Elastic Kibana 7 - Security
Elastic Kibana v7

This connector is for Elastic Security, both on-premises and Elastic Cloud, versions starting with 7.9.0. The primary focus is on the Elastic Security feature of Kibana, but the connector also uses additional Kibana APIs.

## Prerequisites

This connector has only been tested using Elasticsearch & Kibana on-premises & Elastic Cloud 7.16.

Depending on how your organization has set up Elasticsearch/Kibana/etc., you need to make sure that the following requirements have been met:

- Create or know which Kibana space they will primarily use.
- Create a signal index. This index needs to be in the following format: `.siem-signals-<kibana space name>`. Using the default Kibana space, this would be `.siem-signals-default`.
- Create detection rule(s) or load Elastic's pre-packaged detection rules.

## Asset Setup

### Connecting to Elastic Cloud

In order to use this connector with Elastic Cloud, you must provide the following inputs in the configured asset:

- Host
- Port
- API Key

If you generated an API key from within the Elastic Cloud portal, you may need to run the following commands to generate the correct API key:

```
echo "qnq3bdbic0jqr3d1awxkmvbzd0m6cl9wqul6anhrww1vlvazdg5jzkuzuq==" | base64 -d
```

which will result in a value similar to the following:

```
bt7l0hsbjgwuild1pywc:r_vaizjxqymo-p3tnife3q%
```

Then take this value and encode it again:

```
echo -n "bt7l0hsbjgwuild1pywc:r_vaizjxqymo-p3tnife3q%" | base64
```

This will result in the correct API key.

### Connecting to On-Premises

In order to use this connector with an on-premises Elasticsearch and Kibana, you must provide the following inputs in the configured asset:

- Host
- Port
- Username
- Password

### Common Issues within the Asset

If you receive an error about the host, please remove any trailing slashes from the host string.

## Configurations

### API Key Authentication

Authenticates using an API key.

#### Configuration Parameters

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| url | A URL to the target host | string | required |
| authorization | API key | string | required |
| verify_ssl | Verify SSL certificate | boolean | optional |
| http_proxy | A proxy to route requests through | string | optional |

### HTTP Basic Authentication

Authenticates using username and password.

#### Configuration Parameters

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| url | A URL to the target host | string | required |
| username | Username | string | required |
| password | Password | string | required |
| verify_ssl | Verify SSL certificate | boolean | optional |
| http_proxy | A proxy to route requests through | string | optional |

## Actions

### Find Cases

Retrieves a paginated subset of cases.

Endpoint URL: `api/cases/_find`
Method: GET

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| page | number | optional | Parameter for Find Cases |
| perPage | number | optional | Parameter for Find Cases |
| sortField | string | optional | Parameter for Find Cases |
| sortOrder | string | optional | Parameter for Find Cases |
| tags | string | optional | Parameter for Find Cases |
| owner | string | optional | Parameter for Find Cases |
| status | string | optional | Status value |
| reporters | string | optional | Parameter for Find Cases |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| page | number | Output field page |
| per_page | number | Output field per_page |
| total | number | Output field total |
| cases | array | Output field cases |
| id | string | Unique identifier |
| version | string | Output field version |
| comments | array | Output field comments |
| file_name | string | Name of the resource |
| file | string | Output field file |
| totalComment | number | Output field totalComment |
| closed_at | object | Output field closed_at |
| closed_by | object | Output field closed_by |
| created_at | string | Output field created_at |
| created_by | object | Output field created_by |
| email | string | Output field email |
| full_name | string | Name of the resource |
| username | string | Name of the resource |
| external_service | object | Output field external_service |
| updated_at | string | Output field updated_at |
| updated_by | object | Output field updated_by |
| full_name | string | Name of the resource |
| email | string | Output field email |
| username | string | Name of the resource |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "date": "Mon, 23 Jan 2023 20:12:56 GMT",
      "content-type": "application/json; charset=utf-8",
      "transfer-encoding": "chunked",
      "connection": "keep-alive",
      "x-srv-trace": "v=1;t=d6ea1d0735c74352",
      "x-srv-span": "v=1;s=5a6153fa9cd5d837",
      "access-control-allow-origin": " ",
      "x-ratelimit-limit": "120",
      "x-ratelimit-remaining": "119",
      "x-ratelimit-reset": "1674493629",
      "etag": "W/\"a4-7ho0t/xlq3tufvitu2zvqqdiy+a\"",
      "vary": "Accept-Encoding",
      "content-encoding": "gzip"
    },
    "reason": "OK",
    "json_body": {
      "page": 1,
      "per_page": 5,
      "total": 2,
      "cases": [],
      "count_open_cases": 2,
      "count_closed_cases": 0
    }
  }
]
```

### Get Case

Returns the specified case.

Endpoint URL: `api/cases/{{case_id}}`
Method: GET

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| case_id | string | required | Unique identifier |
| includeComments | boolean | optional | Parameter for Get Case |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| id | string | Unique identifier |
| version | string | Output field version |
| comments | array | Output field comments |
| file_name | string | Name of the resource |
| file | string | Output field file |
| totalComment | number | Output field totalComment |
| closed_at | object | Output field closed_at |
| closed_by | object | Output field closed_by |
| created_at | string | Output field created_at |
| created_by | object | Output field created_by |
| email | string | Output field email |
| full_name | string | Name of the resource |
| username | string | Name of the resource |
| external_service | object | Output field external_service |
| updated_at | string | Output field updated_at |
| updated_by | object | Output field updated_by |
| full_name | string | Name of the resource |
| email | string | Output field email |
| username | string | Name of the resource |
| description | string | Output field description |
| title | string | Output field title |
| status | string | Status value |
| connector | object | Output field connector |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "date": "Tue, 24 Jan 2023 17:24:36 GMT",
      "content-type": "application/json; charset=utf-8",
      "transfer-encoding": "chunked",
      "connection": "keep-alive",
      "x-srv-trace": "v=1;t=142245b81cc02af4",
      "x-srv-span": "v=1;s=6778cda89a9eedb4",
      "access-control-allow-origin": " ",
      "x-ratelimit-limit": "120",
      "x-ratelimit-remaining": "119",
      "x-ratelimit-reset": "1674580310",
      "etag": "W/\"96-s/5iq2y1qqiinh5bwopc+chvdju\"",
      "vary": "Accept-Encoding",
      "content-encoding": "gzip"
    },
    "reason": "OK",
    "json_body": {
      "id": "a18b38a0-71b0-11ea-a0b2-c51ea50a58e2",
      "version": "wzk4ldfd",
      "comments": [],
      "totalComment": 0,
      "closed_at": null,
      "closed_by": null,
      "created_at": "2020-03-29T11:30:02.658Z",
      "created_by": {},
      "external_service": null,
      "updated_at": "2020-03-29T12:01:50.244Z",
      "updated_by": {},
      "description": "James Bond clicked on a highly suspicious email banner advertising cheap holiday...",
      "title": "This case will self-destruct in 5 seconds",
      "status": "open",
      "connector": {}
    }
  }
]
```

### Get All Case Activity

Returns all user activity for the specified case.

Endpoint URL: `api/cases/{{case_id}}/user_actions`
Method: GET

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| case_id | string | required | Unique identifier |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "date": "Tue, 24 Jan 2023 16:58:55 GMT",
      "content-type": "application/json; charset=utf-8",
      "transfer-encoding": "chunked",
      "connection": "keep-alive",
      "x-srv-trace": "v=1;t=456e25c3138d982b",
      "x-srv-span": "v=1;s=fb97ac49aee7fcdb",
      "access-control-allow-origin": " ",
      "x-ratelimit-limit": "120",
      "x-ratelimit-remaining": "119",
      "x-ratelimit-reset": "1674578940",
      "etag": "W/\"96-s/5iq2y1qqiinh5bwopc+chvdju\"",
      "vary": "Accept-Encoding",
      "content-encoding": "gzip"
    },
    "reason": "OK",
    "json_body": [
      {
        "action_field": ["description", "status", "tags", "title", "connector", "settings"],
        "action": "create",
        "action_at": "2020-04-02T15:25:19.088Z",
        "action_by": {
          "email": "ahunley@imf.usa.gov",
          "full_name": "Alan Hunley",
          "username": "ahunley"
        },
        "new_value": "{\"title\":\"This case will self-destruct in 5 seconds\",\"tags\":[\"phishing\",\"social engineering\"],\"description\":\"James Bond clicked on a highly suspicious email banner advertising cheap holidays for underpaid civil servants.\"},\"connector\":{\"id\":\"none\",\"name\":\"none\",\"type\":\".none\",\"fields\":null},\"settings\":{\"syncAlerts\":true}",
        "old_value": null,
        "action_id": "29ce6370-74f6-11ea-b83a-553aecdb28b6",
        "case_id": "293f1bc0-74f6-11ea-b83a-553aecdb28b6",
        "comment_id": null,
        "owner": "securitySolution"
      },
      {
        "action_field": ["comment"],
        "action": "create",
        "action_at": "2020-04-02T15:28:03.034Z",
        "action_by": {
          "email": "moneypenny@hms.gov.uk",
          "full_name": "Ms Moneypenny",
          "username": "moneypenny"
        },
        "new_value": "That is nothing - Ethan Hunt answered a targeted social media campaign promoting phishy pension schemes to IMF operatives.",
        "old_value": null,
        "action_id": "8b0d6870-74f6-11ea-b83a-553aecdb28b6",
        "case_id": "293f1bc0-74f6-11ea-b83a-553aecdb28b6",
        "comment_id": "8af6ac20-74f6-11ea-b83a-553aecdb28b6",
        "owner": "securitySolution"
      },
      {
        "action_field": ["comment"],
        "action": "update",
        "action_at": "2020-04-02T15:34:01.118Z",
        "action_by": {
          "email": "jbond@hms.gov.uk",
          "full_name": "James Bond",
          "username": "_007"
        },
        "new_value": "That is nothing - Ethan Hunt answered a targeted social media campaign promoting phishy pension schemes to IMF operatives. Even worse, he likes baked beans.",
        "old_value": "That is nothing - Ethan Hunt answered a targeted social media campaign promoting phishy pension schemes to IMF operatives.",
        "action_id": "60dafd50-74f7-11ea-b83a-553aecdb28b6",
        "case_id": "293f1bc0-74f6-11ea-b83a-553aecdb28b6",
        "comment_id": "8af6ac20-74f6-11ea-b83a-553aecdb28b6",
        "owner": "securitySolution"
      }
    ]
  }
]
```

### Get Case Configuration

Retrieves external connection details, such as the closure type and default connector for cases.

Endpoint URL: `/api/cases/configure`
Method: GET

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| owner | string | optional | Parameter for Get Case Configuration |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "date": "Tue, 24 Jan 2023 19:27:57 GMT",
      "content-type": "application/json; charset=utf-8",
      "content-length": "884",
      "connection": "keep-alive",
      "x-srv-trace": "v=1;t=bfa2495db98bca57",
      "x-srv-span": "v=1;s=273ea6f05af07f02",
      "access-control-allow-origin": " ",
      "x-ratelimit-limit": "120",
      "x-ratelimit-remaining": "119",
      "x-ratelimit-reset": "1674588466",
      "etag": "W/\"96-s/5iq2y1qqiinh5bwopc+chvdju\"",
      "vary": "Accept-Encoding"
    },
    "reason": "OK",
    "json_body": [
      {}
    ]
  }
]
```

### Find Connectors

Retrieves information about connectors.

Endpoint URL: `api/cases/configure/connectors/_find`
Method: GET

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "date": "Tue, 24 Jan 2023 17:07:23 GMT",
      "content-type": "application/json; charset=utf-8",
      "content-length": "292",
      "connection": "keep-alive",
      "x-srv-trace": "v=1;t=4ca005b418610af6",
      "x-srv-span": "v=1;s=7ffbe0153fe58eb3",
      "access-control-allow-origin": " ",
      "x-ratelimit-limit": "120",
      "x-ratelimit-remaining": "119",
      "x-ratelimit-reset": "1674579860",
      "etag": "W/\"96-s/5iq2y1qqiinh5bwopc+chvdju\"",
      "vary": "Accept-Encoding"
    },
    "reason": "OK",
    "json_body": [
      {}
    ]
  }
]
```

### Find Exception Containers

Retrieves a paginated subset of exception containers.

Endpoint URL: `api/exception_lists/_find`
Method: GET

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| page | number | optional | Parameter for Find Exception Containers |
| per_page | number | optional | Parameter for Find Exception Containers |
| sort_field | string | optional | Parameter for Find Exception Containers |
| sort_order | string | optional | Parameter for Find Exception Containers |
| cursor | string | optional | Parameter for Find Exception Containers |
| namespace_type | string | optional | Name of the resource |
| filter | string | optional | Parameter for Find Exception Containers |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | array | Response data |
| tags | array | Output field tags |
| file_name | string | Name of the resource |
| file | string | Output field file |
| created_at | string | Output field created_at |
| created_by | string | Output field created_by |
| description | string | Output field description |
| id | string | Unique identifier |
| list_id | string | Unique identifier |
| name | string | Name of the resource |
| namespace_type | string | Name of the resource |
| tags | array | Output field tags |
| tie_breaker_id | string | Unique identifier |
| type | string | Type of the resource |
| updated_at | string | Output field updated_at |
| updated_by | string | Output field updated_by |
| page | number | Output field page |
| per_page | number | Output field per_page |
| total | number | Output field total |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "date": "Mon, 23 Jan 2023 20:40:42 GMT",
      "content-type": "application/json; charset=utf-8",
      "transfer-encoding": "chunked",
      "connection": "keep-alive",
      "x-srv-trace": "v=1;t=c420c1994848cd92",
      "x-srv-span": "v=1;s=78883294484d23fb",
      "access-control-allow-origin": " ",
      "x-ratelimit-limit": "120",
      "x-ratelimit-remaining": "119",
      "x-ratelimit-reset": "1674506400",
      "etag": "W/\"96-s/5iq2y1qqiinh5bwopc+chvdju\"",
      "vary": "Accept-Encoding",
      "content-encoding": "gzip"
    },
    "reason": "OK",
    "json_body": {
      "data": [],
      "page": 1,
      "per_page": 2,
      "total": 6
    }
  }
]
```

### Find Exception Items

Retrieves a paginated subset of exception items in the specified container.

Endpoint URL: `api/exception_lists/items/_find`
Method: GET

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| list_id | string | required | Unique identifier |
| page | number | optional | Parameter for Find Exception Items |
| per_page | number | optional | Parameter for Find Exception Items |
| sort_field | string | optional | Parameter for Find Exception Items |
| sort_order | string | optional | Parameter for Find Exception Items |
| cursor | string | optional | Parameter for Find Exception Items |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | array | Response data |
| tags | array | Output field tags |
| file_name | string | Name of the resource |
| file | string | Output field file |
| comments | array | Output field comments |
| comment | string | Output field comment |
| created_at | string | Output field created_at |
| created_by | string | Output field created_by |
| created_at | string | Output field created_at |
| created_by | string | Output field created_by |
| description | string | Output field description |
| entries | array | Output field entries |
| field | string | Output field field |
| operator | string | Output field operator |
| type | string | Type of the resource |
| value | array | Value for the parameter |
| id | string | Unique identifier |
| item_id | string | Unique identifier |
| list_id | string | Unique identifier |
| name | string | Name of the resource |
| namespace_type | string | Name of the resource |
| tags | array | Output field tags |
| tie_breaker_id | string | Unique identifier |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "date": "Mon, 23 Jan 2023 21:25:15 GMT",
      "content-type": "application/json; charset=utf-8",
      "transfer-encoding": "chunked",
      "connection": "keep-alive",
      "x-srv-trace": "v=1;t=11782e3fc888d672",
      "x-srv-span": "v=1;s=26a26302ea05a85c",
      "access-control-allow-origin": " ",
      "x-ratelimit-limit": "120",
      "x-ratelimit-remaining": "119",
      "x-ratelimit-reset": "1674509073",
      "etag": "W/\"96-s/5iq2y1qqiinh5bwopc+chvdju\"",
      "vary": "Accept-Encoding",
      "content-encoding": "gzip"
    },
    "reason": "OK",
    "json_body": {
      "data": [],
      "page": 1,
      "per_page": 20,
      "total": 2
    }
  }
]
```

### Find List Containers

Retrieves a paginated subset of list containers.

Endpoint URL: `api/lists/_find`
Method: GET

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| page | number | optional | Parameter for Find List Containers |
| per_page | number | optional | Parameter for Find List Containers |
| sort_field | string | optional | Parameter for Find List Containers |
| sort_order | string | optional | Parameter for Find List Containers |
| cursor | string | optional | Parameter for Find List Containers |
| filter | string | optional | Parameter for Find List Containers |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| cursor | string | Output field cursor |
| data | array | Response data |
| _version | string | Output field _version |
| id | string | Unique identifier |
| created_at | string | Output field created_at |
| created_by | string | Output field created_by |
| description | string | Output field description |
| immutable | boolean | Output field immutable |
| name | string | Name of the resource |
| tie_breaker_id | string | Unique identifier |
| type | string | Type of the resource |
| updated_at | string | Output field updated_at |
| updated_by | string | Output field updated_by |
| version | number | Output field version |
| page | number | Output field page |
| per_page | number | Output field per_page |
| total | number | Output field total |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "date": "Mon, 23 Jan 2023 21:40:00 GMT",
      "content-type": "application/json; charset=utf-8",
      "content-length": "660",
      "connection": "keep-alive",
      "x-srv-trace": "v=1;t=db8f3736ef937fc5",
      "x-srv-span": "v=1;s=386f87daef9dcf10",
      "access-control-allow-origin": " ",
      "x-ratelimit-limit": "120",
      "x-ratelimit-remaining": "119",
      "x-ratelimit-reset": "1674509983",
      "etag": "W/\"96-s/5iq2y1qqiinh5bwopc+chvdju\"",
      "vary": "Accept-Encoding"
    },
    "reason": "OK",
    "json_body": {
      "cursor": "wziwlfsimtk1zju0zmitmjq0zc00zjlhltlhnwitztcyodkwmtm0n2uwil1d",
      "data": [],
      "page": 1,
      "per_page": 20,
      "total": 1
    }
  }
]
```

### Find List Items

Retrieves a paginated subset of list items in the specified container.

Endpoint URL: `/api/lists/items/_find`
Method: GET

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| list_id | string | required | Unique identifier |
| page | number | optional | Parameter for Find List Items |
| per_page | number | optional | Parameter for Find List Items |
| sort_field | string | optional | Parameter for Find List Items |
| sort_order | string | optional | Parameter for Find List Items |
| cursor | string | optional | Parameter for Find List Items |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| cursor | string | Output field cursor |
| data | array | Response data |
| _version | string | Output field _version |
| created_at | string | Output field created_at |
| created_by | string | Output field created_by |
| id | string | Unique identifier |
| list_id | string | Unique identifier |
| tie_breaker_id | string | Unique identifier |
| type | string | Type of the resource |
| updated_at | string | Output field updated_at |
| updated_by | string | Output field updated_by |
| value | string | Value for the parameter |
| page | number | Output field page |
| per_page | number | Output field per_page |
| total | number | Output field total |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "date": "Mon, 23 Jan 2023 21:54:12 GMT",
      "content-type": "application/json; charset=utf-8",
      "transfer-encoding": "chunked",
      "connection": "keep-alive",
      "x-srv-trace": "v=1;t=1425971a5b41ab27",
      "x-srv-span": "v=1;s=8dc3927dc8cb45ce",
      "access-control-allow-origin": " ",
      "x-ratelimit-limit": "120",
      "x-ratelimit-remaining": "119",
      "x-ratelimit-reset": "1674510789",
      "etag": "W/\"96-s/5iq2y1qqiinh5bwopc+chvdju\"",
      "vary": "Accept-Encoding",
      "content-encoding": "gzip"
    },
    "reason": "OK",
    "json_body": {
      "cursor": "wziwlfsizmfjzmzmotqtnzizzs00ymq0ltk4ztutnzi2ogjjnta3nwnmil1d",
      "data": [],
      "page": 1,
      "per_page": 20,
      "total": 11
    }
  }
]
```

### Export Rules

Exports rules to an `.ndjson` file.

Endpoint URL: `api/detection_engine/rules/_export`
Method: POST

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| exclude_export_details | boolean | optional | Parameter for Export Rules |
| file_name | string | optional | Name of the resource |
| objects | array | optional | Parameter for Export Rules |
| rule_id | string | optional | Unique identifier |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| exported_count | number | Count value |
| exported_rules_count | number | Count value |
| missing_rules | array | Output field missing_rules |
| rule_id | string | Unique identifier |
| missing_rules_count | number | Count value |
| exported_exception_list_count | number | Count value |
| exported_exception_list_item_count | number | Count value |
| missing_exception_list_item_count | number | Count value |
| missing_exception_list_items | array | Output field missing_exception_list_items |
| file_name | string | Name of the resource |
| file | string | Output field file |
| missing_exception_lists | array | Output field missing_exception_lists |
| file_name | string | Name of the resource |
| file | string | Output field file |
| missing_exception_lists_count | number | Count value |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "server": "nginx/1.18.0 (Ubuntu)",
      "date": "Tue, 24 Jan 2023 20:48:44 GMT",
      "content-type": "application/ndjson",
      "content-length": "347",
      "connection": "keep-alive",
      "content-disposition": "attachment; filename=\"testfilename.ndjson\"",
      "x-content-type-options": "nosniff",
      "referrer-policy": "no-referrer-when-downgrade",
      "content-security-policy": "script-src 'unsafe-eval' 'self'; worker-src blob: 'self'; style-src 'unsafe-inli...",
      "kbn-name": "ubu2204template",
      "kbn-license-sig": "41fb004c5f952e932d4f566dc859516a1f89cc84a3bf9c11efde7c9b78e7a281",
      "cache-control": "private, no-cache, no-store, must-revalidate"
    },
    "reason": "OK",
    "json_body": {
      "exported_count": 0,
      "exported_rules_count": 0,
      "missing_rules": [],
      "missing_rules_count": 1,
      "exported_exception_list_count": 0,
      "exported_exception_list_item_count": 0,
      "missing_exception_list_item_count": 0,
      "missing_exception_list_items": [],
      "missing_exception_lists": [],
      "missing_exception_lists_count": 0
    }
  }
]
```

### Find Rules

Retrieves a paginated subset of signal detection rules.

Endpoint URL: `api/detection_engine/rules/_find`
Method: GET

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| page | number | optional | Parameter for Find Rules |
| per_page | number | optional | Parameter for Find Rules |
| sort_field | string | optional | Parameter for Find Rules |
| sort_order | string | optional | Parameter for Find Rules |
| filter | string | optional | Parameter for Find Rules |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| page | number | Output field page |
| perPage | number | Output field perPage |
| total | number | Output field total |
| data | array | Response data |
| created_at | string | Output field created_at |
| updated_at | string | Output field updated_at |
| created_by | string | Output field created_by |
| description | string | Output field description |
| enabled | boolean | Output field enabled |
| false_positives | array | Output field false_positives |
| file_name | string | Name of the resource |
| file | string | Output field file |
| from | string | Output field from |
| id | string | Unique identifier |
| immutable | boolean | Output field immutable |
| index | array | Output field index |
| interval | string | Output field interval |
| rule_id | string | Unique identifier |
| language | string | Output field language |
| output_index | string | Output field output_index |
| max_signals | number | Output field max_signals |
| risk_score | number | Score value |
| name | string | Name of the resource |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "date": "Mon, 23 Jan 2023 20:22:33 GMT",
      "content-type": "application/json; charset=utf-8",
      "transfer-encoding": "chunked",
      "connection": "keep-alive",
      "x-srv-trace": "v=1;t=055814721165fd01",
      "x-srv-span": "v=1;s=d0abef80426f43dd",
      "access-control-allow-origin": " ",
      "x-ratelimit-limit": "120",
      "x-ratelimit-remaining": "119",
      "x-ratelimit-reset": "1674505413",
      "etag": "W/\"6b2-ualfqwmofsayivg98we59oy3qby\"",
      "vary": "Accept-Encoding",
      "content-encoding": "gzip"
    },
    "reason": "OK",
    "json_body": {
      "page": 1,
      "perPage": 5,
      "total": 4,
      "data": []
    }
  }
]
```

### Get Rules

Retrieves a single rule using the `rule_id` or `id` field.

Endpoint URL: `api/detection_engine/rules`
Method: GET

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| id | string | optional | Unique identifier |
| rule_id | string | optional | Unique identifier |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| created_at | string | Output field created_at |
| updated_at | string | Output field updated_at |
| created_by | string | Output field created_by |
| description | string | Output field description |
| enabled | boolean | Output field enabled |
| false_positives | array | Output field false_positives |
| file_name | string | Name of the resource |
| file | string | Output field file |
| filters | array | Output field filters |
| query | object | Output field query |
| match | object | Output field match |
| event.action | object | Output field event.action |
| query | string | Output field query |
| type | string | Type of the resource |
| from | string | Output field from |
| id | string | Unique identifier |
| immutable | boolean | Output field immutable |
| interval | string | Output field interval |
| rule_id | string | Unique identifier |
| language | string | Output field language |
| output_index | string | Output field output_index |
| max_signals | number | Output field max_signals |
| risk_score | number | Score value |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "date": "Tue, 24 Jan 2023 19:36:39 GMT",
      "content-type": "application/json; charset=utf-8",
      "transfer-encoding": "chunked",
      "connection": "keep-alive",
      "x-srv-trace": "v=1;t=40dfdc4d61706ab6",
      "x-srv-span": "v=1;s=a573e9e875c58d77",
      "access-control-allow-origin": " ",
      "x-ratelimit-limit": "120",
      "x-ratelimit-remaining": "119",
      "x-ratelimit-reset": "1674588944",
      "etag": "W/\"96-s/5iq2y1qqiinh5bwopc+chvdju\"",
      "vary": "Accept-Encoding",
      "content-encoding": "gzip"
    },
    "reason": "OK",
    "json_body": {
      "created_at": "2020-02-03T11:19:04.259Z",
      "updated_at": "2020-02-03T11:19:04.462Z",
      "created_by": "elastic",
      "description": "Process started by MS Office program in user folder",
      "enabled": false,
      "false_positives": [],
      "filters": [],
      "from": "now-4200s",
      "id": "c41d170b-8ba6-4de6-b8ec-76440a35ace3",
      "immutable": false,
      "interval": "1h",
      "rule_id": "process_started_by_ms_office_user_folder",
      "language": "kuery",
      "output_index": ".siem-signals-siem-test",
      "max_signals": 100
    }
  }
]
```

### Search Signals

The signals endpoint is for retrieving, aggregating, and updating detection alerts.

Endpoint URL: `api/detection_engine/signals/search`
Method: POST

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| aggs | object | optional | Parameter for Search Signals |
| latest | object | optional | Parameter for Search Signals |
| max | object | optional | Parameter for Search Signals |
| field | string | optional | Parameter for Search Signals |
| oldest | object | optional | Parameter for Search Signals |
| min | object | optional | Parameter for Search Signals |
| field | string | optional | Parameter for Search Signals |
| query | object | optional | Parameter for Search Signals |
| bool | object | optional | Parameter for Search Signals |
| filter | array | optional | Parameter for Search Signals |
| match | object | optional | Parameter for Search Signals |
| range | object | optional | Parameter for Search Signals |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| took | number | Output field took |
| timed_out | boolean | Output field timed_out |
| _shards | object | Output field _shards |
| total | number | Output field total |
| successful | number | Whether the operation was successful |
| skipped | number | Output field skipped |
| failed | number | Output field failed |
| hits | object | Output field hits |
| total | object | Output field total |
| value | number | Value for the parameter |
| relation | string | Output field relation |
| max_score | object | Score value |
| hits | array | Output field hits |
| file_name | string | Name of the resource |
| file | string | Output field file |
| aggregations | object | Output field aggregations |
| oldest | object | Output field oldest |
| value | number | Value for the parameter |
| value_as_string | string | Value for the parameter |
| latest | object | Output field latest |
| value | number | Value for the parameter |
| value_as_string | string | Value for the parameter |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "server": "nginx/1.18.0 (Ubuntu)",
      "date": "Wed, 25 Jan 2023 14:57:26 GMT",
      "content-type": "application/json; charset=utf-8",
      "content-length": "225",
      "connection": "keep-alive",
      "x-content-type-options": "nosniff",
      "referrer-policy": "no-referrer-when-downgrade",
      "content-security-policy": "script-src 'unsafe-eval' 'self'; worker-src blob: 'self'; style-src 'unsafe-inli...",
      "kbn-name": "ubu2204template",
      "kbn-license-sig": "41fb004c5f952e932d4f566dc859516a1f89cc84a3bf9c11efde7c9b78e7a281",
      "cache-control": "private, no-cache, no-store, must-revalidate"
    },
    "reason": "OK",
    "json_body": {
      "took": 3,
      "timed_out": false,
      "_shards": {},
      "hits": {},
      "aggregations": {}
    }
  }
]
```

### Get All Kibana Spaces

Retrieve all Kibana spaces.

Endpoint URL: `api/spaces/space`
Method: GET

#### Input

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| purpose | string | optional | Parameter for Get All Kibana Spaces |
| include_authorized_purposes | boolean | optional | Parameter for Get All Kibana Spaces |

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "server": "nginx/1.18.0 (Ubuntu)",
      "date": "Tue, 24 Jan 2023 19:45:33 GMT",
      "content-type": "application/json; charset=utf-8",
      "content-length": "136",
      "connection": "keep-alive",
      "x-content-type-options": "nosniff",
      "referrer-policy": "no-referrer-when-downgrade",
      "content-security-policy": "script-src 'unsafe-eval' 'self'; worker-src blob: 'self'; style-src 'unsafe-inli...",
      "kbn-name": "ubu2204template",
      "kbn-license-sig": "41fb004c5f952e932d4f566dc859516a1f89cc84a3bf9c11efde7c9b78e7a281",
      "cache-control": "private, no-cache, no-store, must-revalidate",
      "accept-ranges": "bytes"
    },
    "reason": "OK",
    "json_body": [
      {},
      {},
      {}
    ]
  }
]
```

### Get Tags

Aggregates and returns all rule tags.

Endpoint URL: `api/detection_engine/tags`
Method: GET

#### Output

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

#### Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "server": "nginx/1.18.0 (Ubuntu)",
      "date": "Tue, 24 Jan 2023 20:10:27 GMT",
      "content-type": "application/json; charset=utf-8",
      "content-length": "749",
      "connection": "keep-alive",
      "x-content-type-options": "nosniff",
      "referrer-policy": "no-referrer-when-downgrade",
      "content-security-policy": "script-src 'unsafe-eval' 'self'; worker-src blob: 'self'; style-src 'unsafe-inli...",
      "kbn-name": "ubu2204template",
      "kbn-license-sig": "41fb004c5f952e932d4f566dc859516a1f89cc84a3bf9c11efde7c9b78e7a281",
      "cache-control": "private, no-cache, no-store, must-revalidate",
      "accept-ranges": "bytes"
    },
    "reason": "OK",
    "json_body": [
      "elastic",
      "host",
      "windows"
    ]
  }
]
```

## Response Headers

| Header | Description | Example |
| --- | --- | --- |
| accept-ranges | HTTP response header accept-ranges | bytes |
| access-control-allow-origin | HTTP response header access-control-allow-origin | |
| cache-control | Directives for caching mechanisms | private, no-cache, no-store, must-revalidate |
| connection | HTTP response header connection | keep-alive |
| content-disposition | HTTP response header content-disposition | attachment; filename="testfilename.ndjson" |
| content-encoding | HTTP response header content-encoding | gzip |
| content-length | The length of the response body in bytes | 884 |
| content-security-policy | HTTP response header content-security-policy | script-src 'unsafe-eval' 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self' |
| content-type | The media type of the resource | application/ndjson |
| date | The date and time at which the message was originated | Tue, 24 Jan 2023 17:24:36 GMT |
| etag | An identifier for a specific version of a resource | W/"6b2-ualfqwmofsayivg98we59oy3qby" |
| kbn-license-sig | HTTP response header kbn-license-sig | 41fb004c5f952e932d4f566dc859516a1f89cc84a3bf9c11efde7c9b78e7a281 |
| kbn-name | HTTP response header kbn-name | ubu2204template |
| referrer-policy | HTTP response header referrer-policy | no-referrer-when-downgrade |
| server | Information about the software used by the origin server | nginx/1.18.0 (Ubuntu) |
| transfer-encoding | HTTP response header transfer-encoding | chunked |
| vary | HTTP response header vary | Accept-Encoding |
| x-content-type-options | HTTP response header x-content-type-options | nosniff |
| x-ratelimit-limit | The number of requests allowed in the current rate limit window | 120 |
| x-ratelimit-remaining | The number of requests remaining in the current rate limit window | 119 |
| x-ratelimit-reset | The time at which the current rate limit window resets | 1674493629 |
| x-srv-span | HTTP response header x-srv-span | v=1;s=26a26302ea05a85c |
| x-srv-trace | HTTP response header x-srv-trace | v=1;t=142245b81cc02af4 |

## Notes

For more information, see the Elastic Security API documentation (7.16): https://www.elastic.co/guide/en/security/7.16/security-apis.html

This connector was last tested against product version Elastic Kibana 7.16.3.
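
The Elastic Cloud API key step in the asset setup (decode the portal value, then encode it again without a trailing newline) can be wrapped in a check that fails early on a malformed key. This is an added example, not part of the connector or its documentation; the function names and the key material are constructed, and the `Authorization: ApiKey` header form is the standard Elasticsearch/Kibana API key scheme rather than something this page specifies.

```shell
#!/bin/sh
# Added example: normalize a Kibana API key before storing it in the asset.
# All key material below is constructed sample data, not a real credential.

# normalize_api_key BASE64_VALUE
# Decodes the value, checks that it has the "id:api_key" shape, and re-encodes
# it with no trailing newline or carriage return. Prints the result on stdout.
normalize_api_key() {
    # base64 -d exits non-zero on characters outside the base64 alphabet.
    decoded=$(printf '%s' "$1" | base64 -d 2>/dev/null) || {
        echo "error: value is not valid base64" >&2
        return 1
    }
    # $(...) already dropped trailing newlines; also drop carriage returns
    # picked up when the key was copied from a Windows-formatted file.
    decoded=$(printf '%s' "$decoded" | tr -d '\r')
    case "$decoded" in
        *[[:space:]]*)
            echo "error: decoded key contains whitespace" >&2
            return 1 ;;
        ?*:?*)
            ;;  # non-empty id, a colon, non-empty secret
        *)
            echo "error: decoded key is not in id:api_key form" >&2
            return 1 ;;
    esac
    # printf '%s' behaves like `echo -n`: nothing is appended before encoding.
    # tr removes the line wrapping some base64 builds add to long output.
    printf '%s' "$decoded" | base64 | tr -d '\n'
}

# auth_header BASE64_VALUE
# Prints the request header that carries the normalized key.
auth_header() {
    key=$(normalize_api_key "$1") || return 1
    printf 'Authorization: ApiKey %s' "$key"
}

# Constructed sample: a key that was encoded together with a trailing newline,
# which is what `echo` without -n produces.
SAMPLE_WITH_NEWLINE=$(printf '%s\n' 'constructed-id:constructed-secret' | base64 | tr -d '\n')
auth_header "$SAMPLE_WITH_NEWLINE"
echo
```

A key encoded with the trailing newline differs from the correct one only in its last few characters, so the mismatch is easy to miss by eye and typically surfaces as an authentication failure.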