactivity_timeout: - type: integer - is_protected: - description: >- - Indicates whether the agent policy has tamper protection enabled. - Default false. - type: boolean - keep_monitoring_alive: - description: >- - When set to true, monitoring will be enabled but logs/metrics - collection will be disabled - nullable: true - type: boolean - monitoring_diagnostics: - type: object - properties: - limit: - type: object - properties: - burst: - type: number - interval: - type: string - uploader: - type: object - properties: - init_dur: - type: string - max_dur: - type: string - max_retries: - type: number - monitoring_enabled: - items: - enum: - - metrics - - logs - type: string - type: array - monitoring_http: - type: object - properties: - enabled: - type: boolean - host: - type: string - port: - type: number - required: - - enabled - monitoring_output_id: - nullable: true - type: string - monitoring_pprof_enabled: - type: boolean - name: - type: string - namespace: - type: string - overrides: - description: >- - Override settings that are defined in the agent policy. Input - settings cannot be overridden. The override option should be used - only in unusual circumstances and not as a routine procedure. - nullable: true - type: object - package_policies: - description: >- - This field is present only when retrieving a single agent policy, or - when retrieving a list of agent policies with the ?full=true - parameter - items: - $ref: '#/components/schemas/Fleet_package_policy' - type: array - revision: - type: number - supports_agentless: - description: >- - Indicates whether the agent policy supports agentless integrations. - Only allowed in a serverless environment. - type: boolean - unenroll_timeout: - type: integer - unprivileged_agents: - type: number - updated_by: - type: string - updated_on: - format: date-time - type: string - required: - - id - - status - - name - - namespace - Fleet_agent_policy_create_request: - title: Create agent policy request - type: object - properties: - agent_features: - items: - type: object - properties: - enabled: - type: boolean - name: - type: string - required: - - name - - enabled - type: array - data_output_id: - nullable: true - type: string - description: - type: string - download_source_id: - nullable: true - type: string - fleet_server_host_id: - nullable: true - type: string - force: - description: Force agent policy creation even if packages are not verified. - type: boolean - global_data_tags: - items: - additionalProperties: - oneOf: - - type: string - - type: number - description: >- - User defined data tags that are added to all of the inputs. The - values can be strings or numbers. - type: object - type: array - id: - type: string - inactivity_timeout: - type: integer - is_protected: - type: boolean - monitoring_enabled: - items: - enum: - - metrics - - logs - type: string - type: array - monitoring_output_id: - nullable: true - type: string - name: - type: string - namespace: - type: string - unenroll_timeout: - type: integer - required: - - name - - namespace - Fleet_agent_policy_full: - oneOf: - - type: object - properties: - item: - type: string - - type: object - properties: - item: - $ref: '#/components/schemas/Fleet_full_agent_policy' - title: Agent policy full response - type: object - Fleet_agent_policy_update_request: - title: Update agent policy request - type: object - properties: - agent_features: - items: - type: object - properties: - enabled: - type: boolean - name: - type: string - required: - - name - - enabled - type: array - data_output_id: - nullable: true - type: string - description: - type: string - download_source_id: - nullable: true - type: string - fleet_server_host_id: - nullable: true - type: string - force: - description: Force agent policy creation even if packages are not verified. - type: boolean - global_data_tags: - items: - additionalProperties: - oneOf: - - type: string - - type: number - description: >- - User defined data tags that are added to all of the inputs. The - values can be strings or numbers. - type: object - type: array - inactivity_timeout: - type: integer - is_protected: - type: boolean - monitoring_enabled: - items: - enum: - - metrics - - logs - type: string - type: array - monitoring_output_id: - nullable: true - type: string - name: - type: string - namespace: - type: string - unenroll_timeout: - type: integer - required: - - name - - namespace - Fleet_agent_status: - enum: - - offline - - error - - online - - inactive - - warning - title: Elastic Agent status - type: string - Fleet_agent_type: - enum: - - PERMANENT - - EPHEMERAL - - TEMPORARY - title: Agent type - type: string - Fleet_bulk_install_packages_response: - title: Bulk install packages response - type: object - properties: - items: - items: - type: object - properties: - name: - type: string - version: - type: string - type: array - response: - deprecated: true - items: - type: object - properties: - name: - type: string - version: - type: string - type: array - required: - - items - Fleet_bulk_upgrade_agents: - title: Bulk upgrade agents - type: object - properties: - agents: - oneOf: - - description: 'KQL query string, leave empty to action all agents' - type: string - - description: list of agent IDs - items: - type: string - type: array - force: - description: 'Force upgrade, skipping validation (should be used with caution)' - type: boolean - rollout_duration_seconds: - description: rolling upgrade window duration in seconds - type: number - skipRateLimitCheck: - description: Skip rate limit check for upgrade - type: boolean - source_uri: - description: alternative upgrade binary download url - type: string - start_time: - description: start time of upgrade in ISO 8601 format - type: string - version: - description: version to upgrade to - type: string - required: - - agents - - version - Fleet_data_stream: - title: Data stream - type: object - properties: - dashboard: - items: - type: object - properties: - id: - type: string - title: - type: string - type: array - dataset: - type: string - index: - type: string - last_activity_ms: - type: number - namespace: - type: string - package: - type: string - package_version: - type: string - size_in_bytes: - type: number - size_in_bytes_formatted: - type: string - type: - type: string - Fleet_download_sources: - title: Download Source - type: object - properties: - host: - type: string - id: - type: string - is_default: - type: boolean - name: - type: string - proxy_id: - description: >- - The ID of the proxy to use for this download source. See the proxies - API for more information. - nullable: true - type: string - required: - - is_default - - name - - host - Fleet_elasticsearch_asset_type: - enum: - - component_template - - ingest_pipeline - - index_template - - ilm_policy - - transform - - data_stream_ilm_policy - title: Elasticsearch asset type - type: string - Fleet_enrollment_api_key: - title: Enrollment API key - type: object - properties: - active: - description: >- - When false, the enrollment API key is revoked and cannot be used for - enrolling Elastic Agents. - type: boolean - api_key: - description: The enrollment API key (token) used for enrolling Elastic Agents. - type: string - api_key_id: - description: The ID of the API key in the Security API. - type: string - created_at: - type: string - id: - type: string - name: - description: The name of the enrollment API key. - type: string - policy_id: - description: The ID of the agent policy the Elastic Agent will be enrolled in. - type: string - required: - - id - - api_key_id - - api_key - - active - - created_at - Fleet_fleet_server_host: - title: Fleet Server Host - type: object - properties: - host_urls: - items: - type: string - type: array - id: - type: string - is_default: - type: boolean - is_internal: - type: boolean - is_preconfigured: - type: boolean - name: - type: string - proxy_id: - type: string - required: - - fleet_server_hosts - - id - - is_default - - is_preconfigured - - host_urls - Fleet_fleet_settings_response: - title: Fleet settings response - type: object - properties: - item: - $ref: '#/components/schemas/Fleet_settings' - required: - - item - Fleet_fleet_setup_response: - title: Fleet Setup response - type: object - properties: - isInitialized: - type: boolean - nonFatalErrors: - items: - type: object - properties: - message: - type: string - name: - type: string - required: - - name - - message - type: array - required: - - isInitialized - - nonFatalErrors - Fleet_fleet_status_response: - title: Fleet status response - type: object - properties: - isReady: - type: boolean - missing_optional_features: - items: - enum: - - encrypted_saved_object_encryption_key_required - type: string - type: array - missing_requirements: - items: - enum: - - tls_required - - api_keys - - fleet_admin_user - - fleet_server - type: string - type: array - package_verification_key_id: - type: string - required: - - isReady - - missing_requirements - - missing_optional_features - Fleet_full_agent_policy: - title: Full agent policy - type: object - properties: - agent: - nullable: true - type: string - fleet: - oneOf: - - type: object - properties: - hosts: - items: - type: string - type: array - proxy_headers: {} - proxy_url: - type: string - ssl: - type: object - properties: - certificate: - type: string - certificate_authorities: - items: - type: string - type: array - key: - type: string - renegotiation: - type: string - verification_mode: - type: string - - type: object - properties: - kibana: - type: object - properties: - hosts: - items: - type: string - type: array - path: - type: string - protocol: - type: string - id: - type: string - inputs: - type: string - monitoring: - type: object - properties: - diagnostics: - type: object - properties: - limit: - type: object - properties: - burst: - type: number - interval: - type: string - uploader: - type: object - properties: - init_dur: - type: string - max_dur: - type: string - max_retries: - type: number - enabled: - type: boolean - http: - type: object - properties: - enabled: - type: boolean - host: - type: string - port: - type: number - required: - - enabled - logs: - type: boolean - metrics: - type: boolean - namespace: - type: string - pprof: - type: object - properties: - enabled: - type: boolean - required: - - enabled - traces: - type: boolean - use_output: - type: string - required: - - enabled - - metrics - - logs - - traces - output_permissions: - additionalProperties: - type: object - properties: - data: - $ref: >- - #/components/schemas/Fleet_full_agent_policy_output_permissions - output: - type: integer - type: object - outputs: - additionalProperties: - $ref: '#/components/schemas/Fleet_full_agent_policy_output' - type: object - revision: - type: number - secret_references: - items: - type: object - properties: - id: - type: string - type: array - required: - - id - - outputs - - inputs - Fleet_full_agent_policy_input: - allOf: - - additionalProperties: true - type: object - properties: - data_stream: - type: object - properties: - namespace: - type: string - required: - - namespace - id: - type: string - meta: - additionalProperties: true - type: object - properties: - package: - type: object - properties: - name: - type: string - version: - type: string - required: - - name - - version - name: - type: string - revision: - type: number - streams: - $ref: '#/components/schemas/Fleet_full_agent_policy_input_stream' - type: - type: string - use_output: - type: string - required: - - id - - name - - revision - - type - - data_stream - - use_output - title: Full agent policy input - Fleet_full_agent_policy_input_stream: - allOf: - - additionalProperties: true - type: object - properties: - data_stream: - type: object - properties: - dataset: - type: string - type: - type: string - required: - - dataset - - type - id: - type: string - required: - - id - - data_stream - title: Full agent policy input stream - Fleet_full_agent_policy_output: - title: Full agent policy - type: object - properties: - additionalProperties: - type: object - properties: - text: {} - ca_sha256: - nullable: true - type: string - hosts: - items: - type: string - type: array - proxy_headers: {} - proxy_url: - type: string - type: {} - required: - - type - - hosts - - ca_sha256 - Fleet_full_agent_policy_output_permissions: - additionalProperties: - type: object - properties: - data: - type: object - properties: - cluster: - items: - type: string - type: array - indices: - items: - type: object - properties: - names: - items: - type: string - type: array - privileges: - items: - type: string - type: array - type: array - packagePolicyName: - type: string - title: Full agent policy output permissions - Fleet_get_agent_tags_response: - title: Get Agent Tags response - type: object - properties: - items: - items: - type: string - type: array - Fleet_get_agents_response: - title: Get Agent response - type: object - properties: - items: - items: - $ref: '#/components/schemas/Fleet_agent' - type: array - list: - deprecated: true - items: - $ref: '#/components/schemas/Fleet_agent' - type: array - page: - type: number - perPage: - type: number - statusSummary: - type: object - properties: - degraded': - type: number - enrolling: - type: number - error: - type: number - inactive: - type: number - offline: - type: number - online: - type: number - unenrolled: - type: number - unenrolling: - type: number - updating: - type: number - total: - type: number - required: - - items - - total - - page - - perPage - Fleet_get_bulk_assets_response: - deprecated: true - properties: - items: - items: - type: object - properties: - appLink: - type: string - attributes: - type: object - properties: - description: - type: string - title: - type: string - id: - type: string - type: - $ref: '#/components/schemas/Fleet_saved_object_type' - updatedAt: - type: string - type: array - required: - - items - title: Bulk get assets response - type: object - Fleet_get_categories_response: - title: Get categories response - type: object - properties: - items: - items: - type: object - properties: - count: - type: number - id: - type: string - title: - type: string - required: - - id - - title - - count - type: array - response: - items: - deprecated: true - type: object - properties: - count: - type: number - id: - type: string - title: - type: string - required: - - id - - title - - count - type: array - required: - - items - Fleet_get_packages_response: - title: Get Packages response - type: object - properties: - items: - items: - $ref: '#/components/schemas/Fleet_search_result' - type: array - response: - deprecated: true - items: - $ref: '#/components/schemas/Fleet_search_result' - type: array - required: - - items - Fleet_installation_info: - title: Installation info object - type: object - properties: - created_at: - type: string - experimental_data_stream_features: - type: array - properties: - data_stream: - type: string - features: - type: object - properties: - doc_value_only_numeric: - nullable: true - type: boolean - doc_value_only_other: - nullable: true - type: boolean - synthetic_source: - nullable: true - type: boolean - tsdb: - nullable: true - type: boolean - install_format_schema_version: - type: string - install_kibana_space_id: - type: string - install_source: - enum: - - registry - - upload - - bundled - type: string - install_status: - enum: - - installed - - installing - - install_failed - type: string - installed_es: - type: object - properties: - deferred: - type: boolean - id: - type: string - type: - $ref: '#/components/schemas/Fleet_elasticsearch_asset_type' - installed_kibana: - type: object - properties: - id: - type: string - type: - $ref: '#/components/schemas/Fleet_kibana_saved_object_type' - latest_executed_state: - description: Latest successfully executed state in package install state machine - type: object - properties: - error: - type: string - name: - enum: - - create_restart_installation - - install_kibana_assets - - install_ilm_policies - - install_ml_model - - install_index_template_pipelines - - remove_legacy_templates - - update_current_write_indices - - install_transforms - - delete_previous_pipelines - - save_archive_entries_from_assets_map - - update_so - type: string - started_at: - type: string - latest_install_failed_attempts: - description: Latest failed install errors - items: - type: object - properties: - created_at: - type: string - error: - type: object - properties: - message: - type: string - name: - type: string - stack: - type: string - target_version: - type: string - type: array - name: - type: string - namespaces: - items: - type: string - type: array - type: - type: string - updated_at: - type: string - verification_key_id: - nullable: true - type: string - verification_status: - enum: - - verified - - unverified - - unknown - type: string - version: - type: string - required: - - installed_kibana - - installed_es - - name - - version - - install_status - - install_version - - install_started_at - - install_source - - verification_status - - latest_install_failed_attempts - Fleet_kibana_saved_object_type: - enum: - - dashboard - - visualization - - search - - index-pattern - - map - - lens - - ml-module - - security-rule - - csp_rule_template - title: Kibana saved object asset type - type: string - Fleet_new_package_policy: - description: '' - properties: - description: - type: string - enabled: - type: boolean - inputs: - items: - type: object - properties: - config: - type: object - enabled: - type: boolean - processors: - items: - type: string - type: array - streams: - items: {} - type: array - type: - type: string - vars: - type: object - required: - - type - - enabled - type: array - name: - type: string - namespace: - type: string - output_id: - type: string - overrides: - type: object - package: - type: object - properties: - name: - type: string - requires_root: - type: boolean - title: - type: string - version: - type: string - required: - - name - - version - policy_id: - deprecated: true - nullable: true - type: string - policy_ids: - items: - type: string - type: array - required: - - inputs - - name - title: New package policy - type: object - Fleet_output_create_request: - discriminator: - mapping: - elasticsearch: '#/components/schemas/Fleet_output_create_request_elasticsearch' - kafka: '#/components/schemas/Fleet_output_create_request_kafka' - logstash: '#/components/schemas/Fleet_output_create_request_logstash' - remote_elasticsearch: >- - #/components/schemas/Fleet_output_create_request_remote_elasticsearch - propertyName: type - oneOf: - - $ref: '#/components/schemas/Fleet_output_create_request_elasticsearch' - - $ref: '#/components/schemas/Fleet_output_create_request_kafka' - - $ref: '#/components/schemas/Fleet_output_create_request_logstash' - - $ref: >- - #/components/schemas/Fleet_output_create_request_remote_elasticsearch - title: Output - Fleet_output_create_request_elasticsearch: - title: elasticsearch - type: object - properties: - ca_sha256: - type: string - ca_trusted_fingerprint: - type: string - config: - type: object - config_yaml: - type: string - hosts: - items: - type: string - type: array - id: - type: string - is_default: - type: boolean - is_default_monitoring: - type: boolean - is_internal: - type: boolean - name: - type: string - preset: - enum: - - balanced - - custom - - throughput - - scale - - latency - type: string - proxy_id: - type: string - shipper: - type: object - properties: - compression_level: - type: number - disk_queue_compression_enabled: - type: boolean - disk_queue_enabled: - type: boolean - disk_queue_encryption_enabled: - type: boolean - disk_queue_max_size: - type: number - disk_queue_path: - type: string - loadbalance: - type: boolean - ssl: - type: object - properties: - certificate: - type: string - certificate_authorities: - items: - type: string - type: array - key: - type: string - type: - enum: - - elasticsearch - type: string - required: - - name - Fleet_output_create_request_kafka: - title: kafka - type: object - properties: - auth_type: - type: string - broker_timeout: - type: number - ca_sha256: - type: string - ca_trusted_fingerprint: - type: string - client_id: - type: string - compression: - type: string - compression_level: - type: number - config: - type: object - config_yaml: - type: string - connection_type: - enum: - - plaintext - - encryption - type: string - headers: - items: - type: object - properties: - key: - type: string - value: - type: string - type: array - hosts: - items: - type: string - type: array - id: - type: string - is_default: - type: boolean - is_default_monitoring: - type: boolean - is_internal: - type: boolean - key: - type: string - name: - type: string - partition: - type: string - password: - type: string - proxy_id: - type: string - random: - type: object - properties: - group_events: - type: number - required_acks: - type: number - round_robin: - type: object - properties: - group_events: - type: number - sasl: - type: object - properties: - mechanism: - type: string - secrets: - type: object - properties: - password: - type: string - ssl: - type: object - properties: - key: - type: string - shipper: - type: object - properties: - compression_level: - type: number - disk_queue_compression_enabled: - type: boolean - disk_queue_enabled: - type: boolean - disk_queue_encryption_enabled: - type: boolean - disk_queue_max_size: - type: number - disk_queue_path: - type: string - loadbalance: - type: boolean - ssl: - type: object - properties: - certificate: - type: string - certificate_authorities: - items: - type: string - type: array - key: - type: string - verification_mode: - enum: - - none - - full - - certificate - - strict - type: string - timeout: - type: number - topic: - type: string - topics: - deprecated: true - description: Use topic instead. - items: - type: object - properties: - topic: - type: string - when: - deprecated: true - description: >- - Deprecated, kafka output do not support conditionnal topics - anymore. - type: object - properties: - condition: - type: string - type: - type: string - type: array - type: - enum: - - kafka - type: string - username: - type: string - version: - type: string - required: - - name - - type - - topics - - auth_type - - hosts - Fleet_output_create_request_logstash: - title: logstash - type: object - properties: - ca_sha256: - type: string - ca_trusted_fingerprint: - type: string - config: - type: object - config_yaml: - type: string - hosts: - items: - type: string - type: array - id: - type: string - is_default: - type: boolean - is_default_monitoring: - type: boolean - is_internal: - type: boolean - name: - type: string - proxy_id: - type: string - secrets: - type: object - properties: - ssl: - type: object - properties: - key: - type: string - shipper: - type: object - properties: - compression_level: - type: number - disk_queue_compression_enabled: - type: boolean - disk_queue_enabled: - type: boolean - disk_queue_encryption_enabled: - type: boolean - disk_queue_max_size: - type: number - disk_queue_path: - type: string - loadbalance: - type: boolean - ssl: - type: object - properties: - certificate: - type: string - certificate_authorities: - items: - type: string - type: array - key: - type: string - type: - enum: - - logstash - type: string - required: - - name - - hosts - - type - Fleet_output_create_request_remote_elasticsearch: - title: remote_elasticsearch - type: object - properties: - hosts: - items: - type: string - type: array - id: - type: string - is_default: - type: boolean - is_default_monitoring: - type: boolean - is_internal: - type: boolean - name: - type: string - secrets: - type: object - properties: - service_token: - type: string - service_token: - type: string - type: - enum: - - remote_elasticsearch - type: string - required: - - name - Fleet_output_update_request: - discriminator: - mapping: - elasticsearch: '#/components/schemas/Fleet_output_update_request_elasticsearch' - kafka: '#/components/schemas/Fleet_output_update_request_kafka' - logstash: '#/components/schemas/Fleet_output_update_request_logstash' - propertyName: type - oneOf: - - $ref: '#/components/schemas/Fleet_output_update_request_elasticsearch' - - $ref: '#/components/schemas/Fleet_output_update_request_kafka' - - $ref: '#/components/schemas/Fleet_output_update_request_logstash' - title: Output - Fleet_output_update_request_elasticsearch: - title: elasticsearch - type: object - properties: - ca_sha256: - type: string - ca_trusted_fingerprint: - type: string - config: - type: object - config_yaml: - type: string - hosts: - items: - type: string - type: array - id: - type: string - is_default: - type: boolean - is_default_monitoring: - type: boolean - is_internal: - type: boolean - name: - type: string - preset: - enum: - - balanced - - custom - - throughput - - scale - - latency - type: string - proxy_id: - type: string - shipper: - type: object - properties: - compression_level: - type: number - disk_queue_compression_enabled: - type: boolean - disk_queue_enabled: - type: boolean - disk_queue_encryption_enabled: - type: boolean - disk_queue_max_size: - type: number - disk_queue_path: - type: string - loadbalance: - type: boolean - ssl: - type: object - properties: - certificate: - type: string - certificate_authorities: - items: - type: string - type: array - key: - type: string - type: - enum: - - elasticsearch - type: string - required: - - name - - hosts - - type - Fleet_output_update_request_kafka: - title: kafka - type: object - properties: - auth_type: - type: string - broker_timeout: - type: number - ca_sha256: - type: string - ca_trusted_fingerprint: - type: string - client_id: - type: string - compression: - type: string - compression_level: - type: number - config: - type: object - config_yaml: - type: string - connection_type: - enum: - - plaintext - - encryption - type: string - headers: - items: - type: object - properties: - key: - type: string - value: - type: string - type: array - hosts: - items: - type: string - type: array - id: - type: string - is_default: - type: boolean - is_default_monitoring: - type: boolean - is_internal: - type: boolean - key: - type: string - name: - type: string - partition: - type: string - password: - type: string - proxy_id: - type: string - random: - type: object - properties: - group_events: - type: number - required_acks: - type: number - round_robin: - type: object - properties: - group_events: - type: number - sasl: - type: object - properties: - mechanism: - type: string - shipper: - type: object - properties: - compression_level: - type: number - disk_queue_compression_enabled: - type: boolean - disk_queue_enabled: - type: boolean - disk_queue_encryption_enabled: - type: boolean - disk_queue_max_size: - type: number - disk_queue_path: - type: string - loadbalance: - type: boolean - ssl: - type: object - properties: - certificate: - type: string - certificate_authorities: - items: - type: string - type: array - key: - type: string - verification_mode: - enum: - - none - - full - - certificate - - strict - type: string - timeout: - type: number - topic: - type: string - topics: - deprecated: true - description: Use topic instead. - items: - type: object - properties: - topic: - type: string - when: - deprecated: true - description: >- - Deprecated, kafka output do not support conditionnal topics - anymore. - type: object - properties: - condition: - type: string - type: - type: string - type: array - type: - enum: - - kafka - type: string - username: - type: string - version: - type: string - required: - - name - Fleet_output_update_request_logstash: - title: logstash - type: object - properties: - ca_sha256: - type: string - ca_trusted_fingerprint: - type: string - config: - type: object - config_yaml: - type: string - hosts: - items: - type: string - type: array - id: - type: string - is_default: - type: boolean - is_default_monitoring: - type: boolean - is_internal: - type: boolean - name: - type: string - proxy_id: - type: string - shipper: - type: object - properties: - compression_level: - type: number - disk_queue_compression_enabled: - type: boolean - disk_queue_enabled: - type: boolean - disk_queue_encryption_enabled: - type: boolean - disk_queue_max_size: - type: number - disk_queue_path: - type: string - loadbalance: - type: boolean - ssl: - type: object - properties: - certificate: - type: string - certificate_authorities: - items: - type: string - type: array - key: - type: string - type: - enum: - - logstash - type: string - required: - - name - Fleet_package_info: - title: Package information - type: object - properties: - agent: - type: object - properties: - privileges: - type: object - properties: - root: - type: boolean - asset_tags: - items: - type: object - properties: - asset_ids: - items: - type: string - type: array - asset_types: - items: - type: string - type: array - text: - type: string - required: - - text - type: array - assets: - items: - type: string - type: array - categories: - items: - type: string - type: array - conditions: - type: object - properties: - elasticsearch: - type: object - properties: - subscription: - enum: - - basic - - gold - - platinum - - enterprise - type: string - kibana: - type: object - properties: - versions: - type: string - data_streams: - items: - type: object - properties: - ingeset_pipeline: - type: string - name: - type: string - package: - type: string - release: - type: string - title: - type: string - type: - type: string - vars: - items: - type: object - properties: - default: - type: string - name: - type: string - required: - - name - - default - type: array - required: - - title - - name - - release - - ingeset_pipeline - - type - - package - type: array - description: - type: string - discovery: - type: object - properties: - fields: - items: - type: object - properties: - name: - type: string - required: - - name - type: array - download: - type: string - elasticsearch: - type: object - properties: - privileges: - type: object - properties: - cluster: - items: - type: string - type: array - format_version: - type: string - icons: - items: - type: string - type: array - internal: - type: boolean - name: - type: string - owner: - type: object - properties: - github: - type: string - type: - enum: - - elastic - - partner - - community - type: string - required: - - github - path: - type: string - readme: - type: string - release: - deprecated: true - description: >- - release label is deprecated, derive from the version instead - (packages follow semver) - enum: - - experimental - - beta - - ga - type: string - screenshots: - items: - type: object - properties: - path: - type: string - size: - type: string - src: - type: string - title: - type: string - type: - type: string - required: - - src - - path - type: array - source: - type: object - properties: - license: - enum: - - Apache-2.0 - - Elastic-2.0 - type: string - title: - type: string - type: - enum: - - integration - - input - - content - type: string - version: - type: string - required: - - name - - title - - version - - description - - type - - categories - - conditions - - assets - - format_version - - download - - path - - owner - Fleet_package_policy: - allOf: - - type: object - properties: - id: - type: string - inputs: - oneOf: - - items: {} - type: array - - type: object - revision: - type: number - required: - - id - - revision - - $ref: '#/components/schemas/Fleet_new_package_policy' - title: Package policy - Fleet_package_policy_request: - title: Package Policy Request - type: object - properties: - description: - description: Package policy description - example: my description - type: string - force: - description: >- - Force package policy creation even if package is not verified, or if - the agent policy is managed. - type: boolean - id: - description: Package policy unique identifier - type: string - inputs: - additionalProperties: - type: object - properties: - enabled: - description: 'enable or disable that input, (default to true)' - type: boolean - streams: - additionalProperties: - type: object - properties: - enabled: - description: 'enable or disable that stream, (default to true)' - type: boolean - vars: - description: >- - Stream level variable (see integration documentation for - more information) - type: object - description: >- - Input streams (see integration documentation to know what - streams are available) - type: object - vars: - description: >- - Input level variable (see integration documentation for more - information) - type: object - description: >- - Package policy inputs (see integration documentation to know what - inputs are available) - example: - nginx-logfile: - enabled: true - streams: - nginx.access: - enabled: true - vars: - ignore_older: 72h - paths: - - /var/log/nginx/access.log* - preserve_original_event: false - tags: - - nginx-access - type: object - name: - description: Package policy name (should be unique) - example: nginx-123 - type: string - namespace: - description: >- - The package policy namespace. Leave blank to inherit the agent - policy's namespace. - example: customnamespace - type: string - output_id: - description: Output ID to send package data to - example: output-id - nullable: true - type: string - overrides: - description: >- - Override settings that are defined in the package policy. The - override option should be used only in unusual circumstances and not - as a routine procedure. - nullable: true - type: object - properties: - inputs: - type: object - package: - type: object - properties: - name: - description: Package name - example: nginx - type: string - version: - description: Package version - example: 1.6.0 - type: string - required: - - name - - version - policy_id: - deprecated: true - description: Agent policy ID where that package policy will be added - example: agent-policy-id - nullable: true - type: string - policy_ids: - description: Agent policy IDs where that package policy will be added - example: - - agent-policy-id - items: - type: string - type: array - vars: - description: >- - Package root level variable (see integration documentation for more - information) - type: object - required: - - name - - package - Fleet_package_usage_stats: - title: Package usage stats - type: object - properties: - agent_policy_count: - type: integer - required: - - agent_policy_count - Fleet_proxies: - title: Fleet Proxy - type: object - properties: - certificate: - type: string - certificate_authorities: - type: string - certificate_key: - type: string - id: - type: string - name: - type: string - proxy_headers: - type: object - url: - type: string - required: - - name - - url - Fleet_saved_object_type: - oneOf: - - enum: - - dashboard - - visualization - - search - - index_pattern - - map - - lens - - security_rule - - csp_rule_template - - ml_module - - tag - - osquery_pack_asset - - osquery_saved_query - type: string - - enum: - - index - - component_template - - ingest_pipeline - - index_template - - ilm_policy - - transform - - data_stream_ilm_policy - - ml_model - type: string - title: Saved Object type - Fleet_search_result: - title: Search result - type: object - properties: - description: - type: string - download: - type: string - icons: - type: string - installationInfo: - $ref: '#/components/schemas/Fleet_installation_info' - name: - type: string - path: - type: string - savedObject: - deprecated: true - type: object - status: - type: string - title: - type: string - type: - type: string - version: - type: string - required: - - description - - download - - icons - - name - - path - - title - - type - - version - - status - Fleet_settings: - title: Settings - type: object - properties: - delete_unenrolled_agents: - type: object - properties: - enabled: - type: boolean - is_preconfigured: - type: boolean - fleet_server_hosts: - deprecated: true - items: - type: string - type: array - has_seen_add_data_notice: - type: boolean - id: - type: string - prerelease_integrations_enabled: - type: boolean - required: - - fleet_server_hosts - - id - Fleet_upgrade_agent: - title: Upgrade agent - type: object - properties: - force: - description: 'Force upgrade, skipping validation (should be used with caution)' - type: boolean - skipRateLimitCheck: - description: Skip rate limit check for upgrade - type: boolean - source_uri: - type: string - version: - type: string - required: - - version - Fleet_upgrade_agent_diff: - items: - items: - $ref: '#/components/schemas/Fleet_full_agent_policy_input' - type: array - title: Package policy Upgrade dryrun - type: array - Fleet_upgrade_diff: - items: - allOf: - - $ref: '#/components/schemas/Fleet_package_policy' - - allOf: - - $ref: '#/components/schemas/Fleet_new_package_policy' - - type: object - properties: - errors: - items: - type: object - properties: - key: - type: string - message: - type: string - type: array - missingVars: - items: - type: string - type: array - type: object - title: Package policy Upgrade dryrun - type: array - Kibana_HTTP_APIs_core_status_redactedResponse: - additionalProperties: false - description: A minimal representation of Kibana's operational status. - type: object - properties: - status: - additionalProperties: false - type: object - properties: - overall: - additionalProperties: false - type: object - properties: - level: - description: Service status levels as human and machine readable values. - enum: - - available - - degraded - - unavailable - - critical - type: string - required: - - level - required: - - overall - required: - - status - Kibana_HTTP_APIs_core_status_response: - additionalProperties: false - description: >- - Kibana's operational status as well as a detailed breakdown of plugin - statuses indication of various loads (like event loop utilization and - network traffic) at time of request. - type: object - properties: - metrics: - additionalProperties: false - description: Metric groups collected by Kibana. - type: object - properties: - collection_interval_in_millis: - description: The interval at which metrics should be collected. - type: number - elasticsearch_client: - additionalProperties: false - description: Current network metrics of Kibana's Elasticsearch client. - type: object - properties: - totalActiveSockets: - description: Count of network sockets currently in use. - type: number - totalIdleSockets: - description: Count of network sockets currently idle. - type: number - totalQueuedRequests: - description: Count of requests not yet assigned to sockets. - type: number - required: - - totalActiveSockets - - totalIdleSockets - - totalQueuedRequests - last_updated: - description: The time metrics were collected. - type: string - required: - - elasticsearch_client - - last_updated - - collection_interval_in_millis - name: - description: Kibana instance name. - type: string - status: - additionalProperties: false - type: object - properties: - core: - additionalProperties: false - description: Statuses of core Kibana services. - type: object - properties: - elasticsearch: - additionalProperties: false - type: object - properties: - detail: - description: Human readable detail of the service status. - type: string - documentationUrl: - description: A URL to further documentation regarding this service. - type: string - level: - description: >- - Service status levels as human and machine readable - values. - enum: - - available - - degraded - - unavailable - - critical - type: string - meta: - additionalProperties: {} - description: >- - An unstructured set of extra metadata about this - service. - type: object - summary: - description: A human readable summary of the service status. - type: string - required: - - level - - summary - - meta - savedObjects: - additionalProperties: false - type: object - properties: - detail: - description: Human readable detail of the service status. - type: string - documentationUrl: - description: A URL to further documentation regarding this service. - type: string - level: - description: >- - Service status levels as human and machine readable - values. - enum: - - available - - degraded - - unavailable - - critical - type: string - meta: - additionalProperties: {} - description: >- - An unstructured set of extra metadata about this - service. - type: object - summary: - description: A human readable summary of the service status. - type: string - required: - - level - - summary - - meta - required: - - elasticsearch - - savedObjects - overall: - additionalProperties: false - type: object - properties: - detail: - description: Human readable detail of the service status. - type: string - documentationUrl: - description: A URL to further documentation regarding this service. - type: string - level: - description: Service status levels as human and machine readable values. - enum: - - available - - degraded - - unavailable - - critical - type: string - meta: - additionalProperties: {} - description: An unstructured set of extra metadata about this service. - type: object - summary: - description: A human readable summary of the service status. - type: string - required: - - level - - summary - - meta - plugins: - additionalProperties: - additionalProperties: false - type: object - properties: - detail: - description: Human readable detail of the service status. - type: string - documentationUrl: - description: A URL to further documentation regarding this service. - type: string - level: - description: >- - Service status levels as human and machine readable - values. - enum: - - available - - degraded - - unavailable - - critical - type: string - meta: - additionalProperties: {} - description: An unstructured set of extra metadata about this service. - type: object - summary: - description: A human readable summary of the service status. - type: string - required: - - level - - summary - - meta - description: A dynamic mapping of plugin ID to plugin status. - type: object - required: - - overall - - core - - plugins - uuid: - description: >- - Unique, generated Kibana instance UUID. This UUID should persist - even if the Kibana process restarts. - type: string - version: - additionalProperties: false - type: object - properties: - build_date: - description: The date and time of this build. - type: string - build_flavor: - description: >- - The build flavour determines configuration and behavior of - Kibana. On premise users will almost always run the - "traditional" flavour, while other flavours are reserved for - Elastic-specific use cases. - enum: - - serverless - - traditional - type: string - build_hash: - description: >- - A unique hash value representing the git commit of this Kibana - build. - type: string - build_number: - description: >- - A monotonically increasing number, each subsequent build will - have a higher number. - type: number - build_snapshot: - description: Whether this build is a snapshot build. - type: boolean - number: - description: A semantic version number. - type: string - required: - - number - - build_hash - - build_number - - build_snapshot - - build_flavor - - build_date - required: - - name - - uuid - - version - - status - - metrics - Machine_learning_APIs_mlSync200Response: - properties: - datafeedsAdded: - additionalProperties: - $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseDatafeeds' - description: >- - If a saved object for an anomaly detection job is missing a datafeed - identifier, it is added when you run the sync machine learning saved - objects API. - type: object - datafeedsRemoved: - additionalProperties: - $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseDatafeeds' - description: >- - If a saved object for an anomaly detection job references a datafeed - that no longer exists, it is deleted when you run the sync machine - learning saved objects API. - type: object - savedObjectsCreated: - $ref: >- - #/components/schemas/Machine_learning_APIs_mlSyncResponseSavedObjectsCreated - savedObjectsDeleted: - $ref: >- - #/components/schemas/Machine_learning_APIs_mlSyncResponseSavedObjectsDeleted - title: Successful sync API response - type: object - Machine_learning_APIs_mlSync4xxResponse: - properties: - error: - example: Unauthorized - type: string - message: - type: string - statusCode: - example: 401 - type: integer - title: Unsuccessful sync API response - type: object - Machine_learning_APIs_mlSyncResponseAnomalyDetectors: - description: >- - The sync machine learning saved objects API response contains this - object when there are anomaly detection jobs affected by the - synchronization. There is an object for each relevant job, which - contains the synchronization status. - properties: - success: - $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess' - title: Sync API response for anomaly detection jobs - type: object - Machine_learning_APIs_mlSyncResponseDatafeeds: - description: >- - The sync machine learning saved objects API response contains this - object when there are datafeeds affected by the synchronization. There - is an object for each relevant datafeed, which contains the - synchronization status. - properties: - success: - $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess' - title: Sync API response for datafeeds - type: object - Machine_learning_APIs_mlSyncResponseDataFrameAnalytics: - description: >- - The sync machine learning saved objects API response contains this - object when there are data frame analytics jobs affected by the - synchronization. There is an object for each relevant job, which - contains the synchronization status. - properties: - success: - $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess' - title: Sync API response for data frame analytics jobs - type: object - Machine_learning_APIs_mlSyncResponseSavedObjectsCreated: - description: >- - If saved objects are missing for machine learning jobs or trained - models, they are created when you run the sync machine learning saved - objects API. - properties: - anomaly-detector: - additionalProperties: - $ref: >- - #/components/schemas/Machine_learning_APIs_mlSyncResponseAnomalyDetectors - description: >- - If saved objects are missing for anomaly detection jobs, they are - created. - type: object - data-frame-analytics: - additionalProperties: - $ref: >- - #/components/schemas/Machine_learning_APIs_mlSyncResponseDataFrameAnalytics - description: >- - If saved objects are missing for data frame analytics jobs, they are - created. - type: object - trained-model: - additionalProperties: - $ref: >- - #/components/schemas/Machine_learning_APIs_mlSyncResponseTrainedModels - description: 'If saved objects are missing for trained models, they are created.' - type: object - title: Sync API response for created saved objects - type: object - Machine_learning_APIs_mlSyncResponseSavedObjectsDeleted: - description: >- - If saved objects exist for machine learning jobs or trained models that - no longer exist, they are deleted when you run the sync machine learning - saved objects API. - properties: - anomaly-detector: - additionalProperties: - $ref: >- - #/components/schemas/Machine_learning_APIs_mlSyncResponseAnomalyDetectors - description: >- - If there are saved objects exist for nonexistent anomaly detection - jobs, they are deleted. - type: object - data-frame-analytics: - additionalProperties: - $ref: >- - #/components/schemas/Machine_learning_APIs_mlSyncResponseDataFrameAnalytics - description: >- - If there are saved objects exist for nonexistent data frame - analytics jobs, they are deleted. - type: object - trained-model: - additionalProperties: - $ref: >- - #/components/schemas/Machine_learning_APIs_mlSyncResponseTrainedModels - description: >- - If there are saved objects exist for nonexistent trained models, - they are deleted. - type: object - title: Sync API response for deleted saved objects - type: object - Machine_learning_APIs_mlSyncResponseSuccess: - description: The success or failure of the synchronization. - type: boolean - Machine_learning_APIs_mlSyncResponseTrainedModels: - description: >- - The sync machine learning saved objects API response contains this - object when there are trained models affected by the synchronization. - There is an object for each relevant trained model, which contains the - synchronization status. - properties: - success: - $ref: '#/components/schemas/Machine_learning_APIs_mlSyncResponseSuccess' - title: Sync API response for trained models - type: object - Security_AI_Assistant_API_AnonymizationFieldCreateProps: - type: object - properties: - allowed: - type: boolean - anonymized: - type: boolean - field: - type: string - required: - - field - Security_AI_Assistant_API_AnonymizationFieldDetailsInError: - type: object - properties: - id: - type: string - name: - type: string - required: - - id - Security_AI_Assistant_API_AnonymizationFieldResponse: - type: object - properties: - allowed: - type: boolean - anonymized: - type: boolean - createdAt: - type: string - createdBy: - type: string - field: - type: string - id: - $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' - namespace: - description: Kibana space - type: string - timestamp: - $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' - updatedAt: - type: string - updatedBy: - type: string - required: - - id - - field - Security_AI_Assistant_API_AnonymizationFieldsBulkActionSkipReason: - enum: - - ANONYMIZATION_FIELD_NOT_MODIFIED - type: string - Security_AI_Assistant_API_AnonymizationFieldsBulkActionSkipResult: - type: object - properties: - id: - type: string - name: - type: string - skip_reason: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkActionSkipReason - required: - - id - - skip_reason - Security_AI_Assistant_API_AnonymizationFieldsBulkCrudActionResponse: - type: object - properties: - anonymization_fields_count: - type: integer - attributes: - type: object - properties: - errors: - items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_NormalizedAnonymizationFieldError - type: array - results: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkCrudActionResults - summary: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_BulkCrudActionSummary - required: - - results - - summary - message: - type: string - status_code: - type: integer - success: - type: boolean - required: - - attributes - Security_AI_Assistant_API_AnonymizationFieldsBulkCrudActionResults: - type: object - properties: - created: - items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse - type: array - deleted: - items: - type: string - type: array - skipped: - items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldsBulkActionSkipResult - type: array - updated: - items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldResponse - type: array - required: - - updated - - created - - deleted - - skipped - Security_AI_Assistant_API_AnonymizationFieldUpdateProps: - type: object - properties: - allowed: - type: boolean - anonymized: - type: boolean - id: - type: string - required: - - id - Security_AI_Assistant_API_ApiConfig: - type: object - properties: - actionTypeId: - description: action type id - type: string - connectorId: - description: connector id - type: string - defaultSystemPromptId: - description: defaultSystemPromptId - type: string - model: - description: model - type: string - provider: - $ref: '#/components/schemas/Security_AI_Assistant_API_Provider' - description: Provider - required: - - connectorId - - actionTypeId - Security_AI_Assistant_API_BulkCrudActionSummary: - type: object - properties: - failed: - type: integer - skipped: - type: integer - succeeded: - type: integer - total: - type: integer - required: - - failed - - skipped - - succeeded - - total - Security_AI_Assistant_API_ChatCompleteProps: - type: object - properties: - connectorId: - type: string - conversationId: - type: string - isStream: - type: boolean - langSmithApiKey: - type: string - langSmithProject: - type: string - messages: - items: - $ref: '#/components/schemas/Security_AI_Assistant_API_ChatMessage' - type: array - model: - type: string - persist: - type: boolean - promptId: - type: string - responseLanguage: - type: string - required: - - messages - - persist - - connectorId - Security_AI_Assistant_API_ChatMessage: - description: AI assistant message. - type: object - properties: - content: - description: Message content. - type: string - data: - $ref: '#/components/schemas/Security_AI_Assistant_API_MessageData' - description: ECS object to attach to the context of the message. - fields_to_anonymize: - items: - type: string - type: array - role: - $ref: '#/components/schemas/Security_AI_Assistant_API_ChatMessageRole' - description: Message role. - required: - - role - Security_AI_Assistant_API_ChatMessageRole: - description: Message role. - enum: - - system - - user - - assistant - type: string - Security_AI_Assistant_API_ConversationCategory: - description: The conversation category. - enum: - - assistant - - insights - type: string - Security_AI_Assistant_API_ConversationConfidence: - description: The conversation confidence. - enum: - - low - - medium - - high - type: string - Security_AI_Assistant_API_ConversationCreateProps: - type: object - properties: - apiConfig: - $ref: '#/components/schemas/Security_AI_Assistant_API_ApiConfig' - description: LLM API configuration. - category: - $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationCategory' - description: The conversation category. - excludeFromLastConversationStorage: - description: excludeFromLastConversationStorage. - type: boolean - id: - description: The conversation id. - type: string - isDefault: - description: Is default conversation. - type: boolean - messages: - description: The conversation messages. - items: - $ref: '#/components/schemas/Security_AI_Assistant_API_Message' - type: array - replacements: - $ref: '#/components/schemas/Security_AI_Assistant_API_Replacements' - title: - description: The conversation title. - type: string - required: - - title - Security_AI_Assistant_API_ConversationResponse: - type: object - properties: - apiConfig: - $ref: '#/components/schemas/Security_AI_Assistant_API_ApiConfig' - description: LLM API configuration. - category: - $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationCategory' - description: The conversation category. - createdAt: - description: The last time conversation was updated. - type: string - excludeFromLastConversationStorage: - description: excludeFromLastConversationStorage. - type: boolean - id: - $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' - isDefault: - description: Is default conversation. - type: boolean - messages: - description: The conversation messages. - items: - $ref: '#/components/schemas/Security_AI_Assistant_API_Message' - type: array - namespace: - description: Kibana space - type: string - replacements: - $ref: '#/components/schemas/Security_AI_Assistant_API_Replacements' - summary: - $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationSummary' - timestamp: - $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' - title: - description: The conversation title. - type: string - updatedAt: - description: The last time conversation was updated. - type: string - users: - items: - $ref: '#/components/schemas/Security_AI_Assistant_API_User' - type: array - required: - - id - - title - - createdAt - - users - - namespace - - category - Security_AI_Assistant_API_ConversationSummary: - type: object - properties: - confidence: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_ConversationConfidence - description: >- - How confident you are about this being a correct and useful - learning. - content: - description: Summary text of the conversation over time. - type: string - public: - description: Define if summary is marked as publicly available. - type: boolean - timestamp: - $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' - description: The timestamp summary was updated. - Security_AI_Assistant_API_ConversationUpdateProps: - type: object - properties: - apiConfig: - $ref: '#/components/schemas/Security_AI_Assistant_API_ApiConfig' - description: LLM API configuration. - category: - $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationCategory' - description: The conversation category. - excludeFromLastConversationStorage: - description: excludeFromLastConversationStorage. - type: boolean - id: - $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' - messages: - description: The conversation messages. - items: - $ref: '#/components/schemas/Security_AI_Assistant_API_Message' - type: array - replacements: - $ref: '#/components/schemas/Security_AI_Assistant_API_Replacements' - summary: - $ref: '#/components/schemas/Security_AI_Assistant_API_ConversationSummary' - title: - description: The conversation title. - type: string - required: - - id - Security_AI_Assistant_API_FindAnonymizationFieldsSortField: - enum: - - created_at - - anonymized - - allowed - - field - - updated_at - type: string - Security_AI_Assistant_API_FindConversationsSortField: - enum: - - created_at - - is_default - - title - - updated_at - type: string - Security_AI_Assistant_API_FindPromptsSortField: - enum: - - created_at - - is_default - - name - - updated_at - type: string - Security_AI_Assistant_API_Message: - description: AI assistant conversation message. - type: object - properties: - content: - description: Message content. - type: string - isError: - description: Is error message. - type: boolean - reader: - $ref: '#/components/schemas/Security_AI_Assistant_API_Reader' - description: Message content. - role: - $ref: '#/components/schemas/Security_AI_Assistant_API_MessageRole' - description: Message role. - timestamp: - $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' - description: The timestamp message was sent or received. - traceData: - $ref: '#/components/schemas/Security_AI_Assistant_API_TraceData' - description: trace Data - required: - - timestamp - - content - - role - Security_AI_Assistant_API_MessageData: - additionalProperties: true - type: object - Security_AI_Assistant_API_MessageRole: - description: Message role. - enum: - - system - - user - - assistant - type: string - Security_AI_Assistant_API_NonEmptyString: - description: A string that is not empty and does not contain only whitespace - minLength: 1 - pattern: ^(?! *$).+$ - type: string - Security_AI_Assistant_API_NormalizedAnonymizationFieldError: - type: object - properties: - anonymization_fields: - items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_AnonymizationFieldDetailsInError - type: array - err_code: - type: string - message: - type: string - status_code: - type: integer - required: - - message - - status_code - - anonymization_fields - Security_AI_Assistant_API_NormalizedPromptError: - type: object - properties: - err_code: - type: string - message: - type: string - prompts: - items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_PromptDetailsInError - type: array - status_code: - type: integer - required: - - message - - status_code - - prompts - Security_AI_Assistant_API_PromptCreateProps: - type: object - properties: - categories: - items: - type: string - type: array - color: - type: string - consumer: - type: string - content: - type: string - isDefault: - type: boolean - isNewConversationDefault: - type: boolean - name: - type: string - promptType: - $ref: '#/components/schemas/Security_AI_Assistant_API_PromptType' - required: - - name - - content - - promptType - Security_AI_Assistant_API_PromptDetailsInError: - type: object - properties: - id: - type: string - name: - type: string - required: - - id - Security_AI_Assistant_API_PromptResponse: - type: object - properties: - categories: - items: - type: string - type: array - color: - type: string - consumer: - type: string - content: - type: string - createdAt: - type: string - createdBy: - type: string - id: - $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' - isDefault: - type: boolean - isNewConversationDefault: - type: boolean - name: - type: string - namespace: - description: Kibana space - type: string - promptType: - $ref: '#/components/schemas/Security_AI_Assistant_API_PromptType' - timestamp: - $ref: '#/components/schemas/Security_AI_Assistant_API_NonEmptyString' - updatedAt: - type: string - updatedBy: - type: string - users: - items: - $ref: '#/components/schemas/Security_AI_Assistant_API_User' - type: array - required: - - id - - name - - promptType - - content - Security_AI_Assistant_API_PromptsBulkActionSkipReason: - enum: - - PROMPT_FIELD_NOT_MODIFIED - type: string - Security_AI_Assistant_API_PromptsBulkActionSkipResult: - type: object - properties: - id: - type: string - name: - type: string - skip_reason: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_PromptsBulkActionSkipReason - required: - - id - - skip_reason - Security_AI_Assistant_API_PromptsBulkCrudActionResponse: - type: object - properties: - attributes: - type: object - properties: - errors: - items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_NormalizedPromptError - type: array - results: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_PromptsBulkCrudActionResults - summary: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_BulkCrudActionSummary - required: - - results - - summary - message: - type: string - prompts_count: - type: integer - status_code: - type: integer - success: - type: boolean - required: - - attributes - Security_AI_Assistant_API_PromptsBulkCrudActionResults: - type: object - properties: - created: - items: - $ref: '#/components/schemas/Security_AI_Assistant_API_PromptResponse' - type: array - deleted: - items: - type: string - type: array - skipped: - items: - $ref: >- - #/components/schemas/Security_AI_Assistant_API_PromptsBulkActionSkipResult - type: array - updated: - items: - $ref: '#/components/schemas/Security_AI_Assistant_API_PromptResponse' - type: array - required: - - updated - - created - - deleted - - skipped - Security_AI_Assistant_API_PromptType: - description: Prompt type - enum: - - system - - quick - type: string - Security_AI_Assistant_API_PromptUpdateProps: - type: object - properties: - categories: - items: - type: string - type: array - color: - type: string - consumer: - type: string - content: - type: string - id: - type: string - isDefault: - type: boolean - isNewConversationDefault: - type: boolean - required: - - id - Security_AI_Assistant_API_Provider: - description: Provider - enum: - - OpenAI - - Azure OpenAI - - Other - type: string - Security_AI_Assistant_API_Reader: - additionalProperties: true - type: object - Security_AI_Assistant_API_Replacements: - additionalProperties: - type: string - description: Replacements object used to anonymize/deanomymize messsages - type: object - Security_AI_Assistant_API_SortOrder: - enum: - - asc - - desc - type: string - Security_AI_Assistant_API_TraceData: - description: trace Data - type: object - properties: - traceId: - description: 'Could be any string, not necessarily a UUID' - type: string - transactionId: - description: 'Could be any string, not necessarily a UUID' - type: string - Security_AI_Assistant_API_User: - description: 'Could be any string, not necessarily a UUID' - type: object - properties: - id: - description: User id - type: string - name: - description: User name - type: string - Security_Detections_API_AlertAssignees: - type: object - properties: - add: - description: A list of users ids to assign. - items: - $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' - type: array - remove: - description: A list of users ids to unassign. - items: - $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' - type: array - required: - - add - - remove - Security_Detections_API_AlertIds: - description: A list of alerts ids. - items: - $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' - minItems: 1 - type: array - Security_Detections_API_AlertsIndex: - deprecated: true - description: (deprecated) Has no effect. - type: string - Security_Detections_API_AlertsIndexNamespace: - description: Has no effect. - type: string - Security_Detections_API_AlertsSort: - oneOf: - - $ref: '#/components/schemas/Security_Detections_API_AlertsSortCombinations' - - items: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsSortCombinations - type: array - Security_Detections_API_AlertsSortCombinations: - anyOf: - - type: string - - additionalProperties: true - type: object - Security_Detections_API_AlertStatus: - enum: - - open - - closed - - acknowledged - - in-progress - type: string - Security_Detections_API_AlertSuppression: - type: object - properties: - duration: - $ref: >- - #/components/schemas/Security_Detections_API_AlertSuppressionDuration - group_by: - $ref: '#/components/schemas/Security_Detections_API_AlertSuppressionGroupBy' - missing_fields_strategy: - $ref: >- - #/components/schemas/Security_Detections_API_AlertSuppressionMissingFieldsStrategy - required: - - group_by - Security_Detections_API_AlertSuppressionDuration: - type: object - properties: - unit: - enum: - - s - - m - - h - type: string - value: - minimum: 1 - type: integer - required: - - value - - unit - Security_Detections_API_AlertSuppressionGroupBy: - items: - type: string - maxItems: 3 - minItems: 1 - type: array - Security_Detections_API_AlertSuppressionMissingFieldsStrategy: - description: >- - Describes how alerts will be generated for documents with missing - suppress by fields: - - doNotSuppress - per each document a separate alert will be created - - suppress - only alert will be created per suppress by bucket - enum: - - doNotSuppress - - suppress - type: string - Security_Detections_API_AlertTag: - $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' - Security_Detections_API_AlertTags: - items: - $ref: '#/components/schemas/Security_Detections_API_AlertTag' - type: array - Security_Detections_API_AnomalyThreshold: - description: Anomaly threshold - minimum: 0 - type: integer - Security_Detections_API_BuildingBlockType: - description: >- - Determines if the rule acts as a building block. By default, - building-block alerts are not displayed in the UI. These rules are used - as a foundation for other rules that do generate alerts. Its value must - be default. - type: string - Security_Detections_API_BulkActionEditPayload: - anyOf: - - $ref: >- - #/components/schemas/Security_Detections_API_BulkActionEditPayloadTags - - $ref: >- - #/components/schemas/Security_Detections_API_BulkActionEditPayloadIndexPatterns - - $ref: >- - #/components/schemas/Security_Detections_API_BulkActionEditPayloadInvestigationFields - - $ref: >- - #/components/schemas/Security_Detections_API_BulkActionEditPayloadTimeline - - $ref: >- - #/components/schemas/Security_Detections_API_BulkActionEditPayloadRuleActions - - $ref: >- - #/components/schemas/Security_Detections_API_BulkActionEditPayloadSchedule - Security_Detections_API_BulkActionEditPayloadIndexPatterns: - type: object - properties: - overwrite_data_views: - type: boolean - type: - enum: - - add_index_patterns - - delete_index_patterns - - set_index_patterns - type: string - value: - $ref: '#/components/schemas/Security_Detections_API_IndexPatternArray' - required: - - type - - value - Security_Detections_API_BulkActionEditPayloadInvestigationFields: - type: object - properties: - type: - enum: - - add_investigation_fields - - delete_investigation_fields - - set_investigation_fields - type: string - value: - $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' - required: - - type - - value - Security_Detections_API_BulkActionEditPayloadRuleActions: - type: object - properties: - type: - enum: - - add_rule_actions - - set_rule_actions - type: string - value: - type: object - properties: - actions: - items: - $ref: >- - #/components/schemas/Security_Detections_API_NormalizedRuleAction - type: array - throttle: - $ref: >- - #/components/schemas/Security_Detections_API_ThrottleForBulkActions - required: - - actions - required: - - type - - value - Security_Detections_API_BulkActionEditPayloadSchedule: - type: object - properties: - type: - enum: - - set_schedule - type: string - value: - type: object - properties: - interval: - description: >- - Interval in which the rule runs. For example, `"1h"` means the - rule runs every hour. - example: 1h - pattern: '^[1-9]\d*[smh]$' - type: string - lookback: - description: Lookback time for the rule - example: 1h - pattern: '^[1-9]\d*[smh]$' - type: string - required: - - interval - - lookback - required: - - type - - value - Security_Detections_API_BulkActionEditPayloadTags: - type: object - properties: - type: - enum: - - add_tags - - delete_tags - - set_tags - type: string - value: - $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' - required: - - type - - value - Security_Detections_API_BulkActionEditPayloadTimeline: - type: object - properties: - type: - enum: - - set_timeline - type: string - value: - type: object - properties: - timeline_id: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' - timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle - required: - - timeline_id - - timeline_title - required: - - type - - value - Security_Detections_API_BulkActionsDryRunErrCode: - enum: - - IMMUTABLE - - MACHINE_LEARNING_AUTH - - MACHINE_LEARNING_INDEX_PATTERN - - ESQL_INDEX_PATTERN - - MANUAL_RULE_RUN_FEATURE - - MANUAL_RULE_RUN_DISABLED_RULE - type: string - Security_Detections_API_BulkActionSkipResult: - type: object - properties: - id: - type: string - name: - type: string - skip_reason: - $ref: '#/components/schemas/Security_Detections_API_BulkEditSkipReason' - required: - - id - - skip_reason - Security_Detections_API_BulkDeleteRules: - type: object - properties: - action: - enum: - - delete - type: string - ids: - description: Array of rule IDs - items: - type: string - minItems: 1 - type: array - query: - description: Query to filter rules - type: string - required: - - action - Security_Detections_API_BulkDisableRules: - type: object - properties: - action: - enum: - - disable - type: string - ids: - description: Array of rule IDs - items: - type: string - minItems: 1 - type: array - query: - description: Query to filter rules - type: string - required: - - action - Security_Detections_API_BulkDuplicateRules: - type: object - properties: - action: - enum: - - duplicate - type: string - duplicate: - type: object - properties: - include_exceptions: - description: Whether to copy exceptions from the original rule - type: boolean - include_expired_exceptions: - description: Whether to copy expired exceptions from the original rule - type: boolean - required: - - include_exceptions - - include_expired_exceptions - ids: - description: Array of rule IDs - items: - type: string - minItems: 1 - type: array - query: - description: Query to filter rules - type: string - required: - - action - Security_Detections_API_BulkEditActionResponse: - type: object - properties: - attributes: - type: object - properties: - errors: - items: - $ref: >- - #/components/schemas/Security_Detections_API_NormalizedRuleError - type: array - results: - $ref: >- - #/components/schemas/Security_Detections_API_BulkEditActionResults - summary: - $ref: >- - #/components/schemas/Security_Detections_API_BulkEditActionSummary - required: - - results - - summary - message: - type: string - rules_count: - type: integer - status_code: - type: integer - success: - type: boolean - required: - - attributes - Security_Detections_API_BulkEditActionResults: - type: object - properties: - created: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleResponse' - type: array - deleted: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleResponse' - type: array - skipped: - items: - $ref: '#/components/schemas/Security_Detections_API_BulkActionSkipResult' - type: array - updated: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleResponse' - type: array - required: - - updated - - created - - deleted - - skipped - Security_Detections_API_BulkEditActionSummary: - type: object - properties: - failed: - type: integer - skipped: - type: integer - succeeded: - type: integer - total: - type: integer - required: - - failed - - skipped - - succeeded - - total - Security_Detections_API_BulkEditRules: - type: object - properties: - action: - enum: - - edit - type: string - edit: - description: Array of objects containing the edit operations - items: - $ref: '#/components/schemas/Security_Detections_API_BulkActionEditPayload' - minItems: 1 - type: array - ids: - description: Array of rule IDs - items: - type: string - minItems: 1 - type: array - query: - description: Query to filter rules - type: string - required: - - action - - edit - Security_Detections_API_BulkEditSkipReason: - enum: - - RULE_NOT_MODIFIED - type: string - Security_Detections_API_BulkEnableRules: - type: object - properties: - action: - enum: - - enable - type: string - ids: - description: Array of rule IDs - items: - type: string - minItems: 1 - type: array - query: - description: Query to filter rules - type: string - required: - - action - Security_Detections_API_BulkExportActionResponse: - type: string - Security_Detections_API_BulkExportRules: - type: object - properties: - action: - enum: - - export - type: string - ids: - description: Array of rule IDs - items: - type: string - minItems: 1 - type: array - query: - description: Query to filter rules - type: string - required: - - action - Security_Detections_API_BulkManualRuleRun: - type: object - properties: - action: - enum: - - run - type: string - ids: - description: Array of rule IDs - items: - type: string - minItems: 1 - type: array - query: - description: Query to filter rules - type: string - run: - type: object - properties: - end_date: - description: End date of the manual rule run - type: string - start_date: - description: Start date of the manual rule run - type: string - required: - - start_date - required: - - action - - run - Security_Detections_API_ConcurrentSearches: - minimum: 1 - type: integer - Security_Detections_API_DataViewId: - type: string - Security_Detections_API_DefaultParams: - type: object - properties: - command: - enum: - - isolate - type: string - comment: - type: string - required: - - command - Security_Detections_API_EcsMapping: - additionalProperties: - type: object - properties: - field: - type: string - value: - oneOf: - - type: string - - items: - type: string - type: array - type: object - Security_Detections_API_EndpointResponseAction: - type: object - properties: - action_type_id: - enum: - - .endpoint - type: string - params: - oneOf: - - $ref: '#/components/schemas/Security_Detections_API_DefaultParams' - - $ref: '#/components/schemas/Security_Detections_API_ProcessesParams' - required: - - action_type_id - - params - Security_Detections_API_EqlOptionalFields: - type: object - properties: - alert_suppression: - $ref: '#/components/schemas/Security_Detections_API_AlertSuppression' - data_view_id: - $ref: '#/components/schemas/Security_Detections_API_DataViewId' - event_category_override: - $ref: '#/components/schemas/Security_Detections_API_EventCategoryOverride' - filters: - $ref: '#/components/schemas/Security_Detections_API_RuleFilterArray' - index: - $ref: '#/components/schemas/Security_Detections_API_IndexPatternArray' - tiebreaker_field: - $ref: '#/components/schemas/Security_Detections_API_TiebreakerField' - timestamp_field: - $ref: '#/components/schemas/Security_Detections_API_TimestampField' - Security_Detections_API_EqlQueryLanguage: - enum: - - eql - type: string - Security_Detections_API_EqlRequiredFields: - type: object - properties: - language: - $ref: '#/components/schemas/Security_Detections_API_EqlQueryLanguage' - description: Query language to use - query: - $ref: '#/components/schemas/Security_Detections_API_RuleQuery' - description: EQL query to execute - type: - description: Rule type - enum: - - eql - type: string - required: - - type - - query - - language - Security_Detections_API_EqlRule: - allOf: - - type: object - properties: - actions: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleAction' - type: array - alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose - alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId - author: - $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' - building_block_type: - $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' - description: - $ref: '#/components/schemas/Security_Detections_API_RuleDescription' - enabled: - $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' - exceptions_list: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' - type: array - false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray - from: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' - interval: - $ref: '#/components/schemas/Security_Detections_API_RuleInterval' - investigation_fields: - $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' - license: - $ref: '#/components/schemas/Security_Detections_API_RuleLicense' - max_signals: - $ref: '#/components/schemas/Security_Detections_API_MaxSignals' - meta: - $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' - name: - $ref: '#/components/schemas/Security_Detections_API_RuleName' - namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace - note: - $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' - outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome - output_index: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' - references: - $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' - related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray - required_fields: - items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput - type: array - response_actions: - items: - $ref: '#/components/schemas/Security_Detections_API_ResponseAction' - type: array - risk_score: - $ref: '#/components/schemas/Security_Detections_API_RiskScore' - risk_score_mapping: - $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' - rule_name_override: - $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' - setup: - $ref: '#/components/schemas/Security_Detections_API_SetupGuide' - severity: - $ref: '#/components/schemas/Security_Detections_API_Severity' - severity_mapping: - $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' - tags: - $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' - threat: - $ref: '#/components/schemas/Security_Detections_API_ThreatArray' - throttle: - $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' - timeline_id: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' - timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle - timestamp_override: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' - timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled - to: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' - version: - $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - required: - - name - - description - - risk_score - - severity - - version - - tags - - enabled - - risk_score_mapping - - severity_mapping - - interval - - from - - to - - actions - - exceptions_list - - author - - false_positives - - references - - max_signals - - threat - - setup - - related_integrations - - required_fields - - $ref: '#/components/schemas/Security_Detections_API_ResponseFields' - - $ref: '#/components/schemas/Security_Detections_API_EqlRuleResponseFields' - Security_Detections_API_EqlRuleCreateFields: - allOf: - - $ref: '#/components/schemas/Security_Detections_API_EqlRequiredFields' - - $ref: '#/components/schemas/Security_Detections_API_EqlOptionalFields' - Security_Detections_API_EqlRuleCreateProps: - allOf: - - type: object - properties: - actions: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleAction' - type: array - alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose - alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId - author: - $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' - building_block_type: - $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' - description: - $ref: '#/components/schemas/Security_Detections_API_RuleDescription' - enabled: - $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' - exceptions_list: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' - type: array - false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray - from: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' - interval: - $ref: '#/components/schemas/Security_Detections_API_RuleInterval' - investigation_fields: - $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' - license: - $ref: '#/components/schemas/Security_Detections_API_RuleLicense' - max_signals: - $ref: '#/components/schemas/Security_Detections_API_MaxSignals' - meta: - $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' - name: - $ref: '#/components/schemas/Security_Detections_API_RuleName' - namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace - note: - $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' - outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome - output_index: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' - references: - $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' - related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray - required_fields: - items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput - type: array - response_actions: - items: - $ref: '#/components/schemas/Security_Detections_API_ResponseAction' - type: array - risk_score: - $ref: '#/components/schemas/Security_Detections_API_RiskScore' - risk_score_mapping: - $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' - rule_id: - $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' - rule_name_override: - $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' - setup: - $ref: '#/components/schemas/Security_Detections_API_SetupGuide' - severity: - $ref: '#/components/schemas/Security_Detections_API_Severity' - severity_mapping: - $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' - tags: - $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' - threat: - $ref: '#/components/schemas/Security_Detections_API_ThreatArray' - throttle: - $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' - timeline_id: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' - timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle - timestamp_override: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' - timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled - to: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' - version: - $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - required: - - name - - description - - risk_score - - severity - - $ref: '#/components/schemas/Security_Detections_API_EqlRuleCreateFields' - Security_Detections_API_EqlRulePatchFields: - allOf: - - type: object - properties: - language: - $ref: '#/components/schemas/Security_Detections_API_EqlQueryLanguage' - description: Query language to use - query: - $ref: '#/components/schemas/Security_Detections_API_RuleQuery' - description: EQL query to execute - type: - description: Rule type - enum: - - eql - type: string - - $ref: '#/components/schemas/Security_Detections_API_EqlOptionalFields' - Security_Detections_API_EqlRulePatchProps: - allOf: - - type: object - properties: - actions: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleAction' - type: array - alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose - alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId - author: - $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' - building_block_type: - $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' - description: - $ref: '#/components/schemas/Security_Detections_API_RuleDescription' - enabled: - $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' - exceptions_list: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' - type: array - false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray - from: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' - id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' - interval: - $ref: '#/components/schemas/Security_Detections_API_RuleInterval' - investigation_fields: - $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' - license: - $ref: '#/components/schemas/Security_Detections_API_RuleLicense' - max_signals: - $ref: '#/components/schemas/Security_Detections_API_MaxSignals' - meta: - $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' - name: - $ref: '#/components/schemas/Security_Detections_API_RuleName' - namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace - note: - $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' - outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome - output_index: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' - references: - $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' - related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray - required_fields: - items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput - type: array - response_actions: - items: - $ref: '#/components/schemas/Security_Detections_API_ResponseAction' - type: array - risk_score: - $ref: '#/components/schemas/Security_Detections_API_RiskScore' - risk_score_mapping: - $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' - rule_id: - $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' - rule_name_override: - $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' - setup: - $ref: '#/components/schemas/Security_Detections_API_SetupGuide' - severity: - $ref: '#/components/schemas/Security_Detections_API_Severity' - severity_mapping: - $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' - tags: - $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' - threat: - $ref: '#/components/schemas/Security_Detections_API_ThreatArray' - throttle: - $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' - timeline_id: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' - timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle - timestamp_override: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' - timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled - to: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' - version: - $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - - $ref: '#/components/schemas/Security_Detections_API_EqlRulePatchFields' - Security_Detections_API_EqlRuleResponseFields: - allOf: - - $ref: '#/components/schemas/Security_Detections_API_EqlRequiredFields' - - $ref: '#/components/schemas/Security_Detections_API_EqlOptionalFields' - Security_Detections_API_EqlRuleUpdateProps: - allOf: - - type: object - properties: - actions: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleAction' - type: array - alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose - alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId - author: - $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' - building_block_type: - $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' - description: - $ref: '#/components/schemas/Security_Detections_API_RuleDescription' - enabled: - $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' - exceptions_list: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' - type: array - false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray - from: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' - id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' - interval: - $ref: '#/components/schemas/Security_Detections_API_RuleInterval' - investigation_fields: - $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' - license: - $ref: '#/components/schemas/Security_Detections_API_RuleLicense' - max_signals: - $ref: '#/components/schemas/Security_Detections_API_MaxSignals' - meta: - $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' - name: - $ref: '#/components/schemas/Security_Detections_API_RuleName' - namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace - note: - $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' - outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome - output_index: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' - references: - $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' - related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray - required_fields: - items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput - type: array - response_actions: - items: - $ref: '#/components/schemas/Security_Detections_API_ResponseAction' - type: array - risk_score: - $ref: '#/components/schemas/Security_Detections_API_RiskScore' - risk_score_mapping: - $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' - rule_id: - $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' - rule_name_override: - $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' - setup: - $ref: '#/components/schemas/Security_Detections_API_SetupGuide' - severity: - $ref: '#/components/schemas/Security_Detections_API_Severity' - severity_mapping: - $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' - tags: - $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' - threat: - $ref: '#/components/schemas/Security_Detections_API_ThreatArray' - throttle: - $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' - timeline_id: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' - timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle - timestamp_override: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' - timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled - to: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' - version: - $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - required: - - name - - description - - risk_score - - severity - - $ref: '#/components/schemas/Security_Detections_API_EqlRuleCreateFields' - Security_Detections_API_ErrorSchema: - additionalProperties: false - type: object - properties: - error: - type: object - properties: - message: - type: string - status_code: - minimum: 400 - type: integer - required: - - status_code - - message - id: - type: string - item_id: - minLength: 1 - type: string - list_id: - minLength: 1 - type: string - rule_id: - $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' - required: - - error - Security_Detections_API_EsqlQueryLanguage: - enum: - - esql - type: string - Security_Detections_API_EsqlRule: - allOf: - - type: object - properties: - actions: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleAction' - type: array - alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose - alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId - author: - $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' - building_block_type: - $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' - description: - $ref: '#/components/schemas/Security_Detections_API_RuleDescription' - enabled: - $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' - exceptions_list: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' - type: array - false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray - from: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' - interval: - $ref: '#/components/schemas/Security_Detections_API_RuleInterval' - investigation_fields: - $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' - license: - $ref: '#/components/schemas/Security_Detections_API_RuleLicense' - max_signals: - $ref: '#/components/schemas/Security_Detections_API_MaxSignals' - meta: - $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' - name: - $ref: '#/components/schemas/Security_Detections_API_RuleName' - namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace - note: - $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' - outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome - output_index: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' - references: - $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' - related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray - required_fields: - items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput - type: array - response_actions: - items: - $ref: '#/components/schemas/Security_Detections_API_ResponseAction' - type: array - risk_score: - $ref: '#/components/schemas/Security_Detections_API_RiskScore' - risk_score_mapping: - $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' - rule_name_override: - $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' - setup: - $ref: '#/components/schemas/Security_Detections_API_SetupGuide' - severity: - $ref: '#/components/schemas/Security_Detections_API_Severity' - severity_mapping: - $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' - tags: - $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' - threat: - $ref: '#/components/schemas/Security_Detections_API_ThreatArray' - throttle: - $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' - timeline_id: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' - timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle - timestamp_override: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' - timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled - to: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' - version: - $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - required: - - name - - description - - risk_score - - severity - - version - - tags - - enabled - - risk_score_mapping - - severity_mapping - - interval - - from - - to - - actions - - exceptions_list - - author - - false_positives - - references - - max_signals - - threat - - setup - - related_integrations - - required_fields - - $ref: '#/components/schemas/Security_Detections_API_ResponseFields' - - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleResponseFields' - Security_Detections_API_EsqlRuleCreateFields: - allOf: - - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleOptionalFields' - - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleRequiredFields' - Security_Detections_API_EsqlRuleCreateProps: - allOf: - - type: object - properties: - actions: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleAction' - type: array - alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose - alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId - author: - $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' - building_block_type: - $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' - description: - $ref: '#/components/schemas/Security_Detections_API_RuleDescription' - enabled: - $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' - exceptions_list: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' - type: array - false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray - from: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' - interval: - $ref: '#/components/schemas/Security_Detections_API_RuleInterval' - investigation_fields: - $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' - license: - $ref: '#/components/schemas/Security_Detections_API_RuleLicense' - max_signals: - $ref: '#/components/schemas/Security_Detections_API_MaxSignals' - meta: - $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' - name: - $ref: '#/components/schemas/Security_Detections_API_RuleName' - namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace - note: - $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' - outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome - output_index: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' - references: - $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' - related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray - required_fields: - items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput - type: array - response_actions: - items: - $ref: '#/components/schemas/Security_Detections_API_ResponseAction' - type: array - risk_score: - $ref: '#/components/schemas/Security_Detections_API_RiskScore' - risk_score_mapping: - $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' - rule_id: - $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' - rule_name_override: - $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' - setup: - $ref: '#/components/schemas/Security_Detections_API_SetupGuide' - severity: - $ref: '#/components/schemas/Security_Detections_API_Severity' - severity_mapping: - $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' - tags: - $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' - threat: - $ref: '#/components/schemas/Security_Detections_API_ThreatArray' - throttle: - $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' - timeline_id: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' - timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle - timestamp_override: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' - timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled - to: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' - version: - $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - required: - - name - - description - - risk_score - - severity - - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleCreateFields' - Security_Detections_API_EsqlRuleOptionalFields: - type: object - properties: - alert_suppression: - $ref: '#/components/schemas/Security_Detections_API_AlertSuppression' - Security_Detections_API_EsqlRulePatchProps: - allOf: - - type: object - properties: - actions: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleAction' - type: array - alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose - alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId - author: - $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' - building_block_type: - $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' - description: - $ref: '#/components/schemas/Security_Detections_API_RuleDescription' - enabled: - $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' - exceptions_list: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' - type: array - false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray - from: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' - id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' - interval: - $ref: '#/components/schemas/Security_Detections_API_RuleInterval' - investigation_fields: - $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' - language: - $ref: '#/components/schemas/Security_Detections_API_EsqlQueryLanguage' - license: - $ref: '#/components/schemas/Security_Detections_API_RuleLicense' - max_signals: - $ref: '#/components/schemas/Security_Detections_API_MaxSignals' - meta: - $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' - name: - $ref: '#/components/schemas/Security_Detections_API_RuleName' - namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace - note: - $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' - outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome - output_index: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' - query: - $ref: '#/components/schemas/Security_Detections_API_RuleQuery' - description: ESQL query to execute - references: - $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' - related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray - required_fields: - items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput - type: array - response_actions: - items: - $ref: '#/components/schemas/Security_Detections_API_ResponseAction' - type: array - risk_score: - $ref: '#/components/schemas/Security_Detections_API_RiskScore' - risk_score_mapping: - $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' - rule_id: - $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' - rule_name_override: - $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' - setup: - $ref: '#/components/schemas/Security_Detections_API_SetupGuide' - severity: - $ref: '#/components/schemas/Security_Detections_API_Severity' - severity_mapping: - $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' - tags: - $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' - threat: - $ref: '#/components/schemas/Security_Detections_API_ThreatArray' - throttle: - $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' - timeline_id: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' - timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle - timestamp_override: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' - timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled - to: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' - type: - description: Rule type - enum: - - esql - type: string - version: - $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleOptionalFields' - Security_Detections_API_EsqlRuleRequiredFields: - type: object - properties: - language: - $ref: '#/components/schemas/Security_Detections_API_EsqlQueryLanguage' - query: - $ref: '#/components/schemas/Security_Detections_API_RuleQuery' - description: ESQL query to execute - type: - description: Rule type - enum: - - esql - type: string - required: - - type - - language - - query - Security_Detections_API_EsqlRuleResponseFields: - allOf: - - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleOptionalFields' - - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleRequiredFields' - Security_Detections_API_EsqlRuleUpdateProps: - allOf: - - type: object - properties: - actions: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleAction' - type: array - alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose - alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId - author: - $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' - building_block_type: - $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' - description: - $ref: '#/components/schemas/Security_Detections_API_RuleDescription' - enabled: - $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' - exceptions_list: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' - type: array - false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray - from: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' - id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' - interval: - $ref: '#/components/schemas/Security_Detections_API_RuleInterval' - investigation_fields: - $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' - license: - $ref: '#/components/schemas/Security_Detections_API_RuleLicense' - max_signals: - $ref: '#/components/schemas/Security_Detections_API_MaxSignals' - meta: - $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' - name: - $ref: '#/components/schemas/Security_Detections_API_RuleName' - namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace - note: - $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' - outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome - output_index: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' - references: - $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' - related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray - required_fields: - items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput - type: array - response_actions: - items: - $ref: '#/components/schemas/Security_Detections_API_ResponseAction' - type: array - risk_score: - $ref: '#/components/schemas/Security_Detections_API_RiskScore' - risk_score_mapping: - $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' - rule_id: - $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' - rule_name_override: - $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' - setup: - $ref: '#/components/schemas/Security_Detections_API_SetupGuide' - severity: - $ref: '#/components/schemas/Security_Detections_API_Severity' - severity_mapping: - $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' - tags: - $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' - threat: - $ref: '#/components/schemas/Security_Detections_API_ThreatArray' - throttle: - $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' - timeline_id: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' - timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle - timestamp_override: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' - timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled - to: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' - version: - $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - required: - - name - - description - - risk_score - - severity - - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleCreateFields' - Security_Detections_API_EventCategoryOverride: - type: string - Security_Detections_API_ExceptionListType: - description: The exception type - enum: - - detection - - rule_default - - endpoint - - endpoint_trusted_apps - - endpoint_events - - endpoint_host_isolation_exceptions - - endpoint_blocklists - type: string - Security_Detections_API_ExternalRuleSource: - description: >- - Type of rule source for externally sourced rules, i.e. rules that have - an external source, such as the Elastic Prebuilt rules repo. - type: object - properties: - is_customized: - $ref: >- - #/components/schemas/Security_Detections_API_IsExternalRuleCustomized - type: - enum: - - external - type: string - required: - - type - - is_customized - Security_Detections_API_FindRulesSortField: - enum: - - created_at - - createdAt - - enabled - - execution_summary.last_execution.date - - execution_summary.last_execution.metrics.execution_gap_duration_s - - execution_summary.last_execution.metrics.total_indexing_duration_ms - - execution_summary.last_execution.metrics.total_search_duration_ms - - execution_summary.last_execution.status - - name - - risk_score - - riskScore - - severity - - updated_at - - updatedAt - type: string - Security_Detections_API_HistoryWindowStart: - $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' - Security_Detections_API_IndexPatternArray: - items: - type: string - type: array - Security_Detections_API_InternalRuleSource: - description: >- - Type of rule source for internally sourced rules, i.e. created within - the Kibana apps. - type: object - properties: - type: - enum: - - internal - type: string - required: - - type - Security_Detections_API_InvestigationFields: - description: > - Schema for fields relating to investigation fields. These are user - defined fields we use to highlight - - in various features in the UI such as alert details flyout and - exceptions auto-population from alert. - - Added in PR #163235 - - Right now we only have a single field but anticipate adding more related - fields to store various - - configuration states such as `override` - where a user might say if they - want only these fields to - - display, or if they want these fields + the fields we select. When - expanding this field, it may look - - something like: - - ```typescript - - const investigationFields = z.object({ - field_names: NonEmptyArray(NonEmptyString), - override: z.boolean().optional(), - }); - - ``` - type: object - properties: - field_names: - items: - $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' - minItems: 1 - type: array - required: - - field_names - Security_Detections_API_InvestigationGuide: - description: Notes to help investigate alerts produced by the rule. - type: string - Security_Detections_API_IsExternalRuleCustomized: - description: >- - Determines whether an external/prebuilt rule has been customized by the - user (i.e. any of its fields have been modified and diverged from the - base value). - type: boolean - Security_Detections_API_IsRuleEnabled: - description: Determines whether the rule is enabled. - type: boolean - Security_Detections_API_IsRuleImmutable: - deprecated: true - description: >- - This field determines whether the rule is a prebuilt Elastic rule. It - will be replaced with the `rule_source` field. - type: boolean - Security_Detections_API_ItemsPerSearch: - minimum: 1 - type: integer - Security_Detections_API_KqlQueryLanguage: - enum: - - kuery - - lucene - type: string - Security_Detections_API_MachineLearningJobId: - description: Machine learning job ID - oneOf: - - type: string - - items: - type: string - minItems: 1 - type: array - Security_Detections_API_MachineLearningRule: - allOf: - - type: object - properties: - actions: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleAction' - type: array - alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose - alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId - author: - $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' - building_block_type: - $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' - description: - $ref: '#/components/schemas/Security_Detections_API_RuleDescription' - enabled: - $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' - exceptions_list: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' - type: array - false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray - from: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' - interval: - $ref: '#/components/schemas/Security_Detections_API_RuleInterval' - investigation_fields: - $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' - license: - $ref: '#/components/schemas/Security_Detections_API_RuleLicense' - max_signals: - $ref: '#/components/schemas/Security_Detections_API_MaxSignals' - meta: - $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' - name: - $ref: '#/components/schemas/Security_Detections_API_RuleName' - namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace - note: - $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' - outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome - output_index: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' - references: - $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' - related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray - required_fields: - items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput - type: array - response_actions: - items: - $ref: '#/components/schemas/Security_Detections_API_ResponseAction' - type: array - risk_score: - $ref: '#/components/schemas/Security_Detections_API_RiskScore' - risk_score_mapping: - $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' - rule_name_override: - $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' - setup: - $ref: '#/components/schemas/Security_Detections_API_SetupGuide' - severity: - $ref: '#/components/schemas/Security_Detections_API_Severity' - severity_mapping: - $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' - tags: - $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' - threat: - $ref: '#/components/schemas/Security_Detections_API_ThreatArray' - throttle: - $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' - timeline_id: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' - timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle - timestamp_override: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' - timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled - to: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' - version: - $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - required: - - name - - description - - risk_score - - severity - - version - - tags - - enabled - - risk_score_mapping - - severity_mapping - - interval - - from - - to - - actions - - exceptions_list - - author - - false_positives - - references - - max_signals - - threat - - setup - - related_integrations - - required_fields - - $ref: '#/components/schemas/Security_Detections_API_ResponseFields' - - $ref: >- - #/components/schemas/Security_Detections_API_MachineLearningRuleResponseFields - Security_Detections_API_MachineLearningRuleCreateFields: - allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_MachineLearningRuleRequiredFields - - $ref: >- - #/components/schemas/Security_Detections_API_MachineLearningRuleOptionalFields - Security_Detections_API_MachineLearningRuleCreateProps: - allOf: - - type: object - properties: - actions: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleAction' - type: array - alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose - alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId - author: - $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' - building_block_type: - $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' - description: - $ref: '#/components/schemas/Security_Detections_API_RuleDescription' - enabled: - $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' - exceptions_list: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' - type: array - false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray - from: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' - interval: - $ref: '#/components/schemas/Security_Detections_API_RuleInterval' - investigation_fields: - $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' - license: - $ref: '#/components/schemas/Security_Detections_API_RuleLicense' - max_signals: - $ref: '#/components/schemas/Security_Detections_API_MaxSignals' - meta: - $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' - name: - $ref: '#/components/schemas/Security_Detections_API_RuleName' - namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace - note: - $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' - outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome - output_index: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' - references: - $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' - related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray - required_fields: - items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput - type: array - response_actions: - items: - $ref: '#/components/schemas/Security_Detections_API_ResponseAction' - type: array - risk_score: - $ref: '#/components/schemas/Security_Detections_API_RiskScore' - risk_score_mapping: - $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' - rule_id: - $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' - rule_name_override: - $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' - setup: - $ref: '#/components/schemas/Security_Detections_API_SetupGuide' - severity: - $ref: '#/components/schemas/Security_Detections_API_Severity' - severity_mapping: - $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' - tags: - $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' - threat: - $ref: '#/components/schemas/Security_Detections_API_ThreatArray' - throttle: - $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' - timeline_id: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' - timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle - timestamp_override: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' - timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled - to: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' - version: - $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - required: - - name - - description - - risk_score - - severity - - $ref: >- - #/components/schemas/Security_Detections_API_MachineLearningRuleCreateFields - Security_Detections_API_MachineLearningRuleOptionalFields: - type: object - properties: - alert_suppression: - $ref: '#/components/schemas/Security_Detections_API_AlertSuppression' - Security_Detections_API_MachineLearningRulePatchFields: - allOf: - - type: object - properties: - anomaly_threshold: - $ref: '#/components/schemas/Security_Detections_API_AnomalyThreshold' - machine_learning_job_id: - $ref: >- - #/components/schemas/Security_Detections_API_MachineLearningJobId - type: - description: Rule type - enum: - - machine_learning - type: string - - $ref: >- - #/components/schemas/Security_Detections_API_MachineLearningRuleOptionalFields - Security_Detections_API_MachineLearningRulePatchProps: - allOf: - - type: object - properties: - actions: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleAction' - type: array - alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose - alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId - author: - $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' - building_block_type: - $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' - description: - $ref: '#/components/schemas/Security_Detections_API_RuleDescription' - enabled: - $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' - exceptions_list: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' - type: array - false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray - from: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' - id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' - interval: - $ref: '#/components/schemas/Security_Detections_API_RuleInterval' - investigation_fields: - $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' - license: - $ref: '#/components/schemas/Security_Detections_API_RuleLicense' - max_signals: - $ref: '#/components/schemas/Security_Detections_API_MaxSignals' - meta: - $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' - name: - $ref: '#/components/schemas/Security_Detections_API_RuleName' - namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace - note: - $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' - outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome - output_index: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' - references: - $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' - related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray - required_fields: - items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput - type: array - response_actions: - items: - $ref: '#/components/schemas/Security_Detections_API_ResponseAction' - type: array - risk_score: - $ref: '#/components/schemas/Security_Detections_API_RiskScore' - risk_score_mapping: - $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' - rule_id: - $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' - rule_name_override: - $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' - setup: - $ref: '#/components/schemas/Security_Detections_API_SetupGuide' - severity: - $ref: '#/components/schemas/Security_Detections_API_Severity' - severity_mapping: - $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' - tags: - $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' - threat: - $ref: '#/components/schemas/Security_Detections_API_ThreatArray' - throttle: - $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' - timeline_id: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' - timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle - timestamp_override: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' - timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled - to: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' - version: - $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - - $ref: >- - #/components/schemas/Security_Detections_API_MachineLearningRulePatchFields - Security_Detections_API_MachineLearningRuleRequiredFields: - type: object - properties: - anomaly_threshold: - $ref: '#/components/schemas/Security_Detections_API_AnomalyThreshold' - machine_learning_job_id: - $ref: '#/components/schemas/Security_Detections_API_MachineLearningJobId' - type: - description: Rule type - enum: - - machine_learning - type: string - required: - - type - - machine_learning_job_id - - anomaly_threshold - Security_Detections_API_MachineLearningRuleResponseFields: - allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_MachineLearningRuleRequiredFields - - $ref: >- - #/components/schemas/Security_Detections_API_MachineLearningRuleOptionalFields - Security_Detections_API_MachineLearningRuleUpdateProps: - allOf: - - type: object - properties: - actions: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleAction' - type: array - alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose - alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId - author: - $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' - building_block_type: - $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' - description: - $ref: '#/components/schemas/Security_Detections_API_RuleDescription' - enabled: - $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' - exceptions_list: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' - type: array - false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray - from: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' - id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' - interval: - $ref: '#/components/schemas/Security_Detections_API_RuleInterval' - investigation_fields: - $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' - license: - $ref: '#/components/schemas/Security_Detections_API_RuleLicense' - max_signals: - $ref: '#/components/schemas/Security_Detections_API_MaxSignals' - meta: - $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' - name: - $ref: '#/components/schemas/Security_Detections_API_RuleName' - namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace - note: - $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' - outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome - output_index: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' - references: - $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' - related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray - required_fields: - items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput - type: array - response_actions: - items: - $ref: '#/components/schemas/Security_Detections_API_ResponseAction' - type: array - risk_score: - $ref: '#/components/schemas/Security_Detections_API_RiskScore' - risk_score_mapping: - $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' - rule_id: - $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' - rule_name_override: - $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' - setup: - $ref: '#/components/schemas/Security_Detections_API_SetupGuide' - severity: - $ref: '#/components/schemas/Security_Detections_API_Severity' - severity_mapping: - $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' - tags: - $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' - threat: - $ref: '#/components/schemas/Security_Detections_API_ThreatArray' - throttle: - $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' - timeline_id: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' - timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle - timestamp_override: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' - timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled - to: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' - version: - $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - required: - - name - - description - - risk_score - - severity - - $ref: >- - #/components/schemas/Security_Detections_API_MachineLearningRuleCreateFields - Security_Detections_API_MaxSignals: - minimum: 1 - type: integer - Security_Detections_API_NewTermsFields: - items: - type: string - maxItems: 3 - minItems: 1 - type: array - Security_Detections_API_NewTermsRule: - allOf: - - type: object - properties: - actions: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleAction' - type: array - alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose - alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId - author: - $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' - building_block_type: - $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' - description: - $ref: '#/components/schemas/Security_Detections_API_RuleDescription' - enabled: - $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' - exceptions_list: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' - type: array - false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray - from: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' - interval: - $ref: '#/components/schemas/Security_Detections_API_RuleInterval' - investigation_fields: - $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' - license: - $ref: '#/components/schemas/Security_Detections_API_RuleLicense' - max_signals: - $ref: '#/components/schemas/Security_Detections_API_MaxSignals' - meta: - $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' - name: - $ref: '#/components/schemas/Security_Detections_API_RuleName' - namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace - note: - $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' - outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome - output_index: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' - references: - $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' - related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray - required_fields: - items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput - type: array - response_actions: - items: - $ref: '#/components/schemas/Security_Detections_API_ResponseAction' - type: array - risk_score: - $ref: '#/components/schemas/Security_Detections_API_RiskScore' - risk_score_mapping: - $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' - rule_name_override: - $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' - setup: - $ref: '#/components/schemas/Security_Detections_API_SetupGuide' - severity: - $ref: '#/components/schemas/Security_Detections_API_Severity' - severity_mapping: - $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' - tags: - $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' - threat: - $ref: '#/components/schemas/Security_Detections_API_ThreatArray' - throttle: - $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' - timeline_id: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' - timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle - timestamp_override: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' - timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled - to: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' - version: - $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - required: - - name - - description - - risk_score - - severity - - version - - tags - - enabled - - risk_score_mapping - - severity_mapping - - interval - - from - - to - - actions - - exceptions_list - - author - - false_positives - - references - - max_signals - - threat - - setup - - related_integrations - - required_fields - - $ref: '#/components/schemas/Security_Detections_API_ResponseFields' - - $ref: >- - #/components/schemas/Security_Detections_API_NewTermsRuleResponseFields - Security_Detections_API_NewTermsRuleCreateFields: - allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_NewTermsRuleRequiredFields - - $ref: >- - #/components/schemas/Security_Detections_API_NewTermsRuleOptionalFields - - $ref: >- - #/components/schemas/Security_Detections_API_NewTermsRuleDefaultableFields - Security_Detections_API_NewTermsRuleCreateProps: - allOf: - - type: object - properties: - actions: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleAction' - type: array - alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose - alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId - author: - $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' - building_block_type: - $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' - description: - $ref: '#/components/schemas/Security_Detections_API_RuleDescription' - enabled: - $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' - exceptions_list: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' - type: array - false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray - from: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' - interval: - $ref: '#/components/schemas/Security_Detections_API_RuleInterval' - investigation_fields: - $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' - license: - $ref: '#/components/schemas/Security_Detections_API_RuleLicense' - max_signals: - $ref: '#/components/schemas/Security_Detections_API_MaxSignals' - meta: - $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' - name: - $ref: '#/components/schemas/Security_Detections_API_RuleName' - namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace - note: - $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' - outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome - output_index: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' - references: - $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' - related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray - required_fields: - items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput - type: array - response_actions: - items: - $ref: '#/components/schemas/Security_Detections_API_ResponseAction' - type: array - risk_score: - $ref: '#/components/schemas/Security_Detections_API_RiskScore' - risk_score_mapping: - $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' - rule_id: - $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' - rule_name_override: - $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' - setup: - $ref: '#/components/schemas/Security_Detections_API_SetupGuide' - severity: - $ref: '#/components/schemas/Security_Detections_API_Severity' - severity_mapping: - $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' - tags: - $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' - threat: - $ref: '#/components/schemas/Security_Detections_API_ThreatArray' - throttle: - $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' - timeline_id: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' - timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle - timestamp_override: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' - timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled - to: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' - version: - $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - required: - - name - - description - - risk_score - - severity - - $ref: >- - #/components/schemas/Security_Detections_API_NewTermsRuleCreateFields - Security_Detections_API_NewTermsRuleDefaultableFields: - type: object - properties: - language: - $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage' - Security_Detections_API_NewTermsRuleOptionalFields: - type: object - properties: - alert_suppression: - $ref: '#/components/schemas/Security_Detections_API_AlertSuppression' - data_view_id: - $ref: '#/components/schemas/Security_Detections_API_DataViewId' - filters: - $ref: '#/components/schemas/Security_Detections_API_RuleFilterArray' - index: - $ref: '#/components/schemas/Security_Detections_API_IndexPatternArray' - Security_Detections_API_NewTermsRulePatchFields: - allOf: - - type: object - properties: - history_window_start: - $ref: '#/components/schemas/Security_Detections_API_HistoryWindowStart' - new_terms_fields: - $ref: '#/components/schemas/Security_Detections_API_NewTermsFields' - query: - $ref: '#/components/schemas/Security_Detections_API_RuleQuery' - type: - description: Rule type - enum: - - new_terms - type: string - - $ref: >- - #/components/schemas/Security_Detections_API_NewTermsRuleOptionalFields - - $ref: >- - #/components/schemas/Security_Detections_API_NewTermsRuleDefaultableFields - Security_Detections_API_NewTermsRulePatchProps: - allOf: - - type: object - properties: - actions: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleAction' - type: array - alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose - alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId - author: - $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' - building_block_type: - $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' - description: - $ref: '#/components/schemas/Security_Detections_API_RuleDescription' - enabled: - $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' - exceptions_list: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' - type: array - false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray - from: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' - id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' - interval: - $ref: '#/components/schemas/Security_Detections_API_RuleInterval' - investigation_fields: - $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' - license: - $ref: '#/components/schemas/Security_Detections_API_RuleLicense' - max_signals: - $ref: '#/components/schemas/Security_Detections_API_MaxSignals' - meta: - $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' - name: - $ref: '#/components/schemas/Security_Detections_API_RuleName' - namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace - note: - $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' - outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome - output_index: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' - references: - $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' - related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray - required_fields: - items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput - type: array - response_actions: - items: - $ref: '#/components/schemas/Security_Detections_API_ResponseAction' - type: array - risk_score: - $ref: '#/components/schemas/Security_Detections_API_RiskScore' - risk_score_mapping: - $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' - rule_id: - $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' - rule_name_override: - $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' - setup: - $ref: '#/components/schemas/Security_Detections_API_SetupGuide' - severity: - $ref: '#/components/schemas/Security_Detections_API_Severity' - severity_mapping: - $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' - tags: - $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' - threat: - $ref: '#/components/schemas/Security_Detections_API_ThreatArray' - throttle: - $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' - timeline_id: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' - timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle - timestamp_override: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' - timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled - to: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' - version: - $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - - $ref: '#/components/schemas/Security_Detections_API_NewTermsRulePatchFields' - Security_Detections_API_NewTermsRuleRequiredFields: - type: object - properties: - history_window_start: - $ref: '#/components/schemas/Security_Detections_API_HistoryWindowStart' - new_terms_fields: - $ref: '#/components/schemas/Security_Detections_API_NewTermsFields' - query: - $ref: '#/components/schemas/Security_Detections_API_RuleQuery' - type: - description: Rule type - enum: - - new_terms - type: string - required: - - type - - query - - new_terms_fields - - history_window_start - Security_Detections_API_NewTermsRuleResponseFields: - allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_NewTermsRuleRequiredFields - - $ref: >- - #/components/schemas/Security_Detections_API_NewTermsRuleOptionalFields - - type: object - properties: - language: - $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage' - required: - - language - Security_Detections_API_NewTermsRuleUpdateProps: - allOf: - - type: object - properties: - actions: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleAction' - type: array - alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose - alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId - author: - $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' - building_block_type: - $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' - description: - $ref: '#/components/schemas/Security_Detections_API_RuleDescription' - enabled: - $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' - exceptions_list: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' - type: array - false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray - from: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' - id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' - interval: - $ref: '#/components/schemas/Security_Detections_API_RuleInterval' - investigation_fields: - $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' - license: - $ref: '#/components/schemas/Security_Detections_API_RuleLicense' - max_signals: - $ref: '#/components/schemas/Security_Detections_API_MaxSignals' - meta: - $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' - name: - $ref: '#/components/schemas/Security_Detections_API_RuleName' - namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace - note: - $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' - outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome - output_index: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' - references: - $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' - related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray - required_fields: - items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput - type: array - response_actions: - items: - $ref: '#/components/schemas/Security_Detections_API_ResponseAction' - type: array - risk_score: - $ref: '#/components/schemas/Security_Detections_API_RiskScore' - risk_score_mapping: - $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' - rule_id: - $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' - rule_name_override: - $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' - setup: - $ref: '#/components/schemas/Security_Detections_API_SetupGuide' - severity: - $ref: '#/components/schemas/Security_Detections_API_Severity' - severity_mapping: - $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' - tags: - $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' - threat: - $ref: '#/components/schemas/Security_Detections_API_ThreatArray' - throttle: - $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' - timeline_id: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' - timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle - timestamp_override: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' - timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled - to: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' - version: - $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - required: - - name - - description - - risk_score - - severity - - $ref: >- - #/components/schemas/Security_Detections_API_NewTermsRuleCreateFields - Security_Detections_API_NonEmptyString: - description: A string that is not empty and does not contain only whitespace - minLength: 1 - pattern: ^(?! *$).+$ - type: string - Security_Detections_API_NormalizedRuleAction: - additionalProperties: false - type: object - properties: - alerts_filter: - $ref: '#/components/schemas/Security_Detections_API_RuleActionAlertsFilter' - frequency: - $ref: '#/components/schemas/Security_Detections_API_RuleActionFrequency' - group: - $ref: '#/components/schemas/Security_Detections_API_RuleActionGroup' - id: - $ref: '#/components/schemas/Security_Detections_API_RuleActionId' - params: - $ref: '#/components/schemas/Security_Detections_API_RuleActionParams' - required: - - id - - params - Security_Detections_API_NormalizedRuleError: - type: object - properties: - err_code: - $ref: >- - #/components/schemas/Security_Detections_API_BulkActionsDryRunErrCode - message: - type: string - rules: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleDetailsInError' - type: array - status_code: - type: integer - required: - - message - - status_code - - rules - Security_Detections_API_OsqueryParams: - type: object - properties: - ecs_mapping: - $ref: '#/components/schemas/Security_Detections_API_EcsMapping' - pack_id: - type: string - queries: - items: - $ref: '#/components/schemas/Security_Detections_API_OsqueryQuery' - type: array - query: - type: string - saved_query_id: - type: string - timeout: - type: number - Security_Detections_API_OsqueryQuery: - type: object - properties: - ecs_mapping: - $ref: '#/components/schemas/Security_Detections_API_EcsMapping' - id: - description: Query ID - type: string - platform: - type: string - query: - description: Query to run - type: string - removed: - type: boolean - snapshot: - type: boolean - version: - description: Query version - type: string - required: - - id - - query - Security_Detections_API_OsqueryResponseAction: - type: object - properties: - action_type_id: - enum: - - .osquery - type: string - params: - $ref: '#/components/schemas/Security_Detections_API_OsqueryParams' - required: - - action_type_id - - params - Security_Detections_API_PlatformErrorResponse: - type: object - properties: - error: - type: string - message: - type: string - statusCode: - type: integer - required: - - statusCode - - error - - message - Security_Detections_API_ProcessesParams: - type: object - properties: - command: - enum: - - kill-process - - suspend-process - type: string - comment: - type: string - config: - type: object - properties: - field: - description: Field to use instead of process.pid - type: string - overwrite: - default: true - description: Whether to overwrite field with process.pid - type: boolean - required: - - field - required: - - command - - config - Security_Detections_API_QueryRule: - allOf: - - type: object - properties: - actions: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleAction' - type: array - alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose - alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId - author: - $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' - building_block_type: - $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' - description: - $ref: '#/components/schemas/Security_Detections_API_RuleDescription' - enabled: - $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' - exceptions_list: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' - type: array - false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray - from: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' - interval: - $ref: '#/components/schemas/Security_Detections_API_RuleInterval' - investigation_fields: - $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' - license: - $ref: '#/components/schemas/Security_Detections_API_RuleLicense' - max_signals: - $ref: '#/components/schemas/Security_Detections_API_MaxSignals' - meta: - $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' - name: - $ref: '#/components/schemas/Security_Detections_API_RuleName' - namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace - note: - $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' - outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome - output_index: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' - references: - $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' - related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray - required_fields: - items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput - type: array - response_actions: - items: - $ref: '#/components/schemas/Security_Detections_API_ResponseAction' - type: array - risk_score: - $ref: '#/components/schemas/Security_Detections_API_RiskScore' - risk_score_mapping: - $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' - rule_name_override: - $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' - setup: - $ref: '#/components/schemas/Security_Detections_API_SetupGuide' - severity: - $ref: '#/components/schemas/Security_Detections_API_Severity' - severity_mapping: - $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' - tags: - $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' - threat: - $ref: '#/components/schemas/Security_Detections_API_ThreatArray' - throttle: - $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' - timeline_id: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' - timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle - timestamp_override: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' - timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled - to: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' - version: - $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - required: - - name - - description - - risk_score - - severity - - version - - tags - - enabled - - risk_score_mapping - - severity_mapping - - interval - - from - - to - - actions - - exceptions_list - - author - - false_positives - - references - - max_signals - - threat - - setup - - related_integrations - - required_fields - - $ref: '#/components/schemas/Security_Detections_API_ResponseFields' - - $ref: '#/components/schemas/Security_Detections_API_QueryRuleResponseFields' - Security_Detections_API_QueryRuleCreateFields: - allOf: - - $ref: '#/components/schemas/Security_Detections_API_QueryRuleRequiredFields' - - $ref: '#/components/schemas/Security_Detections_API_QueryRuleOptionalFields' - - $ref: >- - #/components/schemas/Security_Detections_API_QueryRuleDefaultableFields - Security_Detections_API_QueryRuleCreateProps: - allOf: - - type: object - properties: - actions: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleAction' - type: array - alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose - alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId - author: - $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' - building_block_type: - $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' - description: - $ref: '#/components/schemas/Security_Detections_API_RuleDescription' - enabled: - $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' - exceptions_list: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' - type: array - false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray - from: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' - interval: - $ref: '#/components/schemas/Security_Detections_API_RuleInterval' - investigation_fields: - $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' - license: - $ref: '#/components/schemas/Security_Detections_API_RuleLicense' - max_signals: - $ref: '#/components/schemas/Security_Detections_API_MaxSignals' - meta: - $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' - name: - $ref: '#/components/schemas/Security_Detections_API_RuleName' - namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace - note: - $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' - outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome - output_index: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' - references: - $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' - related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray - required_fields: - items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput - type: array - response_actions: - items: - $ref: '#/components/schemas/Security_Detections_API_ResponseAction' - type: array - risk_score: - $ref: '#/components/schemas/Security_Detections_API_RiskScore' - risk_score_mapping: - $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' - rule_id: - $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' - rule_name_override: - $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' - setup: - $ref: '#/components/schemas/Security_Detections_API_SetupGuide' - severity: - $ref: '#/components/schemas/Security_Detections_API_Severity' - severity_mapping: - $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' - tags: - $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' - threat: - $ref: '#/components/schemas/Security_Detections_API_ThreatArray' - throttle: - $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' - timeline_id: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' - timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle - timestamp_override: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' - timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled - to: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' - version: - $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - required: - - name - - description - - risk_score - - severity - - $ref: '#/components/schemas/Security_Detections_API_QueryRuleCreateFields' - Security_Detections_API_QueryRuleDefaultableFields: - type: object - properties: - language: - $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage' - query: - $ref: '#/components/schemas/Security_Detections_API_RuleQuery' - Security_Detections_API_QueryRuleOptionalFields: - type: object - properties: - alert_suppression: - $ref: '#/components/schemas/Security_Detections_API_AlertSuppression' - data_view_id: - $ref: '#/components/schemas/Security_Detections_API_DataViewId' - filters: - $ref: '#/components/schemas/Security_Detections_API_RuleFilterArray' - index: - $ref: '#/components/schemas/Security_Detections_API_IndexPatternArray' - saved_id: - $ref: '#/components/schemas/Security_Detections_API_SavedQueryId' - Security_Detections_API_QueryRulePatchFields: - allOf: - - type: object - properties: - type: - description: Rule type - enum: - - query - type: string - - $ref: '#/components/schemas/Security_Detections_API_QueryRuleOptionalFields' - - $ref: >- - #/components/schemas/Security_Detections_API_QueryRuleDefaultableFields - Security_Detections_API_QueryRulePatchProps: - allOf: - - type: object - properties: - actions: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleAction' - type: array - alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose - alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId - author: - $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' - building_block_type: - $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' - description: - $ref: '#/components/schemas/Security_Detections_API_RuleDescription' - enabled: - $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' - exceptions_list: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' - type: array - false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray - from: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' - id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' - interval: - $ref: '#/components/schemas/Security_Detections_API_RuleInterval' - investigation_fields: - $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' - license: - $ref: '#/components/schemas/Security_Detections_API_RuleLicense' - max_signals: - $ref: '#/components/schemas/Security_Detections_API_MaxSignals' - meta: - $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' - name: - $ref: '#/components/schemas/Security_Detections_API_RuleName' - namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace - note: - $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' - outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome - output_index: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' - references: - $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' - related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray - required_fields: - items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput - type: array - response_actions: - items: - $ref: '#/components/schemas/Security_Detections_API_ResponseAction' - type: array - risk_score: - $ref: '#/components/schemas/Security_Detections_API_RiskScore' - risk_score_mapping: - $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' - rule_id: - $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' - rule_name_override: - $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' - setup: - $ref: '#/components/schemas/Security_Detections_API_SetupGuide' - severity: - $ref: '#/components/schemas/Security_Detections_API_Severity' - severity_mapping: - $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' - tags: - $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' - threat: - $ref: '#/components/schemas/Security_Detections_API_ThreatArray' - throttle: - $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' - timeline_id: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' - timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle - timestamp_override: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' - timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled - to: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' - version: - $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - - $ref: '#/components/schemas/Security_Detections_API_QueryRulePatchFields' - Security_Detections_API_QueryRuleRequiredFields: - type: object - properties: - type: - description: Rule type - enum: - - query - type: string - required: - - type - Security_Detections_API_QueryRuleResponseFields: - allOf: - - $ref: '#/components/schemas/Security_Detections_API_QueryRuleRequiredFields' - - $ref: '#/components/schemas/Security_Detections_API_QueryRuleOptionalFields' - - type: object - properties: - language: - $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage' - query: - $ref: '#/components/schemas/Security_Detections_API_RuleQuery' - required: - - query - - language - Security_Detections_API_QueryRuleUpdateProps: - allOf: - - type: object - properties: - actions: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleAction' - type: array - alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose - alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId - author: - $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' - building_block_type: - $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' - description: - $ref: '#/components/schemas/Security_Detections_API_RuleDescription' - enabled: - $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' - exceptions_list: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' - type: array - false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray - from: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' - id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' - interval: - $ref: '#/components/schemas/Security_Detections_API_RuleInterval' - investigation_fields: - $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' - license: - $ref: '#/components/schemas/Security_Detections_API_RuleLicense' - max_signals: - $ref: '#/components/schemas/Security_Detections_API_MaxSignals' - meta: - $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' - name: - $ref: '#/components/schemas/Security_Detections_API_RuleName' - namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace - note: - $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' - outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome - output_index: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' - references: - $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' - related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray - required_fields: - items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput - type: array - response_actions: - items: - $ref: '#/components/schemas/Security_Detections_API_ResponseAction' - type: array - risk_score: - $ref: '#/components/schemas/Security_Detections_API_RiskScore' - risk_score_mapping: - $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' - rule_id: - $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' - rule_name_override: - $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' - setup: - $ref: '#/components/schemas/Security_Detections_API_SetupGuide' - severity: - $ref: '#/components/schemas/Security_Detections_API_Severity' - severity_mapping: - $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' - tags: - $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' - threat: - $ref: '#/components/schemas/Security_Detections_API_ThreatArray' - throttle: - $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' - timeline_id: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' - timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle - timestamp_override: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' - timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled - to: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' - version: - $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - required: - - name - - description - - risk_score - - severity - - $ref: '#/components/schemas/Security_Detections_API_QueryRuleCreateFields' - Security_Detections_API_RelatedIntegration: - description: > - Related integration is a potential dependency of a rule. It's assumed - that if the user installs - - one of the related integrations of a rule, the rule might start to work - properly because it will - - have source events (generated by this integration) potentially matching - the rule's query. - - - NOTE: Proper work is not guaranteed, because a related integration, if - installed, can be - - configured differently or generate data that is not necessarily relevant - for this rule. - - - Related integration is a combination of a Fleet package and (optionally) - one of the - - package's "integrations" that this package contains. It is represented - by 3 properties: - - - - `package`: name of the package (required, unique id) - - - `version`: version of the package (required, semver-compatible) - - - `integration`: name of the integration of this package (optional, id - within the package) - - - There are Fleet packages like `windows` that contain only one - integration; in this case, - - `integration` should be unspecified. There are also packages like `aws` - and `azure` that contain - - several integrations; in this case, `integration` should be specified. - - - @example - - const x: RelatedIntegration = { - package: 'windows', - version: '1.5.x', - }; - - - @example - - const x: RelatedIntegration = { - package: 'azure', - version: '~1.1.6', - integration: 'activitylogs', - }; - type: object - properties: - integration: - $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' - package: - $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' - version: - $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' - required: - - package - - version - Security_Detections_API_RelatedIntegrationArray: - items: - $ref: '#/components/schemas/Security_Detections_API_RelatedIntegration' - type: array - Security_Detections_API_RequiredField: - description: > - Describes an Elasticsearch field that is needed for the rule to - function. - - - Almost all types of Security rules check source event documents for a - match to some kind of - - query or filter. If a document has certain field with certain values, - then it's a match and - - the rule will generate an alert. - - - Required field is an event field that must be present in the source - indices of a given rule. - - - @example - - const standardEcsField: RequiredField = { - name: 'event.action', - type: 'keyword', - ecs: true, - }; - - - @example - - const nonEcsField: RequiredField = { - name: 'winlog.event_data.AttributeLDAPDisplayName', - type: 'keyword', - ecs: false, - }; - type: object - properties: - ecs: - description: Whether the field is an ECS field - type: boolean - name: - $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' - description: Name of an Elasticsearch field - type: - $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' - description: Type of the Elasticsearch field - required: - - name - - type - - ecs - Security_Detections_API_RequiredFieldArray: - items: - $ref: '#/components/schemas/Security_Detections_API_RequiredField' - type: array - Security_Detections_API_RequiredFieldInput: - description: >- - Input parameters to create a RequiredField. Does not include the `ecs` - field, because `ecs` is calculated on the backend based on the field - name and type. - type: object - properties: - name: - $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' - description: Name of an Elasticsearch field - type: - $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' - description: Type of an Elasticsearch field - required: - - name - - type - Security_Detections_API_ResponseAction: - oneOf: - - $ref: '#/components/schemas/Security_Detections_API_OsqueryResponseAction' - - $ref: '#/components/schemas/Security_Detections_API_EndpointResponseAction' - Security_Detections_API_ResponseFields: - type: object - properties: - created_at: - format: date-time - type: string - created_by: - type: string - execution_summary: - $ref: '#/components/schemas/Security_Detections_API_RuleExecutionSummary' - id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' - immutable: - $ref: '#/components/schemas/Security_Detections_API_IsRuleImmutable' - required_fields: - $ref: '#/components/schemas/Security_Detections_API_RequiredFieldArray' - revision: - minimum: 0 - type: integer - rule_id: - $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' - rule_source: - $ref: '#/components/schemas/Security_Detections_API_RuleSource' - updated_at: - format: date-time - type: string - updated_by: - type: string - required: - - id - - rule_id - - immutable - - rule_source - - updated_at - - updated_by - - created_at - - created_by - - revision - - related_integrations - - required_fields - Security_Detections_API_RiskScore: - description: Risk score (0 to 100) - maximum: 100 - minimum: 0 - type: integer - Security_Detections_API_RiskScoreMapping: - description: >- - Overrides generated alerts' risk_score with a value from the source - event - items: - type: object - properties: - field: - type: string - operator: - enum: - - equals - type: string - risk_score: - $ref: '#/components/schemas/Security_Detections_API_RiskScore' - value: - type: string - required: - - field - - operator - - value - type: array - Security_Detections_API_RuleAction: - type: object - properties: - action_type_id: - description: The action type used for sending notifications. - type: string - alerts_filter: - $ref: '#/components/schemas/Security_Detections_API_RuleActionAlertsFilter' - frequency: - $ref: '#/components/schemas/Security_Detections_API_RuleActionFrequency' - group: - $ref: '#/components/schemas/Security_Detections_API_RuleActionGroup' - id: - $ref: '#/components/schemas/Security_Detections_API_RuleActionId' - params: - $ref: '#/components/schemas/Security_Detections_API_RuleActionParams' - uuid: - $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' - required: - - action_type_id - - id - - params - Security_Detections_API_RuleActionAlertsFilter: - additionalProperties: true - type: object - Security_Detections_API_RuleActionFrequency: - description: >- - The action frequency defines when the action runs (for example, only on - rule execution or at specific time intervals). - type: object - properties: - notifyWhen: - $ref: '#/components/schemas/Security_Detections_API_RuleActionNotifyWhen' - summary: - description: >- - Action summary indicates whether we will send a summary notification - about all the generate alerts or notification per individual alert - type: boolean - throttle: - $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' - nullable: true - required: - - summary - - notifyWhen - - throttle - Security_Detections_API_RuleActionGroup: - description: >- - Optionally groups actions by use cases. Use `default` for alert - notifications. - type: string - Security_Detections_API_RuleActionId: - description: The connector ID. - type: string - Security_Detections_API_RuleActionNotifyWhen: - description: >- - The condition for throttling the notification: `onActionGroupChange`, - `onActiveAlert`, or `onThrottleInterval` - enum: - - onActiveAlert - - onThrottleInterval - - onActionGroupChange - type: string - Security_Detections_API_RuleActionParams: - additionalProperties: true - description: >- - Object containing the allowed connector fields, which varies according - to the connector type. - type: object - Security_Detections_API_RuleActionThrottle: - description: Defines how often rule actions are taken. - oneOf: - - enum: - - no_actions - - rule - type: string - - description: 'Time interval in seconds, minutes, hours, or days.' - example: 1h - pattern: '^[1-9]\d*[smhd]$' - type: string - Security_Detections_API_RuleAuthorArray: - items: - type: string - type: array - Security_Detections_API_RuleCreateProps: - anyOf: - - $ref: '#/components/schemas/Security_Detections_API_EqlRuleCreateProps' - - $ref: '#/components/schemas/Security_Detections_API_QueryRuleCreateProps' - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleCreateProps - - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdRuleCreateProps - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleCreateProps - - $ref: >- - #/components/schemas/Security_Detections_API_MachineLearningRuleCreateProps - - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleCreateProps' - - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleCreateProps' - discriminator: - propertyName: type - Security_Detections_API_RuleDescription: - minLength: 1 - type: string - Security_Detections_API_RuleDetailsInError: - type: object - properties: - id: - type: string - name: - type: string - required: - - id - Security_Detections_API_RuleExceptionList: - type: object - properties: - id: - $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' - description: ID of the exception container - list_id: - $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' - description: List ID of the exception container - namespace_type: - description: Determines the exceptions validity in rule's Kibana space - enum: - - agnostic - - single - type: string - type: - $ref: '#/components/schemas/Security_Detections_API_ExceptionListType' - required: - - id - - list_id - - type - - namespace_type - Security_Detections_API_RuleExecutionMetrics: - type: object - properties: - execution_gap_duration_s: - description: Duration in seconds of execution gap - minimum: 0 - type: integer - total_enrichment_duration_ms: - description: >- - Total time spent enriching documents during current rule execution - cycle - minimum: 0 - type: integer - total_indexing_duration_ms: - description: >- - Total time spent indexing documents during current rule execution - cycle - minimum: 0 - type: integer - total_search_duration_ms: - description: >- - Total time spent performing ES searches as measured by Kibana; - includes network latency and time spent serializing/deserializing - request/response - minimum: 0 - type: integer - Security_Detections_API_RuleExecutionStatus: - description: >- - Custom execution status of Security rules that is different from the - status used in the Alerting Framework. We merge our custom status with - the Framework's status to determine the resulting status of a rule. - - - going to run - @deprecated Replaced by the 'running' status but left - for backwards compatibility with rule execution events already written - to Event Log in the prior versions of Kibana. Don't use when writing - rule status changes. - - - running - Rule execution started but not reached any intermediate or - final status. - - - partial failure - Rule can partially fail for various reasons either - in the middle of an execution (in this case we update its status right - away) or in the end of it. So currently this status can be both - intermediate and final at the same time. A typical reason for a partial - failure: not all the indices that the rule searches over actually exist. - - - failed - Rule failed to execute due to unhandled exception or a reason - defined in the business logic of its executor function. - - - succeeded - Rule executed successfully without any issues. Note: this - status is just an indication of a rule's "health". The rule might or - might not generate any alerts despite of it. - enum: - - going to run - - running - - partial failure - - failed - - succeeded - type: string - Security_Detections_API_RuleExecutionStatusOrder: - type: integer - Security_Detections_API_RuleExecutionSummary: - type: object - properties: - last_execution: - type: object - properties: - date: - description: Date of the last execution - format: date-time - type: string - message: - type: string - metrics: - $ref: >- - #/components/schemas/Security_Detections_API_RuleExecutionMetrics - status: - $ref: '#/components/schemas/Security_Detections_API_RuleExecutionStatus' - description: Status of the last execution - status_order: - $ref: >- - #/components/schemas/Security_Detections_API_RuleExecutionStatusOrder - required: - - date - - status - - status_order - - message - - metrics - required: - - last_execution - Security_Detections_API_RuleFalsePositiveArray: - items: - type: string - type: array - Security_Detections_API_RuleFilterArray: - items: {} - type: array - Security_Detections_API_RuleInterval: - description: >- - Frequency of rule execution, using a date math range. For example, "1h" - means the rule runs every hour. Defaults to 5m (5 minutes). - type: string - Security_Detections_API_RuleIntervalFrom: - description: >- - Time from which data is analyzed each time the rule runs, using a date - math range. For example, now-4200s means the rule analyzes data from 70 - minutes before its start time. Defaults to now-6m (analyzes data from 6 - minutes before the start time). - format: date-math - type: string - Security_Detections_API_RuleIntervalTo: - type: string - Security_Detections_API_RuleLicense: - description: The rule's license. - type: string - Security_Detections_API_RuleMetadata: - additionalProperties: true - type: object - Security_Detections_API_RuleName: - minLength: 1 - type: string - Security_Detections_API_RuleNameOverride: - description: Sets the source field for the alert's signal.rule.name value - type: string - Security_Detections_API_RuleObjectId: - $ref: '#/components/schemas/Security_Detections_API_UUID' - Security_Detections_API_RulePatchProps: - anyOf: - - $ref: '#/components/schemas/Security_Detections_API_EqlRulePatchProps' - - $ref: '#/components/schemas/Security_Detections_API_QueryRulePatchProps' - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRulePatchProps - - $ref: '#/components/schemas/Security_Detections_API_ThresholdRulePatchProps' - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRulePatchProps - - $ref: >- - #/components/schemas/Security_Detections_API_MachineLearningRulePatchProps - - $ref: '#/components/schemas/Security_Detections_API_NewTermsRulePatchProps' - - $ref: '#/components/schemas/Security_Detections_API_EsqlRulePatchProps' - Security_Detections_API_RulePreviewLoggedRequest: - type: object - properties: - description: - $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' - duration: - type: integer - request: - $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' - required: - - request - Security_Detections_API_RulePreviewLogs: - type: object - properties: - duration: - description: Execution duration in milliseconds - type: integer - errors: - items: - $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' - type: array - requests: - items: - $ref: >- - #/components/schemas/Security_Detections_API_RulePreviewLoggedRequest - type: array - startedAt: - $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' - warnings: - items: - $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' - type: array - required: - - errors - - warnings - - duration - Security_Detections_API_RulePreviewParams: - type: object - properties: - invocationCount: - type: integer - timeframeEnd: - format: date-time - type: string - required: - - invocationCount - - timeframeEnd - Security_Detections_API_RuleQuery: - type: string - Security_Detections_API_RuleReferenceArray: - items: - type: string - type: array - Security_Detections_API_RuleResponse: - anyOf: - - $ref: '#/components/schemas/Security_Detections_API_EqlRule' - - $ref: '#/components/schemas/Security_Detections_API_QueryRule' - - $ref: '#/components/schemas/Security_Detections_API_SavedQueryRule' - - $ref: '#/components/schemas/Security_Detections_API_ThresholdRule' - - $ref: '#/components/schemas/Security_Detections_API_ThreatMatchRule' - - $ref: '#/components/schemas/Security_Detections_API_MachineLearningRule' - - $ref: '#/components/schemas/Security_Detections_API_NewTermsRule' - - $ref: '#/components/schemas/Security_Detections_API_EsqlRule' - discriminator: - propertyName: type - Security_Detections_API_RuleSignatureId: - description: 'Could be any string, not necessarily a UUID' - type: string - Security_Detections_API_RuleSource: - description: >- - Discriminated union that determines whether the rule is internally - sourced (created within the Kibana app) or has an external source, such - as the Elastic Prebuilt rules repo. - discriminator: - propertyName: type - oneOf: - - $ref: '#/components/schemas/Security_Detections_API_ExternalRuleSource' - - $ref: '#/components/schemas/Security_Detections_API_InternalRuleSource' - Security_Detections_API_RuleTagArray: - description: >- - String array containing words and phrases to help categorize, filter, - and search rules. Defaults to an empty array. - items: - type: string - type: array - Security_Detections_API_RuleUpdateProps: - anyOf: - - $ref: '#/components/schemas/Security_Detections_API_EqlRuleUpdateProps' - - $ref: '#/components/schemas/Security_Detections_API_QueryRuleUpdateProps' - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleUpdateProps - - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdRuleUpdateProps - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleUpdateProps - - $ref: >- - #/components/schemas/Security_Detections_API_MachineLearningRuleUpdateProps - - $ref: '#/components/schemas/Security_Detections_API_NewTermsRuleUpdateProps' - - $ref: '#/components/schemas/Security_Detections_API_EsqlRuleUpdateProps' - discriminator: - propertyName: type - Security_Detections_API_RuleVersion: - description: The rule's version number. - minimum: 1 - type: integer - Security_Detections_API_SavedObjectResolveAliasPurpose: - enum: - - savedObjectConversion - - savedObjectImport - type: string - Security_Detections_API_SavedObjectResolveAliasTargetId: - type: string - Security_Detections_API_SavedObjectResolveOutcome: - enum: - - exactMatch - - aliasMatch - - conflict - type: string - Security_Detections_API_SavedQueryId: - type: string - Security_Detections_API_SavedQueryRule: - allOf: - - type: object - properties: - actions: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleAction' - type: array - alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose - alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId - author: - $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' - building_block_type: - $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' - description: - $ref: '#/components/schemas/Security_Detections_API_RuleDescription' - enabled: - $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' - exceptions_list: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' - type: array - false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray - from: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' - interval: - $ref: '#/components/schemas/Security_Detections_API_RuleInterval' - investigation_fields: - $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' - license: - $ref: '#/components/schemas/Security_Detections_API_RuleLicense' - max_signals: - $ref: '#/components/schemas/Security_Detections_API_MaxSignals' - meta: - $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' - name: - $ref: '#/components/schemas/Security_Detections_API_RuleName' - namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace - note: - $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' - outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome - output_index: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' - references: - $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' - related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray - required_fields: - items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput - type: array - response_actions: - items: - $ref: '#/components/schemas/Security_Detections_API_ResponseAction' - type: array - risk_score: - $ref: '#/components/schemas/Security_Detections_API_RiskScore' - risk_score_mapping: - $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' - rule_name_override: - $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' - setup: - $ref: '#/components/schemas/Security_Detections_API_SetupGuide' - severity: - $ref: '#/components/schemas/Security_Detections_API_Severity' - severity_mapping: - $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' - tags: - $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' - threat: - $ref: '#/components/schemas/Security_Detections_API_ThreatArray' - throttle: - $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' - timeline_id: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' - timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle - timestamp_override: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' - timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled - to: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' - version: - $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - required: - - name - - description - - risk_score - - severity - - version - - tags - - enabled - - risk_score_mapping - - severity_mapping - - interval - - from - - to - - actions - - exceptions_list - - author - - false_positives - - references - - max_signals - - threat - - setup - - related_integrations - - required_fields - - $ref: '#/components/schemas/Security_Detections_API_ResponseFields' - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleResponseFields - Security_Detections_API_SavedQueryRuleCreateFields: - allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleRequiredFields - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleOptionalFields - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleDefaultableFields - Security_Detections_API_SavedQueryRuleCreateProps: - allOf: - - type: object - properties: - actions: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleAction' - type: array - alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose - alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId - author: - $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' - building_block_type: - $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' - description: - $ref: '#/components/schemas/Security_Detections_API_RuleDescription' - enabled: - $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' - exceptions_list: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' - type: array - false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray - from: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' - interval: - $ref: '#/components/schemas/Security_Detections_API_RuleInterval' - investigation_fields: - $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' - license: - $ref: '#/components/schemas/Security_Detections_API_RuleLicense' - max_signals: - $ref: '#/components/schemas/Security_Detections_API_MaxSignals' - meta: - $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' - name: - $ref: '#/components/schemas/Security_Detections_API_RuleName' - namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace - note: - $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' - outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome - output_index: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' - references: - $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' - related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray - required_fields: - items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput - type: array - response_actions: - items: - $ref: '#/components/schemas/Security_Detections_API_ResponseAction' - type: array - risk_score: - $ref: '#/components/schemas/Security_Detections_API_RiskScore' - risk_score_mapping: - $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' - rule_id: - $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' - rule_name_override: - $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' - setup: - $ref: '#/components/schemas/Security_Detections_API_SetupGuide' - severity: - $ref: '#/components/schemas/Security_Detections_API_Severity' - severity_mapping: - $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' - tags: - $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' - threat: - $ref: '#/components/schemas/Security_Detections_API_ThreatArray' - throttle: - $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' - timeline_id: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' - timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle - timestamp_override: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' - timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled - to: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' - version: - $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - required: - - name - - description - - risk_score - - severity - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleCreateFields - Security_Detections_API_SavedQueryRuleDefaultableFields: - type: object - properties: - language: - $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage' - Security_Detections_API_SavedQueryRuleOptionalFields: - type: object - properties: - alert_suppression: - $ref: '#/components/schemas/Security_Detections_API_AlertSuppression' - data_view_id: - $ref: '#/components/schemas/Security_Detections_API_DataViewId' - filters: - $ref: '#/components/schemas/Security_Detections_API_RuleFilterArray' - index: - $ref: '#/components/schemas/Security_Detections_API_IndexPatternArray' - query: - $ref: '#/components/schemas/Security_Detections_API_RuleQuery' - Security_Detections_API_SavedQueryRulePatchFields: - allOf: - - type: object - properties: - saved_id: - $ref: '#/components/schemas/Security_Detections_API_SavedQueryId' - type: - description: Rule type - enum: - - saved_query - type: string - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleOptionalFields - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleDefaultableFields - Security_Detections_API_SavedQueryRulePatchProps: - allOf: - - type: object - properties: - actions: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleAction' - type: array - alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose - alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId - author: - $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' - building_block_type: - $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' - description: - $ref: '#/components/schemas/Security_Detections_API_RuleDescription' - enabled: - $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' - exceptions_list: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' - type: array - false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray - from: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' - id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' - interval: - $ref: '#/components/schemas/Security_Detections_API_RuleInterval' - investigation_fields: - $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' - license: - $ref: '#/components/schemas/Security_Detections_API_RuleLicense' - max_signals: - $ref: '#/components/schemas/Security_Detections_API_MaxSignals' - meta: - $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' - name: - $ref: '#/components/schemas/Security_Detections_API_RuleName' - namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace - note: - $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' - outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome - output_index: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' - references: - $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' - related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray - required_fields: - items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput - type: array - response_actions: - items: - $ref: '#/components/schemas/Security_Detections_API_ResponseAction' - type: array - risk_score: - $ref: '#/components/schemas/Security_Detections_API_RiskScore' - risk_score_mapping: - $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' - rule_id: - $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' - rule_name_override: - $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' - setup: - $ref: '#/components/schemas/Security_Detections_API_SetupGuide' - severity: - $ref: '#/components/schemas/Security_Detections_API_Severity' - severity_mapping: - $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' - tags: - $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' - threat: - $ref: '#/components/schemas/Security_Detections_API_ThreatArray' - throttle: - $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' - timeline_id: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' - timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle - timestamp_override: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' - timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled - to: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' - version: - $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRulePatchFields - Security_Detections_API_SavedQueryRuleRequiredFields: - type: object - properties: - saved_id: - $ref: '#/components/schemas/Security_Detections_API_SavedQueryId' - type: - description: Rule type - enum: - - saved_query - type: string - required: - - type - - saved_id - Security_Detections_API_SavedQueryRuleResponseFields: - allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleRequiredFields - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleOptionalFields - - type: object - properties: - language: - $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage' - required: - - language - Security_Detections_API_SavedQueryRuleUpdateProps: - allOf: - - type: object - properties: - actions: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleAction' - type: array - alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose - alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId - author: - $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' - building_block_type: - $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' - description: - $ref: '#/components/schemas/Security_Detections_API_RuleDescription' - enabled: - $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' - exceptions_list: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' - type: array - false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray - from: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' - id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' - interval: - $ref: '#/components/schemas/Security_Detections_API_RuleInterval' - investigation_fields: - $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' - license: - $ref: '#/components/schemas/Security_Detections_API_RuleLicense' - max_signals: - $ref: '#/components/schemas/Security_Detections_API_MaxSignals' - meta: - $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' - name: - $ref: '#/components/schemas/Security_Detections_API_RuleName' - namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace - note: - $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' - outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome - output_index: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' - references: - $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' - related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray - required_fields: - items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput - type: array - response_actions: - items: - $ref: '#/components/schemas/Security_Detections_API_ResponseAction' - type: array - risk_score: - $ref: '#/components/schemas/Security_Detections_API_RiskScore' - risk_score_mapping: - $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' - rule_id: - $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' - rule_name_override: - $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' - setup: - $ref: '#/components/schemas/Security_Detections_API_SetupGuide' - severity: - $ref: '#/components/schemas/Security_Detections_API_Severity' - severity_mapping: - $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' - tags: - $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' - threat: - $ref: '#/components/schemas/Security_Detections_API_ThreatArray' - throttle: - $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' - timeline_id: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' - timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle - timestamp_override: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' - timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled - to: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' - version: - $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - required: - - name - - description - - risk_score - - severity - - $ref: >- - #/components/schemas/Security_Detections_API_SavedQueryRuleCreateFields - Security_Detections_API_SetAlertsStatusByIds: - type: object - properties: - signal_ids: - items: - $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' - minItems: 1 - type: array - status: - $ref: '#/components/schemas/Security_Detections_API_AlertStatus' - required: - - signal_ids - - status - Security_Detections_API_SetAlertsStatusByQuery: - type: object - properties: - conflicts: - default: abort - enum: - - abort - - proceed - type: string - query: - additionalProperties: true - type: object - status: - $ref: '#/components/schemas/Security_Detections_API_AlertStatus' - required: - - query - - status - Security_Detections_API_SetAlertTags: - type: object - properties: - tags_to_add: - $ref: '#/components/schemas/Security_Detections_API_AlertTags' - tags_to_remove: - $ref: '#/components/schemas/Security_Detections_API_AlertTags' - required: - - tags_to_add - - tags_to_remove - Security_Detections_API_SetupGuide: - type: string - Security_Detections_API_Severity: - description: Severity of the rule - enum: - - low - - medium - - high - - critical - type: string - Security_Detections_API_SeverityMapping: - description: Overrides generated alerts' severity with values from the source event - items: - type: object - properties: - field: - type: string - operator: - enum: - - equals - type: string - severity: - $ref: '#/components/schemas/Security_Detections_API_Severity' - value: - type: string - required: - - field - - operator - - severity - - value - type: array - Security_Detections_API_SiemErrorResponse: - type: object - properties: - message: - type: string - status_code: - type: integer - required: - - status_code - - message - Security_Detections_API_SortOrder: - enum: - - asc - - desc - type: string - Security_Detections_API_Threat: - type: object - properties: - framework: - description: Relevant attack framework - type: string - tactic: - $ref: '#/components/schemas/Security_Detections_API_ThreatTactic' - technique: - description: Array containing information on the attack techniques (optional) - items: - $ref: '#/components/schemas/Security_Detections_API_ThreatTechnique' - type: array - required: - - framework - - tactic - Security_Detections_API_ThreatArray: - items: - $ref: '#/components/schemas/Security_Detections_API_Threat' - type: array - Security_Detections_API_ThreatFilters: - items: - description: >- - Query and filter context array used to filter documents from the - Elasticsearch index containing the threat values - type: array - Security_Detections_API_ThreatIndex: - items: - type: string - type: array - Security_Detections_API_ThreatIndicatorPath: - description: >- - Defines the path to the threat indicator in the indicator documents - (optional) - type: string - Security_Detections_API_ThreatMapping: - items: - type: object - properties: - entries: - items: - type: object - properties: - field: - $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' - type: - enum: - - mapping - type: string - value: - $ref: '#/components/schemas/Security_Detections_API_NonEmptyString' - required: - - field - - type - - value - type: array - required: - - entries - minItems: 1 - type: array - Security_Detections_API_ThreatMatchRule: - allOf: - - type: object - properties: - actions: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleAction' - type: array - alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose - alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId - author: - $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' - building_block_type: - $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' - description: - $ref: '#/components/schemas/Security_Detections_API_RuleDescription' - enabled: - $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' - exceptions_list: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' - type: array - false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray - from: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' - interval: - $ref: '#/components/schemas/Security_Detections_API_RuleInterval' - investigation_fields: - $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' - license: - $ref: '#/components/schemas/Security_Detections_API_RuleLicense' - max_signals: - $ref: '#/components/schemas/Security_Detections_API_MaxSignals' - meta: - $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' - name: - $ref: '#/components/schemas/Security_Detections_API_RuleName' - namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace - note: - $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' - outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome - output_index: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' - references: - $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' - related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray - required_fields: - items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput - type: array - response_actions: - items: - $ref: '#/components/schemas/Security_Detections_API_ResponseAction' - type: array - risk_score: - $ref: '#/components/schemas/Security_Detections_API_RiskScore' - risk_score_mapping: - $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' - rule_name_override: - $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' - setup: - $ref: '#/components/schemas/Security_Detections_API_SetupGuide' - severity: - $ref: '#/components/schemas/Security_Detections_API_Severity' - severity_mapping: - $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' - tags: - $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' - threat: - $ref: '#/components/schemas/Security_Detections_API_ThreatArray' - throttle: - $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' - timeline_id: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' - timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle - timestamp_override: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' - timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled - to: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' - version: - $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - required: - - name - - description - - risk_score - - severity - - version - - tags - - enabled - - risk_score_mapping - - severity_mapping - - interval - - from - - to - - actions - - exceptions_list - - author - - false_positives - - references - - max_signals - - threat - - setup - - related_integrations - - required_fields - - $ref: '#/components/schemas/Security_Detections_API_ResponseFields' - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleResponseFields - Security_Detections_API_ThreatMatchRuleCreateFields: - allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleRequiredFields - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleOptionalFields - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleDefaultableFields - Security_Detections_API_ThreatMatchRuleCreateProps: - allOf: - - type: object - properties: - actions: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleAction' - type: array - alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose - alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId - author: - $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' - building_block_type: - $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' - description: - $ref: '#/components/schemas/Security_Detections_API_RuleDescription' - enabled: - $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' - exceptions_list: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' - type: array - false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray - from: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' - interval: - $ref: '#/components/schemas/Security_Detections_API_RuleInterval' - investigation_fields: - $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' - license: - $ref: '#/components/schemas/Security_Detections_API_RuleLicense' - max_signals: - $ref: '#/components/schemas/Security_Detections_API_MaxSignals' - meta: - $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' - name: - $ref: '#/components/schemas/Security_Detections_API_RuleName' - namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace - note: - $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' - outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome - output_index: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' - references: - $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' - related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray - required_fields: - items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput - type: array - response_actions: - items: - $ref: '#/components/schemas/Security_Detections_API_ResponseAction' - type: array - risk_score: - $ref: '#/components/schemas/Security_Detections_API_RiskScore' - risk_score_mapping: - $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' - rule_id: - $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' - rule_name_override: - $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' - setup: - $ref: '#/components/schemas/Security_Detections_API_SetupGuide' - severity: - $ref: '#/components/schemas/Security_Detections_API_Severity' - severity_mapping: - $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' - tags: - $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' - threat: - $ref: '#/components/schemas/Security_Detections_API_ThreatArray' - throttle: - $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' - timeline_id: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' - timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle - timestamp_override: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' - timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled - to: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' - version: - $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - required: - - name - - description - - risk_score - - severity - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleCreateFields - Security_Detections_API_ThreatMatchRuleDefaultableFields: - type: object - properties: - language: - $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage' - Security_Detections_API_ThreatMatchRuleOptionalFields: - type: object - properties: - alert_suppression: - $ref: '#/components/schemas/Security_Detections_API_AlertSuppression' - concurrent_searches: - $ref: '#/components/schemas/Security_Detections_API_ConcurrentSearches' - data_view_id: - $ref: '#/components/schemas/Security_Detections_API_DataViewId' - filters: - $ref: '#/components/schemas/Security_Detections_API_RuleFilterArray' - index: - $ref: '#/components/schemas/Security_Detections_API_IndexPatternArray' - items_per_search: - $ref: '#/components/schemas/Security_Detections_API_ItemsPerSearch' - saved_id: - $ref: '#/components/schemas/Security_Detections_API_SavedQueryId' - threat_filters: - $ref: '#/components/schemas/Security_Detections_API_ThreatFilters' - threat_indicator_path: - $ref: '#/components/schemas/Security_Detections_API_ThreatIndicatorPath' - threat_language: - $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage' - Security_Detections_API_ThreatMatchRulePatchFields: - allOf: - - type: object - properties: - query: - $ref: '#/components/schemas/Security_Detections_API_RuleQuery' - threat_index: - $ref: '#/components/schemas/Security_Detections_API_ThreatIndex' - threat_mapping: - $ref: '#/components/schemas/Security_Detections_API_ThreatMapping' - threat_query: - $ref: '#/components/schemas/Security_Detections_API_ThreatQuery' - type: - description: Rule type - enum: - - threat_match - type: string - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleOptionalFields - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleDefaultableFields - Security_Detections_API_ThreatMatchRulePatchProps: - allOf: - - type: object - properties: - actions: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleAction' - type: array - alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose - alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId - author: - $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' - building_block_type: - $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' - description: - $ref: '#/components/schemas/Security_Detections_API_RuleDescription' - enabled: - $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' - exceptions_list: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' - type: array - false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray - from: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' - id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' - interval: - $ref: '#/components/schemas/Security_Detections_API_RuleInterval' - investigation_fields: - $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' - license: - $ref: '#/components/schemas/Security_Detections_API_RuleLicense' - max_signals: - $ref: '#/components/schemas/Security_Detections_API_MaxSignals' - meta: - $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' - name: - $ref: '#/components/schemas/Security_Detections_API_RuleName' - namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace - note: - $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' - outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome - output_index: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' - references: - $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' - related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray - required_fields: - items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput - type: array - response_actions: - items: - $ref: '#/components/schemas/Security_Detections_API_ResponseAction' - type: array - risk_score: - $ref: '#/components/schemas/Security_Detections_API_RiskScore' - risk_score_mapping: - $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' - rule_id: - $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' - rule_name_override: - $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' - setup: - $ref: '#/components/schemas/Security_Detections_API_SetupGuide' - severity: - $ref: '#/components/schemas/Security_Detections_API_Severity' - severity_mapping: - $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' - tags: - $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' - threat: - $ref: '#/components/schemas/Security_Detections_API_ThreatArray' - throttle: - $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' - timeline_id: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' - timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle - timestamp_override: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' - timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled - to: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' - version: - $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRulePatchFields - Security_Detections_API_ThreatMatchRuleRequiredFields: - type: object - properties: - query: - $ref: '#/components/schemas/Security_Detections_API_RuleQuery' - threat_index: - $ref: '#/components/schemas/Security_Detections_API_ThreatIndex' - threat_mapping: - $ref: '#/components/schemas/Security_Detections_API_ThreatMapping' - threat_query: - $ref: '#/components/schemas/Security_Detections_API_ThreatQuery' - type: - description: Rule type - enum: - - threat_match - type: string - required: - - type - - query - - threat_query - - threat_mapping - - threat_index - Security_Detections_API_ThreatMatchRuleResponseFields: - allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleRequiredFields - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleOptionalFields - - type: object - properties: - language: - $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage' - required: - - language - Security_Detections_API_ThreatMatchRuleUpdateProps: - allOf: - - type: object - properties: - actions: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleAction' - type: array - alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose - alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId - author: - $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' - building_block_type: - $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' - description: - $ref: '#/components/schemas/Security_Detections_API_RuleDescription' - enabled: - $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' - exceptions_list: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' - type: array - false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray - from: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' - id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' - interval: - $ref: '#/components/schemas/Security_Detections_API_RuleInterval' - investigation_fields: - $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' - license: - $ref: '#/components/schemas/Security_Detections_API_RuleLicense' - max_signals: - $ref: '#/components/schemas/Security_Detections_API_MaxSignals' - meta: - $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' - name: - $ref: '#/components/schemas/Security_Detections_API_RuleName' - namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace - note: - $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' - outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome - output_index: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' - references: - $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' - related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray - required_fields: - items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput - type: array - response_actions: - items: - $ref: '#/components/schemas/Security_Detections_API_ResponseAction' - type: array - risk_score: - $ref: '#/components/schemas/Security_Detections_API_RiskScore' - risk_score_mapping: - $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' - rule_id: - $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' - rule_name_override: - $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' - setup: - $ref: '#/components/schemas/Security_Detections_API_SetupGuide' - severity: - $ref: '#/components/schemas/Security_Detections_API_Severity' - severity_mapping: - $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' - tags: - $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' - threat: - $ref: '#/components/schemas/Security_Detections_API_ThreatArray' - throttle: - $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' - timeline_id: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' - timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle - timestamp_override: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' - timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled - to: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' - version: - $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - required: - - name - - description - - risk_score - - severity - - $ref: >- - #/components/schemas/Security_Detections_API_ThreatMatchRuleCreateFields - Security_Detections_API_ThreatQuery: - description: Query to run - type: string - Security_Detections_API_ThreatSubtechnique: - type: object - properties: - id: - description: Subtechnique ID - type: string - name: - description: Subtechnique name - type: string - reference: - description: Subtechnique reference - type: string - required: - - id - - name - - reference - Security_Detections_API_ThreatTactic: - type: object - properties: - id: - description: Tactic ID - type: string - name: - description: Tactic name - type: string - reference: - description: Tactic reference - type: string - required: - - id - - name - - reference - Security_Detections_API_ThreatTechnique: - type: object - properties: - id: - description: Technique ID - type: string - name: - description: Technique name - type: string - reference: - description: Technique reference - type: string - subtechnique: - description: Array containing more specific information on the attack technique - items: - $ref: '#/components/schemas/Security_Detections_API_ThreatSubtechnique' - type: array - required: - - id - - name - - reference - Security_Detections_API_Threshold: - type: object - properties: - cardinality: - $ref: '#/components/schemas/Security_Detections_API_ThresholdCardinality' - field: - $ref: '#/components/schemas/Security_Detections_API_ThresholdField' - value: - $ref: '#/components/schemas/Security_Detections_API_ThresholdValue' - required: - - field - - value - Security_Detections_API_ThresholdAlertSuppression: - type: object - properties: - duration: - $ref: >- - #/components/schemas/Security_Detections_API_AlertSuppressionDuration - required: - - duration - Security_Detections_API_ThresholdCardinality: - items: - type: object - properties: - field: - type: string - value: - minimum: 0 - type: integer - required: - - field - - value - type: array - Security_Detections_API_ThresholdField: - description: Field to aggregate on - oneOf: - - type: string - - items: - type: string - type: array - Security_Detections_API_ThresholdRule: - allOf: - - type: object - properties: - actions: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleAction' - type: array - alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose - alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId - author: - $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' - building_block_type: - $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' - description: - $ref: '#/components/schemas/Security_Detections_API_RuleDescription' - enabled: - $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' - exceptions_list: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' - type: array - false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray - from: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' - interval: - $ref: '#/components/schemas/Security_Detections_API_RuleInterval' - investigation_fields: - $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' - license: - $ref: '#/components/schemas/Security_Detections_API_RuleLicense' - max_signals: - $ref: '#/components/schemas/Security_Detections_API_MaxSignals' - meta: - $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' - name: - $ref: '#/components/schemas/Security_Detections_API_RuleName' - namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace - note: - $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' - outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome - output_index: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' - references: - $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' - related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray - required_fields: - items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput - type: array - response_actions: - items: - $ref: '#/components/schemas/Security_Detections_API_ResponseAction' - type: array - risk_score: - $ref: '#/components/schemas/Security_Detections_API_RiskScore' - risk_score_mapping: - $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' - rule_name_override: - $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' - setup: - $ref: '#/components/schemas/Security_Detections_API_SetupGuide' - severity: - $ref: '#/components/schemas/Security_Detections_API_Severity' - severity_mapping: - $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' - tags: - $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' - threat: - $ref: '#/components/schemas/Security_Detections_API_ThreatArray' - throttle: - $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' - timeline_id: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' - timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle - timestamp_override: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' - timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled - to: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' - version: - $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - required: - - name - - description - - risk_score - - severity - - version - - tags - - enabled - - risk_score_mapping - - severity_mapping - - interval - - from - - to - - actions - - exceptions_list - - author - - false_positives - - references - - max_signals - - threat - - setup - - related_integrations - - required_fields - - $ref: '#/components/schemas/Security_Detections_API_ResponseFields' - - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdRuleResponseFields - Security_Detections_API_ThresholdRuleCreateFields: - allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdRuleRequiredFields - - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdRuleOptionalFields - - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdRuleDefaultableFields - Security_Detections_API_ThresholdRuleCreateProps: - allOf: - - type: object - properties: - actions: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleAction' - type: array - alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose - alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId - author: - $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' - building_block_type: - $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' - description: - $ref: '#/components/schemas/Security_Detections_API_RuleDescription' - enabled: - $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' - exceptions_list: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' - type: array - false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray - from: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' - interval: - $ref: '#/components/schemas/Security_Detections_API_RuleInterval' - investigation_fields: - $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' - license: - $ref: '#/components/schemas/Security_Detections_API_RuleLicense' - max_signals: - $ref: '#/components/schemas/Security_Detections_API_MaxSignals' - meta: - $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' - name: - $ref: '#/components/schemas/Security_Detections_API_RuleName' - namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace - note: - $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' - outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome - output_index: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' - references: - $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' - related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray - required_fields: - items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput - type: array - response_actions: - items: - $ref: '#/components/schemas/Security_Detections_API_ResponseAction' - type: array - risk_score: - $ref: '#/components/schemas/Security_Detections_API_RiskScore' - risk_score_mapping: - $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' - rule_id: - $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' - rule_name_override: - $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' - setup: - $ref: '#/components/schemas/Security_Detections_API_SetupGuide' - severity: - $ref: '#/components/schemas/Security_Detections_API_Severity' - severity_mapping: - $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' - tags: - $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' - threat: - $ref: '#/components/schemas/Security_Detections_API_ThreatArray' - throttle: - $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' - timeline_id: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' - timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle - timestamp_override: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' - timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled - to: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' - version: - $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - required: - - name - - description - - risk_score - - severity - - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdRuleCreateFields - Security_Detections_API_ThresholdRuleDefaultableFields: - type: object - properties: - language: - $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage' - Security_Detections_API_ThresholdRuleOptionalFields: - type: object - properties: - alert_suppression: - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdAlertSuppression - data_view_id: - $ref: '#/components/schemas/Security_Detections_API_DataViewId' - filters: - $ref: '#/components/schemas/Security_Detections_API_RuleFilterArray' - index: - $ref: '#/components/schemas/Security_Detections_API_IndexPatternArray' - saved_id: - $ref: '#/components/schemas/Security_Detections_API_SavedQueryId' - Security_Detections_API_ThresholdRulePatchFields: - allOf: - - type: object - properties: - query: - $ref: '#/components/schemas/Security_Detections_API_RuleQuery' - threshold: - $ref: '#/components/schemas/Security_Detections_API_Threshold' - type: - description: Rule type - enum: - - threshold - type: string - - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdRuleOptionalFields - - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdRuleDefaultableFields - Security_Detections_API_ThresholdRulePatchProps: - allOf: - - type: object - properties: - actions: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleAction' - type: array - alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose - alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId - author: - $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' - building_block_type: - $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' - description: - $ref: '#/components/schemas/Security_Detections_API_RuleDescription' - enabled: - $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' - exceptions_list: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' - type: array - false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray - from: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' - id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' - interval: - $ref: '#/components/schemas/Security_Detections_API_RuleInterval' - investigation_fields: - $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' - license: - $ref: '#/components/schemas/Security_Detections_API_RuleLicense' - max_signals: - $ref: '#/components/schemas/Security_Detections_API_MaxSignals' - meta: - $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' - name: - $ref: '#/components/schemas/Security_Detections_API_RuleName' - namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace - note: - $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' - outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome - output_index: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' - references: - $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' - related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray - required_fields: - items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput - type: array - response_actions: - items: - $ref: '#/components/schemas/Security_Detections_API_ResponseAction' - type: array - risk_score: - $ref: '#/components/schemas/Security_Detections_API_RiskScore' - risk_score_mapping: - $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' - rule_id: - $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' - rule_name_override: - $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' - setup: - $ref: '#/components/schemas/Security_Detections_API_SetupGuide' - severity: - $ref: '#/components/schemas/Security_Detections_API_Severity' - severity_mapping: - $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' - tags: - $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' - threat: - $ref: '#/components/schemas/Security_Detections_API_ThreatArray' - throttle: - $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' - timeline_id: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' - timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle - timestamp_override: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' - timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled - to: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' - version: - $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdRulePatchFields - Security_Detections_API_ThresholdRuleRequiredFields: - type: object - properties: - query: - $ref: '#/components/schemas/Security_Detections_API_RuleQuery' - threshold: - $ref: '#/components/schemas/Security_Detections_API_Threshold' - type: - description: Rule type - enum: - - threshold - type: string - required: - - type - - query - - threshold - Security_Detections_API_ThresholdRuleResponseFields: - allOf: - - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdRuleRequiredFields - - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdRuleOptionalFields - - type: object - properties: - language: - $ref: '#/components/schemas/Security_Detections_API_KqlQueryLanguage' - required: - - language - Security_Detections_API_ThresholdRuleUpdateProps: - allOf: - - type: object - properties: - actions: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleAction' - type: array - alias_purpose: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasPurpose - alias_target_id: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveAliasTargetId - author: - $ref: '#/components/schemas/Security_Detections_API_RuleAuthorArray' - building_block_type: - $ref: '#/components/schemas/Security_Detections_API_BuildingBlockType' - description: - $ref: '#/components/schemas/Security_Detections_API_RuleDescription' - enabled: - $ref: '#/components/schemas/Security_Detections_API_IsRuleEnabled' - exceptions_list: - items: - $ref: '#/components/schemas/Security_Detections_API_RuleExceptionList' - type: array - false_positives: - $ref: >- - #/components/schemas/Security_Detections_API_RuleFalsePositiveArray - from: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalFrom' - id: - $ref: '#/components/schemas/Security_Detections_API_RuleObjectId' - interval: - $ref: '#/components/schemas/Security_Detections_API_RuleInterval' - investigation_fields: - $ref: '#/components/schemas/Security_Detections_API_InvestigationFields' - license: - $ref: '#/components/schemas/Security_Detections_API_RuleLicense' - max_signals: - $ref: '#/components/schemas/Security_Detections_API_MaxSignals' - meta: - $ref: '#/components/schemas/Security_Detections_API_RuleMetadata' - name: - $ref: '#/components/schemas/Security_Detections_API_RuleName' - namespace: - $ref: >- - #/components/schemas/Security_Detections_API_AlertsIndexNamespace - note: - $ref: '#/components/schemas/Security_Detections_API_InvestigationGuide' - outcome: - $ref: >- - #/components/schemas/Security_Detections_API_SavedObjectResolveOutcome - output_index: - $ref: '#/components/schemas/Security_Detections_API_AlertsIndex' - references: - $ref: '#/components/schemas/Security_Detections_API_RuleReferenceArray' - related_integrations: - $ref: >- - #/components/schemas/Security_Detections_API_RelatedIntegrationArray - required_fields: - items: - $ref: >- - #/components/schemas/Security_Detections_API_RequiredFieldInput - type: array - response_actions: - items: - $ref: '#/components/schemas/Security_Detections_API_ResponseAction' - type: array - risk_score: - $ref: '#/components/schemas/Security_Detections_API_RiskScore' - risk_score_mapping: - $ref: '#/components/schemas/Security_Detections_API_RiskScoreMapping' - rule_id: - $ref: '#/components/schemas/Security_Detections_API_RuleSignatureId' - rule_name_override: - $ref: '#/components/schemas/Security_Detections_API_RuleNameOverride' - setup: - $ref: '#/components/schemas/Security_Detections_API_SetupGuide' - severity: - $ref: '#/components/schemas/Security_Detections_API_Severity' - severity_mapping: - $ref: '#/components/schemas/Security_Detections_API_SeverityMapping' - tags: - $ref: '#/components/schemas/Security_Detections_API_RuleTagArray' - threat: - $ref: '#/components/schemas/Security_Detections_API_ThreatArray' - throttle: - $ref: '#/components/schemas/Security_Detections_API_RuleActionThrottle' - timeline_id: - $ref: '#/components/schemas/Security_Detections_API_TimelineTemplateId' - timeline_title: - $ref: >- - #/components/schemas/Security_Detections_API_TimelineTemplateTitle - timestamp_override: - $ref: '#/components/schemas/Security_Detections_API_TimestampOverride' - timestamp_override_fallback_disabled: - $ref: >- - #/components/schemas/Security_Detections_API_TimestampOverrideFallbackDisabled - to: - $ref: '#/components/schemas/Security_Detections_API_RuleIntervalTo' - version: - $ref: '#/components/schemas/Security_Detections_API_RuleVersion' - required: - - name - - description - - risk_score - - severity - - $ref: >- - #/components/schemas/Security_Detections_API_ThresholdRuleCreateFields - Security_Detections_API_ThresholdValue: - description: Threshold value - minimum: 1 - type: integer - Security_Detections_API_ThrottleForBulkActions: - description: >- - The condition for throttling the notification: 'rule', 'no_actions', or - time duration - enum: - - rule - - 1h - - 1d - - 7d - type: string - Security_Detections_API_TiebreakerField: - description: Sets a secondary field for sorting events - type: string - Security_Detections_API_TimelineTemplateId: - description: Timeline template ID - type: string - Security_Detections_API_TimelineTemplateTitle: - description: Timeline template title - type: string - Security_Detections_API_TimestampField: - description: Contains the event timestamp used for sorting a sequence of events - type: string - Security_Detections_API_TimestampOverride: - description: Sets the time field used to query indices - type: string - Security_Detections_API_TimestampOverrideFallbackDisabled: - description: Disables the fallback to the event's @timestamp field - type: boolean - Security_Detections_API_UUID: - description: A universally unique identifier - format: uuid - type: string - Security_Detections_API_WarningSchema: - type: object - properties: - actionPath: - type: string - buttonLabel: - type: string - message: - type: string - type: - type: string - required: - - type - - message - - actionPath - Security_Endpoint_Exceptions_API_EndpointList: - oneOf: - - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionList' - - additionalProperties: false - type: object - Security_Endpoint_Exceptions_API_EndpointListItem: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItem' - Security_Endpoint_Exceptions_API_ExceptionList: - type: object - properties: - _version: - type: string - created_at: - format: date-time - type: string - created_by: - type: string - description: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListDescription - id: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListId - immutable: - type: boolean - list_id: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListHumanId - meta: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListMeta - name: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListName - namespace_type: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionNamespaceType - os_types: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListOsTypeArray - tags: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListTags - tie_breaker_id: - type: string - type: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListType - updated_at: - format: date-time - type: string - updated_by: - type: string - version: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListVersion - required: - - id - - list_id - - type - - name - - description - - immutable - - namespace_type - - version - - tie_breaker_id - - created_at - - created_by - - updated_at - - updated_by - Security_Endpoint_Exceptions_API_ExceptionListDescription: - type: string - Security_Endpoint_Exceptions_API_ExceptionListHumanId: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' - description: 'Human readable string identifier, e.g. `trusted-linux-processes`' - Security_Endpoint_Exceptions_API_ExceptionListId: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' - Security_Endpoint_Exceptions_API_ExceptionListItem: - type: object - properties: - _version: - type: string - comments: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemCommentArray - created_at: - format: date-time - type: string - created_by: - type: string - description: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemDescription - entries: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryArray - expire_time: - format: date-time - type: string - id: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemId - item_id: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemHumanId - list_id: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListHumanId - meta: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemMeta - name: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemName - namespace_type: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionNamespaceType - os_types: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray - tags: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemTags - tie_breaker_id: - type: string - type: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemType - updated_at: - format: date-time - type: string - updated_by: - type: string - required: - - id - - item_id - - list_id - - type - - name - - description - - entries - - namespace_type - - comments - - tie_breaker_id - - created_at - - created_by - - updated_at - - updated_by - Security_Endpoint_Exceptions_API_ExceptionListItemComment: - type: object - properties: - comment: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' - created_at: - format: date-time - type: string - created_by: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' - id: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' - updated_at: - format: date-time - type: string - updated_by: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' - required: - - id - - comment - - created_at - - created_by - Security_Endpoint_Exceptions_API_ExceptionListItemCommentArray: - items: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemComment - type: array - Security_Endpoint_Exceptions_API_ExceptionListItemDescription: - type: string - Security_Endpoint_Exceptions_API_ExceptionListItemEntry: - anyOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatch - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchAny - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryList - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryExists - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryNested - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchWildcard - discriminator: - propertyName: type - Security_Endpoint_Exceptions_API_ExceptionListItemEntryArray: - items: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntry - type: array - Security_Endpoint_Exceptions_API_ExceptionListItemEntryExists: - type: object - properties: - field: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' - operator: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator - type: - enum: - - exists - type: string - required: - - type - - field - - operator - Security_Endpoint_Exceptions_API_ExceptionListItemEntryList: - type: object - properties: - field: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' - list: - type: object - properties: - id: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ListId' - type: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_ListType' - required: - - id - - type - operator: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator - type: - enum: - - list - type: string - required: - - type - - field - - list - - operator - Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatch: - type: object - properties: - field: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' - operator: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator - type: - enum: - - match - type: string - value: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' - required: - - type - - field - - value - - operator - Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchAny: - type: object - properties: - field: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' - operator: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator - type: - enum: - - match_any - type: string - value: - items: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString - minItems: 1 - type: array - required: - - type - - field - - value - - operator - Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchWildcard: - type: object - properties: - field: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' - operator: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator - type: - enum: - - wildcard - type: string - value: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' - required: - - type - - field - - value - - operator - Security_Endpoint_Exceptions_API_ExceptionListItemEntryNested: - type: object - properties: - entries: - items: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryNestedEntryItem - minItems: 1 - type: array - field: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' - type: - enum: - - nested - type: string - required: - - type - - field - - entries - Security_Endpoint_Exceptions_API_ExceptionListItemEntryNestedEntryItem: - oneOf: - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatch - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryMatchAny - - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListItemEntryExists - Security_Endpoint_Exceptions_API_ExceptionListItemEntryOperator: - enum: - - excluded - - included - type: string - Security_Endpoint_Exceptions_API_ExceptionListItemHumanId: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' - Security_Endpoint_Exceptions_API_ExceptionListItemId: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' - Security_Endpoint_Exceptions_API_ExceptionListItemMeta: - additionalProperties: true - type: object - Security_Endpoint_Exceptions_API_ExceptionListItemName: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' - Security_Endpoint_Exceptions_API_ExceptionListItemOsTypeArray: - items: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListOsType - type: array - Security_Endpoint_Exceptions_API_ExceptionListItemTags: - items: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' - type: array - Security_Endpoint_Exceptions_API_ExceptionListItemType: - enum: - - simple - type: string - Security_Endpoint_Exceptions_API_ExceptionListMeta: - additionalProperties: true - type: object - Security_Endpoint_Exceptions_API_ExceptionListName: - type: string - Security_Endpoint_Exceptions_API_ExceptionListOsType: - enum: - - linux - - macos - - windows - type: string - Security_Endpoint_Exceptions_API_ExceptionListOsTypeArray: - items: - $ref: >- - #/components/schemas/Security_Endpoint_Exceptions_API_ExceptionListOsType - type: array - Security_Endpoint_Exceptions_API_ExceptionListTags: - items: - type: string - type: array - Security_Endpoint_Exceptions_API_ExceptionListType: - enum: - - detection - - rule_default - - endpoint - - endpoint_trusted_apps - - endpoint_events - - endpoint_host_isolation_exceptions - - endpoint_blocklists - type: string - Security_Endpoint_Exceptions_API_ExceptionListVersion: - minimum: 1 - type: integer - Security_Endpoint_Exceptions_API_ExceptionNamespaceType: - description: > - Determines whether the exception container is available in all Kibana - spaces or just the space - - in which it is created, where: - - - - `single`: Only available in the Kibana space in which it is created. - - - `agnostic`: Available in all Kibana spaces. - enum: - - agnostic - - single - type: string - Security_Endpoint_Exceptions_API_FindEndpointListItemsFilter: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' - Security_Endpoint_Exceptions_API_ListId: - $ref: '#/components/schemas/Security_Endpoint_Exceptions_API_NonEmptyString' - Security_Endpoint_Exceptions_API_ListType: - enum: - - binary - - boolean - - byte - - date - - date_nanos - - date_range - - double - - double_range - - float - - float_range - - geo_point - - geo_shape - - half_float - - integer - - integer_range - - ip - - ip_range - - keyword - - long - - long_range - - shape - - short - - text - type: string - Security_Endpoint_Exceptions_API_NonEmptyString: - description: A string that is not empty and does not contain only whitespace - minLength: 1 - pattern: ^(?! *$).+$ - type: string - Security_Endpoint_Exceptions_API_PlatformErrorResponse: - type: object - properties: - error: - type: string - message: - type: string - statusCode: - type: integer - required: - - statusCode - - error - - message - Security_Endpoint_Exceptions_API_SiemErrorResponse: - type: object - properties: - message: - type: string - status_code: - type: integer - required: - - status_code - - message - Security_Endpoint_Management_API_ActionLogRequestQuery: - type: object - properties: - end_date: - $ref: '#/components/schemas/Security_Endpoint_Management_API_EndDate' - page: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Page' - page_size: - $ref: '#/components/schemas/Security_Endpoint_Management_API_PageSize' - start_date: - $ref: '#/components/schemas/Security_Endpoint_Management_API_StartDate' - Security_Endpoint_Management_API_ActionStateSuccessResponse: - type: object - properties: - body: - type: object - properties: - data: - type: object - properties: - canEncrypt: - type: boolean - required: - - data - required: - - body - Security_Endpoint_Management_API_ActionStatusSuccessResponse: - type: object - properties: - body: - type: object - properties: - data: - type: object - properties: - agent_id: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_AgentId - pending_actions: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_PendingActionsSchema - required: - - agent_id - - pending_actions - required: - - data - required: - - body - Security_Endpoint_Management_API_AgentId: - description: Agent ID - type: string - Security_Endpoint_Management_API_AgentIds: - minLength: 1 - oneOf: - - items: - minLength: 1 - type: string - maxItems: 50 - minItems: 1 - type: array - - minLength: 1 - type: string - Security_Endpoint_Management_API_AgentTypes: - enum: - - endpoint - - sentinel_one - - crowdstrike - type: string - Security_Endpoint_Management_API_AlertIds: - description: A list of alerts ids. - items: - $ref: '#/components/schemas/Security_Endpoint_Management_API_NonEmptyString' - minItems: 1 - type: array - Security_Endpoint_Management_API_CaseIds: - description: Case IDs to be updated (cannot contain empty strings) - items: - minLength: 1 - type: string - minItems: 1 - type: array - Security_Endpoint_Management_API_Command: - description: The command to be executed (cannot be an empty string) - enum: - - isolate - - unisolate - - kill-process - - suspend-process - - running-processes - - get-file - - execute - - upload - - scan - minLength: 1 - type: string - Security_Endpoint_Management_API_Commands: - items: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Command' - type: array - Security_Endpoint_Management_API_Comment: - description: Optional comment - type: string - Security_Endpoint_Management_API_EndDate: - description: End date - type: string - Security_Endpoint_Management_API_EndpointIds: - description: List of endpoint IDs (cannot contain empty strings) - items: - minLength: 1 - type: string - minItems: 1 - type: array - Security_Endpoint_Management_API_EntityId: - type: object - properties: - entity_id: - minLength: 1 - type: string - Security_Endpoint_Management_API_ExecuteRouteRequestBody: - allOf: - - type: object - properties: - agent_type: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' - alert_ids: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AlertIds' - case_ids: - $ref: '#/components/schemas/Security_Endpoint_Management_API_CaseIds' - comment: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' - endpoint_ids: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointIds - parameters: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' - required: - - endpoint_ids - - type: object - properties: - parameters: - type: object - properties: - command: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_Command - timeout: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_Timeout - required: - - command - required: - - parameters - Security_Endpoint_Management_API_GetEndpointActionListRouteQuery: - type: object - properties: - agentIds: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentIds' - agentTypes: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' - commands: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Commands' - endDate: - $ref: '#/components/schemas/Security_Endpoint_Management_API_EndDate' - page: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Page' - pageSize: - default: 10 - description: Number of items per page - maximum: 10000 - minimum: 1 - type: integer - startDate: - $ref: '#/components/schemas/Security_Endpoint_Management_API_StartDate' - types: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Types' - userIds: - $ref: '#/components/schemas/Security_Endpoint_Management_API_UserIds' - withOutputs: - $ref: '#/components/schemas/Security_Endpoint_Management_API_WithOutputs' - Security_Endpoint_Management_API_GetFileRouteRequestBody: - allOf: - - type: object - properties: - agent_type: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' - alert_ids: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AlertIds' - case_ids: - $ref: '#/components/schemas/Security_Endpoint_Management_API_CaseIds' - comment: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' - endpoint_ids: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointIds - parameters: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' - required: - - endpoint_ids - - type: object - properties: - parameters: - type: object - properties: - path: - type: string - required: - - path - required: - - parameters - Security_Endpoint_Management_API_GetProcessesRouteRequestBody: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_NoParametersRequestSchema - Security_Endpoint_Management_API_IsolateRouteRequestBody: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_NoParametersRequestSchema - Security_Endpoint_Management_API_KillProcessRouteRequestBody: - allOf: - - type: object - properties: - agent_type: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' - alert_ids: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AlertIds' - case_ids: - $ref: '#/components/schemas/Security_Endpoint_Management_API_CaseIds' - comment: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' - endpoint_ids: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointIds - parameters: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' - required: - - endpoint_ids - - type: object - properties: - parameters: - oneOf: - - $ref: '#/components/schemas/Security_Endpoint_Management_API_Pid' - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EntityId - - type: object - properties: - process_name: - description: Valid for SentinelOne agent type only - minLength: 1 - type: string - required: - - parameters - Security_Endpoint_Management_API_ListRequestQuery: - type: object - properties: - hostStatuses: - items: - enum: - - healthy - - offline - - updating - - inactive - - unenrolled - type: string - type: array - kuery: - nullable: true - type: string - page: - default: 0 - description: Page number - minimum: 0 - type: integer - pageSize: - default: 10 - description: Number of items per page - maximum: 10000 - minimum: 1 - type: integer - sortDirection: - enum: - - asc - - desc - nullable: true - type: string - sortField: - enum: - - enrolled_at - - metadata.host.hostname - - host_status - - metadata.Endpoint.policy.applied.name - - metadata.Endpoint.policy.applied.status - - metadata.host.os.name - - metadata.host.ip - - metadata.agent.version - - last_checkin - type: string - required: - - hostStatuses - Security_Endpoint_Management_API_NonEmptyString: - description: A string that is not empty and does not contain only whitespace - minLength: 1 - pattern: ^(?! *$).+$ - type: string - Security_Endpoint_Management_API_NoParametersRequestSchema: - type: object - properties: - body: - type: object - properties: - agent_type: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' - alert_ids: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AlertIds' - case_ids: - $ref: '#/components/schemas/Security_Endpoint_Management_API_CaseIds' - comment: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' - endpoint_ids: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointIds - parameters: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' - required: - - endpoint_ids - required: - - body - Security_Endpoint_Management_API_Page: - default: 1 - description: Page number - minimum: 1 - type: integer - Security_Endpoint_Management_API_PageSize: - default: 10 - description: Number of items per page - maximum: 100 - minimum: 1 - type: integer - Security_Endpoint_Management_API_Parameters: - description: Optional parameters object - type: object - Security_Endpoint_Management_API_PendingActionDataType: - type: integer - Security_Endpoint_Management_API_PendingActionsSchema: - oneOf: - - type: object - properties: - execute: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType - get-file: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType - isolate: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType - kill-process: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType - running-processes: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType - scan: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType - suspend-process: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType - unisolate: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType - upload: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_PendingActionDataType - - additionalProperties: true - type: object - Security_Endpoint_Management_API_Pid: - type: object - properties: - pid: - minimum: 1 - type: integer - Security_Endpoint_Management_API_ProtectionUpdatesNoteResponse: - type: object - properties: - note: - type: string - Security_Endpoint_Management_API_ScanRouteRequestBody: - allOf: - - type: object - properties: - agent_type: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' - alert_ids: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AlertIds' - case_ids: - $ref: '#/components/schemas/Security_Endpoint_Management_API_CaseIds' - comment: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' - endpoint_ids: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointIds - parameters: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' - required: - - endpoint_ids - - type: object - properties: - parameters: - type: object - properties: - path: - type: string - required: - - path - required: - - parameters - Security_Endpoint_Management_API_StartDate: - description: Start date - type: string - Security_Endpoint_Management_API_SuccessResponse: - type: object - properties: {} - Security_Endpoint_Management_API_SuspendProcessRouteRequestBody: - allOf: - - type: object - properties: - agent_type: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' - alert_ids: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AlertIds' - case_ids: - $ref: '#/components/schemas/Security_Endpoint_Management_API_CaseIds' - comment: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' - endpoint_ids: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointIds - parameters: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' - required: - - endpoint_ids - - type: object - properties: - parameters: - oneOf: - - $ref: '#/components/schemas/Security_Endpoint_Management_API_Pid' - - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EntityId - required: - - parameters - Security_Endpoint_Management_API_Timeout: - description: The maximum timeout value in milliseconds (optional) - minimum: 1 - type: integer - Security_Endpoint_Management_API_Type: - description: Type of response action - enum: - - automated - - manual - type: string - Security_Endpoint_Management_API_Types: - description: List of types of response actions - items: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Type' - maxLength: 2 - minLength: 1 - type: array - Security_Endpoint_Management_API_UnisolateRouteRequestBody: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_NoParametersRequestSchema - Security_Endpoint_Management_API_UploadRouteRequestBody: - allOf: - - type: object - properties: - agent_type: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' - alert_ids: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AlertIds' - case_ids: - $ref: '#/components/schemas/Security_Endpoint_Management_API_CaseIds' - comment: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' - endpoint_ids: - $ref: >- - #/components/schemas/Security_Endpoint_Management_API_EndpointIds - parameters: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' - required: - - endpoint_ids - - type: object - properties: - file: - format: binary - type: string - parameters: - type: object - properties: - overwrite: - default: false - type: boolean - required: - - parameters - - file - Security_Endpoint_Management_API_UserIds: - description: User IDs - oneOf: - - items: - minLength: 1 - type: string - minItems: 1 - type: array - - minLength: 1 - type: string - Security_Endpoint_Management_API_WithOutputs: - description: Shows detailed outputs for an action response - oneOf: - - items: - minLength: 1 - type: string - minItems: 1 - type: array - - minLength: 1 - type: string - Security_Entity_Analytics_API_AssetCriticalityBulkUploadErrorItem: - type: object - properties: - index: - type: integer - message: - type: string - required: - - message - - index - Security_Entity_Analytics_API_AssetCriticalityBulkUploadStats: - type: object - properties: - failed: - type: integer - successful: - type: integer - total: - type: integer - required: - - successful - - failed - - total - Security_Entity_Analytics_API_AssetCriticalityLevel: - description: The criticality level of the asset. - enum: - - low_impact - - medium_impact - - high_impact - - extreme_impact - type: string - Security_Entity_Analytics_API_AssetCriticalityRecord: - allOf: - - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_CreateAssetCriticalityRecord - - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecordEcsParts - - type: object - properties: - '@timestamp': - description: The time the record was created or updated. - example: '2017-07-21T17:32:28Z' - format: date-time - type: string - required: - - '@timestamp' - Security_Entity_Analytics_API_AssetCriticalityRecordEcsParts: - type: object - properties: - asset: - type: object - properties: - criticality: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel - required: - - asset - host: - type: object - properties: - asset: - type: object - properties: - criticality: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel - required: - - criticality - name: - type: string - required: - - name - user: - type: object - properties: - asset: - type: object - properties: - criticality: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel - required: - - criticality - name: - type: string - required: - - name - required: - - asset - Security_Entity_Analytics_API_AssetCriticalityRecordIdParts: - type: object - properties: - id_field: - $ref: '#/components/schemas/Security_Entity_Analytics_API_IdField' - description: The field representing the ID. - example: host.name - id_value: - description: The ID value of the asset. - type: string - required: - - id_value - - id_field - Security_Entity_Analytics_API_CleanUpRiskEngineErrorResponse: - type: object - properties: - cleanup_successful: - example: false - type: boolean - errors: - items: - type: object - properties: - error: - type: string - seq: - type: integer - required: - - seq - - error - type: array - required: - - cleanup_successful - - errors - Security_Entity_Analytics_API_CreateAssetCriticalityRecord: - allOf: - - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityRecordIdParts - - type: object - properties: - criticality_level: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel - required: - - criticality_level - Security_Entity_Analytics_API_EngineDataviewUpdateResult: - type: object - properties: - changes: - type: object - properties: - indexPatterns: - items: - type: string - type: array - type: - type: string - required: - - type - Security_Entity_Analytics_API_EngineDescriptor: - type: object - properties: - fieldHistoryLength: - type: integer - filter: - type: string - indexPattern: - $ref: '#/components/schemas/Security_Entity_Analytics_API_IndexPattern' - status: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EngineStatus' - type: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityType' - required: - - type - - indexPattern - - status - - fieldHistoryLength - Security_Entity_Analytics_API_EngineStatus: - enum: - - installing - - started - - stopped - - updating - - error - type: string - Security_Entity_Analytics_API_Entity: - oneOf: - - $ref: '#/components/schemas/Security_Entity_Analytics_API_UserEntity' - - $ref: '#/components/schemas/Security_Entity_Analytics_API_HostEntity' - Security_Entity_Analytics_API_EntityRiskLevels: - enum: - - Unknown - - Low - - Moderate - - High - - Critical - type: string - Security_Entity_Analytics_API_EntityRiskScoreRecord: - type: object - properties: - '@timestamp': - description: The time at which the risk score was calculated. - example: '2017-07-21T17:32:28Z' - format: date-time - type: string - calculated_level: - $ref: '#/components/schemas/Security_Entity_Analytics_API_EntityRiskLevels' - description: Lexical description of the entity's risk. - example: Critical - calculated_score: - description: The raw numeric value of the given entity's risk score. - format: double - type: number - calculated_score_norm: - description: >- - The normalized numeric value of the given entity's risk score. - Useful for comparing with other entities. - format: double - maximum: 100 - minimum: 0 - type: number - category_1_count: - description: >- - The number of risk input documents that contributed to the Category - 1 score (`category_1_score`). - format: integer - type: number - category_1_score: - description: >- - The contribution of Category 1 to the overall risk score - (`calculated_score`). Category 1 contains Detection Engine Alerts. - format: double - type: number - category_2_count: - format: integer - type: number - category_2_score: - format: double - type: number - criticality_level: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel - criticality_modifier: - format: double - type: number - id_field: - description: >- - The identifier field defining this risk score. Coupled with - `id_value`, uniquely identifies the entity being scored. - example: host.name - type: string - id_value: - description: >- - The identifier value defining this risk score. Coupled with - `id_field`, uniquely identifies the entity being scored. - example: example.host - type: string - inputs: - description: >- - A list of the highest-risk documents contributing to this risk - score. Useful for investigative purposes. - items: - $ref: '#/components/schemas/Security_Entity_Analytics_API_RiskScoreInput' - type: array - notes: - items: - type: string - type: array - required: - - '@timestamp' - - id_field - - id_value - - calculated_level - - calculated_score - - calculated_score_norm - - category_1_score - - category_1_count - - inputs - - notes - Security_Entity_Analytics_API_EntityType: - enum: - - user - - host - type: string - Security_Entity_Analytics_API_HostEntity: - type: object - properties: - '@timestamp': - format: date-time - type: string - asset: - type: object - properties: - criticality: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel - required: - - criticality - entity: - type: object - properties: - name: - type: string - source: - type: string - required: - - name - - source - host: - type: object - properties: - architecture: - items: - type: string - type: array - domain: - items: - type: string - type: array - hostname: - items: - type: string - type: array - id: - items: - type: string - type: array - ip: - items: - type: string - type: array - mac: - items: - type: string - type: array - name: - type: string - risk: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EntityRiskScoreRecord - type: - items: - type: string - type: array - required: - - name - required: - - '@timestamp' - - host - - entity - Security_Entity_Analytics_API_IdField: - enum: - - host.name - - user.name - type: string - Security_Entity_Analytics_API_IndexPattern: - type: string - Security_Entity_Analytics_API_InspectQuery: - type: object - properties: - dsl: - items: - type: string - type: array - response: - items: - type: string - type: array - required: - - dsl - - response - Security_Entity_Analytics_API_RiskEngineScheduleNowErrorResponse: - type: object - properties: - full_error: - type: string - message: - type: string - required: - - message - - full_error - Security_Entity_Analytics_API_RiskEngineScheduleNowResponse: - type: object - properties: - success: - type: boolean - Security_Entity_Analytics_API_RiskScoreInput: - description: A generic representation of a document contributing to a Risk Score. - type: object - properties: - category: - description: The risk category of the risk input document. - example: category_1 - type: string - contribution_score: - format: double - type: number - description: - description: A human-readable description of the risk input document. - example: 'Generated from Detection Engine Rule: Malware Prevention Alert' - type: string - id: - description: The unique identifier (`_id`) of the original source document - example: 91a93376a507e86cfbf282166275b89f9dbdb1f0be6c8103c6ff2909ca8e1a1c - type: string - index: - description: The unique index (`_index`) of the original source document - example: .internal.alerts-security.alerts-default-000001 - type: string - risk_score: - description: The weighted risk score of the risk input document. - format: double - maximum: 100 - minimum: 0 - type: number - timestamp: - description: The @timestamp of the risk input document. - example: '2017-07-21T17:32:28Z' - type: string - required: - - id - - index - - description - - category - Security_Entity_Analytics_API_TaskManagerUnavailableResponse: - description: Task manager is unavailable - type: object - properties: - message: - type: string - status_code: - minimum: 400 - type: integer - required: - - status_code - - message - Security_Entity_Analytics_API_UserEntity: - type: object - properties: - '@timestamp': - format: date-time - type: string - asset: - type: object - properties: - criticality: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_AssetCriticalityLevel - required: - - criticality - entity: - type: object - properties: - name: - type: string - source: - type: string - required: - - name - - source - user: - type: object - properties: - domain: - items: - type: string - type: array - email: - items: - type: string - type: array - full_name: - items: - type: string - type: array - hash: - items: - type: string - type: array - id: - items: - type: string - type: array - name: - type: string - risk: - $ref: >- - #/components/schemas/Security_Entity_Analytics_API_EntityRiskScoreRecord - roles: - items: - type: string - type: array - required: - - name - required: - - '@timestamp' - - user - - entity - Security_Exceptions_API_CreateExceptionListItemComment: - type: object - properties: - comment: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - required: - - comment - Security_Exceptions_API_CreateExceptionListItemCommentArray: - items: - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateExceptionListItemComment - type: array - Security_Exceptions_API_CreateRuleExceptionListItemComment: - type: object - properties: - comment: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - required: - - comment - Security_Exceptions_API_CreateRuleExceptionListItemCommentArray: - items: - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateRuleExceptionListItemComment - type: array - Security_Exceptions_API_CreateRuleExceptionListItemProps: - type: object - properties: - comments: - $ref: >- - #/components/schemas/Security_Exceptions_API_CreateRuleExceptionListItemCommentArray - default: [] - description: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemDescription - entries: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray - expire_time: - format: date-time - type: string - item_id: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId - meta: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemMeta' - name: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemName' - namespace_type: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' - default: single - os_types: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray - default: [] - tags: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemTags' - default: [] - type: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemType' - required: - - type - - name - - description - - entries - Security_Exceptions_API_ExceptionList: - type: object - properties: - _version: - type: string - created_at: - format: date-time - type: string - created_by: - type: string - description: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListDescription - id: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' - immutable: - type: boolean - list_id: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' - meta: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListMeta' - name: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListName' - namespace_type: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' - os_types: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListOsTypeArray - tags: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListTags' - tie_breaker_id: - type: string - type: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListType' - updated_at: - format: date-time - type: string - updated_by: - type: string - version: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListVersion' - required: - - id - - list_id - - type - - name - - description - - immutable - - namespace_type - - version - - tie_breaker_id - - created_at - - created_by - - updated_at - - updated_by - Security_Exceptions_API_ExceptionListDescription: - type: string - Security_Exceptions_API_ExceptionListHumanId: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - description: 'Human readable string identifier, e.g. `trusted-linux-processes`' - Security_Exceptions_API_ExceptionListId: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - Security_Exceptions_API_ExceptionListItem: - type: object - properties: - _version: - type: string - comments: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemCommentArray - created_at: - format: date-time - type: string - created_by: - type: string - description: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemDescription - entries: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryArray - expire_time: - format: date-time - type: string - id: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemId' - item_id: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId - list_id: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' - meta: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemMeta' - name: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemName' - namespace_type: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionNamespaceType' - os_types: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemOsTypeArray - tags: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemTags' - tie_breaker_id: - type: string - type: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemType' - updated_at: - format: date-time - type: string - updated_by: - type: string - required: - - id - - item_id - - list_id - - type - - name - - description - - entries - - namespace_type - - comments - - tie_breaker_id - - created_at - - created_by - - updated_at - - updated_by - Security_Exceptions_API_ExceptionListItemComment: - type: object - properties: - comment: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - created_at: - format: date-time - type: string - created_by: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - id: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - updated_at: - format: date-time - type: string - updated_by: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - required: - - id - - comment - - created_at - - created_by - Security_Exceptions_API_ExceptionListItemCommentArray: - items: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemComment' - type: array - Security_Exceptions_API_ExceptionListItemDescription: - type: string - Security_Exceptions_API_ExceptionListItemEntry: - anyOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatch - - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatchAny - - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryList - - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryExists - - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryNested - - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatchWildcard - discriminator: - propertyName: type - Security_Exceptions_API_ExceptionListItemEntryArray: - items: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListItemEntry' - type: array - Security_Exceptions_API_ExceptionListItemEntryExists: - type: object - properties: - field: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - operator: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator - type: - enum: - - exists - type: string - required: - - type - - field - - operator - Security_Exceptions_API_ExceptionListItemEntryList: - type: object - properties: - field: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - list: - type: object - properties: - id: - $ref: '#/components/schemas/Security_Exceptions_API_ListId' - type: - $ref: '#/components/schemas/Security_Exceptions_API_ListType' - required: - - id - - type - operator: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator - type: - enum: - - list - type: string - required: - - type - - field - - list - - operator - Security_Exceptions_API_ExceptionListItemEntryMatch: - type: object - properties: - field: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - operator: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator - type: - enum: - - match - type: string - value: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - required: - - type - - field - - value - - operator - Security_Exceptions_API_ExceptionListItemEntryMatchAny: - type: object - properties: - field: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - operator: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator - type: - enum: - - match_any - type: string - value: - items: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - minItems: 1 - type: array - required: - - type - - field - - value - - operator - Security_Exceptions_API_ExceptionListItemEntryMatchWildcard: - type: object - properties: - field: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - operator: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryOperator - type: - enum: - - wildcard - type: string - value: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - required: - - type - - field - - value - - operator - Security_Exceptions_API_ExceptionListItemEntryNested: - type: object - properties: - entries: - items: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryNestedEntryItem - minItems: 1 - type: array - field: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - type: - enum: - - nested - type: string - required: - - type - - field - - entries - Security_Exceptions_API_ExceptionListItemEntryNestedEntryItem: - oneOf: - - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatch - - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryMatchAny - - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemEntryExists - Security_Exceptions_API_ExceptionListItemEntryOperator: - enum: - - excluded - - included - type: string - Security_Exceptions_API_ExceptionListItemHumanId: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - Security_Exceptions_API_ExceptionListItemId: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - Security_Exceptions_API_ExceptionListItemMeta: - additionalProperties: true - type: object - Security_Exceptions_API_ExceptionListItemName: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - Security_Exceptions_API_ExceptionListItemOsTypeArray: - items: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListOsType' - type: array - Security_Exceptions_API_ExceptionListItemTags: - items: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - type: array - Security_Exceptions_API_ExceptionListItemType: - enum: - - simple - type: string - Security_Exceptions_API_ExceptionListMeta: - additionalProperties: true - type: object - Security_Exceptions_API_ExceptionListName: - type: string - Security_Exceptions_API_ExceptionListOsType: - enum: - - linux - - macos - - windows - type: string - Security_Exceptions_API_ExceptionListOsTypeArray: - items: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListOsType' - type: array - Security_Exceptions_API_ExceptionListsImportBulkError: - type: object - properties: - error: - type: object - properties: - message: - type: string - status_code: - type: integer - required: - - status_code - - message - id: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListId' - item_id: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListItemHumanId - list_id: - $ref: '#/components/schemas/Security_Exceptions_API_ExceptionListHumanId' - required: - - error - Security_Exceptions_API_ExceptionListsImportBulkErrorArray: - items: - $ref: >- - #/components/schemas/Security_Exceptions_API_ExceptionListsImportBulkError - type: array - Security_Exceptions_API_ExceptionListTags: - items: - type: string - type: array - Security_Exceptions_API_ExceptionListType: - enum: - - detection - - rule_default - - endpoint - - endpoint_trusted_apps - - endpoint_events - - endpoint_host_isolation_exceptions - - endpoint_blocklists - type: string - Security_Exceptions_API_ExceptionListVersion: - minimum: 1 - type: integer - Security_Exceptions_API_ExceptionNamespaceType: - description: > - Determines whether the exception container is available in all Kibana - spaces or just the space - - in which it is created, where: - - - - `single`: Only available in the Kibana space in which it is created. - - - `agnostic`: Available in all Kibana spaces. - enum: - - agnostic - - single - type: string - Security_Exceptions_API_FindExceptionListItemsFilter: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - Security_Exceptions_API_FindExceptionListsFilter: - type: string - Security_Exceptions_API_ListId: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - Security_Exceptions_API_ListType: - enum: - - binary - - boolean - - byte - - date - - date_nanos - - date_range - - double - - double_range - - float - - float_range - - geo_point - - geo_shape - - half_float - - integer - - integer_range - - ip - - ip_range - - keyword - - long - - long_range - - shape - - short - - text - type: string - Security_Exceptions_API_NonEmptyString: - description: A string that is not empty and does not contain only whitespace - minLength: 1 - pattern: ^(?! *$).+$ - type: string - Security_Exceptions_API_PlatformErrorResponse: - type: object - properties: - error: - type: string - message: - type: string - statusCode: - type: integer - required: - - statusCode - - error - - message - Security_Exceptions_API_RuleId: - $ref: '#/components/schemas/Security_Exceptions_API_UUID' - Security_Exceptions_API_SiemErrorResponse: - type: object - properties: - message: - type: string - status_code: - type: integer - required: - - status_code - - message - Security_Exceptions_API_UpdateExceptionListItemComment: - type: object - properties: - comment: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - id: - $ref: '#/components/schemas/Security_Exceptions_API_NonEmptyString' - required: - - comment - Security_Exceptions_API_UpdateExceptionListItemCommentArray: - items: - $ref: >- - #/components/schemas/Security_Exceptions_API_UpdateExceptionListItemComment - type: array - Security_Exceptions_API_UUID: - description: A universally unique identifier - format: uuid - type: string - Security_Lists_API_FindListItemsCursor: - $ref: '#/components/schemas/Security_Lists_API_NonEmptyString' - Security_Lists_API_FindListItemsFilter: - type: string - Security_Lists_API_FindListsCursor: - $ref: '#/components/schemas/Security_Lists_API_NonEmptyString' - Security_Lists_API_FindListsFilter: - type: string - Security_Lists_API_List: - type: object - properties: - _version: - type: string - '@timestamp': - format: date-time - type: string - created_at: - format: date-time - type: string - created_by: - type: string - description: - $ref: '#/components/schemas/Security_Lists_API_ListDescription' - deserializer: - type: string - id: - $ref: '#/components/schemas/Security_Lists_API_ListId' - immutable: - type: boolean - meta: - $ref: '#/components/schemas/Security_Lists_API_ListMetadata' - name: - $ref: '#/components/schemas/Security_Lists_API_ListName' - serializer: - type: string - tie_breaker_id: - type: string - type: - $ref: '#/components/schemas/Security_Lists_API_ListType' - updated_at: - format: date-time - type: string - updated_by: - type: string - version: - minimum: 1 - type: integer - required: - - id - - type - - name - - description - - immutable - - version - - tie_breaker_id - - created_at - - created_by - - updated_at - - updated_by - Security_Lists_API_ListDescription: - $ref: '#/components/schemas/Security_Lists_API_NonEmptyString' - Security_Lists_API_ListId: - $ref: '#/components/schemas/Security_Lists_API_NonEmptyString' - Security_Lists_API_ListItem: - type: object - properties: - _version: - type: string - '@timestamp': - format: date-time - type: string - created_at: - format: date-time - type: string - created_by: - type: string - deserializer: - type: string - id: - $ref: '#/components/schemas/Security_Lists_API_ListItemId' - list_id: - $ref: '#/components/schemas/Security_Lists_API_ListId' - meta: - $ref: '#/components/schemas/Security_Lists_API_ListItemMetadata' - serializer: - type: string - tie_breaker_id: - type: string - type: - $ref: '#/components/schemas/Security_Lists_API_ListType' - updated_at: - format: date-time - type: string - updated_by: - type: string - value: - $ref: '#/components/schemas/Security_Lists_API_ListItemValue' - required: - - id - - type - - list_id - - value - - tie_breaker_id - - created_at - - created_by - - updated_at - - updated_by - Security_Lists_API_ListItemId: - $ref: '#/components/schemas/Security_Lists_API_NonEmptyString' - Security_Lists_API_ListItemMetadata: - additionalProperties: true - type: object - Security_Lists_API_ListItemPrivileges: - type: object - properties: - application: - additionalProperties: - type: boolean - type: object - cluster: - additionalProperties: - type: boolean - type: object - has_all_requested: - type: boolean - index: - additionalProperties: - additionalProperties: - type: boolean - type: object - type: object - username: - type: string - required: - - username - - has_all_requested - - cluster - - index - - application - Security_Lists_API_ListItemValue: - $ref: '#/components/schemas/Security_Lists_API_NonEmptyString' - Security_Lists_API_ListMetadata: - additionalProperties: true - type: object - Security_Lists_API_ListName: - $ref: '#/components/schemas/Security_Lists_API_NonEmptyString' - Security_Lists_API_ListPrivileges: - type: object - properties: - application: - additionalProperties: - type: boolean - type: object - cluster: - additionalProperties: - type: boolean - type: object - has_all_requested: - type: boolean - index: - additionalProperties: - additionalProperties: - type: boolean - type: object - type: object - username: - type: string - required: - - username - - has_all_requested - - cluster - - index - - application - Security_Lists_API_ListType: - enum: - - binary - - boolean - - byte - - date - - date_nanos - - date_range - - double - - double_range - - float - - float_range - - geo_point - - geo_shape - - half_float - - integer - - integer_range - - ip - - ip_range - - keyword - - long - - long_range - - shape - - short - - text - type: string - Security_Lists_API_NonEmptyString: - description: A string that is not empty and does not contain only whitespace - minLength: 1 - pattern: ^(?! *$).+$ - type: string - Security_Lists_API_PlatformErrorResponse: - type: object - properties: - error: - type: string - message: - type: string - statusCode: - type: integer - required: - - statusCode - - error - - message - Security_Lists_API_SiemErrorResponse: - type: object - properties: - message: - type: string - status_code: - type: integer - required: - - status_code - - message - Security_Osquery_API_ArrayQueries: - items: - $ref: '#/components/schemas/Security_Osquery_API_ArrayQueriesItem' - type: array - Security_Osquery_API_ArrayQueriesItem: - type: object - properties: - ecs_mapping: - $ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined' - id: - $ref: '#/components/schemas/Security_Osquery_API_Id' - platform: - $ref: '#/components/schemas/Security_Osquery_API_PlatformOrUndefined' - query: - $ref: '#/components/schemas/Security_Osquery_API_Query' - removed: - $ref: '#/components/schemas/Security_Osquery_API_RemovedOrUndefined' - snapshot: - $ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined' - version: - $ref: '#/components/schemas/Security_Osquery_API_VersionOrUndefined' - Security_Osquery_API_CreateLiveQueryRequestBody: - type: object - properties: - agent_all: - type: boolean - agent_ids: - items: - type: string - type: array - agent_platforms: - items: - type: string - type: array - agent_policy_ids: - items: - type: string - type: array - alert_ids: - items: - type: string - type: array - case_ids: - items: - type: string - type: array - ecs_mapping: - $ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined' - event_ids: - items: - type: string - type: array - metadata: - nullable: true - type: object - pack_id: - $ref: '#/components/schemas/Security_Osquery_API_PackIdOrUndefined' - queries: - $ref: '#/components/schemas/Security_Osquery_API_ArrayQueries' - query: - $ref: '#/components/schemas/Security_Osquery_API_QueryOrUndefined' - saved_query_id: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryIdOrUndefined' - Security_Osquery_API_CreatePacksRequestBody: - type: object - properties: - description: - $ref: '#/components/schemas/Security_Osquery_API_DescriptionOrUndefined' - enabled: - $ref: '#/components/schemas/Security_Osquery_API_EnabledOrUndefined' - name: - $ref: '#/components/schemas/Security_Osquery_API_PackName' - policy_ids: - $ref: '#/components/schemas/Security_Osquery_API_PolicyIdsOrUndefined' - queries: - $ref: '#/components/schemas/Security_Osquery_API_ObjectQueries' - shards: - $ref: '#/components/schemas/Security_Osquery_API_Shards' - Security_Osquery_API_CreateSavedQueryRequestBody: - type: object - properties: - description: - $ref: '#/components/schemas/Security_Osquery_API_DescriptionOrUndefined' - ecs_mapping: - $ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined' - id: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' - interval: - $ref: '#/components/schemas/Security_Osquery_API_Interval' - platform: - $ref: '#/components/schemas/Security_Osquery_API_DescriptionOrUndefined' - query: - $ref: '#/components/schemas/Security_Osquery_API_QueryOrUndefined' - removed: - $ref: '#/components/schemas/Security_Osquery_API_RemovedOrUndefined' - snapshot: - $ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined' - version: - $ref: '#/components/schemas/Security_Osquery_API_VersionOrUndefined' - Security_Osquery_API_DefaultSuccessResponse: - type: object - properties: {} - Security_Osquery_API_Description: - type: string - Security_Osquery_API_DescriptionOrUndefined: - $ref: '#/components/schemas/Security_Osquery_API_Description' - nullable: true - Security_Osquery_API_ECSMapping: - additionalProperties: - $ref: '#/components/schemas/Security_Osquery_API_ECSMappingItem' - type: object - Security_Osquery_API_ECSMappingItem: - type: object - properties: - field: - type: string - value: - oneOf: - - type: string - - items: - type: string - type: array - Security_Osquery_API_ECSMappingOrUndefined: - $ref: '#/components/schemas/Security_Osquery_API_ECSMapping' - nullable: true - Security_Osquery_API_Enabled: - type: boolean - Security_Osquery_API_EnabledOrUndefined: - $ref: '#/components/schemas/Security_Osquery_API_Enabled' - nullable: true - Security_Osquery_API_FindLiveQueryRequestQuery: - type: object - properties: - kuery: - $ref: '#/components/schemas/Security_Osquery_API_KueryOrUndefined' - page: - $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' - pageSize: - $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' - sort: - $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' - sortOrder: - $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' - Security_Osquery_API_FindPacksRequestQuery: - type: object - properties: - page: - $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' - pageSize: - $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' - sort: - $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' - sortOrder: - $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' - Security_Osquery_API_FindSavedQueryRequestQuery: - type: object - properties: - page: - $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' - pageSize: - $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' - sort: - $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' - sortOrder: - $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' - Security_Osquery_API_GetLiveQueryResultsRequestQuery: - type: object - properties: - kuery: - $ref: '#/components/schemas/Security_Osquery_API_KueryOrUndefined' - page: - $ref: '#/components/schemas/Security_Osquery_API_PageOrUndefined' - pageSize: - $ref: '#/components/schemas/Security_Osquery_API_PageSizeOrUndefined' - sort: - $ref: '#/components/schemas/Security_Osquery_API_SortOrUndefined' - sortOrder: - $ref: '#/components/schemas/Security_Osquery_API_SortOrderOrUndefined' - Security_Osquery_API_Id: - type: string - Security_Osquery_API_Interval: - type: string - Security_Osquery_API_IntervalOrUndefined: - $ref: '#/components/schemas/Security_Osquery_API_Interval' - nullable: true - Security_Osquery_API_KueryOrUndefined: - nullable: true - type: string - Security_Osquery_API_ObjectQueries: - additionalProperties: - $ref: '#/components/schemas/Security_Osquery_API_ObjectQueriesItem' - type: object - Security_Osquery_API_ObjectQueriesItem: - type: object - properties: - ecs_mapping: - $ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined' - id: - $ref: '#/components/schemas/Security_Osquery_API_Id' - platform: - $ref: '#/components/schemas/Security_Osquery_API_PlatformOrUndefined' - query: - $ref: '#/components/schemas/Security_Osquery_API_Query' - removed: - $ref: '#/components/schemas/Security_Osquery_API_RemovedOrUndefined' - saved_query_id: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryIdOrUndefined' - snapshot: - $ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined' - version: - $ref: '#/components/schemas/Security_Osquery_API_VersionOrUndefined' - Security_Osquery_API_PackId: - type: string - Security_Osquery_API_PackIdOrUndefined: - $ref: '#/components/schemas/Security_Osquery_API_PackId' - nullable: true - Security_Osquery_API_PackName: - type: string - Security_Osquery_API_PageOrUndefined: - nullable: true - type: integer - Security_Osquery_API_PageSizeOrUndefined: - nullable: true - type: integer - Security_Osquery_API_Platform: - type: string - Security_Osquery_API_PlatformOrUndefined: - $ref: '#/components/schemas/Security_Osquery_API_Platform' - nullable: true - Security_Osquery_API_PolicyIds: - items: - type: string - type: array - Security_Osquery_API_PolicyIdsOrUndefined: - $ref: '#/components/schemas/Security_Osquery_API_PolicyIds' - nullable: true - Security_Osquery_API_Query: - type: string - Security_Osquery_API_QueryOrUndefined: - $ref: '#/components/schemas/Security_Osquery_API_Query' - nullable: true - Security_Osquery_API_Removed: - type: boolean - Security_Osquery_API_RemovedOrUndefined: - $ref: '#/components/schemas/Security_Osquery_API_Removed' - nullable: true - Security_Osquery_API_SavedQueryId: - type: string - Security_Osquery_API_SavedQueryIdOrUndefined: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' - nullable: true - Security_Osquery_API_Shards: - additionalProperties: - type: number - type: object - Security_Osquery_API_Snapshot: - type: boolean - Security_Osquery_API_SnapshotOrUndefined: - $ref: '#/components/schemas/Security_Osquery_API_Snapshot' - nullable: true - Security_Osquery_API_SortOrderOrUndefined: - oneOf: - - nullable: true - type: string - - enum: - - asc - - desc - Security_Osquery_API_SortOrUndefined: - nullable: true - type: string - Security_Osquery_API_UpdatePacksRequestBody: - type: object - properties: - description: - $ref: '#/components/schemas/Security_Osquery_API_DescriptionOrUndefined' - enabled: - $ref: '#/components/schemas/Security_Osquery_API_EnabledOrUndefined' - id: - $ref: '#/components/schemas/Security_Osquery_API_PackId' - policy_ids: - $ref: '#/components/schemas/Security_Osquery_API_PolicyIdsOrUndefined' - queries: - $ref: '#/components/schemas/Security_Osquery_API_ObjectQueries' - shards: - $ref: '#/components/schemas/Security_Osquery_API_Shards' - Security_Osquery_API_UpdateSavedQueryRequestBody: - type: object - properties: - description: - $ref: '#/components/schemas/Security_Osquery_API_DescriptionOrUndefined' - ecs_mapping: - $ref: '#/components/schemas/Security_Osquery_API_ECSMappingOrUndefined' - id: - $ref: '#/components/schemas/Security_Osquery_API_SavedQueryId' - interval: - $ref: '#/components/schemas/Security_Osquery_API_IntervalOrUndefined' - platform: - $ref: '#/components/schemas/Security_Osquery_API_DescriptionOrUndefined' - query: - $ref: '#/components/schemas/Security_Osquery_API_QueryOrUndefined' - removed: - $ref: '#/components/schemas/Security_Osquery_API_RemovedOrUndefined' - snapshot: - $ref: '#/components/schemas/Security_Osquery_API_SnapshotOrUndefined' - version: - $ref: '#/components/schemas/Security_Osquery_API_VersionOrUndefined' - Security_Osquery_API_Version: - type: string - Security_Osquery_API_VersionOrUndefined: - $ref: '#/components/schemas/Security_Osquery_API_Version' - nullable: true - Security_Timeline_API_AssociatedFilterType: - description: Filter notes based on their association with a document or saved object. - enum: - - all - - document_only - - saved_object_only - - document_and_saved_object - - orphan - type: string - Security_Timeline_API_BareNote: - type: object - properties: - created: - nullable: true - type: number - createdBy: - nullable: true - type: string - eventId: - nullable: true - type: string - note: - nullable: true - type: string - timelineId: - type: string - updated: - nullable: true - type: number - updatedBy: - nullable: true - type: string - required: - - timelineId - Security_Timeline_API_BarePinnedEvent: - type: object - properties: - created: - nullable: true - type: number - createdBy: - nullable: true - type: string - eventId: - type: string - timelineId: - type: string - updated: - nullable: true - type: number - updatedBy: - nullable: true - type: string - required: - - eventId - - timelineId - Security_Timeline_API_ColumnHeaderResult: - type: object - properties: - aggregatable: - nullable: true - type: boolean - category: - nullable: true - type: string - columnHeaderType: - nullable: true - type: string - description: - nullable: true - type: string - example: - nullable: true - type: string - id: - nullable: true - type: string - indexes: - items: - type: string - nullable: true - type: array - name: - nullable: true - type: string - placeholder: - nullable: true - type: string - searchable: - nullable: true - type: boolean - type: - nullable: true - type: string - Security_Timeline_API_DataProviderQueryMatch: - type: object - properties: - enabled: - nullable: true - type: boolean - excluded: - nullable: true - type: boolean - id: - nullable: true - type: string - kqlQuery: - nullable: true - type: string - name: - nullable: true - type: string - queryMatch: - $ref: '#/components/schemas/Security_Timeline_API_QueryMatchResult' - nullable: true - type: - $ref: '#/components/schemas/Security_Timeline_API_DataProviderType' - nullable: true - Security_Timeline_API_DataProviderResult: - type: object - properties: - and: - items: - $ref: '#/components/schemas/Security_Timeline_API_DataProviderQueryMatch' - nullable: true - type: array - enabled: - nullable: true - type: boolean - excluded: - nullable: true - type: boolean - id: - nullable: true - type: string - kqlQuery: - nullable: true - type: string - name: - nullable: true - type: string - queryMatch: - $ref: '#/components/schemas/Security_Timeline_API_QueryMatchResult' - nullable: true - type: - $ref: '#/components/schemas/Security_Timeline_API_DataProviderType' - nullable: true - Security_Timeline_API_DataProviderType: - description: >- - The type of data provider to create. Valid values are `default` and - `template`. - enum: - - default - - template - type: string - Security_Timeline_API_DocumentIds: - oneOf: - - items: - type: string - type: array - - type: string - Security_Timeline_API_FavoriteTimelineResponse: - type: object - properties: - code: - nullable: true - type: number - favorite: - items: - $ref: '#/components/schemas/Security_Timeline_API_FavoriteTimelineResult' - type: array - message: - nullable: true - type: string - savedObjectId: - type: string - templateTimelineId: - nullable: true - type: string - templateTimelineVersion: - nullable: true - type: number - timelineType: - $ref: '#/components/schemas/Security_Timeline_API_TimelineType' - version: - type: string - required: - - savedObjectId - - version - Security_Timeline_API_FavoriteTimelineResult: - type: object - properties: - favoriteDate: - nullable: true - type: number - fullName: - nullable: true - type: string - userName: - nullable: true - type: string - Security_Timeline_API_FilterTimelineResult: - type: object - properties: - exists: - nullable: true - type: string - match_all: - nullable: true - type: string - meta: - nullable: true - type: object - properties: - alias: - nullable: true - type: string - controlledBy: - nullable: true - type: string - disabled: - nullable: true - type: boolean - field: - nullable: true - type: string - formattedValue: - nullable: true - type: string - index: - nullable: true - type: string - key: - nullable: true - type: string - negate: - nullable: true - type: boolean - params: - nullable: true - type: string - type: - nullable: true - type: string - value: - nullable: true - type: string - missing: - nullable: true - type: string - query: - nullable: true - type: string - range: - nullable: true - type: string - script: - nullable: true - type: string - Security_Timeline_API_GetNotesResult: - type: object - properties: - notes: - items: - $ref: '#/components/schemas/Security_Timeline_API_Note' - type: array - totalCount: - type: number - required: - - totalCount - - notes - Security_Timeline_API_ImportTimelineResult: - type: object - properties: - errors: - items: - type: object - properties: - error: - type: object - properties: - message: - type: string - status_code: - type: number - id: - type: string - type: array - success: - type: boolean - success_count: - type: number - timelines_installed: - type: number - timelines_updated: - type: number - Security_Timeline_API_ImportTimelines: - allOf: - - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' - - type: object - properties: - eventNotes: - items: - $ref: '#/components/schemas/Security_Timeline_API_BareNote' - nullable: true - type: array - globalNotes: - items: - $ref: '#/components/schemas/Security_Timeline_API_BareNote' - nullable: true - type: array - pinnedEventIds: - items: - type: string - nullable: true - type: array - savedObjectId: - nullable: true - type: string - version: - nullable: true - type: string - required: - - savedObjectId - - version - - pinnedEventIds - - eventNotes - - globalNotes - Security_Timeline_API_Note: - allOf: - - $ref: '#/components/schemas/Security_Timeline_API_BareNote' - - type: object - properties: - noteId: - type: string - version: - type: string - required: - - noteId - - version - Security_Timeline_API_PersistPinnedEventResponse: - oneOf: - - allOf: - - $ref: '#/components/schemas/Security_Timeline_API_PinnedEvent' - - $ref: >- - #/components/schemas/Security_Timeline_API_PinnedEventBaseResponseBody - - nullable: true - type: object - Security_Timeline_API_PersistTimelineResponse: - type: object - properties: - data: - type: object - properties: - persistTimeline: - type: object - properties: - timeline: - $ref: '#/components/schemas/Security_Timeline_API_TimelineResponse' - required: - - timeline - required: - - persistTimeline - required: - - data - Security_Timeline_API_PinnedEvent: - allOf: - - $ref: '#/components/schemas/Security_Timeline_API_BarePinnedEvent' - - type: object - properties: - pinnedEventId: - type: string - version: - type: string - required: - - pinnedEventId - - version - Security_Timeline_API_PinnedEventBaseResponseBody: - type: object - properties: - code: - type: number - message: - type: string - required: - - code - Security_Timeline_API_QueryMatchResult: - type: object - properties: - displayField: - nullable: true - type: string - displayValue: - nullable: true - type: string - field: - nullable: true - type: string - operator: - nullable: true - type: string - value: - oneOf: - - nullable: true - type: string - - items: - type: string - nullable: true - type: array - Security_Timeline_API_ResolvedTimeline: - type: object - properties: - alias_purpose: - $ref: >- - #/components/schemas/Security_Timeline_API_SavedObjectResolveAliasPurpose - alias_target_id: - type: string - outcome: - $ref: '#/components/schemas/Security_Timeline_API_SavedObjectResolveOutcome' - timeline: - $ref: >- - #/components/schemas/Security_Timeline_API_TimelineSavedToReturnObject - required: - - timeline - - outcome - Security_Timeline_API_ResponseNote: - type: object - properties: - code: - type: number - message: - type: string - note: - $ref: '#/components/schemas/Security_Timeline_API_Note' - required: - - code - - message - - note - Security_Timeline_API_RowRendererId: - enum: - - alert - - alerts - - auditd - - auditd_file - - library - - netflow - - plain - - registry - - suricata - - system - - system_dns - - system_endgame_process - - system_file - - system_fim - - system_security_event - - system_socket - - threat_match - - zeek - type: string - Security_Timeline_API_SavedObjectIds: - oneOf: - - items: - type: string - type: array - - type: string - Security_Timeline_API_SavedObjectResolveAliasPurpose: - enum: - - savedObjectConversion - - savedObjectImport - type: string - Security_Timeline_API_SavedObjectResolveOutcome: - enum: - - exactMatch - - aliasMatch - - conflict - type: string - Security_Timeline_API_SavedTimeline: - type: object - properties: - columns: - items: - $ref: '#/components/schemas/Security_Timeline_API_ColumnHeaderResult' - nullable: true - type: array - created: - nullable: true - type: number - createdBy: - nullable: true - type: string - dataProviders: - items: - $ref: '#/components/schemas/Security_Timeline_API_DataProviderResult' - nullable: true - type: array - dataViewId: - nullable: true - type: string - dateRange: - nullable: true - type: object - properties: - end: - oneOf: - - nullable: true - type: string - - nullable: true - type: number - start: - oneOf: - - nullable: true - type: string - - nullable: true - type: number - description: - nullable: true - type: string - eqlOptions: - nullable: true - type: object - properties: - eventCategoryField: - nullable: true - type: string - query: - nullable: true - type: string - size: - oneOf: - - nullable: true - type: string - - nullable: true - type: number - tiebreakerField: - nullable: true - type: string - timestampField: - nullable: true - type: string - eventType: - nullable: true - type: string - excludedRowRendererIds: - items: - $ref: '#/components/schemas/Security_Timeline_API_RowRendererId' - nullable: true - type: array - favorite: - items: - $ref: '#/components/schemas/Security_Timeline_API_FavoriteTimelineResult' - nullable: true - type: array - filters: - items: - $ref: '#/components/schemas/Security_Timeline_API_FilterTimelineResult' - nullable: true - type: array - indexNames: - items: - type: string - nullable: true - type: array - kqlMode: - nullable: true - type: string - kqlQuery: - $ref: >- - #/components/schemas/Security_Timeline_API_SerializedFilterQueryResult - nullable: true - savedQueryId: - nullable: true - type: string - savedSearchId: - nullable: true - type: string - sort: - $ref: '#/components/schemas/Security_Timeline_API_Sort' - nullable: true - status: - enum: - - active - - draft - - immutable - nullable: true - type: string - templateTimelineId: - nullable: true - type: string - templateTimelineVersion: - nullable: true - type: number - timelineType: - $ref: '#/components/schemas/Security_Timeline_API_TimelineType' - nullable: true - title: - nullable: true - type: string - updated: - nullable: true - type: number - updatedBy: - nullable: true - type: string - Security_Timeline_API_SavedTimelineWithSavedObjectId: - allOf: - - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' - - type: object - properties: - savedObjectId: - type: string - version: - type: string - required: - - savedObjectId - - version - Security_Timeline_API_SerializedFilterQueryResult: - type: object - properties: - filterQuery: - nullable: true - type: object - properties: - kuery: - nullable: true - type: object - properties: - expression: - nullable: true - type: string - kind: - nullable: true - type: string - serializedQuery: - nullable: true - type: string - Security_Timeline_API_Sort: - oneOf: - - $ref: '#/components/schemas/Security_Timeline_API_SortObject' - - items: - $ref: '#/components/schemas/Security_Timeline_API_SortObject' - type: array - Security_Timeline_API_SortFieldTimeline: - description: The field to sort the timelines by. - enum: - - title - - description - - updated - - created - type: string - Security_Timeline_API_SortObject: - type: object - properties: - columnId: - nullable: true - type: string - columnType: - nullable: true - type: string - sortDirection: - nullable: true - type: string - Security_Timeline_API_TimelineResponse: - allOf: - - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' - - $ref: >- - #/components/schemas/Security_Timeline_API_SavedTimelineWithSavedObjectId - - type: object - properties: - eventIdToNoteIds: - items: - $ref: '#/components/schemas/Security_Timeline_API_Note' - nullable: true - type: array - noteIds: - items: - type: string - nullable: true - type: array - notes: - items: - $ref: '#/components/schemas/Security_Timeline_API_Note' - nullable: true - type: array - pinnedEventIds: - items: - type: string - nullable: true - type: array - pinnedEventsSaveObject: - items: - $ref: '#/components/schemas/Security_Timeline_API_PinnedEvent' - nullable: true - type: array - Security_Timeline_API_TimelineSavedToReturnObject: - allOf: - - $ref: '#/components/schemas/Security_Timeline_API_SavedTimeline' - - type: object - properties: - eventIdToNoteIds: - items: - $ref: '#/components/schemas/Security_Timeline_API_Note' - nullable: true - type: array - noteIds: - items: - type: string - nullable: true - type: array - notes: - items: - $ref: '#/components/schemas/Security_Timeline_API_Note' - nullable: true - type: array - pinnedEventIds: - items: - type: string - nullable: true - type: array - pinnedEventsSaveObject: - items: - $ref: '#/components/schemas/Security_Timeline_API_PinnedEvent' - nullable: true - type: array - savedObjectId: - type: string - version: - type: string - required: - - savedObjectId - - version - Security_Timeline_API_TimelineStatus: - description: >- - The status of the timeline. Valid values are `active`, `draft`, and - `immutable`. - enum: - - active - - draft - - immutable - type: string - Security_Timeline_API_TimelineType: - description: >- - The type of timeline to create. Valid values are `default` and - `template`. - enum: - - default - - template - type: string - Serverless_saved_objects_400_response: - title: Bad request - type: object - properties: - error: - enum: - - Bad Request - type: string - message: - type: string - statusCode: - enum: - - 400 - type: integer - required: - - error - - message - - statusCode - SLOs_400_response: - title: Bad request - type: object - properties: - error: - example: Bad Request - type: string - message: - example: 'Invalid value ''foo'' supplied to: [...]' - type: string - statusCode: - example: 400 - type: number - required: - - statusCode - - error - - message - SLOs_401_response: - title: Unauthorized - type: object - properties: - error: - example: Unauthorized - type: string - message: - example: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastics] for REST request [/_security/_authenticate]]: unable to authenticate user [elastics] for REST request [/_security/_authenticate]" - type: string - statusCode: - example: 401 - type: number - required: - - statusCode - - error - - message - SLOs_403_response: - title: Unauthorized - type: object - properties: - error: - example: Unauthorized - type: string - message: - example: "[security_exception\n\tRoot causes:\n\t\tsecurity_exception: unable to authenticate user [elastics] for REST request [/_security/_authenticate]]: unable to authenticate user [elastics] for REST request [/_security/_authenticate]" - type: string - statusCode: - example: 403 - type: number - required: - - statusCode - - error - - message - SLOs_404_response: - title: Not found - type: object - properties: - error: - example: Not Found - type: string - message: - example: 'SLO [3749f390-03a3-11ee-8139-c7ff60a1692d] not found' - type: string - statusCode: - example: 404 - type: number - required: - - statusCode - - error - - message - SLOs_409_response: - title: Conflict - type: object - properties: - error: - example: Conflict - type: string - message: - example: 'SLO [d077e940-1515-11ee-9c50-9d096392f520] already exists' - type: string - statusCode: - example: 409 - type: number - required: - - statusCode - - error - - message - SLOs_budgeting_method: - description: The budgeting method to use when computing the rollup data. - enum: - - occurrences - - timeslices - example: occurrences - title: Budgeting method - type: string - SLOs_create_slo_request: - description: > - The create SLO API request body varies depending on the type of - indicator, time window and budgeting method. - properties: - budgetingMethod: - $ref: '#/components/schemas/SLOs_budgeting_method' - description: - description: A description for the SLO. - type: string - groupBy: - $ref: '#/components/schemas/SLOs_group_by' - id: - description: >- - A optional and unique identifier for the SLO. Must be between 8 and - 36 chars - example: my-super-slo-id - type: string - indicator: - oneOf: - - $ref: '#/components/schemas/SLOs_indicator_properties_custom_kql' - - $ref: '#/components/schemas/SLOs_indicator_properties_apm_availability' - - $ref: '#/components/schemas/SLOs_indicator_properties_apm_latency' - - $ref: '#/components/schemas/SLOs_indicator_properties_custom_metric' - - $ref: '#/components/schemas/SLOs_indicator_properties_histogram' - - $ref: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' - name: - description: A name for the SLO. - type: string - objective: - $ref: '#/components/schemas/SLOs_objective' - settings: - $ref: '#/components/schemas/SLOs_settings' - tags: - description: List of tags - items: - type: string - type: array - timeWindow: - $ref: '#/components/schemas/SLOs_time_window' - required: - - name - - description - - indicator - - timeWindow - - budgetingMethod - - objective - title: Create SLO request - type: object - SLOs_create_slo_response: - title: Create SLO response - type: object - properties: - id: - example: 8853df00-ae2e-11ed-90af-09bb6422b258 - type: string - required: - - id - SLOs_delete_slo_instances_request: - description: > - The delete SLO instances request takes a list of SLO id and instance id, - then delete the rollup and summary data. This API can be used to remove - the staled data of an instance SLO that no longer get updated. - properties: - list: - description: An array of slo id and instance id - items: - type: object - properties: - instanceId: - description: The SLO instance identifier - example: 8853df00-ae2e-11ed-90af-09bb6422b258 - type: string - sloId: - description: The SLO unique identifier - example: 8853df00-ae2e-11ed-90af-09bb6422b258 - type: string - required: - - sloId - - instanceId - type: array - required: - - list - title: Delete SLO instances request - type: object - SLOs_error_budget: - title: Error budget - type: object - properties: - consumed: - description: 'The error budget consummed, as a percentage of the initial value.' - example: 0.8 - type: number - initial: - description: 'The initial error budget, as 1 - objective' - example: 0.02 - type: number - isEstimated: - description: >- - Only for SLO defined with occurrences budgeting method and calendar - aligned time window. - example: true - type: boolean - remaining: - description: 'The error budget remaining, as a percentage of the initial value.' - example: 0.2 - type: number - required: - - initial - - consumed - - remaining - - isEstimated - SLOs_filter: - description: Defines properties for a filter - properties: - meta: - $ref: '#/components/schemas/SLOs_filter_meta' - query: - type: object - title: Filter - type: object - SLOs_filter_meta: - description: Defines properties for a filter - properties: - alias: - nullable: true - type: string - controlledBy: - type: string - disabled: - type: boolean - field: - type: string - group: - type: string - index: - type: string - isMultiIndex: - type: boolean - key: - type: string - negate: - type: boolean - params: - type: object - type: - type: string - value: - type: string - title: FilterMeta - type: object - SLOs_find_slo_response: - description: | - A paginated response of SLOs matching the query. - properties: - page: - example: 1 - type: number - perPage: - example: 25 - type: number - results: - items: - $ref: '#/components/schemas/SLOs_slo_with_summary_response' - type: array - total: - example: 34 - type: number - title: Find SLO response - type: object - SLOs_group_by: - description: >- - optional group by field or fields to use to generate an SLO per distinct - value - example: - - - service.name - - service.name - - - service.name - - service.environment - oneOf: - - type: string - - items: - type: string - type: array - title: Group by - SLOs_indicator_properties_apm_availability: - description: Defines properties for the APM availability indicator type - type: object - properties: - params: - description: An object containing the indicator parameters. - nullable: false - type: object - properties: - environment: - description: The APM service environment or "*" - example: production - type: string - filter: - description: KQL query used for filtering the data - example: 'service.foo : "bar"' - type: string - index: - description: The index used by APM metrics - example: 'metrics-apm*,apm*' - type: string - service: - description: The APM service name - example: o11y-app - type: string - transactionName: - description: The APM transaction name or "*" - example: GET /my/api - type: string - transactionType: - description: The APM transaction type or "*" - example: request - type: string - required: - - service - - environment - - transactionType - - transactionName - - index - type: - description: The type of indicator. - example: sli.apm.transactionDuration - type: string - required: - - type - - params - title: APM availability - SLOs_indicator_properties_apm_latency: - description: Defines properties for the APM latency indicator type - type: object - properties: - params: - description: An object containing the indicator parameters. - nullable: false - type: object - properties: - environment: - description: The APM service environment or "*" - example: production - type: string - filter: - description: KQL query used for filtering the data - example: 'service.foo : "bar"' - type: string - index: - description: The index used by APM metrics - example: 'metrics-apm*,apm*' - type: string - service: - description: The APM service name - example: o11y-app - type: string - threshold: - description: The latency threshold in milliseconds - example: 250 - type: number - transactionName: - description: The APM transaction name or "*" - example: GET /my/api - type: string - transactionType: - description: The APM transaction type or "*" - example: request - type: string - required: - - service - - environment - - transactionType - - transactionName - - index - - threshold - type: - description: The type of indicator. - example: sli.apm.transactionDuration - type: string - required: - - type - - params - title: APM latency - SLOs_indicator_properties_custom_kql: - description: Defines properties for a custom query indicator type - type: object - properties: - params: - description: An object containing the indicator parameters. - nullable: false - type: object - properties: - dataViewId: - description: >- - The kibana data view id to use, primarily used to include data - view runtime mappings. Make sure to save SLO again if you - add/update run time fields to the data view and if those fields - are being used in slo queries. - example: 03b80ab3-003d-498b-881c-3beedbaf1162 - type: string - filter: - $ref: '#/components/schemas/SLOs_kql_with_filters' - good: - $ref: '#/components/schemas/SLOs_kql_with_filters_good' - index: - description: The index or index pattern to use - example: my-service-* - type: string - timestampField: - description: | - The timestamp field used in the source indice. - example: timestamp - type: string - total: - $ref: '#/components/schemas/SLOs_kql_with_filters_total' - required: - - index - - timestampField - - good - - total - type: - description: The type of indicator. - example: sli.kql.custom - type: string - required: - - type - - params - title: Custom Query - SLOs_indicator_properties_custom_metric: - description: Defines properties for a custom metric indicator type - type: object - properties: - params: - description: An object containing the indicator parameters. - nullable: false - type: object - properties: - dataViewId: - description: >- - The kibana data view id to use, primarily used to include data - view runtime mappings. Make sure to save SLO again if you - add/update run time fields to the data view and if those fields - are being used in slo queries. - example: 03b80ab3-003d-498b-881c-3beedbaf1162 - type: string - filter: - description: the KQL query to filter the documents with. - example: 'field.environment : "production" and service.name : "my-service"' - type: string - good: - description: | - An object defining the "good" metrics and equation - type: object - properties: - equation: - description: The equation to calculate the "good" metric. - example: A - type: string - metrics: - description: >- - List of metrics with their name, aggregation type, and - field. - items: - type: object - properties: - aggregation: - description: >- - The aggregation type of the metric. Only valid option - is "sum" - enum: - - sum - example: sum - type: string - field: - description: The field of the metric. - example: processor.processed - type: string - filter: - description: The filter to apply to the metric. - example: 'processor.outcome: "success"' - type: string - name: - description: The name of the metric. Only valid options are A-Z - example: A - pattern: '^[A-Z]$' - type: string - required: - - name - - aggregation - - field - type: array - required: - - metrics - - equation - index: - description: The index or index pattern to use - example: my-service-* - type: string - timestampField: - description: | - The timestamp field used in the source indice. - example: timestamp - type: string - total: - description: | - An object defining the "total" metrics and equation - type: object - properties: - equation: - description: The equation to calculate the "total" metric. - example: A - type: string - metrics: - description: >- - List of metrics with their name, aggregation type, and - field. - items: - type: object - properties: - aggregation: - description: >- - The aggregation type of the metric. Only valid option - is "sum" - enum: - - sum - example: sum - type: string - field: - description: The field of the metric. - example: processor.processed - type: string - filter: - description: The filter to apply to the metric. - example: 'processor.outcome: *' - type: string - name: - description: The name of the metric. Only valid options are A-Z - example: A - pattern: '^[A-Z]$' - type: string - required: - - name - - aggregation - - field - type: array - required: - - metrics - - equation - required: - - index - - timestampField - - good - - total - type: - description: The type of indicator. - example: sli.metric.custom - type: string - required: - - type - - params - title: Custom metric - SLOs_indicator_properties_histogram: - description: Defines properties for a histogram indicator type - type: object - properties: - params: - description: An object containing the indicator parameters. - nullable: false - type: object - properties: - dataViewId: - description: >- - The kibana data view id to use, primarily used to include data - view runtime mappings. Make sure to save SLO again if you - add/update run time fields to the data view and if those fields - are being used in slo queries. - example: 03b80ab3-003d-498b-881c-3beedbaf1162 - type: string - filter: - description: the KQL query to filter the documents with. - example: 'field.environment : "production" and service.name : "my-service"' - type: string - good: - description: | - An object defining the "good" events - type: object - properties: - aggregation: - description: The type of aggregation to use. - enum: - - value_count - - range - example: value_count - type: string - field: - description: The field use to aggregate the good events. - example: processor.latency - type: string - filter: - description: The filter for good events. - example: 'processor.outcome: "success"' - type: string - from: - description: >- - The starting value of the range. Only required for "range" - aggregations. - example: 0 - type: number - to: - description: >- - The ending value of the range. Only required for "range" - aggregations. - example: 100 - type: number - required: - - aggregation - - field - index: - description: The index or index pattern to use - example: my-service-* - type: string - timestampField: - description: | - The timestamp field used in the source indice. - example: timestamp - type: string - total: - description: | - An object defining the "total" events - type: object - properties: - aggregation: - description: The type of aggregation to use. - enum: - - value_count - - range - example: value_count - type: string - field: - description: The field use to aggregate the good events. - example: processor.latency - type: string - filter: - description: The filter for total events. - example: 'processor.outcome : *' - type: string - from: - description: >- - The starting value of the range. Only required for "range" - aggregations. - example: 0 - type: number - to: - description: >- - The ending value of the range. Only required for "range" - aggregations. - example: 100 - type: number - required: - - aggregation - - field - required: - - index - - timestampField - - good - - total - type: - description: The type of indicator. - example: sli.histogram.custom - type: string - required: - - type - - params - title: Histogram indicator - SLOs_indicator_properties_timeslice_metric: - description: Defines properties for a timeslice metric indicator type - type: object - properties: - params: - description: An object containing the indicator parameters. - nullable: false - type: object - properties: - dataViewId: - description: >- - The kibana data view id to use, primarily used to include data - view runtime mappings. Make sure to save SLO again if you - add/update run time fields to the data view and if those fields - are being used in slo queries. - example: 03b80ab3-003d-498b-881c-3beedbaf1162 - type: string - filter: - description: the KQL query to filter the documents with. - example: 'field.environment : "production" and service.name : "my-service"' - type: string - index: - description: The index or index pattern to use - example: my-service-* - type: string - metric: - description: > - An object defining the metrics, equation, and threshold to - determine if it's a good slice or not - type: object - properties: - comparator: - description: >- - The comparator to use to compare the equation to the - threshold. - enum: - - GT - - GTE - - LT - - LTE - example: GT - type: string - equation: - description: The equation to calculate the metric. - example: A - type: string - metrics: - description: >- - List of metrics with their name, aggregation type, and - field. - items: - anyOf: - - $ref: >- - #/components/schemas/SLOs_timeslice_metric_basic_metric_with_field - - $ref: >- - #/components/schemas/SLOs_timeslice_metric_percentile_metric - - $ref: >- - #/components/schemas/SLOs_timeslice_metric_doc_count_metric - type: array - threshold: - description: >- - The threshold used to determine if the metric is a good - slice or not. - example: 100 - type: number - required: - - metrics - - equation - - comparator - - threshold - timestampField: - description: | - The timestamp field used in the source indice. - example: timestamp - type: string - required: - - index - - timestampField - - metric - type: - description: The type of indicator. - example: sli.metric.timeslice - type: string - required: - - type - - params - title: Timeslice metric - SLOs_kql_with_filters: - description: Defines properties for a filter - oneOf: - - description: the KQL query to filter the documents with. - example: 'field.environment : "production" and service.name : "my-service"' - type: string - - type: object - properties: - filters: - items: - $ref: '#/components/schemas/SLOs_filter' - type: array - kqlQuery: - type: string - title: KQL with filters - SLOs_kql_with_filters_good: - description: The KQL query used to define the good events. - oneOf: - - description: the KQL query to filter the documents with. - example: 'request.latency <= 150 and request.status_code : "2xx"' - type: string - - type: object - properties: - filters: - items: - $ref: '#/components/schemas/SLOs_filter' - type: array - kqlQuery: - type: string - title: KQL query for good events - SLOs_kql_with_filters_total: - description: The KQL query used to define all events. - oneOf: - - description: the KQL query to filter the documents with. - example: 'field.environment : "production" and service.name : "my-service"' - type: string - - type: object - properties: - filters: - items: - $ref: '#/components/schemas/SLOs_filter' - type: array - kqlQuery: - type: string - title: KQL query for all events - SLOs_objective: - description: Defines properties for the SLO objective - type: object - properties: - target: - description: the target objective between 0 and 1 excluded - example: 0.99 - exclusiveMaximum: true - exclusiveMinimum: true - maximum: 100 - minimum: 0 - type: number - timesliceTarget: - description: >- - the target objective for each slice when using a timeslices - budgeting method - example: 0.995 - maximum: 100 - minimum: 0 - type: number - timesliceWindow: - description: >- - the duration of each slice when using a timeslices budgeting method, - as {duraton}{unit} - example: 5m - type: string - required: - - target - title: Objective - SLOs_settings: - description: Defines properties for SLO settings. - properties: - frequency: - default: 1m - description: 'Configure how often the transform runs, default 1m' - example: 5m - type: string - preventInitialBackfill: - default: false - description: Prevents the transform from backfilling data when it starts. - example: true - type: boolean - syncDelay: - default: 1m - description: The synch delay to apply to the transform. Default 1m - example: 5m - type: string - title: Settings - type: object - SLOs_slo_definition_response: - title: SLO definition response - type: object - properties: - budgetingMethod: - $ref: '#/components/schemas/SLOs_budgeting_method' - createdAt: - description: The creation date - example: '2023-01-12T10:03:19.000Z' - type: string - description: - description: The description of the SLO. - example: My SLO description - type: string - enabled: - description: Indicate if the SLO is enabled - example: true - type: boolean - groupBy: - $ref: '#/components/schemas/SLOs_group_by' - id: - description: The identifier of the SLO. - example: 8853df00-ae2e-11ed-90af-09bb6422b258 - type: string - indicator: - discriminator: - mapping: - sli.apm.transactionDuration: '#/components/schemas/SLOs_indicator_properties_apm_latency' - sli.apm.transactionErrorRate: '#/components/schemas/SLOs_indicator_properties_apm_availability' - sli.histogram.custom: '#/components/schemas/SLOs_indicator_properties_histogram' - sli.kql.custom: '#/components/schemas/SLOs_indicator_properties_custom_kql' - sli.metric.custom: '#/components/schemas/SLOs_indicator_properties_custom_metric' - sli.metric.timeslice: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' - propertyName: type - oneOf: - - $ref: '#/components/schemas/SLOs_indicator_properties_custom_kql' - - $ref: '#/components/schemas/SLOs_indicator_properties_apm_availability' - - $ref: '#/components/schemas/SLOs_indicator_properties_apm_latency' - - $ref: '#/components/schemas/SLOs_indicator_properties_custom_metric' - - $ref: '#/components/schemas/SLOs_indicator_properties_histogram' - - $ref: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' - name: - description: The name of the SLO. - example: My Service SLO - type: string - objective: - $ref: '#/components/schemas/SLOs_objective' - revision: - description: The SLO revision - example: 2 - type: number - settings: - $ref: '#/components/schemas/SLOs_settings' - tags: - description: List of tags - items: - type: string - type: array - timeWindow: - $ref: '#/components/schemas/SLOs_time_window' - updatedAt: - description: The last update date - example: '2023-01-12T10:03:19.000Z' - type: string - version: - description: The internal SLO version - example: 2 - type: number - required: - - id - - name - - description - - indicator - - timeWindow - - budgetingMethod - - objective - - settings - - revision - - enabled - - groupBy - - tags - - createdAt - - updatedAt - - version - SLOs_slo_with_summary_response: - title: SLO response - type: object - properties: - budgetingMethod: - $ref: '#/components/schemas/SLOs_budgeting_method' - createdAt: - description: The creation date - example: '2023-01-12T10:03:19.000Z' - type: string - description: - description: The description of the SLO. - example: My SLO description - type: string - enabled: - description: Indicate if the SLO is enabled - example: true - type: boolean - groupBy: - $ref: '#/components/schemas/SLOs_group_by' - id: - description: The identifier of the SLO. - example: 8853df00-ae2e-11ed-90af-09bb6422b258 - type: string - indicator: - discriminator: - mapping: - sli.apm.transactionDuration: '#/components/schemas/SLOs_indicator_properties_apm_latency' - sli.apm.transactionErrorRate: '#/components/schemas/SLOs_indicator_properties_apm_availability' - sli.histogram.custom: '#/components/schemas/SLOs_indicator_properties_histogram' - sli.kql.custom: '#/components/schemas/SLOs_indicator_properties_custom_kql' - sli.metric.custom: '#/components/schemas/SLOs_indicator_properties_custom_metric' - sli.metric.timeslice: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' - propertyName: type - oneOf: - - $ref: '#/components/schemas/SLOs_indicator_properties_custom_kql' - - $ref: '#/components/schemas/SLOs_indicator_properties_apm_availability' - - $ref: '#/components/schemas/SLOs_indicator_properties_apm_latency' - - $ref: '#/components/schemas/SLOs_indicator_properties_custom_metric' - - $ref: '#/components/schemas/SLOs_indicator_properties_histogram' - - $ref: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' - instanceId: - description: 'the value derived from the groupBy field, if present, otherwise ''*''' - example: host-abcde - type: string - name: - description: The name of the SLO. - example: My Service SLO - type: string - objective: - $ref: '#/components/schemas/SLOs_objective' - revision: - description: The SLO revision - example: 2 - type: number - settings: - $ref: '#/components/schemas/SLOs_settings' - summary: - $ref: '#/components/schemas/SLOs_summary' - tags: - description: List of tags - items: - type: string - type: array - timeWindow: - $ref: '#/components/schemas/SLOs_time_window' - updatedAt: - description: The last update date - example: '2023-01-12T10:03:19.000Z' - type: string - version: - description: The internal SLO version - example: 2 - type: number - required: - - id - - name - - description - - indicator - - timeWindow - - budgetingMethod - - objective - - settings - - revision - - summary - - enabled - - groupBy - - instanceId - - tags - - createdAt - - updatedAt - - version - SLOs_summary: - description: The SLO computed data - properties: - errorBudget: - $ref: '#/components/schemas/SLOs_error_budget' - sliValue: - example: 0.9836 - type: number - status: - $ref: '#/components/schemas/SLOs_summary_status' - required: - - status - - sliValue - - errorBudget - title: Summary - type: object - SLOs_summary_status: - enum: - - NO_DATA - - HEALTHY - - DEGRADING - - VIOLATED - example: HEALTHY - title: summary status - type: string - SLOs_time_window: - description: Defines properties for the SLO time window - type: object - properties: - duration: - description: >- - the duration formatted as {duration}{unit}. Accepted values for - rolling: 7d, 30d, 90d. Accepted values for calendar aligned: 1w - (weekly) or 1M (monthly) - example: 30d - type: string - type: - description: >- - Indicates weither the time window is a rolling or a calendar aligned - time window. - enum: - - rolling - - calendarAligned - example: rolling - type: string - required: - - duration - - type - title: Time window - SLOs_timeslice_metric_basic_metric_with_field: - type: object - properties: - aggregation: - description: The aggregation type of the metric. - enum: - - sum - - avg - - min - - max - - std_deviation - - last_value - - cardinality - example: sum - type: string - field: - description: The field of the metric. - example: processor.processed - type: string - filter: - description: The filter to apply to the metric. - example: 'processor.outcome: "success"' - type: string - name: - description: The name of the metric. Only valid options are A-Z - example: A - pattern: '^[A-Z]$' - type: string - required: - - name - - aggregation - - field - title: Timeslice Metric Basic Metric with Field - SLOs_timeslice_metric_doc_count_metric: - type: object - properties: - aggregation: - description: The aggregation type of the metric. Only valid option is "doc_count" - enum: - - doc_count - example: doc_count - type: string - filter: - description: The filter to apply to the metric. - example: 'processor.outcome: "success"' - type: string - name: - description: The name of the metric. Only valid options are A-Z - example: A - pattern: '^[A-Z]$' - type: string - required: - - name - - aggregation - title: Timeslice Metric Doc Count Metric - SLOs_timeslice_metric_percentile_metric: - type: object - properties: - aggregation: - description: >- - The aggregation type of the metric. Only valid option is - "percentile" - enum: - - percentile - example: percentile - type: string - field: - description: The field of the metric. - example: processor.processed - type: string - filter: - description: The filter to apply to the metric. - example: 'processor.outcome: "success"' - type: string - name: - description: The name of the metric. Only valid options are A-Z - example: A - pattern: '^[A-Z]$' - type: string - percentile: - description: The percentile value. - example: 95 - type: number - required: - - name - - aggregation - - field - - percentile - title: Timeslice Metric Percentile Metric - SLOs_update_slo_request: - description: > - The update SLO API request body varies depending on the type of - indicator, time window and budgeting method. Partial update is handled. - properties: - budgetingMethod: - $ref: '#/components/schemas/SLOs_budgeting_method' - description: - description: A description for the SLO. - type: string - groupBy: - $ref: '#/components/schemas/SLOs_group_by' - indicator: - oneOf: - - $ref: '#/components/schemas/SLOs_indicator_properties_custom_kql' - - $ref: '#/components/schemas/SLOs_indicator_properties_apm_availability' - - $ref: '#/components/schemas/SLOs_indicator_properties_apm_latency' - - $ref: '#/components/schemas/SLOs_indicator_properties_custom_metric' - - $ref: '#/components/schemas/SLOs_indicator_properties_histogram' - - $ref: '#/components/schemas/SLOs_indicator_properties_timeslice_metric' - name: - description: A name for the SLO. - type: string - objective: - $ref: '#/components/schemas/SLOs_objective' - settings: - $ref: '#/components/schemas/SLOs_settings' - tags: - description: List of tags - items: - type: string - type: array - timeWindow: - $ref: '#/components/schemas/SLOs_time_window' - title: Update SLO request - type: object - securitySchemes: - apiKeyAuth: - description: >- - You must create an API key and use the encoded value in the request - header. To learn about creating keys, go to [API - keys](https://www.elastic.co/docs/current/serverless/api-keys). - in: header - name: Authorization - type: apiKey -security: - - apiKeyAuth: [] -tags: - - name: alerting - - description: > - Configure APM agent keys to authorize requests from APM agents to the APM - Server. - name: APM agent keys - - description: > - Annotate visualizations in the APM app with significant events. - Annotations enable you to easily see how events are impacting the - performance of your applications. - name: APM annotations - - name: connectors - - name: Data streams - - description: >- - Data view APIs enable you to manage data views, formerly known as Kibana - index patterns. - name: data views - - name: Elastic Agent actions - - name: Elastic Agent binary download sources - - name: Elastic Agent policies - - name: Elastic Agent status - - name: Elastic Agents - - name: Elastic Package Manager (EPM) - - name: Fleet enrollment API keys - - name: Fleet internals - - name: Fleet Kubernetes - - name: Fleet outputs - - name: Fleet package policies - - name: Fleet proxies - - name: Fleet Server hosts - - name: Fleet service tokens - - name: Fleet uninstall tokens - - description: Machine learning - name: ml - - description: > - Export sets of saved objects that you want to import into {kib}, resolve - import errors, and rotate an encryption key for encrypted saved objects - with the saved objects APIs. - - - To manage a specific type of saved object, use the corresponding APIs. - - For example, use: - - - [Data views](../group/endpoint-data-views) - - - Warning: Do not write documents directly to the `.kibana` index. When you - write directly to the `.kibana` index, the data becomes corrupted and - permanently breaks future Kibana versions. - name: saved objects - x-displayName: Saved objects - - description: Manage and interact with Security Assistant resources. - name: Security AI Assistant API - x-displayName: Security AI assistant - - description: >- - You can create rules that automatically turn events and external alerts - sent to Elastic Security into detection alerts. These alerts are displayed - on the Detections page. - name: Security Detections API - x-displayName: Security detections - - description: >- - Endpoint Exceptions API allows you to manage detection rule endpoint - exceptions to prevent a rule from generating an alert from incoming events - even when the rule's other criteria are met. - name: Security Endpoint Exceptions API - x-displayName: Security endpoint exceptions - - description: Interact with and manage endpoints running the Elastic Defend integration. - name: Security Endpoint Management API - x-displayName: Security endpoint management - - description: '' - name: Security Entity Analytics API - x-displayName: Security entity analytics - - description: >- - Exceptions API allows you to manage detection rule exceptions to prevent a - rule from generating an alert from incoming events even when the rule's - other criteria are met. - name: Security Exceptions API - x-displayName: Security exceptions - - description: 'Lists API allows you to manage lists of keywords, IPs or IP ranges items.' - name: Security Lists API - x-displayName: Security lists - - description: 'Run live queries, manage packs and saved queries.' - name: Security Osquery API - x-displayName: Security Osquery - - description: >- - You can create Timelines and Timeline templates via the API, as well as - import new Timelines from an ndjson file. - name: Security Timeline API - x-displayName: Security timeline - - description: 'SLO APIs enable you to define, manage and track service-level objectives' - name: slo - - name: spaces - - name: system diff --git a/oas_docs/output/kibana.yaml b/oas_docs/output/kibana.yaml index 231f6b146f602..3fe73a417aae1 100644 --- a/oas_docs/output/kibana.yaml +++ b/oas_docs/output/kibana.yaml @@ -20201,12 +20201,18 @@ paths: enum: - '2023-10-31' type: string - - in: query + - description: >- + If `true` and the response contains any privileges that are + associated with deprecated features, they are omitted in favor of + details about the appropriate replacement feature privileges. + in: query name: replaceDeprecatedPrivileges required: false schema: type: boolean - responses: {} + responses: + '200': + description: Indicates a successful call. summary: Get all roles tags: - roles @@ -20235,7 +20241,9 @@ paths: schema: minLength: 1 type: string - responses: {} + responses: + '204': + description: Indicates a successful call. summary: Delete a role tags: - roles @@ -20250,22 +20258,32 @@ paths: enum: - '2023-10-31' type: string - - in: path + - description: The role name. + in: path name: name required: true schema: minLength: 1 type: string - - in: query + - description: >- + If `true` and the response contains any privileges that are + associated with deprecated features, they are omitted in favor of + details about the appropriate replacement feature privileges. + in: query name: replaceDeprecatedPrivileges required: false schema: type: boolean - responses: {} + responses: + '200': + description: Indicates a successful call. summary: Get a role tags: - roles put: + description: >- + Create a new Kibana role or update the attributes of an existing role. + Kibana roles are stored in the Elasticsearch native realm. operationId: '%2Fapi%2Fsecurity%2Frole%2F%7Bname%7D#2' parameters: - description: The version of the API to use @@ -20283,14 +20301,16 @@ paths: schema: example: 'true' type: string - - in: path + - description: The role name. + in: path name: name required: true schema: maxLength: 1024 minLength: 1 type: string - - in: query + - description: 'When true, a role is not overwritten if it already exists.' + in: query name: createOnly required: false schema: @@ -20304,6 +20324,7 @@ paths: type: object properties: description: + description: A description for the role. maxLength: 2048 type: string elasticsearch: @@ -20312,6 +20333,9 @@ paths: properties: cluster: items: + description: >- + Cluster privileges that define the cluster level + actions that users can perform. type: string type: array indices: @@ -20320,24 +20344,55 @@ paths: type: object properties: allow_restricted_indices: + description: >- + Restricted indices are a special category of + indices that are used internally to store + configuration data and should not be directly + accessed. Only internal system roles should + normally grant privileges over the restricted + indices. Toggling this flag is very strongly + discouraged because it could effectively grant + unrestricted operations on critical data, making + the entire system unstable or leaking sensitive + information. If for administrative purposes you + need to create a role with privileges covering + restricted indices, however, you can set this + property to true. In that case, the names field + covers the restricted indices too. type: boolean field_security: additionalProperties: items: + description: >- + The document fields that the role members have + read access to. type: string type: array type: object names: items: + description: >- + The data streams, indices, and aliases to which + the permissions in this entry apply. It supports + wildcards (*). type: string minItems: 1 type: array privileges: items: + description: >- + The index level privileges that the role members + have for the data streams and indices. type: string minItems: 1 type: array query: + description: >- + A search query that defines the documents the role + members have read access to. A document within the + specified data streams and indices must match this + query in order for it to be accessible by the role + members. type: string required: - names @@ -20350,11 +20405,19 @@ paths: properties: clusters: items: + description: >- + A list of remote cluster aliases. It supports + literal strings as well as wildcards and regular + expressions. type: string minItems: 1 type: array privileges: items: + description: >- + The cluster level privileges for the remote + cluster. The allowed values are a subset of the + cluster privileges. type: string minItems: 1 type: array @@ -20368,29 +20431,64 @@ paths: type: object properties: allow_restricted_indices: + description: >- + Restricted indices are a special category of + indices that are used internally to store + configuration data and should not be directly + accessed. Only internal system roles should + normally grant privileges over the restricted + indices. Toggling this flag is very strongly + discouraged because it could effectively grant + unrestricted operations on critical data, making + the entire system unstable or leaking sensitive + information. If for administrative purposes you + need to create a role with privileges covering + restricted indices, however, you can set this + property to true. In that case, the names field + will cover the restricted indices too. type: boolean clusters: items: + description: >- + A list of remote cluster aliases. It supports + literal strings as well as wildcards and regular + expressions. type: string minItems: 1 type: array field_security: additionalProperties: items: + description: >- + The document fields that the role members have + read access to. type: string type: array type: object names: items: + description: >- + A list of remote aliases, data streams, or + indices to which the permissions apply. It + supports wildcards (*). type: string minItems: 1 type: array privileges: items: + description: >- + The index level privileges that role members + have for the specified indices. type: string minItems: 1 type: array query: + description: >- + A search query that defines the documents the role + members have read access to. A document within the + specified data streams and indices must match this + query in order for it to be accessible by the role + members. type: string required: - clusters @@ -20399,6 +20497,7 @@ paths: type: array run_as: items: + description: A user name that the role member can impersonate. type: string type: array kibana: @@ -20417,14 +20516,23 @@ paths: nullable: true oneOf: - items: + description: >- + A base privilege that grants applies to all + spaces. type: string type: array - items: + description: >- + A base privilege that applies to specific + spaces. type: string type: array feature: additionalProperties: items: + description: >- + The privileges that the role member has for the + feature. type: string type: array type: object @@ -20438,6 +20546,7 @@ paths: minItems: 1 type: array - items: + description: A space that the privilege applies to. type: string type: array default: @@ -20450,7 +20559,9 @@ paths: type: object required: - elasticsearch - responses: {} + responses: + '204': + description: Indicates a successful call. summary: Create or update a role tags: - roles @@ -20486,6 +20597,7 @@ paths: type: object properties: description: + description: A description for the role. maxLength: 2048 type: string elasticsearch: @@ -20494,6 +20606,9 @@ paths: properties: cluster: items: + description: >- + Cluster privileges that define the cluster level + actions that users can perform. type: string type: array indices: @@ -20502,24 +20617,58 @@ paths: type: object properties: allow_restricted_indices: + description: >- + Restricted indices are a special category of + indices that are used internally to store + configuration data and should not be + directly accessed. Only internal system + roles should normally grant privileges over + the restricted indices. Toggling this flag + is very strongly discouraged because it + could effectively grant unrestricted + operations on critical data, making the + entire system unstable or leaking sensitive + information. If for administrative purposes + you need to create a role with privileges + covering restricted indices, however, you + can set this property to true. In that case, + the names field covers the restricted + indices too. type: boolean field_security: additionalProperties: items: + description: >- + The document fields that the role + members have read access to. type: string type: array type: object names: items: + description: >- + The data streams, indices, and aliases to + which the permissions in this entry apply. + It supports wildcards (*). type: string minItems: 1 type: array privileges: items: + description: >- + The index level privileges that the role + members have for the data streams and + indices. type: string minItems: 1 type: array query: + description: >- + A search query that defines the documents + the role members have read access to. A + document within the specified data streams + and indices must match this query in order + for it to be accessible by the role members. type: string required: - names @@ -20532,11 +20681,19 @@ paths: properties: clusters: items: + description: >- + A list of remote cluster aliases. It + supports literal strings as well as + wildcards and regular expressions. type: string minItems: 1 type: array privileges: items: + description: >- + The cluster level privileges for the + remote cluster. The allowed values are a + subset of the cluster privileges. type: string minItems: 1 type: array @@ -20550,29 +20707,67 @@ paths: type: object properties: allow_restricted_indices: + description: >- + Restricted indices are a special category of + indices that are used internally to store + configuration data and should not be + directly accessed. Only internal system + roles should normally grant privileges over + the restricted indices. Toggling this flag + is very strongly discouraged because it + could effectively grant unrestricted + operations on critical data, making the + entire system unstable or leaking sensitive + information. If for administrative purposes + you need to create a role with privileges + covering restricted indices, however, you + can set this property to true. In that case, + the names field will cover the restricted + indices too. type: boolean clusters: items: + description: >- + A list of remote cluster aliases. It + supports literal strings as well as + wildcards and regular expressions. type: string minItems: 1 type: array field_security: additionalProperties: items: + description: >- + The document fields that the role + members have read access to. type: string type: array type: object names: items: + description: >- + A list of remote aliases, data streams, or + indices to which the permissions apply. It + supports wildcards (*). type: string minItems: 1 type: array privileges: items: + description: >- + The index level privileges that role + members have for the specified indices. type: string minItems: 1 type: array query: + description: >- + A search query that defines the documents + the role members have read access to. A + document within the specified data streams + and indices must match this query in order + for it to be accessible by the role + members. type: string required: - clusters @@ -20581,6 +20776,9 @@ paths: type: array run_as: items: + description: >- + A user name that the role member can + impersonate. type: string type: array kibana: @@ -20599,14 +20797,23 @@ paths: nullable: true oneOf: - items: + description: >- + A base privilege that grants applies to + all spaces. type: string type: array - items: + description: >- + A base privilege that applies to specific + spaces. type: string type: array feature: additionalProperties: items: + description: >- + The privileges that the role member has for + the feature. type: string type: array type: object @@ -20620,6 +20827,7 @@ paths: minItems: 1 type: array - items: + description: A space that the privilege applies to. type: string type: array default: @@ -20635,7 +20843,9 @@ paths: type: object required: - roles - responses: {} + responses: + '200': + description: Indicates a successful call. summary: Create or update roles tags: - roles diff --git a/oas_docs/overlays/kibana.overlays.serverless.yaml b/oas_docs/overlays/kibana.overlays.serverless.yaml index 64040383ae38c..f1f6dbb8f51d2 100644 --- a/oas_docs/overlays/kibana.overlays.serverless.yaml +++ b/oas_docs/overlays/kibana.overlays.serverless.yaml @@ -30,7 +30,7 @@ actions: Actions typically involve the use of connectors to interact with Kibana services or third party integrations. externalDocs: description: Alerting documentation - url: https://www.elastic.co/docs/current/serverless/rules + url: https://www.elastic.co/docs/8.x/serverless/rules x-displayName: "Alerting" - target: '$.tags[?(@.name=="connectors")]' description: Change tag description and displayName @@ -40,7 +40,7 @@ actions: Alerting rules can use connectors to run actions when rule conditions are met. externalDocs: description: Connector documentation - url: https://www.elastic.co/docs/current/serverless/action-connectors + url: https://www.elastic.co/docs/8.x/serverless/action-connectors x-displayName: "Connectors" - target: '$.tags[?(@.name=="data views")]' description: Change displayName diff --git a/oas_docs/overlays/kibana.overlays.yaml b/oas_docs/overlays/kibana.overlays.yaml index 4a21c029ef80a..dbcbfe153d2d8 100644 --- a/oas_docs/overlays/kibana.overlays.yaml +++ b/oas_docs/overlays/kibana.overlays.yaml @@ -23,7 +23,7 @@ actions: If you use the Kibana console to send API requests, it automatically adds the appropriate space identifier. - To learn more, check out [Spaces](https://www.elastic.co/guide/en/kibana/master/xpack-spaces.html). + To learn more, check out [Spaces](https://www.elastic.co/guide/en/kibana/8.x/xpack-spaces.html). # Add some tag descriptions and displayNames - target: '$.tags[?(@.name=="alerting")]' description: Change tag description and displayName @@ -34,7 +34,7 @@ actions: Actions typically involve the use of connectors to interact with Kibana services or third party integrations. externalDocs: description: Alerting documentation - url: https://www.elastic.co/guide/en/kibana/master/alerting-getting-started.html + url: https://www.elastic.co/guide/en/kibana/8.x/alerting-getting-started.html x-displayName: "Alerting" - target: '$.tags[?(@.name=="cases")]' description: Change tag description and displayName @@ -45,7 +45,7 @@ actions: You can also send cases to external incident management systems by configuring connectors. externalDocs: description: Cases documentation - url: https://www.elastic.co/guide/en/kibana/master/cases.html + url: https://www.elastic.co/guide/en/kibana/8.x/cases.html x-displayName: "Cases" - target: '$.tags[?(@.name=="connectors")]' description: Change tag description and displayName @@ -55,7 +55,7 @@ actions: Alerting rules can use connectors to run actions when rule conditions are met. externalDocs: description: Connector documentation - url: https://www.elastic.co/guide/en/kibana/current/action-types.html + url: https://www.elastic.co/guide/en/kibana/8.x/action-types.html x-displayName: "Connectors" - target: '$.tags[?(@.name=="data views")]' description: Change displayName @@ -72,7 +72,7 @@ actions: description: Manage the roles that grant Elasticsearch and Kibana privileges. externalDocs: description: Kibana role management - url: https://www.elastic.co/guide/en/kibana/master/kibana-role-management.html + url: https://www.elastic.co/guide/en/kibana/8.x/kibana-role-management.html - target: '$.tags[?(@.name=="slo")]' description: Change displayName update: @@ -83,7 +83,7 @@ actions: x-displayName: "Spaces" description: Manage your Kibana spaces. externalDocs: - url: https://www.elastic.co/guide/en/kibana/master/xpack-spaces.html + url: https://www.elastic.co/guide/en/kibana/8.x/xpack-spaces.html description: Space overview - target: '$.tags[?(@.name=="system")]' description: Change displayName and description @@ -164,4 +164,39 @@ actions: application/json; Elastic-Api-Version=2023-10-31: examples: updateObjectSpacesResponseExample1: - $ref: "../examples/update_saved_objects_spaces_response1.yaml" \ No newline at end of file + $ref: "../examples/update_saved_objects_spaces_response1.yaml" + - target: "$.paths['/api/security/role/{name}']['put']" + description: "Add examples to create role API" + update: + requestBody: + content: + application/json; Elastic-Api-Version=2023-10-31: + examples: + createRoleRequest1: + $ref: "../examples/create_role_request1.yaml" + createRoleRequest2: + $ref: "../examples/create_role_request2.yaml" + createRoleRequest3: + $ref: "../examples/create_role_request3.yaml" + createRoleRequest4: + $ref: "../examples/create_role_request4.yaml" + - target: "$.paths['/api/security/role/{name}']['get']" + description: "Add example to get role API" + update: + responses: + 200: + content: + application/json; Elastic-Api-Version=2023-10-31: + examples: + getRoleResponse1: + $ref: '../examples/get_role_response1.yaml' + - target: "$.paths['/api/security/role']['get']" + description: "Add example to get roles API" + update: + responses: + 200: + content: + application/json; Elastic-Api-Version=2023-10-31: + examples: + getRolesResponse1: + $ref: '../examples/get_roles_response1.yaml' diff --git a/x-pack/packages/security/plugin_types_server/src/authorization/role_schema.ts b/x-pack/packages/security/plugin_types_server/src/authorization/role_schema.ts index 3d673fa25dc5f..6a10b3a4ee2ad 100644 --- a/x-pack/packages/security/plugin_types_server/src/authorization/role_schema.ts +++ b/x-pack/packages/security/plugin_types_server/src/authorization/role_schema.ts @@ -20,8 +20,16 @@ export const elasticsearchRoleSchema = schema.object({ * An optional list of cluster privileges. These privileges define the cluster level actions that * users with this role are able to execute */ - cluster: schema.maybe(schema.arrayOf(schema.string())), - + cluster: schema.maybe( + schema.arrayOf( + schema.string({ + meta: { + description: + 'Cluster privileges that define the cluster level actions that users can perform.', + }, + }) + ) + ), /** * An optional list of remote cluster privileges. These privileges define the remote cluster level actions that * users with this role are able to execute @@ -29,8 +37,24 @@ export const elasticsearchRoleSchema = schema.object({ remote_cluster: schema.maybe( schema.arrayOf( schema.object({ - privileges: schema.arrayOf(schema.string(), { minSize: 1 }), - clusters: schema.arrayOf(schema.string(), { minSize: 1 }), + privileges: schema.arrayOf( + schema.string({ + meta: { + description: + 'The cluster level privileges for the remote cluster. The allowed values are a subset of the cluster privileges.', + }, + }), + { minSize: 1 } + ), + clusters: schema.arrayOf( + schema.string({ + meta: { + description: + 'A list of remote cluster aliases. It supports literal strings as well as wildcards and regular expressions.', + }, + }), + { minSize: 1 } + ), }) ) ), @@ -45,7 +69,15 @@ export const elasticsearchRoleSchema = schema.object({ * Required list of indices (or index name patterns) to which the permissions in this * entry apply. */ - names: schema.arrayOf(schema.string(), { minSize: 1 }), + names: schema.arrayOf( + schema.string({ + meta: { + description: + 'The data streams, indices, and aliases to which the permissions in this entry apply. It supports wildcards (*).', + }, + }), + { minSize: 1 } + ), /** * An optional set of the document fields that the owners of the role have read access to. @@ -53,7 +85,13 @@ export const elasticsearchRoleSchema = schema.object({ field_security: schema.maybe( schema.recordOf( schema.oneOf([schema.literal('grant'), schema.literal('except')]), - schema.arrayOf(schema.string()) + schema.arrayOf( + schema.string({ + meta: { + description: 'The document fields that the role members have read access to.', + }, + }) + ) ) ), @@ -61,20 +99,42 @@ export const elasticsearchRoleSchema = schema.object({ * Required list of the index level privileges that the owners of the role have on the * specified indices. */ - privileges: schema.arrayOf(schema.string(), { minSize: 1 }), + privileges: schema.arrayOf( + schema.string({ + meta: { + description: + 'The index level privileges that the role members have for the data streams and indices.', + }, + }), + { minSize: 1 } + ), /** * An optional search query that defines the documents the owners of the role have read access * to. A document within the specified indices must match this query in order for it to be * accessible by the owners of the role. */ - query: schema.maybe(schema.string()), + query: schema.maybe( + schema.string({ + meta: { + description: + 'A search query that defines the documents the role members have read access to. A document within the specified data streams and indices must match this query in order for it to be accessible by the role members.', + }, + }) + ), /** * An optional flag used to indicate if index pattern wildcards or regexps should cover * restricted indices. */ - allow_restricted_indices: schema.maybe(schema.boolean()), + allow_restricted_indices: schema.maybe( + schema.boolean({ + meta: { + description: + 'Restricted indices are a special category of indices that are used internally to store configuration data and should not be directly accessed. Only internal system roles should normally grant privileges over the restricted indices. Toggling this flag is very strongly discouraged because it could effectively grant unrestricted operations on critical data, making the entire system unstable or leaking sensitive information. If for administrative purposes you need to create a role with privileges covering restricted indices, however, you can set this property to true. In that case, the names field covers the restricted indices too.', + }, + }) + ), }) ) ), @@ -88,13 +148,29 @@ export const elasticsearchRoleSchema = schema.object({ /** * Required list of remote clusters to which the permissions in this entry apply. */ - clusters: schema.arrayOf(schema.string(), { minSize: 1 }), + clusters: schema.arrayOf( + schema.string({ + meta: { + description: + 'A list of remote cluster aliases. It supports literal strings as well as wildcards and regular expressions.', + }, + }), + { minSize: 1 } + ), /** * Required list of remote indices (or index name patterns) to which the permissions in this * entry apply. */ - names: schema.arrayOf(schema.string(), { minSize: 1 }), + names: schema.arrayOf( + schema.string({ + meta: { + description: + 'A list of remote aliases, data streams, or indices to which the permissions apply. It supports wildcards (*).', + }, + }), + { minSize: 1 } + ), /** * An optional set of the document fields that the owners of the role have read access to. @@ -102,7 +178,13 @@ export const elasticsearchRoleSchema = schema.object({ field_security: schema.maybe( schema.recordOf( schema.oneOf([schema.literal('grant'), schema.literal('except')]), - schema.arrayOf(schema.string()) + schema.arrayOf( + schema.string({ + meta: { + description: 'The document fields that the role members have read access to.', + }, + }) + ) ) ), @@ -110,20 +192,42 @@ export const elasticsearchRoleSchema = schema.object({ * Required list of the index level privileges that the owners of the role have on the * specified indices. */ - privileges: schema.arrayOf(schema.string(), { minSize: 1 }), + privileges: schema.arrayOf( + schema.string({ + meta: { + description: + 'The index level privileges that role members have for the specified indices.', + }, + }), + { minSize: 1 } + ), /** * An optional search query that defines the documents the owners of the role have read access * to. A document within the specified indices must match this query in order for it to be * accessible by the owners of the role. */ - query: schema.maybe(schema.string()), + query: schema.maybe( + schema.string({ + meta: { + description: + 'A search query that defines the documents the role members have read access to. A document within the specified data streams and indices must match this query in order for it to be accessible by the role members. ', + }, + }) + ), /** * An optional flag used to indicate if index pattern wildcards or regexps should cover * restricted indices. */ - allow_restricted_indices: schema.maybe(schema.boolean()), + allow_restricted_indices: schema.maybe( + schema.boolean({ + meta: { + description: + 'Restricted indices are a special category of indices that are used internally to store configuration data and should not be directly accessed. Only internal system roles should normally grant privileges over the restricted indices. Toggling this flag is very strongly discouraged because it could effectively grant unrestricted operations on critical data, making the entire system unstable or leaking sensitive information. If for administrative purposes you need to create a role with privileges covering restricted indices, however, you can set this property to true. In that case, the names field will cover the restricted indices too.', + }, + }) + ), }) ) ), @@ -131,7 +235,13 @@ export const elasticsearchRoleSchema = schema.object({ /** * An optional list of users that the owners of this role can impersonate. */ - run_as: schema.maybe(schema.arrayOf(schema.string())), + run_as: schema.maybe( + schema.arrayOf( + schema.string({ + meta: { description: 'A user name that the role member can impersonate.' }, + }) + ) + ), }); const allSpacesSchema = schema.arrayOf(schema.literal(GLOBAL_RESOURCE), { @@ -147,6 +257,7 @@ const spacesSchema = schema.oneOf( allSpacesSchema, schema.arrayOf( schema.string({ + meta: { description: 'A space that the privilege applies to.' }, validate(value) { if (!/^[a-z0-9_-]+$/.test(value)) { return `must be lower case, a-z, 0-9, '_', and '-' are allowed`; @@ -188,6 +299,7 @@ export const getKibanaRoleSchema = ( allSpacesSchema, schema.arrayOf( schema.string({ + meta: { description: 'A base privilege that grants applies to all spaces.' }, validate(value) { const globalPrivileges = getBasePrivilegeNames().global; if (!globalPrivileges.some((privilege) => privilege === value)) { @@ -198,6 +310,7 @@ export const getKibanaRoleSchema = ( ), schema.arrayOf( schema.string({ + meta: { description: 'A base privilege that applies to specific spaces.' }, validate(value) { const spacePrivileges = getBasePrivilegeNames().space; if (!spacePrivileges.some((privilege) => privilege === value)) { @@ -218,6 +331,7 @@ export const getKibanaRoleSchema = ( feature: schema.maybe( schema.recordOf( schema.string({ + meta: { description: 'The name of a feature.' }, validate(value) { if (!FEATURE_NAME_VALUE_REGEX.test(value)) { return `only a-z, A-Z, 0-9, '_', and '-' are allowed`; @@ -226,6 +340,7 @@ export const getKibanaRoleSchema = ( }), schema.arrayOf( schema.string({ + meta: { description: 'The privileges that the role member has for the feature.' }, validate(value) { if (!FEATURE_NAME_VALUE_REGEX.test(value)) { return `only a-z, A-Z, 0-9, '_', and '-' are allowed`; diff --git a/x-pack/plugins/security/server/routes/authorization/roles/delete.ts b/x-pack/plugins/security/server/routes/authorization/roles/delete.ts index fe7c97b32d27b..07f314da4232b 100644 --- a/x-pack/plugins/security/server/routes/authorization/roles/delete.ts +++ b/x-pack/plugins/security/server/routes/authorization/roles/delete.ts @@ -29,6 +29,11 @@ export function defineDeleteRolesRoutes({ router }: RouteDefinitionParams) { request: { params: schema.object({ name: schema.string({ minLength: 1 }) }), }, + response: { + 204: { + description: 'Indicates a successful call.', + }, + }, }, }, createLicensedRouteHandler(async (context, request, response) => { diff --git a/x-pack/plugins/security/server/routes/authorization/roles/get.ts b/x-pack/plugins/security/server/routes/authorization/roles/get.ts index 4159dd7ac62dc..63bfa38b76221 100644 --- a/x-pack/plugins/security/server/routes/authorization/roles/get.ts +++ b/x-pack/plugins/security/server/routes/authorization/roles/get.ts @@ -34,11 +34,30 @@ export function defineGetRolesRoutes({ version: API_VERSIONS.roles.public.v1, validate: { request: { - params: schema.object({ name: schema.string({ minLength: 1 }) }), + params: schema.object({ + name: schema.string({ + minLength: 1, + meta: { description: 'The role name.' }, + }), + }), query: schema.maybe( - schema.object({ replaceDeprecatedPrivileges: schema.maybe(schema.boolean()) }) + schema.object({ + replaceDeprecatedPrivileges: schema.maybe( + schema.boolean({ + meta: { + description: + 'If `true` and the response contains any privileges that are associated with deprecated features, they are omitted in favor of details about the appropriate replacement feature privileges.', + }, + }) + ), + }) ), }, + response: { + 200: { + description: 'Indicates a successful call.', + }, + }, }, }, createLicensedRouteHandler(async (context, request, response) => { diff --git a/x-pack/plugins/security/server/routes/authorization/roles/get_all.ts b/x-pack/plugins/security/server/routes/authorization/roles/get_all.ts index 69acdc24a317c..ef4a008ecb708 100644 --- a/x-pack/plugins/security/server/routes/authorization/roles/get_all.ts +++ b/x-pack/plugins/security/server/routes/authorization/roles/get_all.ts @@ -36,9 +36,23 @@ export function defineGetAllRolesRoutes({ validate: { request: { query: schema.maybe( - schema.object({ replaceDeprecatedPrivileges: schema.maybe(schema.boolean()) }) + schema.object({ + replaceDeprecatedPrivileges: schema.maybe( + schema.boolean({ + meta: { + description: + 'If `true` and the response contains any privileges that are associated with deprecated features, they are omitted in favor of details about the appropriate replacement feature privileges.', + }, + }) + ), + }) ), }, + response: { + 200: { + description: 'Indicates a successful call.', + }, + }, }, }, createLicensedRouteHandler(async (context, request, response) => { diff --git a/x-pack/plugins/security/server/routes/authorization/roles/model/put_payload.ts b/x-pack/plugins/security/server/routes/authorization/roles/model/put_payload.ts index 52c8178a651a7..4022098b9fd56 100644 --- a/x-pack/plugins/security/server/routes/authorization/roles/model/put_payload.ts +++ b/x-pack/plugins/security/server/routes/authorization/roles/model/put_payload.ts @@ -53,13 +53,28 @@ export function getPutPayloadSchema( /** * Optional text to describe the Role */ - description: schema.maybe(schema.string({ maxLength: 2048 })), + description: schema.maybe( + schema.string({ + maxLength: 2048, + meta: { description: 'A description for the role.' }, + }) + ), /** * An optional meta-data dictionary. Within the metadata, keys that begin with _ are reserved * for system usage. */ - metadata: schema.maybe(schema.recordOf(schema.string(), schema.any())), + metadata: schema.maybe( + schema.recordOf( + schema.string({ + meta: { + description: + 'A metadata dictionary. Keys that begin with `_` are reserved for system usage.', + }, + }), + schema.any() + ) + ), /** * Elasticsearch specific portion of the role definition. diff --git a/x-pack/plugins/security/server/routes/authorization/roles/post.ts b/x-pack/plugins/security/server/routes/authorization/roles/post.ts index 0fe918ee5cc3e..949553e960c9b 100644 --- a/x-pack/plugins/security/server/routes/authorization/roles/post.ts +++ b/x-pack/plugins/security/server/routes/authorization/roles/post.ts @@ -62,6 +62,11 @@ export function defineBulkCreateOrUpdateRolesRoutes({ }; }), }, + response: { + 200: { + description: 'Indicates a successful call.', + }, + }, }, }, createLicensedRouteHandler(async (context, request, response) => { diff --git a/x-pack/plugins/security/server/routes/authorization/roles/put.ts b/x-pack/plugins/security/server/routes/authorization/roles/put.ts index 16e2ab819e781..268c84ff7420e 100644 --- a/x-pack/plugins/security/server/routes/authorization/roles/put.ts +++ b/x-pack/plugins/security/server/routes/authorization/roles/put.ts @@ -26,6 +26,8 @@ export function definePutRolesRoutes({ path: '/api/security/role/{name}', access: 'public', summary: `Create or update a role`, + description: + 'Create a new Kibana role or update the attributes of an existing role. Kibana roles are stored in the Elasticsearch native realm.', options: { tags: ['oas-tag:roles'], }, @@ -35,8 +37,19 @@ export function definePutRolesRoutes({ version: API_VERSIONS.roles.public.v1, validate: { request: { - params: schema.object({ name: schema.string({ minLength: 1, maxLength: 1024 }) }), - query: schema.object({ createOnly: schema.boolean({ defaultValue: false }) }), + params: schema.object({ + name: schema.string({ + minLength: 1, + maxLength: 1024, + meta: { description: 'The role name.' }, + }), + }), + query: schema.object({ + createOnly: schema.boolean({ + defaultValue: false, + meta: { description: 'When true, a role is not overwritten if it already exists.' }, + }), + }), body: getPutPayloadSchema(() => { const privileges = authz.privileges.get(); return { @@ -45,6 +58,11 @@ export function definePutRolesRoutes({ }; }), }, + response: { + 204: { + description: 'Indicates a successful call.', + }, + }, }, }, createLicensedRouteHandler(async (context, request, response) => {