Elastic Kibana 8 - Security
The Elastic Kibana 8 Security connector allows for streamlined integration with Swimlane Turbine, enabling automated security workflows and enhanced threat management.

Elastic Kibana 8 Security is a powerful analytics and visualization platform that is part of the Elastic Stack. It enables security teams to interactively navigate through large volumes of event data, providing real-time insight into security events and alerts. Integrated with Swimlane Turbine, this connector lets users automate and orchestrate security workflows, streamline incident response, and enhance threat detection capabilities within their security operations.

## Prerequisites

Before you can use the Elastic Kibana 8 Security connector for Turbine, ensure you have one of the following:

HTTP Basic Authentication with these parameters:
- URL: the endpoint URL for your Elastic Kibana instance
- Username: your Elastic Kibana username
- Password: your Elastic Kibana password

API Key Authentication with these parameters:
- URL: the endpoint URL for your Elastic Kibana instance
- API Key: a generated API key for accessing Elastic Kibana APIs

## Capabilities

This connector provides the following capabilities:

- Case tasks: Add Case Comment, Create Case, Find Cases, Get Case, Update Case, Get All Case Activity
- Connector tasks: Create Connector, Get All Connectors, Get Current Connector, Push Case to External Service, Set Default Elastic Security UI Connector, Update Elastic Security Case Closure Connector
- Detection tasks: Create Detection Event Correlation Rule, Create Detection Indicator Match Rule, Create Detection ML Rule, Create Detection Query Rule, Create Detection Threshold Rule, Update Detection Event Correlation Rule, Update Detection Indicator Match Rule, Update Detection ML Rule, Update Detection Query Rule, Update Detection Threshold Rule, Delete Detection Rule, Export Detection Rules, Find Detection Rules, Get Detection Rule, Add Pre-Packaged Detection Rules
- Signal tasks: Create Signal Index, Get Signals, Set Signal Status
- Timeline tasks: Create Timeline (& Timeline Templates)
- Lists tasks: Create List Container, Create List Item, Create List Index, Find List Containers, Find List Items, Update List Container, Update List Item
- Exception tasks: Create Exception Container, Create Exception Item, Find Exception Containers, Find Exception Items
- Tags tasks: Get Tags
- Kibana tasks: Create Kibana Space, Get Kibana Spaces
- Endpoint Management tasks: Create Blocklist Entries Container, Create Blocklist Entry, Create Event Filter, Create Event Filters Container, Create Host Isolation Exception, Create Host Isolation Exceptions Container, Create Trusted Application, Create Trusted Applications Container, Delete Blocklist Entry, Delete Event Filter, Delete Host Isolation Exception, Delete Trusted Application, Find Blocklist Entries, Find Event Filters, Find Host Isolation Exceptions, and so on

## Asset Setup

### Connecting to Elastic Cloud

In order to use this connector with Elastic Cloud, you must provide the following inputs in the configured asset:
- URL
- API Key

If you generated an API key from within the Elastic Cloud portal, you may need to run the following commands to generate the correct API key:

```
echo "qnq3bdbic0jqr3d1awxkmvbzd0m6cl9wqul6anhrww1vlvazdg5jzkuzuq==" | base64 -d
```

which will result in a value similar to the following:

```
bt7l0hsbjgwuild1pywc:r vaizjxqymo p3tnife3q%
```

Then take this value and run it through base64 again:

```
echo -n "bt7l0hsbjgwuild1pywc:r vaizjxqymo p3tnife3q%" | base64
```

This will result in the correct API key.

### Connecting to On-Premises

The URL has to be in this format: `<kibana_host>:<port>` (see https://www.elastic.co/guide/en/security/8.9/security-apis.html#_authentication).

In order to use this connector with an on-premises Elasticsearch and Kibana, you must provide the following inputs in the configured asset:
- URL
- Username
- Password

### Common Issues Within the Asset

If you receive an error about the host, remove any trailing slashes from the host string.

## Notes

For more information, see https://www.elastic.co/guide/en/kibana/8.10/api.html.

This connector was last tested against product version Elastic Kibana 8.10.
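The Elastic Cloud key handling and the trailing-slash note above, carried out in code as an added example (this is not Swimlane's or Elastic's code). It assumes Kibana's standard header forms, `Authorization: ApiKey <base64(id:api_key)>` and `Authorization: Basic <base64(username:password)>`, and adds the `kbn-xsrf` header that Kibana itself requires on non-GET API calls; neither of those is stated on this page. The sample key `my-key-id:my-secret` is constructed.

```python
"""Normalize the Elastic Kibana asset inputs before the connector sends any request.

Added example, not Swimlane's or Elastic's code. Assumes Kibana's header forms:
  Authorization: ApiKey <base64(id:api_key)>
  Authorization: Basic  <base64(username:password)>
"""
import base64
import binascii
from typing import Dict, Optional
from urllib.parse import urlsplit


def normalize_base_url(url: str) -> str:
    """Return the asset URL with a scheme and without trailing slashes.

    The page's common-issues note: a trailing slash on the host string produces a
    host error, because every action path (e.g. /api/cases) already starts with '/'.
    """
    url = url.strip()
    if "://" not in url:
        url = "https://" + url  # assumption: default to TLS when only <host>:<port> is given
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.netloc:
        raise ValueError(f"not a usable Kibana URL: {url!r}")
    return url.rstrip("/")


def _decode_base64_text(value: str) -> Optional[str]:
    """Strictly decode base64 to ASCII text; None when the value is not base64."""
    try:
        return base64.b64decode(value, validate=True).decode("ascii")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None


def api_key_header(portal_value: str) -> str:
    """Turn the value copied from Elastic Cloud into the ApiKey header value.

    This is the page's decode-then-encode step done programmatically: the usable
    credential is base64(id:api_key), so decode once, check the id:key shape, and
    re-encode without a trailing newline (what `echo -n` does in the shell).
    """
    value = portal_value.strip().rstrip("%")  # '%' is zsh's missing-newline marker, not key material
    decoded = _decode_base64_text(value)
    if decoded is not None and ":" in decoded:
        id_and_key = decoded.strip()  # portal handed out base64(id:api_key)
    elif ":" in value:
        id_and_key = value  # portal (or Kibana) handed out the raw id:api_key pair
    else:
        raise ValueError("API key is neither base64(id:api_key) nor id:api_key")
    key_id, _, secret = id_and_key.partition(":")
    if not key_id or not secret:
        raise ValueError("API key must have a non-empty id and secret separated by ':'")
    return "ApiKey " + base64.b64encode(id_and_key.encode("ascii")).decode("ascii")


def basic_auth_header(username: str, password: str) -> str:
    """Build the HTTP Basic header value for the username/password asset."""
    if not username or ":" in username or "\n" in username + password:
        raise ValueError("username must be non-empty and contain no ':' or newline")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return "Basic " + token


def request_headers(authorization: str) -> Dict[str, str]:
    """Headers for a JSON write to the Kibana API (kbn-xsrf is Kibana's own requirement)."""
    return {
        "Authorization": authorization,
        "Content-Type": "application/json",
        "kbn-xsrf": "true",
    }


# Constructed sample: base64("my-key-id:my-secret"), as a Cloud portal might show it in zsh.
SAMPLE_PORTAL_VALUE = "bXkta2V5LWlkOm15LXNlY3JldA==%"

if __name__ == "__main__":
    base = normalize_base_url("https://kibana.example.com:5601/")
    print(base, request_headers(api_key_header(SAMPLE_PORTAL_VALUE)))
```

Whichever form the portal produced, the function ends up with one base64 encoding of `id:api_key`, so the header is never double-encoded and never carries the stray newline or `%` that a copy from the terminal picks up.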
## Configurations

### API Key Authentication

Authenticates using an API key.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| URL | A URL to the target host | string | required |
| Port | Host port to use | number | optional |
| X-ApiKey | API key | string | required |
| Verify SSL | Verify SSL certificate | boolean | optional |
| HTTP Proxy | A proxy to route requests through | string | optional |

### HTTP Basic Authentication

Authenticates using username and password.

Configuration parameters:

| Parameter | Description | Type | Required |
| --- | --- | --- | --- |
| URL | A URL to the target host | string | required |
| Username | Username | string | required |
| Password | Password | string | required |
| Verify SSL | Verify SSL certificate | boolean | optional |
| HTTP Proxy | A proxy to route requests through | string | optional |

## Actions

### Add Case Comment

Add a comment or alert to an existing case by providing the case ID and specifying the comment type in Elastic Kibana 8 Security.

Endpoint URL: `/api/cases/{{case_id}}/comments`
Method: POST

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| path_parameters.case_id | string | required | Parameters for the Add Case Comment action |
| alertId | array | optional | Required only when type is `alert` |
| comment | string | optional | Required only when type is `user` |
| index | array | optional | Required only when type is `alert` |
| owner | string | optional | Parameter for Add Case Comment |
| rule | object | optional | Required only when type is `alert` |
| rule.id | string | optional | The rule identifier |
| rule.name | string | optional | The rule name |
| type | string | optional | The comment type |

Input example:

```json
{
  "json_body": {
    "alertId": ["293f1bc0-74f6-11ea-b83a-553aecdb28b6"],
    "comment": "adding a test comment",
    "index": [".siem-signals"],
    "owner": "cases",
    "rule": {"id": "94d80550-aaf4-11ec-985f-97e55adae8b9", "name": "security rule"},
    "type": "user"
  },
  "path_parameters": {"case_id": "93f1bc0-74f6-11ea-b83a-553aecdb28b6"}
}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| description | string | Output field description |
| title | string | Output field title |
| tags | array | Output field tags |
| settings | object | Output field settings |
| settings.syncAlerts | boolean | Output field settings.syncAlerts |
| owner | string | Output field owner |
| category | object | Output field category |
| assignees | array | Output field assignees |
| assignees.file.name | string | Name of the resource |
| assignees.file | string | Output field assignees.file |
| connector | object | Output field connector |
| connector.id | string | Unique identifier |
| connector.type | string | Type of the resource |
| connector.fields | object | Output field connector.fields |
| connector.fields.issueType | string | Type of the resource |
| connector.fields.priority | string | Output field connector.fields.priority |
| connector.fields.parent | object | Output field connector.fields.parent |
| connector.name | string | Name of the resource |
| severity | string | Output field severity |
| status | string | Status value |
| duration | object | Output field duration |
| closed_at | object | Output field closed_at |
| closed_by | object | Output field closed_by |

Output example (truncated):

```json
{"status_code": 200, "response_headers": {"cache-control": "private, no-cache, no-store, must-revalidate", "content-encoding": "gzip", "content-security-policy": "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'", "content-type": "application/json; charset=utf-8", "cross-origin-opener-policy": "same-origin", "date": "Fri, 29 Sep 2023 06:22:52 GMT", "kbn-license-sig": "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519", "kbn-name": "instance-0000000000", "permissions-polic
```

### Create Blocklist Entries Container

Generates a blocklist container in Elastic Kibana 8 Security, requiring description, name, list ID, type, and namespace.

Endpoint URL: `/api/exception_lists`
Method: POST

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| description | string | optional | Parameter for Create Blocklist Entries Container |
| name | string | optional | Name of the resource |
| list_id | string | optional | Unique identifier |
| type | string | optional | Type of the resource |
| namespace_type | string | optional | Name of the resource |
| tags | array | optional | Parameter for Create Blocklist Entries Container |

Input example:

```json
{
  "json_body": {
    "description": "Excludes Linux trusted processes",
    "name": "Linux process exceptions",
    "list_id": "endpoint_blocklist",
    "type": "endpoint",
    "namespace_type": "agnostic",
    "tags": ["linux", "processes"]
  }
}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| _version | string | Output field _version |
| created_at | string | Output field created_at |
| created_by | string | Output field created_by |
| description | string | Output field description |
| id | string | Unique identifier |
| immutable | boolean | Output field immutable |
| list_id | string | Unique identifier |
| name | string | Name of the resource |
| namespace_type | string | Name of the resource |
| os_types | array | Type of the resource |
| os_types.file.name | string | Name of the resource |
| os_types.file | string | Type of the resource |
| tags | array | Output field tags |
| tie_breaker_id | string | Unique identifier |
| type | string | Type of the resource |
| updated_at | string | Output field updated_at |
| updated_by | string | Output field updated_by |
| version | number | Output field version |

Output example (truncated):

```json
{"status_code": 200, "response_headers": {"cache-control": "private, no-cache, no-store, must-revalidate", "content-length": "486", "content-security-policy": "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'", "content-type": "application/json; charset=utf-8", "cross-origin-opener-policy": "same-origin", "date": "Thu, 05 Oct 2023 09:15:40 GMT", "kbn-license-sig": "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519", "kbn-name": "instance-0000000000", "permissions-policy"
```

### Create Blocklist Entry

Creates a new blocklist entry in Elastic Kibana 8 Security, including description, entries, list ID, name, namespace type, OS types, and entry type.

Endpoint URL: `/api/exception_lists/items`
Method: POST

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| comments | array | optional | Parameter for Create Blocklist Entry |
| comments.file.name | string | required | Name of the resource |
| comments.file | string | required | Parameter for Create Blocklist Entry |
| description | string | optional | Parameter for Create Blocklist Entry |
| entries | array | optional | Parameter for Create Blocklist Entry |
| entries.field | string | required | Parameter for Create Blocklist Entry |
| entries.value | array | required | Value for the parameter |
| entries.type | string | required | Type of the resource |
| entries.operator | string | required | Parameter for Create Blocklist Entry |
| list_id | string | optional | Unique identifier |
| name | string | optional | Name of the resource |
| namespace_type | string | optional | Name of the resource |
| os_types | array | optional | Type of the resource |
| tags | array | optional | Parameter for Create Blocklist Entry |
| type | string | optional | Type of the resource |

Input example:

```json
{
  "json_body": {
    "comments": [],
    "description": "Some description about this entry",
    "entries": [
      {
        "field": "file.path",
        "value": ["c:/path/to/file.exe", "c:/path/to/file2.exe"],
        "type": "match_any",
        "operator": "included"
      }
    ],
    "list_id": "endpoint_blocklists",
    "name": "Linux process exceptions",
    "namespace_type": "agnostic",
    "os_types": ["macos"],
    "tags": ["policy:all"],
    "type": "simple"
  }
}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| _version | string | Output field _version |
| comments | array | Output field comments |
| comments.file.name | string | Name of the resource |
| comments.file | string | Output field comments.file |
| created_at | string | Output field created_at |
| created_by | string | Output field created_by |
| description | string | Output field description |
| entries | array | Output field entries |
| entries.field | string | Output field entries.field |
| entries.value | array | Value for the parameter |
| entries.type | string | Type of the resource |
| entries.operator | string | Output field entries.operator |
| id | string | Unique identifier |
| item_id | string | Unique identifier |
| list_id | string | Unique identifier |
| name | string | Name of the resource |
| namespace_type | string | Name of the resource |
| os_types | array | Type of the resource |
| tags | array | Output field tags |
| tie_breaker_id | string | Unique identifier |
| type | string | Type of the resource |
| updated_at | string | Output field updated_at |
| updated_by | string | Output field updated_by |

Output example (truncated):

```json
{"status_code": 200, "response_headers": {"cache-control": "private, no-cache, no-store, must-revalidate", "content-length": "649", "content-security-policy": "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'", "content-type": "application/json; charset=utf-8", "cross-origin-opener-policy": "same-origin", "date": "Thu, 05 Oct 2023 09:23:57 GMT", "kbn-license-sig": "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519", "kbn-name": "instance-0000000000", "permissions-policy"
```

### Create Case

Initiate a new case in Elastic Kibana 8 Security, specifying connector, description, owner, settings, tags, and title.

Endpoint URL: `/api/cases`
Method: POST

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| assignees | array | optional | Parameter for Create Case |
| assignees.uid | string | optional | Unique identifier |
| description | string | optional | Parameter for Create Case |
| title | string | optional | Parameter for Create Case |
| tags | array | optional | Parameter for Create Case |
| connector | object | optional | Parameter for Create Case |
| connector.id | string | required | Unique identifier |
| connector.name | string | required | Name of the resource |
| connector.type | string | required | Type of the resource |
| connector.fields | object | required | Parameter for Create Case |
| connector.fields.issueType | string | optional | Type of the resource |
| connector.fields.priority | string | optional | Parameter for Create Case |
| connector.fields.parent | object | optional | Parameter for Create Case |
| connector.fields.caseId | string | required | Unique identifier |
| settings | object | optional | Parameter for Create Case |
| settings.syncAlerts | boolean | required | Parameter for Create Case |
| owner | string | optional | Parameter for Create Case |
| severity | string | optional | Parameter for Create Case |

Input example:

```json
{
  "json_body": {
    "assignees": [{"uid": ""}],
    "description": "A case description.",
    "title": "Case title 1",
    "tags": ["tag 1"],
    "connector": {
      "id": "131d4448-abe0-4789-939d-8ef60680b498",
      "name": "My connector",
      "type": ".jira",
      "fields": {"issueType": "10006", "priority": "High", "parent": null, "caseId": ""}
    },
    "settings": {"syncAlerts": true},
    "owner": "cases",
    "severity": "critical"
  }
}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| description | string | Output field description |
| title | string | Output field title |
| tags | array | Output field tags |
| settings | object | Output field settings |
| settings.syncAlerts | boolean | Output field settings.syncAlerts |
| owner | string | Output field owner |
| category | object | Output field category |
| assignees | array | Output field assignees |
| assignees.file.name | string | Name of the resource |
| assignees.file | string | Output field assignees.file |
| connector | object | Output field connector |
| connector.id | string | Unique identifier |
| connector.type | string | Type of the resource |
| connector.fields | object | Output field connector.fields |
| connector.fields.issueType | string | Type of the resource |
| connector.fields.priority | string | Output field connector.fields.priority |
| connector.fields.parent | object | Output field connector.fields.parent |
| connector.name | string | Name of the resource |
| severity | string | Output field severity |
| status | string | Status value |
| duration | object | Output field duration |
| closed_at | object | Output field closed_at |
| closed_by | object | Output field closed_by |

Output example (truncated):

```json
{
  "status_code": 200,
  "response_headers": {},
  "reason": "OK",
  "json_body": {
    "description": "A case description.",
    "title": "Case title 1",
    "tags": ["tag 1"],
    "settings": {"syncAlerts": true},
    "owner": "cases",
    "category": null,
    "assignees": [],
    "connector": {"id": "131d4448-abe0-4789-939d-8ef60680b498", "type": ".jira", "fields": {}, "name": "My connector"},
    "severity": "low",
    "status": "open",
    "duration": null,
    "closed_at": null,
    "closed_by": null,
    "created_at": "2023-09-29T06:09:04.418Z",
    "created_by": {"username": "elastic", "full_name": n
```

### Create Connector

Establishes a new connector in Elastic Kibana 8 Security with a specific name, type, configuration, and
secrets.

Endpoint URL: `/api/actions/connector`
Method: POST

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| name | string | optional | Name of the resource |
| connector_type_id | string | optional | Unique identifier |
| config | object | optional | Parameter for Create Connector |
| config.connectorType | string | required | Type of the resource |
| config.mappings | object | optional | Parameter for Create Connector |
| config.mappings.alertIdConfig | object | optional | Unique identifier |
| config.mappings.alertIdConfig.id | string | required | Unique identifier |
| config.mappings.alertIdConfig.name | string | required | Unique identifier |
| config.mappings.alertIdConfig.key | string | required | Unique identifier |
| config.mappings.alertIdConfig.fieldType | string | required | Unique identifier |
| config.mappings.caseIdConfig | object | optional | Unique identifier |
| config.mappings.caseIdConfig.id | string | required | Unique identifier |
| config.mappings.caseIdConfig.name | string | required | Unique identifier |
| config.mappings.caseIdConfig.key | string | required | Unique identifier |
| config.mappings.caseIdConfig.fieldType | string | required | Unique identifier |
| config.mappings.caseNameConfig | object | optional | Name of the resource |
| config.mappings.caseNameConfig.id | string | required | Unique identifier |
| config.mappings.caseNameConfig.name | string | required | Name of the resource |
| config.mappings.caseNameConfig.key | string | required | Name of the resource |
| config.mappings.caseNameConfig.fieldType | string | required | Name of the resource |
| config.mappings.commentsConfig | object | optional | Parameter for Create Connector |
| config.mappings.commentsConfig.id | string | required | Unique identifier |
| config.mappings.commentsConfig.name | string | required | Name of the resource |
| config.mappings.commentsConfig.key | string | required | Parameter for Create Connector |
| config.mappings.commentsConfig.fieldType | string | required | Type of the resource |

Input example:

```json
{
  "json_body": {
    "name": "My Swimlane connector",
    "connector_type_id": ".swimlane",
    "config": {
      "connectorType": "all",
      "mappings": {
        "alertIdConfig": {"id": "b6fst", "name": "alert name", "key": "alert name",
          "fieldType": "text"},
        "caseIdConfig": {"id": "b6fst", "name": "alert name", "key": "alert name", "fieldType": "text"},
        "caseNameConfig": {"id": "b6fst", "name": "alert name", "key": "alert name", "fieldType": "text"},
        "commentsConfig": {"id": "b6fst", "name": "alert name", "key": "alert name", "fieldType": "text"},
        "descriptionConfig": {"id": "b6fst", "name": "alert name", "key": "alert name", "fieldType": "text"},
        "ruleNameConfig": {"id": "b6fst", "name": "alert name", "key": "alert name", "fieldType": "text"},
        "severityConfig": {"id": "b6fst", "name": "alert name", "key": "alert name", "fieldType": "text"}
      },
      "appId": "myappid",
      "apiUrl": "https://myswimlaneinstance.com"
    },
    "secrets": {"apiToken": "mytoken"}
  }
}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| id | string | Unique identifier |
| name | string | Name of the resource |
| config | object | Output field config |
| config.connectorType | string | Type of the resource |
| config.mappings | object | Output field config.mappings |
| config.mappings.alertIdConfig | object | Unique identifier |
| config.mappings.alertIdConfig.id | string | Unique identifier |
| config.mappings.alertIdConfig.name | string | Unique identifier |
| config.mappings.alertIdConfig.key | string | Unique identifier |
| config.mappings.alertIdConfig.fieldType | string | Unique identifier |
| config.mappings.caseIdConfig | object | Unique identifier |
| config.mappings.caseIdConfig.id | string | Unique identifier |
| config.mappings.caseIdConfig.name | string | Unique identifier |
| config.mappings.caseIdConfig.key | string | Unique identifier |
| config.mappings.caseIdConfig.fieldType | string | Unique identifier |
| config.mappings.caseNameConfig | object | Name of the resource |
| config.mappings.caseNameConfig.id | string | Unique identifier |
| config.mappings.caseNameConfig.name | string | Name of the resource |
| config.mappings.caseNameConfig.key | string | Name of the resource |
| config.mappings.caseNameConfig.fieldType | string | Name of the resource |
| config.mappings.commentsConfig | object | Output field config.mappings.commentsConfig |
| config.mappings.commentsConfig.id | string | Unique identifier |
| config.mappings.commentsConfig.name | string | Name of the resource |

Output example (truncated):

```json
{"status_code": 200, "response_headers": {"cache-control": "private, no-cache, no-store, must-revalidate", "content-length": "948", "content-security-policy": "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'", "content-type": "application/json; charset=utf-8", "cross-origin-opener-policy": "same-origin", "date": "Fri, 29 Sep 2023 17:21:03 GMT", "kbn-license-sig": "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519", "kbn-name": "instance-0000000000", "permissions-policy"
```

### Create Detection Event Correlation Rule

Generates alerts by creating an event correlation rule in Elastic Kibana 8 Security with details such as description, name, risk score, and severity.

Endpoint URL: `/api/detection_engine/rules`
Method: POST

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| rule_id | string | optional | Unique identifier |
| risk_score | number | optional | Score value |
| description | string | optional | Parameter for Create Detection Event Correlation Rule |
| name | string | optional | Name of the resource |
| severity | string | optional | Parameter for Create Detection Event Correlation Rule |
| tags | array | optional | Parameter for Create Detection Event Correlation Rule |
| type | string | optional | Type of the resource |
| language | string | optional | Parameter for Create Detection Event Correlation Rule |
| query | string | optional | Parameter for Create Detection Event Correlation Rule |

Input example:

```json
{
  "json_body": {
    "rule_id": "eql_outbound_rundll32_connections",
    "risk_score": 21,
    "description": "Unusual rundll32.exe network connection",
    "name": "rundll32.exe network connection",
    "severity": "low",
    "tags": ["eql", "windows", "rundll32.exe"],
    "type": "eql",
    "language": "eql",
    "query": "sequence by process.entity_id with maxspan=2h [process where event.type in (\"start\", \"process_started\") and (process.name == \"rundll32.exe\" or process.pe.original_file_name == \"rundll32.exe\") and ((process.args == \"rundll32.exe\" and process.args_count == 1) or (process.args != \"rundll32.exe\" and process.args_count == 0))] [network where event.type == \"connection\" and (process.name == \"rundll32.exe\" or process.pe.original_file_name == \"rundll32.exe\")]"
  }
}
```
Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| name | string | Name of the resource |
| description | string | Output field description |
| risk_score | number | Score value |
| severity | string | Output field severity |
| output_index | string | Output field output_index |
| investigation_fields | array | Output field investigation_fields |
| investigation_fields.file.name | string | Name of the resource |
| investigation_fields.file | string | Output field investigation_fields.file |
| tags | array | Output field tags |
| interval | string | Output field interval |
| enabled | boolean | Output field enabled |
| author | array | Output field author |
| author.file.name | string | Name of the resource |
| author.file | string | Output field author.file |
| false_positives | array | Output field false_positives |
| false_positives.file.name | string | Name of the resource |
| false_positives.file | string | Output field false_positives.file |
| from | string | Output field from |
| max_signals | number | Output field max_signals |
| risk_score_mapping | array | Output field risk_score_mapping |
| risk_score_mapping.file.name | string | Name of the resource |
| risk_score_mapping.file | string | Output field risk_score_mapping.file |
| severity_mapping | array | Output field severity_mapping |

Output example (truncated):

```json
{"status_code": 200, "response_headers": {"cache-control": "private, no-cache, no-store, must-revalidate", "content-encoding": "gzip", "content-security-policy": "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'", "content-type": "application/json; charset=utf-8", "cross-origin-opener-policy": "same-origin", "date": "Wed, 04 Oct 2023 09:48:58 GMT", "kbn-license-sig": "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519", "kbn-name": "instance-0000000000", "permissions-polic
```

### Create Detection Indicator Match Rule

Generates
an alert in Elastic Kibana 8 Security by creating an indicator match rule with the specified name, risk score, and threat mapping.

Endpoint URL: `/api/detection_engine/rules`
Method: POST

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| type | string | optional | Type of the resource |
| index | array | optional | Parameter for Create Detection Indicator Match Rule |
| query | string | optional | Parameter for Create Detection Indicator Match Rule |
| threat_index | array | optional | Parameter for Create Detection Indicator Match Rule |
| threat_query | string | optional | Parameter for Create Detection Indicator Match Rule |
| threat_mapping | array | optional | Parameter for Create Detection Indicator Match Rule |
| threat_mapping.entries | array | optional | Parameter for Create Detection Indicator Match Rule |
| threat_mapping.entries.field | string | optional | Parameter for Create Detection Indicator Match Rule |
| threat_mapping.entries.type | string | optional | Type of the resource |
| threat_mapping.entries.value | string | optional | Value for the parameter |
| risk_score | number | optional | Score value |
| severity | string | optional | Parameter for Create Detection Indicator Match Rule |
| name | string | optional | Name of the resource |
| description | string | optional | Parameter for Create Detection Indicator Match Rule |

Input example:

```json
{
  "json_body": {
    "type": "threat_match",
    "index": ["packetbeat-*"],
    "query": "destination.ip:* or host.ip:*",
    "threat_index": ["ip_threat_list"],
    "threat_query": "*:*",
    "threat_mapping": [
      {
        "entries": [
          {"field": "destination.ip", "type": "mapping", "value": "destination.ip"},
          {"field": "destination.port", "type": "mapping", "value": "destination.port"}
        ]
      },
      {
        "entries": [
          {"field": "source.ip", "type": "mapping", "value": "host.ip"}
        ]
      }
    ],
    "risk_score": 50,
    "severity": "medium",
    "name": "Bad IP threat match",
    "description": "Checks for bad IP addresses listed in the ip_threat_list index"
  }
}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| name | string | Name of the resource |
| description | string | Output field description |
| risk_score | number | Score value |
| severity | string | Output field severity |
| output_index | string | Output field output_index |
| investigation_fields | array | Output field investigation_fields |
| investigation_fields.file.name | string | Name of the resource |
| investigation_fields.file | string | Output field investigation_fields.file |
| tags | array | Output field tags |
| tags.file.name | string | Name of the resource |
| tags.file | string | Output field tags.file |
| interval | string | Output field interval |
| enabled | boolean | Output field enabled |
| author | array | Output field author |
| author.file.name | string | Name of the resource |
| author.file | string | Output field author.file |
| false_positives | array | Output field false_positives |
| false_positives.file.name | string | Name of the resource |
| false_positives.file | string | Output field false_positives.file |
| from | string | Output field from |
| max_signals | number | Output field max_signals |
| risk_score_mapping | array | Output field risk_score_mapping |
| risk_score_mapping.file.name | string | Name of the resource |

Output example (truncated):

```json
{"status_code": 200, "response_headers": {"cache-control": "private, no-cache, no-store, must-revalidate", "content-encoding": "gzip", "content-security-policy": "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'", "content-type": "application/json; charset=utf-8", "cross-origin-opener-policy": "same-origin", "date": "Wed, 04 Oct 2023 09:53:40 GMT", "kbn-license-sig": "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519", "kbn-name": "instance-0000000000", "permissions-polic
```

### Create Detection ML Rule

Generates a machine-learning-based detection rule in Elastic Kibana 8 Security, using criteria such as risk score, severity, and job ID.

Endpoint URL: `/api/detection_engine/rules`
Method: POST

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| anomaly_threshold | number | optional | Parameter for Create Detection ML Rule |
| rule_id | string | optional | Unique identifier |
| risk_score | number | optional | Score value |
| machine_learning_job_id | string | optional | Unique identifier |
| description | string | optional | Parameter for Create Detection ML Rule |
| interval | string | optional | Parameter for Create Detection ML Rule |
| name | string | optional | Name of the resource |
| note | string | optional | Parameter for Create Detection ML Rule |
| severity | string | optional | Parameter for Create Detection ML Rule |
| tags | array | optional | Parameter for Create Detection ML Rule |
| type | string | optional | Type of the resource |
| from | string | optional | Parameter for Create Detection ML Rule |
| enabled | boolean | optional | Parameter for Create Detection ML Rule |
| throttle | string | optional | Parameter for Create Detection ML Rule |
| actions | array | optional | Parameter for Create Detection ML Rule |
| actions.action_type_id | string | optional | Unique identifier |
| actions.group | string | optional | Parameter for Create Detection ML Rule |
| actions.id | string | optional | Unique identifier |
| actions.params | object | optional | Parameter for Create Detection ML Rule |
| actions.params.message | string | optional | Response message |

Input example:

```json
{
  "json_body": {
    "anomaly_threshold": 70,
    "rule_id": "ml_linux_network_high_threshold",
    "risk_score": 70,
    "machine_learning_job_id": "linux_anomalous_network_activity_ecs",
    "description": "Generates alerts when the job discovers anomalies over 70",
    "interval": "5m",
    "name": "Anomalous Linux network activity",
    "note": "Shut down the internet.",
    "severity": "high",
    "tags": ["machine learning", "linux"],
    "type": "machine_learning",
    "from": "now-6m",
    "enabled": true,
    "throttle": "rule",
    "actions": [
      {
        "action_type_id": ".slack",
        "group": "default",
        "id": "73cdcf10-5eea-11ee-924f-eb8f01880390",
        "params": {"message": "Detection is created!"}
      }
    ]
  }
}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| name | string | Name of the resource |
| description | string | Output field description |
| risk_score | number | Score value |
| severity | string | Output field severity |
| note | string | Output field note |
| output_index | string | Output field output_index |
| investigation_fields | array | Output field investigation_fields |
| investigation_fields.file.name | string | Name of the resource |
| investigation_fields.file | string | Output field investigation_fields.file |
| tags | array | Output field tags |
| interval | string | Output field interval |
| enabled | boolean | Output field enabled |
| author | array | Output field author |
| author.file.name | string | Name of the resource |
| author.file | string | Output field author.file |
| false_positives | array | Output field false_positives |
| false_positives.file.name | string | Name of the resource |
| false_positives.file | string | Output field false_positives.file |
| from | string | Output field from |
| max_signals | number | Output field max_signals |
| risk_score_mapping | array | Output field risk_score_mapping |
| risk_score_mapping.file.name | string | Name of the resource |
| risk_score_mapping.file | string | Output field risk_score_mapping.file |

Output example (truncated):

```json
{"status_code": 200, "response_headers": {"cache-control": "private, no-cache, no-store, must-revalidate", "content-encoding": "gzip", "content-security-policy": "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'", "content-type": "application/json; charset=utf-8", "cross-origin-opener-policy": "same-origin", "date": "Wed, 04 Oct 2023 09:43:34 GMT", "kbn-license-sig": "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519", "kbn-name": "instance-0000000000", "permissions-polic
```

### Create Detection Query Rule

Initiates the creation of a new detection query rule in Elastic Kibana 8 Security, requiring details such as description, name, risk score, severity, and query.

Endpoint URL: `/api/detection_engine/rules`
Method: POST

Input:

| Name | Type | Required | Description |
| --- | --- | --- | --- |
| rule_id | string | optional | Unique identifier |
| risk_score | number | optional | Score value |
| description | string | optional | Parameter for Create Detection Query Rule |
| interval | string | optional | Parameter for Create Detection Query Rule |
| name | string | optional | Name of the resource |
| severity | string | optional | Parameter for Create Detection Query Rule |
| tags | array | optional | Parameter for Create Detection Query Rule |
| type | string | optional | Type of the resource |
| from | string | optional | Parameter for Create Detection Query Rule |
| query | string | optional | Parameter for Create Detection Query Rule |
| language | string | optional | Parameter for Create Detection Query Rule |
| filters | array | optional | Parameter for Create Detection Query Rule |
| filters.query | object | optional | Parameter for Create Detection Query Rule |
| filters.query.match | object | optional | Parameter for Create Detection Query Rule |
| filters.query.match.event.action | object | optional | Parameter for Create Detection Query Rule |
| filters.query.match.event.action.query | string | optional | Parameter for Create Detection Query Rule |
| filters.query.match.event.action.type | string | optional | Type of the resource |
| enabled | boolean | optional | Parameter for Create Detection Query Rule |

Input example:

```json
{
  "json_body": {
    "rule_id": "process_started_by_ms_office_program_1",
    "risk_score": 50,
    "description": "Process started by MS Office program - possible payload",
    "interval": "1h",
    "name": "MS Office child process",
    "severity": "low",
    "tags": ["child process", "ms office"],
    "type": "query",
    "from": "now-70m",
    "query": "process.parent.name:excel.exe or process.parent.name:mspub.exe or process.parent.name:outlook.exe or process.parent.name:powerpnt.exe or process.parent.name:visio.exe or process.parent.name:winword.exe",
    "language": "kuery",
    "filters": [
      {"query": {"match": {"event.action": {"query": "Process Create (rule: ProcessCreate)", "type": "phrase"}}}}
    ],
    "enabled": false
  }
}
```

Output:

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| name | string | Name of the resource |
| description | string | Output field description |
| risk_score | number | Score value |
| severity | string | Output field severity |
| output_index | string | Output field output_index |
| investigation_fields | array | Output field investigation_fields |
| investigation_fields.file.name | string | Name of the resource |
| investigation_fields.file | string | Output field investigation_fields.file |
| tags | array | Output field tags |
| interval | string | Output field interval |
| enabled | boolean | Output field enabled |
| author | array | Output field author |
file name string name of the resource author file string output field author file false positives array output field false positives false positives file name string name of the resource false positives file string output field false positives file from string output field from max signals number output field max signals risk score mapping array output field risk score mapping risk score mapping file name string name of the resource risk score mapping file string output field risk score mapping file severity mapping array output field severity mapping output example {"status code" 200,"response headers" {"cache control" "private, no cache, no store, must revalidate","content encoding" "gzip","content security policy" "script src 'self'; worker src blob 'self'; style src 'unsafe inline' 'self'","content type" "application/json; charset=utf 8","cross origin opener policy" "same origin","date" "wed, 04 oct 2023 09 57 40 gmt","kbn license sig" "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519","kbn name" "instance 0000000000","permissions polic create detection threshold rule create a detection threshold rule in elastic kibana 8 security using criteria like risk score, severity, and query parameters endpoint url /api/detection engine/rules method post input argument name type required description description string optional parameter for create detection threshold rule enabled boolean optional parameter for create detection threshold rule from string optional parameter for create detection threshold rule index array optional parameter for create detection threshold rule interval string optional parameter for create detection threshold rule name string optional name of the resource query string optional parameter for create detection threshold rule risk score number optional score value rule id string optional unique identifier severity string optional parameter for create detection threshold rule severity mapping array optional parameter for create 
detection threshold rule severity mapping field string optional parameter for create detection threshold rule severity mapping operator string optional parameter for create detection threshold rule severity mapping severity string optional parameter for create detection threshold rule severity mapping value string optional value for the parameter tags array optional parameter for create detection threshold rule threshold object optional parameter for create detection threshold rule threshold field string required parameter for create detection threshold rule threshold value number required value for the parameter type string optional type of the resource input example {"json body" {"description" "detects when there are 20 or more failed login attempts from the same ip address with a 2 minute time frame ","enabled"\ true,"exceptions list" \[{"id" "int ips","namespace type" "single","type" "detection"}],"from" "now 180s","index" \["winlogbeat "],"interval" "2m","name" "liverpool windows server prml 19","query" "host name\ prml 19 and event category\ authentication and event outcome\ failure","risk score" 30,"rule id" "liv win ser logins","severity" "low","severity mapping" \[{"field" "source geo city name","operator" "equals","severity" "low","value" "manchester"},{"field" "source geo city name","operator" "equals","severity" "critical","value" "wallingford"}],"tags" \["brute force"],"threshold" {"field" "source ip","value" 20},"type" "threshold"}} output parameter type description status code number http status code of the response reason string response reason phrase name string name of the resource description string output field description risk score number score value severity string output field severity output index string output field output index investigation fields array output field investigation fields investigation fields file name string name of the resource investigation fields file string output field investigation fields file tags array output 
field tags interval string output field interval enabled boolean output field enabled author array output field author author file name string name of the resource author file string output field author file false positives array output field false positives false positives file name string name of the resource false positives file string output field false positives file from string output field from max signals number output field max signals risk score mapping array output field risk score mapping risk score mapping file name string name of the resource risk score mapping file string output field risk score mapping file severity mapping array output field severity mapping output example {"status code" 200,"response headers" {"cache control" "private, no cache, no store, must revalidate","content encoding" "gzip","content security policy" "script src 'self'; worker src blob 'self'; style src 'unsafe inline' 'self'","content type" "application/json; charset=utf 8","cross origin opener policy" "same origin","date" "wed, 04 oct 2023 08 37 05 gmt","kbn license sig" "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519","kbn name" "instance 0000000000","permissions polic create event filter creates a new event filter in elastic kibana 8 security, specifying details like name, description, os types, and more endpoint url /api/exception lists/items method post input argument name type required description comments array optional parameter for create event filter comments comment string optional parameter for create event filter description string optional parameter for create event filter entries array optional parameter for create event filter entries field string optional parameter for create event filter entries operator string optional parameter for create event filter entries type string optional type of the resource entries value string optional value for the parameter list id string optional unique identifier name string optional name of the resource 
namespace type string optional name of the resource os types array optional type of the resource tags array optional parameter for create event filter type string optional type of the resource input example {"json body" {"comments" \[{"comment" "a new comment about this entry"}],"description" "some description about this entry","entries" \[{"field" "process executable","operator" "included","type" "match","value" "c \\\applications\\\elastic\\\foo exe"}],"list id" "endpoint event filters","name" "create event filter","namespace type" "agnostic","os types" \["windows"],"tags" \["policy\ all"],"type" "simple"}} output parameter type description status code number http status code of the response reason string response reason phrase version string output field version comments array output field comments comments comment string output field comments comment comments created at string output field comments created at comments created by string output field comments created by comments id string unique identifier created at string output field created at created by string output field created by description string output field description entries array output field entries entries field string output field entries field entries operator string output field entries operator entries type string type of the resource entries value string value for the parameter id string unique identifier item id string unique identifier list id string unique identifier name string name of the resource namespace type string name of the resource os types array type of the resource tags array output field tags tie breaker id string unique identifier type string type of the resource output example {"status code" 200,"response headers" {"cache control" "private, no cache, no store, must revalidate","content length" "795","content security policy" "script src 'self'; worker src blob 'self'; style src 'unsafe inline' 'self'","content type" "application/json; charset=utf 8","cross origin opener 
policy" "same origin","date" "thu, 05 oct 2023 10 32 36 gmt","kbn license sig" "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519","kbn name" "instance 0000000000","permissions policy" create event filters container creates a new event filters container in elastic kibana 8 security using provided name, description, list id, namespace type, and filter type endpoint url /api/exception lists method post input argument name type required description description string optional parameter for create event filters container name string optional name of the resource list id string optional unique identifier type string optional type of the resource namespace type string optional name of the resource tags array optional parameter for create event filters container input example {"json body" {"description" "elastic defend event filters list","name" "elastic defend event filters list","list id" "endpoint event filters","type" "endpoint events","namespace type" "agnostic","tags" \["linux","processes"]}} output parameter type description status code number http status code of the response reason string response reason phrase version string output field version created at string output field created at created by string output field created by description string output field description id string unique identifier immutable boolean output field immutable list id string unique identifier name string name of the resource namespace type string name of the resource os types array type of the resource os types file name string name of the resource os types file string type of the resource tags array output field tags tie breaker id string unique identifier type string type of the resource updated at string output field updated at updated by string output field updated by version number output field version output example {"status code" 200,"response headers" {"cache control" "private, no cache, no store, must revalidate","content length" "507","content security policy" 
"script src 'self'; worker src blob 'self'; style src 'unsafe inline' 'self'","content type" "application/json; charset=utf 8","cross origin opener policy" "same origin","date" "thu, 05 oct 2023 10 24 20 gmt","kbn license sig" "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519","kbn name" "instance 0000000000","permissions policy" create exception container creates an exception container in elastic kibana 8 security, requiring a description, name, and type endpoint url /api/exception lists method post input argument name type required description description string optional parameter for create exception container name string optional name of the resource list id string optional not required, automatically created when it is not provided type string optional type of the resource namespace type string optional name of the resource tags array optional parameter for create exception container input example {"json body" {"description" "excludes linux trusted processes","name" "linux process exceptions","list id" "trusted linux processes","type" "detection","namespace type" "single","tags" \["linux","processes"]}} output parameter type description status code number http status code of the response reason string response reason phrase version string output field version created at string output field created at created by string output field created by description string output field description id string unique identifier immutable boolean output field immutable list id string unique identifier name string name of the resource namespace type string name of the resource os types array type of the resource os types file name string name of the resource os types file string type of the resource tags array output field tags tie breaker id string unique identifier type string type of the resource updated at string output field updated at updated by string output field updated by version number output field version output example {"status code" 200,"response 
headers" {"cache control" "private, no cache, no store, must revalidate","content length" "490","content security policy" "script src 'self'; worker src blob 'self'; style src 'unsafe inline' 'self'","content type" "application/json; charset=utf 8","cross origin opener policy" "same origin","date" "thu, 05 oct 2023 06 38 54 gmt","kbn license sig" "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519","kbn name" "instance 0000000000","permissions policy" create exception item creates an exception item in elastic kibana 8 security using specified details such as description, entries, list id, name, and type endpoint url /api/exception lists/items method post input argument name type required description description string optional parameter for create exception item entries array optional parameter for create exception item entries field string required parameter for create exception item entries operator string required parameter for create exception item entries type string required type of the resource entries value array required value for the parameter list id string optional unique identifier name string optional name of the resource namespace type string optional name of the resource tags array optional parameter for create exception item type string optional type of the resource input example {"json body" {"description" "excludes the weekly maintenance job","entries" \[{"field" "host name","operator" "included","type" "match any","value" \["liv win anf","livw win mel","linux anfield"]}],"list id" "trusted linux processes","name" "linux maintenance job","namespace type" "single","tags" \["in house processes","linux"],"type" "simple"}} output parameter type description status code number http status code of the response reason string response reason phrase version string output field version comments array output field comments comments file name string name of the resource comments file string output field comments file created at string output 
field created at created by string output field created by description string output field description entries array output field entries entries field string output field entries field entries operator string output field entries operator entries type string type of the resource entries value array value for the parameter id string unique identifier item id string unique identifier list id string unique identifier name string name of the resource namespace type string name of the resource os types array type of the resource os types file name string name of the resource os types file string type of the resource tags array output field tags tie breaker id string unique identifier type string type of the resource output example {"status code" 200,"response headers" {"cache control" "private, no cache, no store, must revalidate","content length" "659","content security policy" "script src 'self'; worker src blob 'self'; style src 'unsafe inline' 'self'","content type" "application/json; charset=utf 8","cross origin opener policy" "same origin","date" "thu, 05 oct 2023 08 20 52 gmt","kbn license sig" "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519","kbn name" "instance 0000000000","permissions policy" create host isolation exception create an exception to host isolation in elastic kibana 8 security with required details such as description, entries, list id, and os types endpoint url /api/exception lists/items method post input argument name type required description description string optional parameter for create host isolation exception entries array optional parameter for create host isolation exception entries field string required parameter for create host isolation exception entries value string required value for the parameter entries type string required type of the resource entries operator string required parameter for create host isolation exception list id string optional unique identifier name string optional name of the resource 
namespace type string optional name of the resource os types array optional type of the resource tags array optional parameter for create host isolation exception type string optional type of the resource input example {"json body" {"description" "create host isolation exception","entries" \[{"field" "destination ip","value" "10 10 0 1","type" "match","operator" "included"}],"list id" "endpoint host isolation exceptions","name" "create host isolation exception","namespace type" "agnostic","os types" \["linux","macos","windows"],"tags" \["policy\ all"],"type" "simple"}} output parameter type description status code number http status code of the response reason string response reason phrase version string output field version comments array output field comments comments file name string name of the resource comments file string output field comments file created at string output field created at created by string output field created by description string output field description entries array output field entries entries field string output field entries field entries value string value for the parameter entries type string type of the resource entries operator string output field entries operator id string unique identifier item id string unique identifier list id string unique identifier name string name of the resource namespace type string name of the resource os types array type of the resource tags array output field tags tie breaker id string unique identifier type string type of the resource updated at string output field updated at updated by string output field updated by output example {"status code" 200,"response headers" {"cache control" "private, no cache, no store, must revalidate","content length" "653","content security policy" "script src 'self'; worker src blob 'self'; style src 'unsafe inline' 'self'","content type" "application/json; charset=utf 8","cross origin opener policy" "same origin","date" "thu, 05 oct 2023 16 59 11 gmt","kbn license 
sig" "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519","kbn name" "instance 0000000000","permissions policy" create host isolation exceptions container creates a management container for host isolation exceptions in elastic kibana 8 security, requiring description, list id, name, namespace type, and type endpoint url /api/exception lists method post input argument name type required description description string optional parameter for create host isolation exceptions container name string optional name of the resource list id string optional unique identifier type string optional type of the resource namespace type string optional name of the resource tags array optional parameter for create host isolation exceptions container input example {"json body" {"description" "elastic defend host isolation exceptions list","name" "elastic defend host isolation exceptions list","list id" "endpoint host isolation exceptions","type" "endpoint host isolation exceptions","namespace type" "agnostic","tags" \["host isolation exception","linux"]}} output parameter type description status code number http status code of the response reason string response reason phrase version string output field version created at string output field created at created by string output field created by description string output field description id string unique identifier immutable boolean output field immutable list id string unique identifier name string name of the resource namespace type string name of the resource os types array type of the resource os types file name string name of the resource os types file string type of the resource tags array output field tags tie breaker id string unique identifier type string type of the resource updated at string output field updated at updated by string output field updated by version number output field version output example {"status code" 200,"response headers" {"cache control" "private, no cache, no store, must 
revalidate","content length" "577","content security policy" "script src 'self'; worker src blob 'self'; style src 'unsafe inline' 'self'","content type" "application/json; charset=utf 8","cross origin opener policy" "same origin","date" "thu, 05 oct 2023 16 53 32 gmt","kbn license sig" "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519","kbn name" "instance 0000000000","permissions policy" create kibana space creates a new space in elastic kibana 8 with specified 'id' and 'name' necessary headers must be included endpoint url /api/spaces/space method post input argument name type required description id string optional unique identifier name string optional name of the resource description string optional parameter for create kibana space initials string optional must have a maximum length of color string optional parameter for create kibana space imageurl string optional the data url encoded image to display in the space avatar if specified, initials will not be displayed, and the color will be visible as the background color for transparent images for best results, your image should be 64x64 images will not be optimized by this api call, so care should be taken when using custom images disabledfeatures array optional parameter for create kibana space disabledfeatures file name string required name of the resource disabledfeatures file string required parameter for create kibana space input example {"json body" {"id" "my kibana space","name" "my kibana space","description" "my space description created","initials" "mk","color" "#aabbcc","disabledfeatures" \[]}} output parameter type description status code number http status code of the response reason string response reason phrase id string unique identifier name string name of the resource description string output field description color string output field color initials string output field initials disabledfeatures array output field disabledfeatures disabledfeatures file name string name of 
the resource disabledfeatures file string output field disabledfeatures file output example {"status code" 200,"response headers" {"cache control" "private, no cache, no store, must revalidate","content length" "150","content security policy" "script src 'self'; worker src blob 'self'; style src 'unsafe inline' 'self'","content type" "application/json; charset=utf 8","cross origin opener policy" "same origin","date" "thu, 05 oct 2023 08 59 18 gmt","kbn license sig" "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519","kbn name" "instance 0000000000","permissions policy" create list container creates a new list container in elastic kibana 8 security using the provided description, name, and type endpoint url /api/lists method post input argument name type required description id string optional unique identifier name string optional name of the resource description string optional parameter for create list container type string optional type of the resource serializer string optional parameter for create list container deserializer string optional parameter for create list container version number optional parameter for create list container input example {"json body" {"id" "internal ip range excludes","name" "exclude internal ip addresses","description" "contains list items that exclude internal ip addresses from detection rules ","type" "ip","serializer" "(?\<gte> +)/(?\<lte> +)","deserializer" "{{{gte}}} {{{lte}}}","version" 1}} output parameter type description status code number http status code of the response reason string response reason phrase version string output field version id string unique identifier created at string output field created at created by string output field created by description string output field description deserializer string output field deserializer immutable boolean output field immutable name string name of the resource serializer string output field serializer tie breaker id string unique identifier type string 
type of the resource updated at string output field updated at updated by string output field updated by version number output field version output example {"status code" 200,"response headers" {"cache control" "private, no cache, no store, must revalidate","content length" "488","content security policy" "script src 'self'; worker src blob 'self'; style src 'unsafe inline' 'self'","content type" "application/json; charset=utf 8","cross origin opener policy" "same origin","date" "wed, 04 oct 2023 17 23 14 gmt","kbn license sig" "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519","kbn name" "instance 0000000000","permissions policy" create list item associates a new list item with a specified list container in elastic kibana 8 security, requiring 'list id' and 'value' endpoint url /api/lists/items method post input argument name type required description id string optional unique identifier list id string optional unique identifier value string optional value for the parameter input example {"json body" {"id" "internal ip 1","list id" "internal ip excludes","value" "10 0 0 12"}} output parameter type description status code number http status code of the response reason string response reason phrase version string output field version id string unique identifier type string type of the resource value string value for the parameter created at string output field created at created by string output field created by list id string unique identifier tie breaker id string unique identifier updated at string output field updated at updated by string output field updated by output example {"status code" 200,"response headers" {"cache control" "private, no cache, no store, must revalidate","content length" "291","content security policy" "script src 'self'; worker src blob 'self'; style src 'unsafe inline' 'self'","content type" "application/json; charset=utf 8","cross origin opener policy" "same origin","date" "wed, 04 oct 2023 17 29 20 gmt","kbn license 
sig" "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519","kbn name" "instance 0000000000","permissions policy" create signal index initiates the creation of a new signal index in elastic kibana 8 security, categorizing detection alerts endpoint url /api/detection engine/index method post output parameter type description status code number http status code of the response reason string response reason phrase acknowledged boolean output field acknowledged output example {"status code" 200,"response headers" {"cache control" "private, no cache, no store, must revalidate","content length" "21","content security policy" "script src 'self'; worker src blob 'self'; style src 'unsafe inline' 'self'","content type" "application/json; charset=utf 8","cross origin opener policy" "same origin","date" "wed, 04 oct 2023 13 26 41 gmt","kbn license sig" "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519","kbn name" "instance 0000000000","permissions policy" " create timeline generates a new timeline or template in elastic kibana 8 security with the specified timeline data endpoint url /api/timeline method post input argument name type required description timeline object optional parameter for create timeline timeline columns array optional parameter for create timeline timeline columns id string optional unique identifier timeline dataproviders array optional response data timeline dataproviders and array optional response data timeline dataproviders and name string optional response data timeline dataproviders and enabled boolean optional response data timeline dataproviders and excluded boolean optional response data timeline dataproviders and id string optional response data timeline dataproviders and querymatch object optional response data timeline dataproviders and querymatch field string optional response data timeline dataproviders and querymatch value string optional response data timeline dataproviders and querymatch operator string 
optional response data timeline dataproviders enabled boolean optional response data timeline dataproviders excluded boolean optional response data timeline dataproviders id string optional response data timeline dataproviders name string optional response data timeline dataproviders querymatch object optional response data timeline dataproviders querymatch field string optional response data timeline dataproviders querymatch value string optional response data timeline dataproviders querymatch operator string optional response data timeline daterange object optional parameter for create timeline timeline daterange end number optional parameter for create timeline timeline daterange start number optional parameter for create timeline timeline description string optional parameter for create timeline input example {"json body" {"timeline" {"columns" \[{"id" "user name"},{"id" "event category"}],"dataproviders" \[{"and" \[{"name" "event category","enabled"\ true,"excluded"\ false,"id" "timeline 1 914beb92 86ab 471c a00b 25b7e20c2d11","querymatch" {"field" "event category","value" "process","operator" " "}},{"name" "user name","enabled"\ true,"excluded"\ false,"id" "timeline 1 914beb92 86ab 471c a00b 25b7e20c2d12","querymatch" {"field" "user name","value" "system","operator" " "}}],"enabled"\ true,"excluded"\ false,"id" "timeline 1 914beb92 86ab 471c a00b 25b7e20c2d13","name" "host os platform","querymatch" {"field" "host os platform","value" "windows","operator" " "}}],"daterange" {"end" 1594005719000,"start" 1593832919000},"description" "gets windows system processes from all hosts","title" "windows system processes"}}} output parameter type description status code number http status code of the response reason string response reason phrase data object response data data persisttimeline object response data data persisttimeline code number response data data persisttimeline message string response data data persisttimeline timeline object response data data 
persisttimeline timeline savedobjectid string response data data persisttimeline timeline version string response data data persisttimeline timeline columns array response data data persisttimeline timeline columns id string response data data persisttimeline timeline dataproviders array response data data persisttimeline timeline dataproviders and array response data data persisttimeline timeline dataproviders enabled boolean response data data persisttimeline timeline dataproviders excluded boolean response data data persisttimeline timeline dataproviders id string response data data persisttimeline timeline dataproviders name string response data data persisttimeline timeline dataproviders querymatch object response data data persisttimeline timeline dataviewid object response data data persisttimeline timeline description string response data data persisttimeline timeline excludedrowrendererids array response data data persisttimeline timeline excludedrowrendererids file name string response data data persisttimeline timeline excludedrowrendererids file string response data data persisttimeline timeline title string response data data persisttimeline timeline daterange object response data output example {"status code" 200,"response headers" {"cache control" "private, no cache, no store, must revalidate","content encoding" "gzip","content security policy" "script src 'self'; worker src blob 'self'; style src 'unsafe inline' 'self'","content type" "application/json; charset=utf 8","cross origin opener policy" "same origin","date" "wed, 04 oct 2023 16 55 38 gmt","kbn license sig" "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519","kbn name" "instance 0000000000","permissions polic create trusted application create a trusted application in elastic kibana 8 security, specifying details such as name, description, entries, os types, and more endpoint url /api/exception lists/items method post input argument name type required description comments 
| comments | array | Optional | Parameter for Create Trusted Application |
| comments.file_name | string | Required | Name of the resource |
| comments.file | string | Required | Parameter for Create Trusted Application |
| description | string | Optional | Parameter for Create Trusted Application |
| entries | array | Optional | Parameter for Create Trusted Application |
| entries.field | string | Required | Parameter for Create Trusted Application |
| entries.value | string | Required | Value for the parameter |
| entries.type | string | Required | Type of the resource |
| entries.operator | string | Required | Parameter for Create Trusted Application |
| list_id | string | Optional | Unique identifier |
| name | string | Optional | Name of the resource |
| namespace_type | string | Optional | Name of the resource |
| os_types | array | Optional | Type of the resource |
| tags | array | Optional | Parameter for Create Trusted Application |
| type | string | Optional | Type of the resource |

#### Input Example

```json
{
  "json_body": {
    "comments": [],
    "description": "Some description about this entry",
    "entries": [
      {
        "field": "process.executable.caseless",
        "value": "C:\\applications\\elastic\\foo.exe",
        "type": "match",
        "operator": "included"
      }
    ],
    "list_id": "endpoint_trusted_app",
    "name": "Create endpoint trusted app",
    "namespace_type": "agnostic",
    "os_types": ["windows"],
    "tags": ["policy:all"],
    "type": "simple"
  }
}
```

#### Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| _version | string | Output field _version |
| comments | array | Output field comments |
| comments.file_name | string | Name of the resource |
| comments.file | string | Output field comments.file |
| created_at | string | Output field created_at |
| created_by | string | Output field created_by |
| description | string | Output field description |
| entries | array | Output field entries |
| entries.field | string | Output field entries.field |
| entries.value | string | Value for the parameter |
| entries.type | string | Type of the resource |
| entries.operator | string | Output field entries.operator |
| id | string | Unique identifier |
| item_id | string | Unique identifier |
| list_id | string | Unique identifier |
| name | string | Name of the resource |
| namespace_type | string | Name of the resource |
| os_types | array | Type of the resource |
| tags | array | Output field tags |
| tie_breaker_id | string | Unique identifier |
| type | string | Type of the resource |
| updated_at | string | Output field updated_at |
| updated_by | string | Output field updated_by |

#### Output Example

```json
{
  "status_code": 200,
  "response_headers": {
    "cache-control": "private, no-cache, no-store, must-revalidate",
    "content-length": "659",
    "content-security-policy": "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'",
    "content-type": "application/json; charset=utf-8",
    "cross-origin-opener-policy": "same-origin",
    "date": "Fri, 06 Oct 2023 06:11:44 GMT",
    "kbn-license-sig": "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519",
    "kbn-name": "instance-0000000000",
    "permissions-policy"
```

### Create Trusted Applications Container

Create a container for trusted applications in Elastic Kibana 8 Security with the necessary details, such as description, list ID, name, namespace type, and type.

- **Endpoint URL:** `/api/exception_lists`
- **Method:** POST

#### Input

| Argument | Type | Required | Description |
|---|---|---|---|
| description | string | Optional | Parameter for Create Trusted Applications Container |
| name | string | Optional | Name of the resource |
| list_id | string | Optional | Unique identifier |
| type | string | Optional | Type of the resource |
| namespace_type | string | Optional | Name of the resource |
| tags | array | Optional | Parameter for Create Trusted Applications Container |

#### Input Example

```json
{
  "json_body": {
    "description": "Elastic Defend Trusted Apps List",
    "name": "Elastic Defend Trusted Apps List",
    "list_id": "endpoint_trusted_app",
    "type": "endpoint",
    "namespace_type": "agnostic",
    "tags": ["defend", "trusted"]
  }
}
```

#### Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| _version | string | Output field _version |
| created_at | string | Output field created_at |
| created_by | string | Output field created_by |
| description | string | Output field description |
| id | string | Unique identifier |
| immutable | boolean | Output field immutable |
| list_id | string | Unique identifier |
| name | string | Name of the resource |
| namespace_type | string | Name of the resource |
| os_types | array | Type of the resource |
| os_types.file_name | string | Name of the resource |
| os_types.file | string | Type of the resource |
| tags | array | Output field tags |
| tie_breaker_id | string | Unique identifier |
| type | string | Type of the resource |
| updated_at | string | Output field updated_at |
| updated_by | string | Output field updated_by |
| version | number | Output field version |

#### Output Example

```json
{
  "status_code": 200,
  "response_headers": {
    "cache-control": "private, no-cache, no-store, must-revalidate",
    "content-length": "91",
    "content-security-policy": "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'",
    "content-type": "application/json; charset=utf-8",
    "cross-origin-opener-policy": "same-origin",
    "date": "Fri, 06 Oct 2023 06:02:23 GMT",
    "kbn-license-sig": "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519",
    "kbn-name": "instance-0000000000",
    "permissions-policy": "
```

### Delete Blocklist Entry

Removes a specific blocklist entry from Elastic Kibana 8 using the provided entry ID and namespace type.

- **Endpoint URL:** `/api/exception_lists/items`
- **Method:** DELETE

#### Input

| Argument | Type | Required | Description |
|---|---|---|---|
| parameters.id | string | Required | Parameters for the Delete Blocklist Entry action |
| parameters.namespace_type | string | Required | Parameters for the Delete Blocklist Entry action |

#### Input Example

```json
{
  "parameters": {
    "id": "e880f600-6360-11ee-924f-eb8f01880390",
    "namespace_type": "agnostic"
  }
}
```

#### Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| _version | string | Output field _version |
| comments | array | Output field comments |
| comments.file_name | string | Name of the resource |
| comments.file | string | Output field comments.file |
| created_at | string | Output field created_at |
| created_by | string | Output field created_by |
| description | string | Output field description |
| entries | array | Output field entries |
| entries.field | string | Output field entries.field |
| entries.value | array | Value for the parameter |
| entries.type | string | Type of the resource |
| entries.operator | string | Output field entries.operator |
| id | string | Unique identifier |
| item_id | string | Unique identifier |
| list_id | string | Unique identifier |
| name | string | Name of the resource |
| namespace_type | string | Name of the resource |
| os_types | array | Type of the resource |
| tags | array | Output field tags |
| tie_breaker_id | string | Unique identifier |
| type | string | Type of the resource |
| updated_at | string | Output field updated_at |
| updated_by | string | Output field updated_by |

#### Output Example

```json
{
  "status_code": 200,
  "response_headers": {
    "cache-control": "private, no-cache, no-store, must-revalidate",
    "content-length": "681",
    "content-security-policy": "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'",
    "content-type": "application/json; charset=utf-8",
    "cross-origin-opener-policy": "same-origin",
    "date": "Thu, 05 Oct 2023 10:15:51 GMT",
    "kbn-license-sig": "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519",
    "kbn-name": "instance-0000000000",
    "permissions-policy"
```

### Delete Detection Rule

Deletes a specified detection rule in Elastic Kibana 8 Security using the provided rule ID.

- **Endpoint URL:** `/api/detection_engine/rules?id={{id}}`
- **Method:** DELETE

#### Input

| Argument | Type | Required | Description |
|---|---|---|---|
| path_parameters.id | string | Required | Parameters for the Delete Detection Rule action |

#### Input Example

```json
{
  "path_parameters": {
    "id": "3ba66e80-629b-11ee-924f-eb8f01880390"
  }
}
```

#### Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| id | string | Unique identifier |
| updated_at | string | Output field updated_at |
| updated_by | string | Output field updated_by |
| created_at | string | Output field created_at |
| created_by | string | Output field created_by |
| name | string | Name of the resource |
| tags | array | Output field tags |
| interval | string | Output field interval |
| enabled | boolean | Output field enabled |
| revision | number | Output field revision |
| description | string | Output field description |
| risk_score | number | Score value |
| severity | string | Output field severity |
| output_index | string | Output field output_index |
| investigation_fields | array | Output field investigation_fields |
| investigation_fields.file_name | string | Name of the resource |
| investigation_fields.file | string | Output field investigation_fields.file |
| author | array | Output field author |
| author.file_name | string | Name of the resource |
| author.file | string | Output field author.file |
| false_positives | array | Output field false_positives |
| false_positives.file_name | string | Name of the resource |
| false_positives.file | string | Output field false_positives.file |

#### Output Example

```json
{
  "status_code": 200,
  "response_headers": {
    "cache-control": "private, no-cache, no-store, must-revalidate",
    "content-encoding": "gzip",
    "content-security-policy": "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'",
    "content-type": "application/json; charset=utf-8",
    "cross-origin-opener-policy": "same-origin",
    "date": "Wed, 04 Oct 2023 10:48:41 GMT",
    "kbn-license-sig": "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519",
    "kbn-name": "instance-0000000000",
    "permissions-polic
```

### Delete Event Filter

Removes a specified event filter from Elastic Kibana 8 using the provided `id` and `namespace_type`.

- **Endpoint URL:** `/api/exception_lists/items`
- **Method:** DELETE

#### Input

| Argument | Type | Required | Description |
|---|---|---|---|
| parameters.id | string | Required | Parameters for the Delete Event Filter action |
| parameters.namespace_type | string | Required | Parameters for the Delete Event Filter action |

#### Input Example

```json
{
  "parameters": {
    "id": "7fe2fe90-636a-11ee-924f-eb8f01880390",
    "namespace_type": "agnostic"
  }
}
```

#### Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| _version | string | Output field _version |
| comments | array | Output field comments |
| comments.comment | string | Output field comments.comment |
| comments.created_at | string | Output field comments.created_at |
| comments.created_by | string | Output field comments.created_by |
| comments.id | string | Unique identifier |
| created_at | string | Output field created_at |
| created_by | string | Output field created_by |
| description | string | Output field description |
| entries | array | Output field entries |
| entries.field | string | Output field entries.field |
| entries.operator | string | Output field entries.operator |
| entries.type | string | Type of the resource |
| entries.value | string | Value for the parameter |
| id | string | Unique identifier |
| item_id | string | Unique identifier |
| list_id | string | Unique identifier |
| name | string | Name of the resource |
| namespace_type | string | Name of the resource |
| os_types | array | Type of the resource |
| tags | array | Output field tags |
| tie_breaker_id | string | Unique identifier |
| type | string | Type of the resource |

#### Output Example

```json
{
  "status_code": 200,
  "response_headers": {
    "cache-control": "private, no-cache, no-store, must-revalidate",
    "content-length": "954",
    "content-security-policy": "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'",
    "content-type": "application/json; charset=utf-8",
    "cross-origin-opener-policy": "same-origin",
    "date": "Thu, 05 Oct 2023 13:46:16 GMT",
    "kbn-license-sig": "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519",
    "kbn-name": "instance-0000000000",
    "permissions-policy"
```

### Delete Host Isolation Exception

Removes a specified host isolation exception in Elastic Kibana 8 using the `id` and `namespace_type`.

- **Endpoint URL:** `/api/exception_lists/items`
- **Method:** DELETE

#### Input

| Argument | Type | Required | Description |
|---|---|---|---|
| parameters.id | string | Required | Parameters for the Delete Host Isolation Exception action |
| parameters.namespace_type | string | Required | Parameters for the Delete Host Isolation Exception action |

#### Input Example

```json
{
  "parameters": {
    "id": "80f34d90-63a0-11ee-924f-eb8f01880390",
    "namespace_type": "agnostic"
  }
}
```

#### Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| _version | string | Output field _version |
| comments | array | Output field comments |
| comments.file_name | string | Name of the resource |
| comments.file | string | Output field comments.file |
| created_at | string | Output field created_at |
| created_by | string | Output field created_by |
| description | string | Output field description |
| entries | array | Output field entries |
| entries.field | string | Output field entries.field |
| entries.type | string | Type of the resource |
| entries.value | string | Value for the parameter |
| entries.operator | string | Output field entries.operator |
| id | string | Unique identifier |
| item_id | string | Unique identifier |
| list_id | string | Unique identifier |
| name | string | Name of the resource |
| namespace_type | string | Name of the resource |
| os_types | array | Type of the resource |
| tags | array | Output field tags |
| tie_breaker_id | string | Unique identifier |
| type | string | Type of the resource |
| updated_at | string | Output field updated_at |
| updated_by | string | Output field updated_by |

#### Output Example

```json
{
  "status_code": 200,
  "response_headers": {
    "cache-control": "private, no-cache, no-store, must-revalidate",
    "content-length": "663",
    "content-security-policy": "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'",
    "content-type": "application/json; charset=utf-8",
    "cross-origin-opener-policy": "same-origin",
    "date": "Thu, 05 Oct 2023 17:21:05 GMT",
    "kbn-license-sig": "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519",
    "kbn-name": "instance-0000000000",
    "permissions-policy"
```

### Delete Trusted Application

Deletes a trusted application from Elastic Kibana 8 using the specified `id` and `namespace_type`.

- **Endpoint URL:** `/api/exception_lists/items`
- **Method:** DELETE

#### Input

| Argument | Type | Required | Description |
|---|---|---|---|
| parameters.id | string | Required | Parameters for the Delete Trusted Application action |
| parameters.namespace_type | string | Required | Parameters for the Delete Trusted Application action |

#### Input Example

```json
{
  "parameters": {
    "id": "38e91330-640f-11ee-924f-eb8f01880390",
    "namespace_type": "agnostic"
  }
}
```

#### Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| _version | string | Output field _version |
| comments | array | Output field comments |
| comments.comment | string | Output field comments.comment |
| comments.created_at | string | Output field comments.created_at |
| comments.created_by | string | Output field comments.created_by |
| comments.id | string | Unique identifier |
| created_at | string | Output field created_at |
| created_by | string | Output field created_by |
| description | string | Output field description |
| entries | array | Output field entries |
| entries.field | string | Output field entries.field |
| entries.value | string | Value for the parameter |
| entries.type | string | Type of the resource |
| entries.operator | string | Output field entries.operator |
| id | string | Unique identifier |
| item_id | string | Unique identifier |
| list_id | string | Unique identifier |
| name | string | Name of the resource |
| namespace_type | string | Name of the resource |
| os_types | array | Type of the resource |
| tags | array | Output field tags |
| tie_breaker_id | string | Unique identifier |
| type | string | Type of the resource |

#### Output Example

```json
{
  "status_code": 200,
  "response_headers": {
    "cache-control": "private, no-cache, no-store, must-revalidate",
    "content-length": "786",
    "content-security-policy": "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'",
    "content-type": "application/json; charset=utf-8",
    "cross-origin-opener-policy": "same-origin",
    "date": "Fri, 06 Oct 2023 06:30:12 GMT",
    "kbn-license-sig": "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519",
    "kbn-name": "instance-0000000000",
    "permissions-policy"
```

### Export Detection Rules

Exports detection rules from Elastic Kibana 8 Security to an NDJSON file, which supports sharing and backup of rules.

- **Endpoint URL:** `/api/detection_engine/rules/_export`
- **Method:** POST

#### Input

| Argument | Type | Required | Description |
|---|---|---|---|
| parameters.exclude_export_details | boolean | Optional | Parameters for the Export Detection Rules action |
| parameters.file_name | string | Optional | Parameters for the Export Detection Rules action |
| objects | array | Optional | Parameter for Export Detection Rules |
| objects.rule_id | string | Optional | Unique identifier |

#### Input Example

```json
{
  "parameters": {
    "exclude_export_details": false,
    "file_name": "export.ndjson"
  },
  "json_body": {
    "objects": [
      {
        "rule_id": "a8fd8c70-7be8-4d70-95d3-5135bf17d498"
      }
    ]
  }
}
```

#### Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| response_text | string | Output field response_text |

#### Output Example

```json
{
  "status_code": 200,
  "response_headers": {
    "cache-control": "private, no-cache, no-store, must-revalidate",
    "content-disposition": "attachment; filename=\"export.ndjson\"",
    "content-length": "1665",
    "content-security-policy": "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'",
    "content-type": "application/ndjson",
    "cross-origin-opener-policy": "same-origin",
    "date": "Wed, 04 Oct 2023 10:59:19 GMT",
    "kbn-license-sig": "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519",
    "kb
```

### Find Blocklist Entries

Locate blocklist entries in Elastic Kibana 8 Security by specifying the list ID and namespace type parameters.

- **Endpoint URL:** `/api/exception_lists/items/_find`
- **Method:** GET

#### Input

| Argument | Type | Required | Description |
|---|---|---|---|
| parameters.list_id | string | Required | Parameters for the Find Blocklist Entries action |
| parameters.namespace_type | string | Required | Parameters for the Find Blocklist Entries action |
| parameters.page | number | Optional | Parameters for the Find Blocklist Entries action |
| parameters.per_page | number | Optional | Parameters for the Find Blocklist Entries action |
| parameters.sort_field | string | Optional | Parameters for the Find Blocklist Entries action |
| parameters.sort_order | string | Optional | Parameters for the Find Blocklist Entries action |
| parameters.search | string | Optional | Parameters for the Find Blocklist Entries action |

#### Input Example

```json
{
  "parameters": {
    "list_id": "endpoint_blocklists",
    "namespace_type": "agnostic",
    "page": 1,
    "per_page": 10,
    "sort_field": "name",
    "sort_order": "desc",
    "search": ""
  }
}
```

#### Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | array | Response data |
| data._version | string | Response data |
| data.comments | array | Response data |
| data.comments.file_name | string | Response data |
| data.comments.file | string | Response data |
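The Export Detection Rules action above hands back the NDJSON export in `response_text`. The following is an added example, not connector or Kibana code: it splits that text into rule objects and the trailing export-details record, then reconciles what came back against the `objects[].rule_id` values that were requested. The details-record field names (`exported_count`, `exported_rules_count`, `missing_rules`, `missing_rules_count`) are assumed, and the sample export is constructed.

```python
"""Added example: post-process the NDJSON returned by Export Detection Rules.

response_text is newline-delimited JSON: one rule object per line and, when
exclude_export_details is false, a final summary record. The summary's field
names below are assumed, not taken from the connector page.
"""
import json
from typing import Dict, List, Tuple

# Rule id from the page's input example; the second id is a constructed
# placeholder that the sample export deliberately does not contain.
PAGE_RULE_ID = "a8fd8c70-7be8-4d70-95d3-5135bf17d498"
MISSING_RULE_ID = "00000000-0000-0000-0000-000000000000"

# Constructed sample of response_text for exclude_export_details=false.
SAMPLE_EXPORT = "\n".join([
    json.dumps({
        "rule_id": PAGE_RULE_ID,
        "name": "Constructed example rule",
        "type": "query",
        "query": "event.category: process",
        "enabled": True,
        "severity": "medium",
        "risk_score": 47,
    }),
    json.dumps({
        "exported_count": 1,
        "exported_rules_count": 1,
        "missing_rules": [{"rule_id": MISSING_RULE_ID}],
        "missing_rules_count": 1,
    }),
    "",  # the file ends with a trailing newline
])


def parse_rule_export(ndjson_text: str) -> Tuple[List[dict], dict]:
    """Split an export into (rule objects, details record).

    Rules are recognised by their rule_id; the one remaining object is the
    details record. Returns {} for details when the export was made with
    exclude_export_details=true. A malformed line raises ValueError with its
    line number instead of being skipped silently.
    """
    rules: List[dict] = []
    details: dict = {}
    for lineno, raw in enumerate(ndjson_text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            continue
        try:
            obj = json.loads(line)
        except json.JSONDecodeError as exc:
            raise ValueError(f"line {lineno}: not valid JSON ({exc.msg})") from None
        if not isinstance(obj, dict):
            raise ValueError(f"line {lineno}: expected a JSON object")
        if "rule_id" in obj:
            rules.append(obj)
        elif not details:
            details = obj
        else:
            raise ValueError(f"line {lineno}: more than one details record")
    return rules, details


def verify_export(requested_rule_ids: List[str], ndjson_text: str) -> Dict[str, object]:
    """Reconcile the requested objects[].rule_id values with the export."""
    rules, details = parse_rule_export(ndjson_text)
    exported = {r["rule_id"] for r in rules}
    requested = set(requested_rule_ids)
    reported_missing = {m.get("rule_id") for m in details.get("missing_rules", [])}
    counted = details.get("exported_rules_count", details.get("exported_count"))
    return {
        "exported": sorted(exported),
        "missing": sorted(requested - exported),
        "unexpected": sorted(exported - requested),
        # The two consistency checks only mean something when details exist.
        "count_matches": counted is None or counted == len(rules),
        "missing_matches": not details or reported_missing == (requested - exported),
    }


if __name__ == "__main__":
    print(json.dumps(verify_export([PAGE_RULE_ID, MISSING_RULE_ID], SAMPLE_EXPORT), indent=2))
```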

| Parameter | Type | Description |
|---|---|---|
| data.created_at | string | Response data |
| data.created_by | string | Response data |
| data.description | string | Response data |
| data.entries | array | Response data |
| data.entries.field | string | Response data |
| data.entries.value | array | Response data |
| data.entries.type | string | Response data |
| data.entries.operator | string | Response data |
| data.id | string | Response data |
| data.item_id | string | Response data |
| data.list_id | string | Response data |
| data.name | string | Response data |
| data.namespace_type | string | Response data |
| data.os_types | array | Response data |
| data.tags | array | Response data |
| data.tie_breaker_id | string | Response data |
| data.type | string | Response data |
| data.updated_at | string | Response data |

#### Output Example

```json
{
  "status_code": 200,
  "response_headers": {
    "accept-ranges": "bytes",
    "cache-control": "private, no-cache, no-store, must-revalidate",
    "content-length": "725",
    "content-security-policy": "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'",
    "content-type": "application/json; charset=utf-8",
    "cross-origin-opener-policy": "same-origin",
    "date": "Thu, 05 Oct 2023 10:06:23 GMT",
    "kbn-license-sig": "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519",
    "kbn-name": "instance-000000000
```

### Find Case Activity

Retrieves user activity details for a specified case in Elastic Kibana 8 Security using the provided case ID.

- **Endpoint URL:** `/api/cases/{{case_id}}/user_actions/_find`
- **Method:** GET

#### Input

| Argument | Type | Required | Description |
|---|---|---|---|
| path_parameters.case_id | string | Required | Parameters for the Find Case Activity action |

#### Input Example

```json
{
  "path_parameters": {
    "case_id": "b1116be0-5e8e-11ee-924f-eb8f01880390"
  }
}
```

#### Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| userActions | array | Output field userActions |
| userActions.type | string | Type of the resource |
| userActions.payload | object | Output field userActions.payload |
| userActions.payload.comment | object | Output field userActions.payload.comment |
| userActions.payload.comment.comment | string | Output field userActions.payload.comment.comment |
| userActions.payload.comment.owner | string | Output field userActions.payload.comment.owner |
| userActions.payload.comment.type | string | Type of the resource |
| userActions.created_at | string | Output field userActions.created_at |
| userActions.created_by | object | Output field userActions.created_by |
| userActions.created_by.username | string | Name of the resource |
| userActions.created_by.full_name | object | Name of the resource |
| userActions.created_by.email | object | Output field userActions.created_by.email |
| userActions.owner | string | Output field userActions.owner |
| userActions.action | string | Output field userActions.action |
| userActions.comment_id | string | Unique identifier |
| userActions.id | string | Unique identifier |
| userActions.version | string | Output field userActions.version |
| page | number | Output field page |
| perPage | number | Output field perPage |
| total | number | Output field total |

#### Output Example

```json
{
  "status_code": 200,
  "response_headers": {
    "accept-ranges": "bytes",
    "cache-control": "private, no-cache, no-store, must-revalidate",
    "content-length": "1016",
    "content-security-policy": "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'",
    "content-type": "application/json; charset=utf-8",
    "cross-origin-opener-policy": "same-origin",
    "date": "Fri, 29 Sep 2023 16:50:40 GMT",
    "kbn-license-sig": "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519",
    "kbn-name": "instance-00000000
```

### Find Cases

Retrieve a paginated subset of cases from Elastic Kibana 8 Security for review and management.

- **Endpoint URL:** `/api/cases/_find`
- **Method:** GET

#### Input

| Argument | Type | Required | Description |
|---|---|---|---|
| parameters.assignees | string | Optional | Parameters for the Find Cases action |
| parameters.defaultSearchOperator | string | Optional | Parameters for the Find Cases action |
| parameters.from | string | Optional | The date must be specified as a KQL (Kibana Query Language) date range or date match expression |
| parameters.owner | array | Optional | Parameters for the Find Cases action |
| parameters.page | number | Optional | Parameters for the Find Cases action |
| parameters.perPage | number | Optional | Parameters for the Find Cases action |
| parameters.reporters | array | Optional | Parameters for the Find Cases action |
| parameters.search | string | Optional | Parameters for the Find Cases action |
| parameters.searchFields | array | Optional | Parameters for the Find Cases action |
| parameters.severity | string | Optional | Parameters for the Find Cases action |
| parameters.sortField | string | Optional | Parameters for the Find Cases action |
| parameters.sortOrder | string | Optional | Parameters for the Find Cases action |
| parameters.status | string | Optional | Parameters for the Find Cases action |
| parameters.tags | array | Optional | Parameters for the Find Cases action |
| parameters.to | string | Optional | Parameters for the Find Cases action |

#### Input Example

```json
{
  "parameters": {
    "assignees": "",
    "defaultSearchOperator": "OR",
    "from": "",
    "owner": ["cases", "observability"],
    "page": 1,
    "perPage": 20,
    "reporters": [""],
    "search": "",
    "searchFields": [""],
    "severity": "critical",
    "sortField": "updatedAt",
    "sortOrder": "desc",
    "status": "in-progress",
    "tags": [""],
    "to": ""
  }
}
```

#### Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| page | number | Output field page |
| per_page | number | Output field per_page |
| total | number | Output field total |
| cases | array | Output field cases |
| cases.description | string | Output field cases.description |
| cases.title | string | Output field cases.title |
| cases.tags | array | Output field cases.tags |
| cases.settings | object | Output field cases.settings |
| cases.settings.syncAlerts | boolean | Output field cases.settings.syncAlerts |
| cases.owner | string | Output field cases.owner |
| cases.category | object | Output field cases.category |
| cases.assignees | array | Output field cases.assignees |
| cases.assignees.file_name | string | Name of the resource |
| cases.assignees.file | string | Output field cases.assignees.file |
| cases.connector | object | Output field cases.connector |
| cases.connector.id | string | Unique identifier |
| cases.connector.type | string | Type of the resource |
| cases.connector.fields | object | Output field cases.connector.fields |
| cases.connector.fields.issueType | string | Type of the resource |
| cases.connector.fields.priority | string | Output field cases.connector.fields.priority |
| cases.connector.fields.parent | object | Output field cases.connector.fields.parent |
| cases.connector.name | string | Name of the resource |
| cases.severity | string | Output field cases.severity |

#### Output Example

```json
{
  "status_code": 200,
  "response_headers": {
    "accept-ranges": "bytes",
    "cache-control": "private, no-cache, no-store, must-revalidate",
    "content-length": "791",
    "content-security-policy": "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'",
    "content-type": "application/json; charset=utf-8",
    "cross-origin-opener-policy": "same-origin",
    "date": "Fri, 29 Sep 2023 06:17:41 GMT",
    "kbn-license-sig": "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519",
    "kbn-name": "instance-000000000
```

### Find Detection Rules

Retrieve a paginated list of detection rules from Elastic Kibana 8 Security for analysis and management.

- **Endpoint URL:** `/api/detection_engine/rules/_find`
- **Method:** GET

#### Input

| Argument | Type | Required | Description |
|---|---|---|---|
| parameters.page | number | Optional | Parameters for the Find Detection Rules action |
| parameters.per_page | number | Optional | Parameters for the Find Detection Rules action |
| parameters.sort_field | string | Optional | Parameters for the Find Detection Rules action |
| parameters.sort_order | string | Optional | Parameters for the Find Detection Rules action |
| parameters.filter | string | Optional | Filters the returned results according to the value of the specified field, using the `alert.attributes` syntax |

#### Input Example

```json
{
  "parameters": {
    "page": 1,
    "per_page": 20,
    "sort_field": "enabled",
    "sort_order": "asc",
    "filter": "alert.attributes.name:windows"
  }
}
```

#### Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| page | number | Output field page |
| perPage | number | Output field perPage |
| total | number | Output field total |
| data | array | Response data |
| data.file_name | string | Response data |
| data.file | string | Response data |

#### Output Example

```json
{
  "status_code": 200,
  "response_headers": {
    "accept-ranges": "bytes",
    "cache-control": "private, no-cache, no-store, must-revalidate",
    "content-length": "43",
    "content-security-policy": "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'",
    "content-type": "application/json; charset=utf-8",
    "cross-origin-opener-policy": "same-origin",
    "date": "Wed, 04 Oct 2023 11:04:54 GMT",
    "kbn-license-sig": "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519",
    "kbn-name": "instance-0000000000
```

### Find Event Filters

Locate event filters in Elastic Kibana 8 by specifying the list ID and namespace type parameters.

- **Endpoint URL:** `/api/exception_lists/items/_find`
- **Method:** GET

#### Input

| Argument | Type | Required | Description |
|---|---|---|---|
| parameters.list_id | string | Required | Parameters for the Find Event Filters action |
| parameters.namespace_type | string | Required | Parameters for the Find Event Filters action |
| parameters.page | number | Optional | Parameters for the Find Event Filters action |
| parameters.per_page | number | Optional | Parameters for the Find Event Filters action |
| parameters.sort_field | string | Optional | Parameters for the Find Event Filters action |
| parameters.sort_order | string | Optional | Parameters for the Find Event Filters action |
| parameters.filter | string | Optional | Parameters for the Find Event Filters action |

#### Input Example

```json
{
  "parameters": {
    "list_id": "endpoint_event_filters",
    "namespace_type": "agnostic",
    "page": 1,
    "per_page": 10,
    "sort_field": "name",
    "sort_order": "desc",
    "filter": ""
  }
}
```

#### Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | array | Response data |
| data._version | string | Response data |
| data.comments | array | Response data |
| data.comments.comment | string | Response data |
| data.comments.created_at | string | Response data |
| data.comments.created_by | string | Response data |
| data.comments.id | string | Response data |
| data.created_at | string | Response data |
| data.created_by | string | Response data |
| data.description | string | Response data |
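The `_find` actions above (Find Blocklist Entries, Find Event Filters and the other exception-item searches) return one page of `data` together with `page`, `per_page` and `total`. The following added example, not part of the connector or of Kibana, walks every page until `total` is reached, de-duplicates on `id`, and lists the items tagged `policy:all`, the tag the Create Trusted Application example uses to apply an item to every policy. The Kibana endpoint is replaced by an in-memory fake over constructed items whose fields follow the output tables on this page.

```python
"""Added example: page through an exception-list `_find` action.

The connector's exception-item searches call /api/exception_lists/items/_find
with list_id, namespace_type, page, per_page, sort_field and sort_order and get
back `data` plus `total`. The HTTP call is replaced here by an in-memory fake.
"""
from typing import Callable, Dict, List

FIND_ITEMS_PATH = "/api/exception_lists/items/_find"
Transport = Callable[[str, Dict[str, object]], Dict[str, object]]


def find_all_items(transport: Transport, list_id: str, namespace_type: str,
                   per_page: int = 10, sort_field: str = "name",
                   sort_order: str = "desc", max_pages: int = 1000) -> List[dict]:
    """Collect every item in a list by following page/per_page up to `total`.

    Stops early on an empty page (the list shrank between requests) and after
    max_pages (a server that keeps reporting more than it returns). Items are
    de-duplicated on `id` so a list that grows between pages is not counted twice.
    """
    seen: Dict[str, dict] = {}
    page = 1
    while page <= max_pages:
        params = {"list_id": list_id, "namespace_type": namespace_type,
                  "page": page, "per_page": per_page,
                  "sort_field": sort_field, "sort_order": sort_order}
        resp = transport(FIND_ITEMS_PATH, params)
        data = resp.get("data") or []
        if not data:
            break
        for item in data:
            seen.setdefault(item["id"], item)
        if len(seen) >= int(resp.get("total", 0)):
            break
        page += 1
    return list(seen.values())


def items_for_all_policies(items: List[dict]) -> List[str]:
    """Names of items tagged policy:all, i.e. applied to every Elastic Defend policy.

    Global exceptions widen the blind spot of every policy at once, so they are
    the first ones to review when auditing a list.
    """
    return sorted(i["name"] for i in items if "policy:all" in i.get("tags", []))


def make_fake_transport(items: List[dict]) -> Transport:
    """Fake of the _find endpoint: filters, sorts and slices constructed items."""
    def transport(path: str, params: Dict[str, object]) -> Dict[str, object]:
        if path != FIND_ITEMS_PATH:
            raise ValueError(f"unexpected path {path}")
        subset = [i for i in items
                  if i["list_id"] == params["list_id"]
                  and i["namespace_type"] == params["namespace_type"]]
        subset.sort(key=lambda i: i[str(params["sort_field"])],
                    reverse=params["sort_order"] == "desc")
        page, per_page = int(params["page"]), int(params["per_page"])
        start = (page - 1) * per_page
        return {"page": page, "per_page": per_page, "total": len(subset),
                "data": subset[start:start + per_page]}
    return transport


def _item(n: int, list_id: str, tags: List[str]) -> dict:
    """Build one constructed exception item with the fields the page lists."""
    return {"id": f"item-{list_id}-{n}", "item_id": f"{list_id}-{n}",
            "list_id": list_id, "namespace_type": "agnostic",
            "name": f"filter {n:02d}", "tags": tags,
            "entries": [{"field": "process.executable.caseless",
                         "operator": "included", "type": "match",
                         "value": f"C:\\constructed\\app{n}.exe"}]}


# Constructed data: five event filters (three global) and two blocklist items.
SAMPLE_ITEMS = (
    [_item(n, "endpoint_event_filters", ["policy:all" if n % 2 else "policy:abc123"])
     for n in range(1, 6)]
    + [_item(n, "endpoint_blocklists", ["policy:all"]) for n in range(1, 3)]
)

if __name__ == "__main__":
    found = find_all_items(make_fake_transport(SAMPLE_ITEMS),
                           "endpoint_event_filters", "agnostic", per_page=2)
    print(len(found), items_for_all_policies(found))
```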

| Parameter | Type | Description |
|---|---|---|
| data.entries | array | Response data |
| data.entries.field | string | Response data |
| data.entries.operator | string | Response data |
| data.entries.type | string | Response data |
| data.entries.value | string | Response data |
| data.id | string | Response data |
| data.item_id | string | Response data |
| data.list_id | string | Response data |
| data.name | string | Response data |
| data.namespace_type | string | Response data |
| data.os_types | array | Response data |
| data.tags | array | Response data |
| data.tie_breaker_id | string | Response data |

#### Output Example

```json
{
  "status_code": 200,
  "response_headers": {
    "accept-ranges": "bytes",
    "cache-control": "private, no-cache, no-store, must-revalidate",
    "content-length": "998",
    "content-security-policy": "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'",
    "content-type": "application/json; charset=utf-8",
    "cross-origin-opener-policy": "same-origin",
    "date": "Thu, 05 Oct 2023 13:42:33 GMT",
    "kbn-license-sig": "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519",
    "kbn-name": "instance-000000000
```

### Find Exception Containers

Retrieve a paginated subset of exception containers from Elastic Kibana 8 Security.

- **Endpoint URL:** `/api/exception_lists/_find`
- **Method:** GET

#### Input

| Argument | Type | Required | Description |
|---|---|---|---|
| parameters.filter | string | Optional | Parameters for the Find Exception Containers action |
| parameters.search | string | Optional | Parameters for the Find Exception Containers action |
| parameters.page | number | Optional | Parameters for the Find Exception Containers action |
| parameters.per_page | number | Optional | Parameters for the Find Exception Containers action |
| parameters.sort_field | string | Optional | Parameters for the Find Exception Containers action |
| parameters.sort_order | string | Optional | Parameters for the Find Exception Containers action |
| parameters.namespace_type | string | Optional | Parameters for the Find Exception Containers action |

#### Input Example

```json
{
  "parameters": {
    "filter": "",
    "search": "",
    "page": 1,
    "per_page": 10,
    "sort_field": "name",
    "sort_order": "desc",
    "namespace_type": "single"
  }
}
```

#### Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | array | Response data |
| data._version | string | Response data |
| data.created_at | string | Response data |
| data.created_by | string | Response data |
| data.description | string | Response data |
| data.id | string | Response data |
| data.immutable | boolean | Response data |
| data.list_id | string | Response data |
| data.name | string | Response data |
| data.namespace_type | string | Response data |
| data.os_types | array | Response data |
| data.os_types.file_name | string | Response data |
| data.os_types.file | string | Response data |
| data.tags | array | Response data |
| data.tie_breaker_id | string | Response data |
| data.type | string | Response data |
| data.updated_at | string | Response data |
| data.updated_by | string | Response data |
| data.version | number | Response data |
| page | number | Output field page |
| per_page | number | Output field per_page |
| total | number | Output field total |

#### Output Example

```json
{
  "status_code": 200,
  "response_headers": {
    "accept-ranges": "bytes",
    "cache-control": "private, no-cache, no-store, must-revalidate",
    "content-length": "534",
    "content-security-policy": "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'",
    "content-type": "application/json; charset=utf-8",
    "cross-origin-opener-policy": "same-origin",
    "date": "Thu, 05 Oct 2023 08:42:46 GMT",
    "kbn-license-sig": "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519",
    "kbn-name": "instance-000000000
```

### Find Exception Items

Retrieves a subset of exception items from a specified list in Elastic Kibana 8 Security, selecting the list with the `list_id` parameter and returning paginated results.

- **Endpoint URL:** `/api/exception_lists/items/_find`
- **Method:** GET

#### Input

| Argument | Type | Required | Description |
|---|---|---|---|
| parameters.list_id | string | Required | Parameters for the Find Exception Items action |
| parameters.page | number | Optional | Parameters for the Find Exception Items action |
| parameters.per_page | number | Optional | Parameters for the Find Exception Items action |
| parameters.sort_field | string | Optional | Parameters for the Find Exception Items action |
| parameters.sort_order | string | Optional | Parameters for the Find Exception Items action |

#### Input Example

```json
{
  "parameters": {
    "list_id": "trusted_linux_processes",
    "page": 1,
    "per_page": 10,
    "sort_field": "name",
    "sort_order": "desc"
  }
}
```

#### Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | array | Response data |
| data._version | string | Response data |
| data.comments | array | Response data |
| data.comments.file_name | string | Response data |
| data.comments.file | string | Response data |
| data.created_at | string | Response data |
| data.created_by | string | Response data |
| data.description | string | Response data |
| data.entries | array | Response data |
| data.entries.field | string | Response data |
| data.entries.operator | string | Response data |
| data.entries.type | string | Response data |
| data.entries.value | array | Response data |
| data.id | string | Response data |
| data.item_id | string | Response data |
| data.list_id | string | Response data |
| data.name | string | Response data |
| data.namespace_type | string | Response data |
| data.os_types | array | Response data |
| data.os_types.file_name | string | Response data |
| data.os_types.file | string | Response data |
| data.tags | array | Response data |
| data.tie_breaker_id | string | Response data |

#### Output Example

```json
{
  "status_code": 200,
  "response_headers": {
    "accept-ranges": "bytes",
    "cache-control": "private, no-cache, no-store, must-revalidate",
    "content-length": "703",
    "content-security-policy": "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'",
    "content-type": "application/json; charset=utf-8",
    "cross-origin-opener-policy": "same-origin",
    "date": "Thu, 05 Oct 2023 08:47:31 GMT",
    "kbn-license-sig": "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519",
    "kbn-name": "instance-000000000
```

### Find Host Isolation Exceptions

Locate host isolation exceptions in Elastic Kibana 8 using the specified list ID and namespace type parameters.

- **Endpoint URL:** `/api/exception_lists/items/_find`
- **Method:** GET

#### Input

| Argument | Type | Required | Description |
|---|---|---|---|
| parameters.list_id | string | Required | Parameters for the Find Host Isolation Exceptions action |
| parameters.namespace_type | string | Required | Parameters for the Find Host Isolation Exceptions action |
| parameters.page | number | Optional | Parameters for the Find Host Isolation Exceptions action |
| parameters.per_page | number | Optional | Parameters for the Find Host Isolation Exceptions action |
| parameters.sort_field | string | Optional | Parameters for the Find Host Isolation Exceptions action |
| parameters.sort_order | string | Optional | Parameters for the Find Host Isolation Exceptions action |
| parameters.filter | string | Optional | Parameters for the Find Host Isolation Exceptions action |

#### Input Example

```json
{
  "parameters": {
    "list_id": "endpoint_host_isolation_exceptions",
    "namespace_type": "agnostic",
    "page": 1,
    "per_page": 10,
    "sort_field": "name",
    "sort_order": "desc",
    "filter": ""
  }
}
```

#### Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | array | Response data |
| data._version | string | Response data |
| data.comments | array | Response data |
| data.comments.file_name | string | Response data |
| data.comments.file | string | Response data |
| data.created_at | string | Response data |
| data.created_by | string | Response data |
| data.description | string | Response data |
| data.entries | array | Response data |
| data.entries.field | string | Response data |
| data.entries.type | string | Response data |
| data.entries.value | string | Response data |
| data.entries.operator | string | Response data |
| data.id | string | Response data |
| data.item_id | string | Response data |
| data.list_id | string | Response data |
| data.name | string | Response data |
| data.namespace_type | string | Response data |
| data.os_types | array | Response data |
| data.tags | array | Response data |
| data.tie_breaker_id | string | Response data |
| data.type | string | Response data |
| data.updated_at | string | Response data |

#### Output Example

```json
{
  "status_code": 200,
  "response_headers": {
    "accept-ranges": "bytes",
    "cache-control": "private, no-cache, no-store, must-revalidate",
    "content-length": "707",
    "content-security-policy": "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'",
    "content-type": "application/json; charset=utf-8",
    "cross-origin-opener-policy": "same-origin",
    "date": "Thu, 05 Oct 2023 17:16:48 GMT",
    "kbn-license-sig": "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519",
    "kbn-name": "instance-000000000
```

### Find List Containers

Retrieve a paginated subset of list containers within Elastic Kibana 8 Security.

- **Endpoint URL:** `/api/lists/_find`
- **Method:** GET

#### Input

| Argument | Type | Required | Description |
|---|---|---|---|
| parameters.filter | string | Optional | Parameters for the Find List Containers action |
| parameters.page | number | Optional | Parameters for the Find List Containers action |
| parameters.per_page | number | Optional | Parameters for the Find List Containers action |
| parameters.sort_field | string | Optional | Parameters for the Find List Containers action |
| parameters.sort_order | string | Optional | Parameters for the Find List Containers action |

#### Input Example

```json
{
  "parameters": {
    "filter": "type:keyword",
    "page": 1,
    "per_page": 10,
    "sort_field": "name",
    "sort_order": "desc"
  }
}
```

#### Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| cursor | string | Output field cursor |
| data | array | Response data |
| data._version | string | Response data |
| data.id | string | Response data |
| data.created_at | string | Response data |
| data.created_by | string | Response data |
| data.description | string | Response data |
| data.immutable | boolean | Response data |
| data.name | string | Response data |
| data.tie_breaker_id | string | Response data |
| data.type | string | Response data |
| data.updated_at | string | Response data |
| data.updated_by | string | Response data |
| data.version | number | Response data |
| page | number | Output field page |
| per_page | number | Output field per_page |
| total | number | Output field total |

#### Output Example

```json
{
  "status_code": 200,
  "response_headers": {
    "accept-ranges": "bytes",
    "cache-control": "private, no-cache, no-store, must-revalidate",
    "content-length": "60",
    "content-security-policy": "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'",
    "content-type": "application/json; charset=utf-8",
    "cross-origin-opener-policy": "same-origin",
    "date": "Wed, 04 Oct 2023 17:38:16 GMT",
    "kbn-license-sig": "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519",
    "kbn-name": "instance-0000000000
```

### Find List Items

Retrieve a paginated subset of list items from a specified container in Elastic Kibana 8 Security.

- **Endpoint URL:** `/api/lists/items/_find`
- **Method:** POST

#### Input

| Argument | Type | Required | Description |
|---|---|---|---|
| parameters.list_id | string | Optional | Parameters for the Find List Items action |
| parameters.page | number | Optional | Parameters for the Find List Items action |
| parameters.per_page | number | Optional | Parameters for the Find List Items action |
| parameters.sort_field | string | Optional | Parameters for the Find List Items action |
| parameters.sort_order | string | Optional | Parameters for the Find List Items action |

#### Input Example

```json
{
  "parameters": {
    "list_id": "internal_ip_range_excludes",
    "page": 1,
    "per_page": 10,
    "sort_field": "name",
    "sort_order": "desc"
  }
}
```

#### Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| cursor | string | Output field cursor |
| data | array | Response data |
| data.file_name | string | Response data |
| data.file | string | Response data |
| page | number | Output field page |
| per_page | number | Output field per_page |
| total | number | Output field total |

#### Output Example

```json
{
  "status_code": 200,
  "response_headers": {
    "cache-control": "private, no-cache, no-store, must-revalidate",
    "content-length": "60",
    "content-security-policy": "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'",
    "content-type": "application/json; charset=utf-8",
    "cross-origin-opener-policy": "same-origin",
    "date": "Thu, 05 Oct 2023 06:00:02 GMT",
    "kbn-license-sig": "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519",
    "kbn-name": "instance-0000000000",
    "permissions-policy": "
```

### Find Trusted Applications

Locate trusted applications in Elastic Kibana 8 using the provided list ID and namespace type parameters.

- **Endpoint URL:** `/api/exception_lists/items/_find`
- **Method:** GET

#### Input

| Argument | Type | Required | Description |
|---|---|---|---|
parameters list id string required parameters for the find trusted applications action parameters namespace type string required parameters for the find trusted applications action parameters page number optional parameters for the find trusted applications action parameters per page number optional parameters for the find trusted applications action parameters sort field string optional parameters for the find trusted applications action parameters sort order string optional parameters for the find trusted applications action parameters filter string optional parameters for the find trusted applications action input example {"parameters" {"list id" "endpoint trusted app","namespace type" "agnostic","page" 1,"per page" 10,"sort field" "name","sort order" "desc"}} output parameter type description status code number http status code of the response reason string response reason phrase data array response data data version string response data data comments array response data data comments comment string response data data comments created at string response data data comments created by string response data data comments id string response data data created at string response data data created by string response data data description string response data data entries array response data data entries field string response data data entries value string response data data entries type string response data data entries operator string response data data id string response data data item id string response data data list id string response data data name string response data data namespace type string response data data os types array response data data tags array response data data tie breaker id string response data output example {"status code" 200,"response headers" {"accept ranges" "bytes","cache control" "private, no cache, no store, must revalidate","content length" "830","content security policy" "script src 'self'; worker src blob 'self'; style src 'unsafe 
inline' 'self'","content type" "application/json; charset=utf 8","cross origin opener policy" "same origin","date" "fri, 06 oct 2023 06 26 51 gmt","kbn license sig" "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519","kbn name" "instance 000000000 get action details retrieves the details of a specific response action in elastic kibana 8 security using the provided action id endpoint url /api/endpoint/action/{{action id}} method get input argument name type required description path parameters action id string required parameters for the get action details action input example {"path parameters" {"action id" "fr518850 681a 4y60 aa98 e22640cae2b8"}} output parameter type description status code number http status code of the response reason string response reason phrase data object response data data id string response data data agents array response data data command string response data data startedat string response data data completedat string response data data createdby string response data data iscompleted boolean response data data wassuccessful boolean response data data isexpired boolean response data data outputs object response data data outputs afdc366c e2e0 4cdb ae1d 94575bd2d8e0 object response data data outputs afdc366c e2e0 4cdb ae1d 94575bd2d8e0 type string response data data outputs afdc366c e2e0 4cdb ae1d 94575bd2d8e0 content object response data data outputs afdc366c e2e0 4cdb ae1d 94575bd2d8e0 content entries array response data output example {"status code" 200,"response headers" {"cache control" "private, no cache, no store, must revalidate","content length" "115","content security policy" "script src 'self'; worker src blob 'self'; style src 'unsafe inline' 'self'","content type" "application/json; charset=utf 8","cross origin opener policy" "same origin","date" "fri, 06 oct 2023 06 36 00 gmt","elastic api version" "2023 10 31","kbn license sig" "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519","kbn name" 
"instanc get all connector retrieve a comprehensive list of all available connectors from elastic kibana 8 security for management and configuration purposes endpoint url /api/actions/connectors method get output parameter type description status code number http status code of the response reason string response reason phrase output example {"status code" 200,"response headers" {"cache control" "private, no cache, no store, must revalidate","content encoding" "gzip","content security policy" "script src 'self'; worker src blob 'self'; style src 'unsafe inline' 'self'","content type" "application/json; charset=utf 8","cross origin opener policy" "same origin","date" "tue, 03 oct 2023 16 06 01 gmt","kbn license sig" "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519","kbn name" "instance 0000000000","permissions polic get case retrieve detailed case information from elastic kibana 8 security using a specific case id endpoint url /api/cases/{{case id}} method get input argument name type required description path parameters case id string required parameters for the get case action parameters includecomments boolean optional parameters for the get case action input example {"parameters" {"includecomments"\ true},"path parameters" {"case id" ""}} output parameter type description status code number http status code of the response reason string response reason phrase description string output field description title string output field title tags array output field tags settings object output field settings settings syncalerts boolean output field settings syncalerts owner string output field owner category object output field category assignees array output field assignees assignees file name string name of the resource assignees file string output field assignees file connector object output field connector connector id string unique identifier connector type string type of the resource connector fields object output field connector fields connector 
fields issuetype string type of the resource connector fields priority string output field connector fields priority connector fields parent object output field connector fields parent connector name string name of the resource severity string output field severity status string status value duration object output field duration closed at object output field closed at closed by object output field closed by output example {"status code" 200,"response headers" {"accept ranges" "bytes","cache control" "private, no cache, no store, must revalidate","content length" "674","content security policy" "script src 'self'; worker src blob 'self'; style src 'unsafe inline' 'self'","content type" "application/json; charset=utf 8","cross origin opener policy" "same origin","date" "fri, 29 sep 2023 06 14 33 gmt","kbn license sig" "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519","kbn name" "instance 000000000 get connector retrieves a specific elastic kibana 8 security connector by its unique identifier (id) endpoint url /api/actions/connector/{{id}} method get input argument name type required description path parameters id string required parameters for the get connector action input example {"path parameters" {"id" "73cdcf10 5eea 11ee 924f eb8f01880390"}} output parameter type description status code number http status code of the response reason string response reason phrase id string unique identifier name string name of the resource config object output field config config connectortype string type of the resource config mappings object output field config mappings config mappings rulenameconfig object name of the resource config mappings rulenameconfig id string unique identifier config mappings rulenameconfig name string name of the resource config mappings rulenameconfig key string name of the resource config mappings rulenameconfig fieldtype string name of the resource config mappings alertidconfig object unique identifier config mappings caseidconfig 
object unique identifier config mappings casenameconfig object name of the resource config mappings commentsconfig object output field config mappings commentsconfig config mappings severityconfig object output field config mappings severityconfig config mappings descriptionconfig object output field config mappings descriptionconfig config appid string unique identifier config apiurl string url endpoint for the request connector type id string unique identifier is preconfigured boolean output field is preconfigured is deprecated boolean output field is deprecated is missing secrets boolean output field is missing secrets is system action boolean output field is system action output example {"status code" 200,"response headers" {"accept ranges" "bytes","cache control" "private, no cache, no store, must revalidate","content length" "535","content security policy" "script src 'self'; worker src blob 'self'; style src 'unsafe inline' 'self'","content type" "application/json; charset=utf 8","cross origin opener policy" "same origin","date" "mon, 09 oct 2023 06 10 38 gmt","kbn license sig" "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519","kbn name" "instance 000000000 get current connector retrieves the list of current connectors available to the user in the elastic security ui endpoint url /api/cases/configure method get output parameter type description status code number http status code of the response reason string response reason phrase output example {"status code" 200,"response headers" {"accept ranges" "bytes","cache control" "private, no cache, no store, must revalidate","content length" "695","content security policy" "script src 'self'; worker src blob 'self'; style src 'unsafe inline' 'self'","content type" "application/json; charset=utf 8","cross origin opener policy" "same origin","date" "mon, 09 oct 2023 06 03 55 gmt","kbn license sig" "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519","kbn name" "instance 000000000 get 
detection rule retrieves a specific detection rule from elastic kibana 8 security using the provided rule id endpoint url /api/detection engine/rules?id={{id}} method get input argument name type required description path parameters id string required parameters for the get detection rule action input example {"path parameters" {"id" "e4099430 629b 11ee 924f eb8f01880390"}} output parameter type description status code number http status code of the response reason string response reason phrase id string unique identifier updated at string output field updated at updated by string output field updated by created at string output field created at created by string output field created by name string name of the resource tags array output field tags tags file name string name of the resource tags file string output field tags file interval string output field interval enabled boolean output field enabled revision number output field revision description string output field description risk score number score value severity string output field severity output index string output field output index investigation fields array output field investigation fields investigation fields file name string name of the resource investigation fields file string output field investigation fields file author array output field author author file name string name of the resource author file string output field author file false positives array output field false positives output example {"status code" 200,"response headers" {"cache control" "private, no cache, no store, must revalidate","content encoding" "gzip","content security policy" "script src 'self'; worker src blob 'self'; style src 'unsafe inline' 'self'","content type" "application/json; charset=utf 8","cross origin opener policy" "same origin","date" "wed, 04 oct 2023 12 58 45 gmt","kbn license sig" "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519","kbn name" "instance 0000000000","permissions polic get 
endpoint retrieves metadata for a specified host with elastic defend by using the provided endpoint id endpoint url /api/endpoint/metadata/{{endpoint id}} method get input argument name type required description path parameters endpoint id string required parameters for the get endpoint action input example {"path parameters" {"endpoint id" "fr518850 681a 4y60 aa98 e22640cae2b8"}} output parameter type description status code number http status code of the response reason string response reason phrase host status string status value last checkin string output field last checkin metadata object response data metadata \@timestamp string response data metadata endpoint object response data metadata endpoint capabilities array response data metadata endpoint configuration object response data metadata endpoint configuration isolation boolean response data metadata endpoint policy object response data metadata endpoint policy applied object response data metadata endpoint policy applied endpoint policy version string response data metadata endpoint policy applied id string response data metadata endpoint policy applied name string response data metadata endpoint policy applied status string response data metadata endpoint policy applied version string response data metadata endpoint state object response data metadata endpoint state isolation boolean response data metadata endpoint status string response data metadata agent object response data metadata agent build object response data metadata agent build original string response data metadata agent id string response data metadata agent type string response data output example {"status code" 200,"response headers" {"cache control" "private, no cache, no store, must revalidate","content length" "115","content security policy" "script src 'self'; worker src blob 'self'; style src 'unsafe inline' 'self'","content type" "application/json; charset=utf 8","cross origin opener policy" "same origin","date" "fri, 06 oct 2023 
06 36 00 gmt","elastic api version" "2023 10 31","kbn license sig" "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519","kbn name" "instanc get kibana space retrieves information about available kibana spaces within the elastic kibana 8 security environment endpoint url /api/spaces/space method get output parameter type description status code number http status code of the response reason string response reason phrase output example {"status code" 200,"response headers" {"accept ranges" "bytes","cache control" "private, no cache, no store, must revalidate","content length" "287","content security policy" "script src 'self'; worker src blob 'self'; style src 'unsafe inline' 'self'","content type" "application/json; charset=utf 8","cross origin opener policy" "same origin","date" "thu, 05 oct 2023 09 06 29 gmt","kbn license sig" "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519","kbn name" "instance 000000000 get processes retrieves a list of running processes from specified hosts within elastic defend using provided endpoint ids endpoint url /api/endpoint/action/running procs method post input argument name type required description endpoint ids array optional unique identifier alert ids array optional unique identifier case ids array optional unique identifier comment string optional parameter for get processes input example {"json body" {"endpoint ids" \["ed518850 681a 4d60 bb98 e22640cae2a8"],"alert ids" \["ed518850 681a 4d60 bb98 e22640cae2a8"],"case ids" \["ed518850 681a 4d60 bb98 e22640cae2a8"],"comment" ""}} output parameter type description status code number http status code of the response reason string response reason phrase data object response data data id string response data data agents array response data data command string response data data isexpired boolean response data data iscompleted boolean response data data wassuccessful boolean response data data errors array response data data errors file name string 
response data data errors file string response data data startedat string response data data completedat string response data data outputs object response data data outputs ed518850 681a 4d60 bb98 e22640cae2a8 object response data data outputs ed518850 681a 4d60 bb98 e22640cae2a8 type string response data data outputs ed518850 681a 4d60 bb98 e22640cae2a8 content object response data data outputs ed518850 681a 4d60 bb98 e22640cae2a8 content key string response data data createdby string response data data comment string response data output example {"status code" 200,"response headers" {"cache control" "private, no cache, no store, must revalidate","content length" "115","content security policy" "script src 'self'; worker src blob 'self'; style src 'unsafe inline' 'self'","content type" "application/json; charset=utf 8","cross origin opener policy" "same origin","date" "fri, 06 oct 2023 06 36 00 gmt","elastic api version" "2023 10 31","kbn license sig" "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519","kbn name" "instanc get signals obtain an overview of detected threats and anomalies by retrieving signals from elastic kibana 8 security endpoint url /api/detection engine/signals/search method post input argument name type required description aggs object optional parameter for get signals aggs latest object optional parameter for get signals aggs latest max object optional parameter for get signals aggs latest max field string optional parameter for get signals aggs oldest object optional parameter for get signals aggs oldest min object optional parameter for get signals aggs oldest min field string optional parameter for get signals query object optional parameter for get signals query bool object optional parameter for get signals query bool filter array optional parameter for get signals query bool filter match object optional parameter for get signals query bool filter match signal status string optional status value query bool filter range 
object optional parameter for get signals query bool filter range signal rule risk score object optional score value input example {"json body" {"aggs" {"latest" {"max" {"field" "@timestamp"}},"oldest" {"min" {"field" "@timestamp"}}},"query" {"bool" {"filter" \[{"match" {"signal status" "open"}},{"range" {"signal rule risk score" {"gte" 70}}}]}}}} output parameter type description status code number http status code of the response reason string response reason phrase took number output field took timed out boolean output field timed out shards object output field shards shards total number output field shards total shards successful number whether the operation was successful shards skipped number output field shards skipped shards failed number output field shards failed hits object output field hits hits total object output field hits total hits total value number value for the parameter hits total relation string output field hits total relation hits max score number score value hits hits array output field hits hits hits hits index string output field hits hits index hits hits id string unique identifier hits hits score number score value hits hits source object output field hits hits source hits hits source kibana version string output field hits hits source kibana version hits hits source kibana alert rule category string output field hits hits source kibana alert rule category hits hits source kibana alert rule consumer string output field hits hits source kibana alert rule consumer hits hits source kibana alert rule execution uuid string unique identifier hits hits source kibana alert rule name string name of the resource hits hits source kibana alert rule producer string output field hits hits source kibana alert rule producer output example {"status code" 200,"response headers" {"x content type options" "nosniff","referrer policy" "no referrer when downgrade","kbn name" "ubu2004template","kbn license sig" 
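The Get signals request above is the one most automation playbooks branch on, so here is an added example (not Swimlane's or Elastic's code) that builds that exact body with the status and risk-score threshold as parameters, assembles the API-key request, and reduces a search response of the documented shape to a triage summary. It assumes the `kbn-xsrf` header Kibana requires on non-GET calls, dotted or nested `kibana.alert.rule.*` keys in `_source`, and a constructed sample response; all helper names are hypothetical.

```python
"""Build the Get signals query and summarise its response (added example)."""
import json
from collections import Counter
from typing import Any

SIGNALS_SEARCH_PATH = "/api/detection_engine/signals/search"  # from the page


def build_signals_query(status: str = "open", min_risk_score: int = 70) -> dict[str, Any]:
    """Parameterised form of the page's input example: signals in the given
    workflow status with signal.rule.risk_score >= min_risk_score, plus
    newest/oldest @timestamp aggregations for a quick time-window readout."""
    if not 0 <= min_risk_score <= 100:
        raise ValueError("Elastic Security rule risk_score is 0..100")
    return {
        "aggs": {
            "latest": {"max": {"field": "@timestamp"}},
            "oldest": {"min": {"field": "@timestamp"}},
        },
        "query": {"bool": {"filter": [
            {"match": {"signal.status": status}},
            {"range": {"signal.rule.risk_score": {"gte": min_risk_score}}},
        ]}},
    }


def build_request(base_url: str, api_key: str, body: dict[str, Any]) -> dict[str, Any]:
    """Assemble (but do not send) the HTTP request for the signals search.
    Kibana rejects non-GET API calls without a kbn-xsrf header, and API-key
    auth (see Prerequisites) travels in an 'ApiKey' Authorization header."""
    return {
        "method": "POST",
        "url": base_url.rstrip("/") + SIGNALS_SEARCH_PATH,
        "headers": {
            "Authorization": f"ApiKey {api_key}",
            "kbn-xsrf": "true",
            "Content-Type": "application/json",
        },
        "body": json.dumps(body),
    }


def _field(source: dict[str, Any], dotted: str) -> Any:
    """Alert documents may expose a field as one dotted key
    ("kibana.alert.rule.name") or as nested objects; accept both."""
    if dotted in source:
        return source[dotted]
    node: Any = source
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def summarize_signals(response: dict[str, Any]) -> dict[str, Any]:
    """Reduce a search response to what a playbook usually needs: how many
    signals matched, per-rule counts, the time window they span, and whether
    the result is complete (no timeout, no failed shards)."""
    hits = response.get("hits", {})
    total = hits.get("total", {})
    by_rule = Counter()
    for hit in hits.get("hits", []):
        name = _field(hit.get("_source", {}), "kibana.alert.rule.name")
        by_rule[name or "<unnamed rule>"] += 1
    aggs = response.get("aggregations", {})
    shards = response.get("_shards", {})
    return {
        "total": total.get("value", 0),
        "exact": total.get("relation", "eq") == "eq",  # "gte" means a lower bound only
        "by_rule": dict(by_rule),
        "oldest": aggs.get("oldest", {}).get("value_as_string"),
        "latest": aggs.get("latest", {}).get("value_as_string"),
        "partial": bool(response.get("timed_out")) or shards.get("failed", 0) > 0,
    }


# Constructed sample response in the shape of the output table above; not
# captured from a real Kibana instance.
SAMPLE_RESPONSE: dict[str, Any] = {
    "took": 4, "timed_out": False,
    "_shards": {"total": 1, "successful": 1, "skipped": 0, "failed": 0},
    "hits": {
        "total": {"value": 3, "relation": "eq"}, "max_score": 0.0,
        "hits": [
            {"_index": ".alerts-security.alerts-default", "_id": "sig-1", "_score": 0.0,
             "_source": {"kibana.version": "8.10.2",
                         "kibana.alert.rule.name": "Unusual Process Network Connection",
                         "kibana.alert.rule.execution.uuid": "11111111-1111-1111-1111-111111111111"}},
            {"_index": ".alerts-security.alerts-default", "_id": "sig-2", "_score": 0.0,
             "_source": {"kibana.alert.rule.name": "Unusual Process Network Connection"}},
            {"_index": ".alerts-security.alerts-default", "_id": "sig-3", "_score": 0.0,
             "_source": {"kibana": {"alert": {"rule": {"name": "Endpoint Security"}}}}},
        ],
    },
    "aggregations": {
        "oldest": {"value": 1696441096000.0, "value_as_string": "2023-10-04T17:38:16.000Z"},
        "latest": {"value": 1696495651000.0, "value_as_string": "2023-10-05T08:47:31.000Z"},
    },
}

if __name__ == "__main__":
    req = build_request("https://kibana.example.internal:5601", "PLACEHOLDER_API_KEY",
                        build_signals_query())
    print(req["method"], req["url"])
    print(json.dumps(summarize_signals(SAMPLE_RESPONSE), indent=2))
```

A playbook should treat `partial` as a reason to retry or alert rather than act on the counts, since a 200 response can still carry failed shards.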
"a43abc045d066ce42208f51f7d1f6ab599a400a120e87ef8e5ed3b4b62b5bfea","content type" "application/json; charset=utf 8","cache control" "private, no cache, no store, must revalidate","vary" "accept encoding","content encoding" "gzip","date" "wed, 15 mar 2023 20 49 15 gmt","connection" "keep alive","keep alive" "timeout=120","transfer get tags aggregates and returns all unique tags from security rules in elastic kibana 8 endpoint url /api/detection engine/tags method get output parameter type description status code number http status code of the response reason string response reason phrase output example {"status code" 200,"response headers" {"cache control" "private, no cache, no store, must revalidate","content encoding" "gzip","content security policy" "script src 'self'; worker src blob 'self'; style src 'unsafe inline' 'self'","content type" "application/json; charset=utf 8","cross origin opener policy" "same origin","date" "fri, 06 oct 2023 08 49 08 gmt","kbn license sig" "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519","kbn name" "instance 0000000000","permissions polic isolate a host isolates a host from the network in elastic defend by utilizing the endpoint ids provided in the json body endpoint url /api/endpoint/action/isolate method post input argument name type required description endpoint ids array optional unique identifier alert ids array optional unique identifier case ids array optional unique identifier comment string optional parameter for isolate a host input example {"json body" {"endpoint ids" \["9972d10e 4b9e 41aa a534 a85e2a28ea42","bc0e4f0c 3bca 4633 9fee 156c0b505d16"],"alert ids" \["ed518850 681a 4d60 bb98 e22640cae2a8"],"case ids" \["ed518850 681a 4d60 bb98 e22640cae2a8"],"comment" "locked down, pending further investigation"}} output parameter type description status code number http status code of the response reason string response reason phrase action string output field action data object response data data id 
string response data data agents array response data data command string response data data isexpired boolean response data data iscompleted boolean response data data wassuccessful boolean response data data errors array response data data errors file name string response data data errors file string response data data startedat string response data data completedat string response data data outputs object response data data outputs ed518850 681a 4d60 bb98 e22640cae2a8 object response data data outputs ed518850 681a 4d60 bb98 e22640cae2a8 type string response data data outputs ed518850 681a 4d60 bb98 e22640cae2a8 content object response data data outputs ed518850 681a 4d60 bb98 e22640cae2a8 content key string response data data createdby string response data data comment string response data data parameters entity id string parameters for the isolate a host action output example {"status code" 200,"response headers" {"cache control" "private, no cache, no store, must revalidate","content length" "115","content security policy" "script src 'self'; worker src blob 'self'; style src 'unsafe inline' 'self'","content type" "application/json; charset=utf 8","cross origin opener policy" "same origin","date" "fri, 06 oct 2023 06 36 00 gmt","elastic api version" "2023 10 31","kbn license sig" "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519","kbn name" "instanc list endpoints retrieves a comprehensive list of hosts running elastic defend for enhanced security oversight and management endpoint url /api/endpoint/metadata method get input argument name type required description parameters page number optional parameters for the list endpoints action parameters page size number optional parameters for the list endpoints action parameters kuery string optional parameters for the list endpoints action parameters hoststatuses array optional parameters for the list endpoints action parameters sortfield string optional parameters for the list endpoints action 
parameters sortdirection string optional parameters for the list endpoints action input example {"parameters" {"page" 0,"page size" 10,"kuery" "united endpoint host os name 'windows'","hoststatuses" \["healthy","updating"],"sortfield" "enrolled at","sortdirection" "asc"}} output parameter type description status code number http status code of the response reason string response reason phrase data array response data data file name string response data data file string response data total number output field total page number output field page pagesize number output field pagesize sortfield string output field sortfield sortdirection string output field sortdirection output example {"status code" 200,"response headers" {"accept ranges" "bytes","cache control" "private, no cache, no store, must revalidate","content length" "92","content security policy" "script src 'self'; worker src blob 'self'; style src 'unsafe inline' 'self'","content type" "application/json; charset=utf 8","cross origin opener policy" "same origin","date" "fri, 06 oct 2023 07 16 18 gmt","elastic api version" "2023 10 31","kbn license sig" "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e795 list response actions retrieve a list of available response actions from elastic kibana 8 security endpoint url /api/endpoint/action method get input argument name type required description parameters page number optional parameters for the list response actions action parameters pagesize number optional parameters for the list response actions action parameters commands array optional parameters for the list response actions action parameters agentids array optional parameters for the list response actions action parameters userids array optional parameters for the list response actions action parameters startdate string optional a start date in iso format or date math format parameters enddate string optional a end date in iso format or date math format input example {"parameters" {"page" 
1,"pagesize" 10,"commands" \["isolate","running processes"],"agentids" \["132323"],"userids" \["123233"],"startdate" "now 24h/h","enddate" "now+1h"}} output parameter type description status code number http status code of the response reason string response reason phrase page number output field page pagesize number output field pagesize total number output field total startdate string date value enddate string date value elasticagentids array unique identifier data array response data data id string response data data agents array response data data command string response data data startedat string response data data iscompleted boolean response data data completedat string response data data wassuccessful boolean response data data isexpired boolean response data data createdby string response data output example {"status code" 200,"response headers" {"cache control" "private, no cache, no store, must revalidate","content length" "76","content security policy" "script src 'self'; worker src blob 'self'; style src 'unsafe inline' 'self'","content type" "application/json; charset=utf 8","cross origin opener policy" "same origin","date" "fri, 06 oct 2023 07 27 39 gmt","elastic api version" "2023 10 31","kbn license sig" "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519","kbn name" "instance prepackaged elastic prebuilt detection rules load and update elastic kibana 8's prebuilt detection rules to enhance security monitoring capabilities endpoint url /api/detection engine/rules/prepackaged method put output parameter type description status code number http status code of the response reason string response reason phrase rules installed number output field rules installed rules updated number output field rules updated timelines installed number output field timelines installed timelines updated number output field timelines updated output example {"status code" 200,"response headers" {"cache control" "private, no cache, no store, must 
…must-revalidate", "content-length": "88", "content-security-policy": "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'", "content-type": "application/json; charset=utf-8", "cross-origin-opener-policy": "same-origin", "date": "Wed, 04 Oct 2023 13:08:48 GMT", "kbn-license-sig": "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519", "kbn-name": "instance-0000000000", "permissions-policy": "…

### Get Prepackaged Detection Rule Status

Retrieve the current status of prepackaged detection rules in Elastic Kibana 8 Security.

Endpoint URL: `/api/detection_engine/rules/prepackaged/_status`
Method: GET

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| rules_custom_installed | number | Output field rules_custom_installed |
| rules_installed | number | Output field rules_installed |
| rules_not_installed | number | Output field rules_not_installed |
| rules_not_updated | number | Output field rules_not_updated |
| timelines_installed | number | Output field timelines_installed |
| timelines_not_installed | number | Output field timelines_not_installed |
| timelines_not_updated | number | Output field timelines_not_updated |

Output example (truncated in the source):

```json
{"status_code": 200, "response_headers": {"accept-ranges": "bytes", "cache-control": "private, no-cache, no-store, must-revalidate", "content-length": "175", "content-security-policy": "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'", "content-type": "application/json; charset=utf-8", "cross-origin-opener-policy": "same-origin", "date": "Wed, 04 Oct 2023 13:12:12 GMT", "kbn-license-sig": "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519", "kbn-name": "instance-000000000…
```

### Release an Isolated Host

Removes the isolation status from the specified hosts in Elastic Kibana 8 Security, allowing them to reconnect to the network. Requires `endpoint_ids`.

Endpoint URL: `/api/endpoint/action/unisolate`
Method: POST

Input:

| Name | Type | Required | Description |
|---|---|---|---|
| endpoint_ids | array | optional | Unique identifier |
| alert_ids | array | optional | Unique identifier |
| case_ids | array | optional | Unique identifier |
| comment | string | optional | Parameter for Release an Isolated Host |

Input example:

```json
{
  "json_body": {
    "endpoint_ids": ["9972d10e-4b9e-41aa-a534-a85e2a28ea42", "bc0e4f0c-3bca-4633-9fee-156c0b505d16"],
    "alert_ids": ["ed518850-681a-4d60-bb98-e22640cae2a8"],
    "case_ids": ["ed518850-681a-4d60-bb98-e22640cae2a8"],
    "comment": "remediation complete, restoring network"
  }
}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| action | string | Output field action |
| data | object | Response data |
| data.id | string | Response data |
| data.agents | array | Response data |
| data.command | string | Response data |
| data.isExpired | boolean | Response data |
| data.isCompleted | boolean | Response data |
| data.wasSuccessful | boolean | Response data |
| data.errors | array | Response data |
| data.errors.file_name | string | Response data |
| data.errors.file | string | Response data |
| data.startedAt | string | Response data |
| data.completedAt | string | Response data |
| data.outputs | object | Response data |
| data.outputs.ed518850-681a-4d60-bb98-e22640cae2a8 | object | Response data |
| data.outputs.ed518850-681a-4d60-bb98-e22640cae2a8.type | string | Response data |
| data.outputs.ed518850-681a-4d60-bb98-e22640cae2a8.content | object | Response data |
| data.outputs.ed518850-681a-4d60-bb98-e22640cae2a8.content.key | string | Response data |
| data.createdBy | string | Response data |
| data.comment | string | Response data |
| data.parameters.entity_id | string | Parameters for the Release an Isolated Host action |

Output example (truncated in the source):

```json
{"status_code": 200, "response_headers": {"cache-control": "private, no-cache, no-store, must-revalidate", "content-length": "115", "content-security-policy": "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'", "content-type": "application/json; charset=utf-8", "cross-origin-opener-policy": "same-origin", "date": "Fri, 06 Oct 2023 06:36:00 GMT", "elastic-api-version": "2023-10-31", "kbn-license-sig": "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519", "kbn-name": "instanc…
```
### Retrieve Blocklist Entry

Retrieves a specific blocklist entry from Elastic Kibana 8 Security using the provided namespace type and id.

Endpoint URL: `/api/exception_lists/items`
Method: GET

Input:

| Name | Type | Required | Description |
|---|---|---|---|
| parameters.id | string | required | Parameters for the Retrieve Blocklist Entry action |
| parameters.namespace_type | string | required | Parameters for the Retrieve Blocklist Entry action |

Input example:

```json
{"parameters": {"id": "e880f600-6360-11ee-924f-eb8f01880390", "namespace_type": "agnostic"}}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| _version | string | Output field _version |
| comments | array | Output field comments |
| comments.file_name | string | Name of the resource |
| comments.file | string | Output field comments.file |
| created_at | string | Output field created_at |
| created_by | string | Output field created_by |
| description | string | Output field description |
| entries | array | Output field entries |
| entries.field | string | Output field entries.field |
| entries.value | array | Value for the parameter |
| entries.type | string | Type of the resource |
| entries.operator | string | Output field entries.operator |
| id | string | Unique identifier |
| item_id | string | Unique identifier |
| list_id | string | Unique identifier |
| name | string | Name of the resource |
| namespace_type | string | Name of the resource |
| os_types | array | Type of the resource |
| tags | array | Output field tags |
| tie_breaker_id | string | Unique identifier |
| type | string | Type of the resource |
| updated_at | string | Output field updated_at |
| updated_by | string | Output field updated_by |

Output example (truncated in the source):

```json
{"status_code": 200, "response_headers": {"accept-ranges": "bytes", "cache-control": "private, no-cache, no-store, must-revalidate", "content-length": "681", "content-security-policy": "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'", "content-type": "application/json; charset=utf-8", "cross-origin-opener-policy": "same-origin", "date": "Thu, 05 Oct 2023 10:12:25 GMT", "kbn-license-sig": "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519", "kbn-name": "instance-000000000…
```

### Retrieve Event Filter

Retrieve a specific event filter from Elastic Kibana 8 Security by specifying `id` and `namespace_type`.

Endpoint URL: `/api/exception_lists/items`
Method: GET

Input:

| Name | Type | Required | Description |
|---|---|---|---|
| parameters.id | string | required | Parameters for the Retrieve Event Filter action |
| parameters.namespace_type | string | required | Parameters for the Retrieve Event Filter action |

Input example:

```json
{"parameters": {"id": "7fe2fe90-636a-11ee-924f-eb8f01880390", "namespace_type": "agnostic"}}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| _version | string | Output field _version |
| comments | array | Output field comments |
| comments.comment | string | Output field comments.comment |
| comments.created_at | string | Output field comments.created_at |
| comments.created_by | string | Output field comments.created_by |
| comments.id | string | Unique identifier |
| created_at | string | Output field created_at |
| created_by | string | Output field created_by |
| description | string | Output field description |
| entries | array | Output field entries |
| entries.field | string | Output field entries.field |
| entries.operator | string | Output field entries.operator |
| entries.type | string | Type of the resource |
| entries.value | string | Value for the parameter |
| id | string | Unique identifier |
| item_id | string | Unique identifier |
| list_id | string | Unique identifier |
| name | string | Name of the resource |
| namespace_type | string | Name of the resource |
| os_types | array | Type of the resource |
| tags | array | Output field tags |
| tie_breaker_id | string | Unique identifier |
| type | string | Type of the resource |

Output example (truncated in the source):

```json
{"status_code": 200, "response_headers": {"accept-ranges": "bytes", "cache-control": "private, no-cache, no-store, must-revalidate", "content-length": "954", "content-security-policy": "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'", "content-type": "application/json; charset=utf-8", "cross-origin-opener-policy": "same-origin", "date": "Thu, 05 Oct 2023 13:38:23 GMT", "kbn-license-sig": "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519", "kbn-name": "instance-000000000…
```

### Retrieve Host Isolation Exception

Retrieve the details of a specific host isolation exception in Elastic Kibana 8 Security using the provided id and namespace type.

Endpoint URL: `/api/exception_lists/items`
Method: GET

Input:

| Name | Type | Required | Description |
|---|---|---|---|
| parameters.id | string | required | Parameters for the Retrieve Host Isolation Exception action |
| parameters.namespace_type | string | required | Parameters for the Retrieve Host Isolation Exception action |

Input example:

```json
{"parameters": {"id": "80f34d90-63a0-11ee-924f-eb8f01880390", "namespace_type": "agnostic"}}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| _version | string | Output field _version |
| comments | array | Output field comments |
| comments.file_name | string | Name of the resource |
| comments.file | string | Output field comments.file |
| created_at | string | Output field created_at |
| created_by | string | Output field created_by |
| description | string | Output field description |
| entries | array | Output field entries |
| entries.field | string | Output field entries.field |
| entries.type | string | Type of the resource |
| entries.value | string | Value for the parameter |
| entries.operator | string | Output field entries.operator |
| id | string | Unique identifier |
| item_id | string | Unique identifier |
| list_id | string | Unique identifier |
| name | string | Name of the resource |
| namespace_type | string | Name of the resource |
| os_types | array | Type of the resource |
| tags | array | Output field tags |
| tie_breaker_id | string | Unique identifier |
| type | string | Type of the resource |
| updated_at | string | Output field updated_at |
| updated_by | string | Output field updated_by |

Output example (truncated in the source):

```json
{"status_code": 200, "response_headers": {"accept-ranges": "bytes", "cache-control": "private, no-cache, no-store, must-revalidate", "content-length": "663", "content-security-policy": "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'", "content-type": "application/json; charset=utf-8", "cross-origin-opener-policy": "same-origin", "date": "Thu, 05 Oct 2023 17:12:27 GMT", "kbn-license-sig": "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519", "kbn-name": "instance-000000000…
```
### Retrieve Trusted Application

Retrieve the details of a specific trusted application in Elastic Kibana 8 Security using its id and namespace type.

Endpoint URL: `/api/exception_lists/items`
Method: GET

Input:

| Name | Type | Required | Description |
|---|---|---|---|
| parameters.id | string | required | Parameters for the Retrieve Trusted Application action |
| parameters.namespace_type | string | required | Parameters for the Retrieve Trusted Application action |

Input example:

```json
{"parameters": {"id": "38e91330-640f-11ee-924f-eb8f01880390", "namespace_type": "agnostic"}}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| _version | string | Output field _version |
| comments | array | Output field comments |
| comments.comment | string | Output field comments.comment |
| comments.created_at | string | Output field comments.created_at |
| comments.created_by | string | Output field comments.created_by |
| comments.id | string | Unique identifier |
| created_at | string | Output field created_at |
| created_by | string | Output field created_by |
| description | string | Output field description |
| entries | array | Output field entries |
| entries.field | string | Output field entries.field |
| entries.value | string | Value for the parameter |
| entries.type | string | Type of the resource |
| entries.operator | string | Output field entries.operator |
| id | string | Unique identifier |
| item_id | string | Unique identifier |
| list_id | string | Unique identifier |
| name | string | Name of the resource |
| namespace_type | string | Name of the resource |
| os_types | array | Type of the resource |
| tags | array | Output field tags |
| tie_breaker_id | string | Unique identifier |
| type | string | Type of the resource |

Output example (truncated in the source):

```json
{"status_code": 200, "response_headers": {"accept-ranges": "bytes", "cache-control": "private, no-cache, no-store, must-revalidate", "content-length": "786", "content-security-policy": "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'", "content-type": "application/json; charset=utf-8", "cross-origin-opener-policy": "same-origin", "date": "Fri, 06 Oct 2023 06:23:26 GMT", "kbn-license-sig": "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519", "kbn-name": "instance-000000000…
```

### Set Alert Status

Updates the status of the specified alerts in Elastic Kibana 8 Security using the provided status value.

Endpoint URL: `/api/detection_engine/signals/status`
Method: POST

Input:

| Name | Type | Required | Description |
|---|---|---|---|
| signal_ids | array | optional | Unique identifier |
| status | string | optional | Status value |
| query | object | optional | Parameter for Set Alert Status |
| query.bool | object | optional | Parameter for Set Alert Status |
| query.bool.filter | array | optional | Parameter for Set Alert Status |
| query.bool.filter.range | object | optional | Parameter for Set Alert Status |
| query.bool.filter.range.@timestamp | object | optional | Parameter for Set Alert Status |

Input example:

```json
{
  "json_body": {
    "signal_ids": [
      "694156bbe6a487e06d049bd6019bd49fec4172cfb33f5d81c3b4a977f0026fba",
      "f4d1c62c4e8946c835cb497329127803c09b955de49a8fa186be3899522667b0"
    ],
    "status": "closed",
    "query": {
      "bool": {
        "filter": [
          {"range": {"signal.rule.risk_score": {"lte": 20}}},
          {"range": {"@timestamp": {"lte": "now-m"}}}
        ]
      }
    }
  }
}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| took | number | Output field took |
| timed_out | boolean | Output field timed_out |
| total | number | Output field total |
| updated | number | Output field updated |
| deleted | number | Output field deleted |
| batches | number | Output field batches |
| version_conflicts | number | Output field version_conflicts |
| noops | number | Output field noops |
| retries | object | Output field retries |
| retries.bulk | number | Output field retries.bulk |
| retries.search | number | Output field retries.search |
| throttled_millis | number | Output field throttled_millis |
| requests_per_second | number | Output field requests_per_second |
| throttled_until_millis | number | Output field throttled_until_millis |
| failures | array | Output field failures |
| failures.file_name | string | Name of the resource |
| failures.file | string | Output field failures.file |

Output example (truncated in the source):

```json
{"status_code": 200, "response_headers": {"x-content-type-options": "nosniff", "referrer-policy": "no-referrer-when-downgrade", "kbn-name": "ubu2004template", "kbn-license-sig": "a43abc045d066ce42208f51f7d1f6ab599a400a120e87ef8e5ed3b4b62b5bfea", "content-type": "application/json; charset=utf-8", "cache-control": "private, no-cache, no-store, must-revalidate", "vary": "accept-encoding", "content-encoding": "gzip", "date": "Wed, 15 Mar 2023 20:49:15 GMT", "connection": "keep-alive", "keep-alive": "timeout=120", "transfer…
```

### Set Default Elastic Security

Configures the default connector and closure type for the Elastic Security UI; a connector and a closure type must be specified.

Endpoint URL: `/api/cases/configure`
Method: POST

Input:

| Name | Type | Required | Description |
|---|---|---|---|
| connector | object | optional | Parameter for Set Default Elastic Security |
| connector.id | string | required | Unique identifier |
| connector.name | string | required | Name of the resource |
| connector.type | string | required | Type of the resource |
| connector.fields | object | required | Parameter for Set Default Elastic Security |
| connector.fields.caseId | object | optional | Unique identifier |
| closure_type | string | optional | Type of the resource |
| owner | string | optional | Parameter for Set Default Elastic Security |

Input example:

```json
{
  "json_body": {
    "connector": {
      "id": "73cdcf10-5eea-11ee-924f-eb8f01880390",
      "name": "swimlane connector",
      "type": ".swimlane",
      "fields": {"caseId": null}
    },
    "closure_type": "close-by-user",
    "owner": "securitySolution"
  }
}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| closure_type | string | Type of the resource |
| connector | object | Output field connector |
| connector.id | string | Unique identifier |
| connector.type | string | Type of the resource |
| connector.fields | object | Output field connector.fields |
| connector.fields.caseId | object | Unique identifier |
| connector.name | string | Name of the resource |
| owner | string | Output field owner |
| created_at | string | Output field created_at |
| created_by | object | Output field created_by |
| created_by.username | string | Name of the resource |
| created_by.full_name | object | Name of the resource |
| created_by.email | object | Output field created_by.email |
| updated_at | object | Output field updated_at |
| updated_by | object | Output field updated_by |
| mappings | array | Output field mappings |
| mappings.source | string | Output field mappings.source |
| mappings.target | string | Output field mappings.target |
| mappings.action_type | string | Type of the resource |
| version | string | Output field version |
| error | object | Error message, if any |
| id | string | Unique identifier |

Output example (truncated in the source):

```json
{"status_code": 200, "response_headers": {"cache-control": "private, no-cache, no-store, must-revalidate", "content-length": "626", "content-security-policy": "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'", "content-type": "application/json; charset=utf-8", "cross-origin-opener-policy": "same-origin", "date": "Tue, 03 Oct 2023 17:21:57 GMT", "kbn-license-sig": "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519", "kbn-name": "instance-0000000000", "permissions-policy": "…
```

### Set Signal Status

Updates the status of the specified signals in Elastic Kibana 8 Security using the provided signal ids.

Endpoint URL: `/api/detection_engine/signals/status`
Method: POST

Input:

| Name | Type | Required | Description |
|---|---|---|---|
| status | string | optional | Status value |
| signal_ids | array | optional | Unique identifier |

Input example:

```json
{"json_body": {"status": "open", "signal_ids": ["2437654347868"]}}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example (truncated in the source):

```json
{"status_code": 200, "response_headers": {"cache-control": "private, no-cache, no-store, must-revalidate", "content-length": "160", "content-security-policy": "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'", "content-type": "application/json; charset=utf-8", "cross-origin-opener-policy": "same-origin", "date": "Wed, 04 Oct 2023 13:41:10 GMT", "kbn-license-sig": "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519", "kbn-name": "instance-0000000000", "permissions-policy": "…
```
### Suspend a Process

Suspend a specific process on a host running Elastic Defend using the provided parameters.

Endpoint URL: `/api/endpoint/action/suspend_process`
Method: POST

Input:

| Name | Type | Required | Description |
|---|---|---|---|
| endpoint_ids | array | optional | Unique identifier |
| alert_ids | array | optional | Unique identifier |
| case_ids | array | optional | Unique identifier |
| parameters.pid | string | required | Parameters for the Suspend a Process action |
| comment | string | optional | Parameter for Suspend a Process |

Input example:

```json
{
  "json_body": {
    "endpoint_ids": ["ed518850-681a-4d60-bb98-e22640cae2a8"],
    "alert_ids": ["ed518850-681a-4d60-bb98-e22640cae2a8"],
    "case_ids": ["ed518850-681a-4d60-bb98-e22640cae2a8"],
    "parameters": {"pid": "abc123"},
    "comment": "terminate the process"
  }
}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| data.data | object | Response data |
| data.data.id | string | Response data |
| data.data.agents | array | Response data |
| data.data.command | string | Response data |
| data.data.isExpired | boolean | Response data |
| data.data.isCompleted | boolean | Response data |
| data.data.wasSuccessful | boolean | Response data |
| data.data.errors | array | Response data |
| data.data.errors.file_name | string | Response data |
| data.data.errors.file | string | Response data |
| data.data.startedAt | string | Response data |
| data.data.completedAt | string | Response data |
| data.data.outputs | object | Response data |
| data.data.outputs.ed518850-681a-4d60-bb98-e22640cae2a8 | object | Response data |
| data.data.outputs.ed518850-681a-4d60-bb98-e22640cae2a8.type | string | Response data |
| data.data.outputs.ed518850-681a-4d60-bb98-e22640cae2a8.content | object | Response data |
| data.data.createdBy | string | Response data |
| data.data.comment | string | Response data |
| data.data.parameters.pid | string | Parameters for the Suspend a Process action |

Output example (truncated in the source):

```json
{"status_code": 200, "response_headers": {"cache-control": "private, no-cache, no-store, must-revalidate", "content-length": "115", "content-security-policy": "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'", "content-type": "application/json; charset=utf-8", "cross-origin-opener-policy": "same-origin", "date": "Fri, 06 Oct 2023 06:36:00 GMT", "elastic-api-version": "2023-10-31", "kbn-license-sig": "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519", "kbn-name": "instanc…
```

### Terminate a Process

Terminates a process on the selected hosts running Elastic Defend by specifying endpoint ids and parameters.

Endpoint URL: `/api/endpoint/action/kill_process`
Method: POST

Input:

| Name | Type | Required | Description |
|---|---|---|---|
| endpoint_ids | array | optional | Unique identifier |
| alert_ids | array | optional | Unique identifier |
| case_ids | array | optional | Unique identifier |
| parameters.pid | string | required | Parameters for the Terminate a Process action |
| comment | string | optional | Parameter for Terminate a Process |

Input example:

```json
{
  "json_body": {
    "endpoint_ids": ["ed518850-681a-4d60-bb98-e22640cae2a8"],
    "alert_ids": ["ed518850-681a-4d60-bb98-e22640cae2a8"],
    "case_ids": ["ed518850-681a-4d60-bb98-e22640cae2a8"],
    "parameters": {"pid": "abc123"},
    "comment": "terminate the process"
  }
}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| data | object | Response data |
| data.id | string | Response data |
| data.agents | array | Response data |
| data.command | string | Response data |
| data.isExpired | boolean | Response data |
| data.isCompleted | boolean | Response data |
| data.wasSuccessful | boolean | Response data |
| data.errors | array | Response data |
| data.errors.file_name | string | Response data |
| data.errors.file | string | Response data |
| data.startedAt | string | Response data |
| data.completedAt | string | Response data |
| data.outputs | object | Response data |
| data.outputs.ed518850-681a-4d60-bb98-e22640cae2a8 | object | Response data |
| data.outputs.ed518850-681a-4d60-bb98-e22640cae2a8.type | string | Response data |
| data.outputs.ed518850-681a-4d60-bb98-e22640cae2a8.content | object | Response data |
| data.outputs.ed518850-681a-4d60-bb98-e22640cae2a8.content.key | string | Response data |
| data.createdBy | string | Response data |
| data.comment | string | Response data |
| data.parameters.pid | string | Parameters for the Terminate a Process action |

Output example (truncated in the source):

```json
{"status_code": 200, "response_headers": {"cache-control": "private, no-cache, no-store, must-revalidate", "content-length": "115", "content-security-policy": "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'", "content-type": "application/json; charset=utf-8", "cross-origin-opener-policy": "same-origin", "date": "Fri, 06 Oct 2023 06:36:00 GMT", "elastic-api-version": "2023-10-31", "kbn-license-sig": "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519", "kbn-name": "instanc…
```

### Update Blocklist Entry

Updates a blocklist entry in Elastic Kibana 8 Security, including its description, entries, id, item_id, name, namespace_type, os_types, and type.

Endpoint URL: `/api/exception_lists/items`
Method: PUT

Input:

| Name | Type | Required | Description |
|---|---|---|---|
| _version | string | optional | Parameter for Update Blocklist Entry |
| name | string | optional | Name of the resource |
| description | string | optional | Parameter for Update Blocklist Entry |
| entries | array | optional | Parameter for Update Blocklist Entry |
| entries.field | string | required | Parameter for Update Blocklist Entry |
| entries.value | array | required | Value for the parameter |
| entries.type | string | required | Type of the resource |
| entries.operator | string | required | Parameter for Update Blocklist Entry |
| os_types | array | optional | Type of the resource |
| tags | array | optional | Parameter for Update Blocklist Entry |
| id | string | optional | Unique identifier |
| comments | array | optional | Parameter for Update Blocklist Entry |
| comments.file_name | string | required | Name of the resource |
| comments.file | string | required | Parameter for Update Blocklist Entry |
| item_id | string | optional | Unique identifier |
| namespace_type | string | optional | Name of the resource |
| type | string | optional | Type of the resource |

Input example:

```json
{
  "json_body": {
    "_version": "WzI1ODEsMV0=",
    "name": "linux process exceptions updates",
    "description": "these applications must be blocked",
    "entries": [
      {
        "field": "file.path",
        "value": ["c:/path/to/file.exe", "c:/path/to/file2.exe", "c:/path/to/file3.exe"],
        "type": "match_any",
        "operator": "included"
      }
    ],
    "os_types": ["macos"],
    "tags": ["policy:all"],
    "id": "e880f600-6360-11ee-924f-eb8f01880390",
    "comments": [],
    "item_id": "695590a7-5655-480d-8375-f486de462cfb",
    "namespace_type": "agnostic",
    "type": "simple"
  }
}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| _version | string | Output field _version |
| comments | array | Output field comments |
| comments.file_name | string | Name of the resource |
| comments.file | string | Output field comments.file |
| created_at | string | Output field created_at |
| created_by | string | Output field created_by |
| description | string | Output field description |
| entries | array | Output field entries |
| entries.field | string | Output field entries.field |
| entries.value | array | Value for the parameter |
| entries.type | string | Type of the resource |
| entries.operator | string | Output field entries.operator |
| id | string | Unique identifier |
| item_id | string | Unique identifier |
| list_id | string | Unique identifier |
| name | string | Name of the resource |
| namespace_type | string | Name of the resource |
| os_types | array | Type of the resource |
| tags | array | Output field tags |
| tie_breaker_id | string | Unique identifier |
| type | string | Type of the resource |
| updated_at | string | Output field updated_at |
| updated_by | string | Output field updated_by |

Output example (truncated in the source):

```json
{"status_code": 200, "response_headers": {"cache-control": "private, no-cache, no-store, must-revalidate", "content-length": "478", "content-security-policy": "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'", "content-type": "application/json; charset=utf-8", "cross-origin-opener-policy": "same-origin", "date": "Thu, 05 Oct 2023 09:55:38 GMT", "kbn-license-sig": "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519", "kbn-name": "instance-0000000000", "permissions-policy": "…
```
### Update Cases

Updates the specified cases in Elastic Kibana 8 Security with the details provided in the JSON body.

Endpoint URL: `/api/cases`
Method: PATCH

Input:

| Name | Type | Required | Description |
|---|---|---|---|
| cases | array | optional | Parameter for Update Cases |
| cases.id | string | required | Unique identifier |
| cases.version | string | required | Parameter for Update Cases |
| cases.connector | object | optional | Parameter for Update Cases |
| cases.connector.id | string | required | Unique identifier |
| cases.connector.name | string | required | Name of the resource |
| cases.connector.type | string | required | Type of the resource |
| cases.connector.fields | object | required | Parameter for Update Cases |
| cases.connector.fields.issueType | string | required | Type of the resource |
| cases.connector.fields.priority | object | required | Parameter for Update Cases |
| cases.connector.fields.parent | object | required | Parameter for Update Cases |
| cases.connector.fields.caseId | string | optional | Unique identifier |
| cases.description | string | optional | Parameter for Update Cases |
| cases.tags | array | optional | Parameter for Update Cases |
| cases.assignees | array | optional | Parameter for Update Cases |
| cases.assignees.file_name | string | required | Name of the resource |
| cases.assignees.file | string | required | Parameter for Update Cases |
| cases.settings | object | optional | Parameter for Update Cases |
| cases.settings.syncAlerts | boolean | required | Parameter for Update Cases |
| cases.severity | string | optional | Parameter for Update Cases |
| cases.status | string | optional | Status value |
| cases.title | string | optional | Parameter for Update Cases |

Input example:

```json
{
  "json_body": {
    "cases": [
      {
        "id": "a18b38a0-71b0-11ea-a0b2-c51ea50a58e2",
        "version": "WzIzLDFd",
        "connector": {
          "id": "131d4448-abe0-4789-939d-8ef60680b498",
          "name": "my connector",
          "type": ".swimlane",
          "fields": {"issueType": "10006", "priority": null, "parent": null, "caseId": ""}
        },
        "description": "a new description",
        "tags": ["tag 1", "tag 2"],
        "assignees": [],
        "settings": {"syncAlerts": true},
        "severity": "critical",
        "status": "open",
        "title": "first case"
      }
    ]
  }
}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |

Output example (truncated in the source):

```json
{"status_code": 200, "response_headers": {"cache-control": "private, no-cache, no-store, must-revalidate", "content-length": "165", "content-security-policy": "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'", "content-type": "application/json; charset=utf-8", "cross-origin-opener-policy": "same-origin", "date": "Fri, 06 Oct 2023 09:04:04 GMT", "kbn-license-sig": "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519", "kbn-name": "instance-0000000000", "permissions-policy": "…
```

### Update Detection Event Correlation Rule

Updates an existing event correlation detection rule in Elastic Kibana 8 Security with the specified id, name, risk score, severity, and type.

Endpoint URL: `/api/detection_engine/rules`
Method: PATCH

Input:

| Name | Type | Required | Description |
|---|---|---|---|
| id | string | optional | Unique identifier |
| risk_score | number | optional | Score value |
| description | string | optional | Parameter for Update Detection Event Correlation Rule |
| name | string | optional | Name of the resource |
| severity | string | optional | Parameter for Update Detection Event Correlation Rule |
| tags | array | optional | Parameter for Update Detection Event Correlation Rule |
| type | string | optional | Type of the resource |
| language | string | optional | Parameter for Update Detection Event Correlation Rule |
| query | string | optional | Parameter for Update Detection Event Correlation Rule |

Input example:

```json
{
  "json_body": {
    "rule_id": "eql-outbound-rundll32-connections",
    "risk_score": 21,
    "description": "unusual rundll32.exe network connection",
    "name": "rundll32.exe network connection update",
    "severity": "low",
    "tags": ["eql", "windows", "rundll32.exe"],
    "type": "eql",
    "language": "eql",
    "query": "sequence by process.entity_id with maxspan=2h [process where event.type in (\"start\", \"process_started\") and (process.name == \"rundll32.exe\" or process.pe.original_file_name == \"rundll32.exe\") and ((process.args == \"rundll32.exe\" and process.args_count == 1) or (process.args != \"rundll32.exe\" and process.args_count == 0))] [network where event.type == \"connection\" and (process.name == \"rundll32.exe\" or process.pe.original_file_name == \"rundll32.exe\")]"
  }
}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| name | string | Name of the resource |
| description | string | Output field description |
| risk_score | number | Score value |
| severity | string | Output field severity |
| output_index | string | Output field output_index |
| investigation_fields | array | Output field investigation_fields |
| investigation_fields.file_name | string | Name of the resource |
| investigation_fields.file | string | Output field investigation_fields.file |
| tags | array | Output field tags |
| interval | string | Output field interval |
| enabled | boolean | Output field enabled |
| author | array | Output field author |
| author.file_name | string | Name of the resource |
| author.file | string | Output field author.file |
| false_positives | array | Output field false_positives |
| false_positives.file_name | string | Name of the resource |
| false_positives.file | string | Output field false_positives.file |
| from | string | Output field from |
| max_signals | number | Output field max_signals |
| risk_score_mapping | array | Output field risk_score_mapping |
| risk_score_mapping.file_name | string | Name of the resource |
| risk_score_mapping.file | string | Output field risk_score_mapping.file |
| severity_mapping | array | Output field severity_mapping |

Output example (truncated in the source):

```json
{"status_code": 200, "response_headers": {"cache-control": "private, no-cache, no-store, must-revalidate", "content-encoding": "gzip", "content-security-policy": "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'", "content-type": "application/json; charset=utf-8", "cross-origin-opener-policy": "same-origin", "date": "Wed, 04 Oct 2023 10:18:52 GMT", "kbn-license-sig": "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519", "kbn-name": "instance-0000000000", "permissions-polic…
```
### Update Detection Indicator Match Rule

Updates an existing indicator match rule in Elastic Kibana 8 Security with parameters such as risk score and severity.

Endpoint URL: `/api/detection_engine/rules`
Method: PATCH

Input:

| Name | Type | Required | Description |
|---|---|---|---|
| id | string | optional | Unique identifier |
| type | string | optional | Type of the resource |
| index | array | optional | Parameter for Update Detection Indicator Match Rule |
| query | string | optional | Parameter for Update Detection Indicator Match Rule |
| threat_index | array | optional | Parameter for Update Detection Indicator Match Rule |
| threat_query | string | optional | Parameter for Update Detection Indicator Match Rule |
| threat_mapping | array | optional | Parameter for Update Detection Indicator Match Rule |
| threat_mapping.entries | array | optional | Parameter for Update Detection Indicator Match Rule |
| threat_mapping.entries.field | string | optional | Parameter for Update Detection Indicator Match Rule |
| threat_mapping.entries.type | string | optional | Type of the resource |
| threat_mapping.entries.value | string | optional | Value for the parameter |
| risk_score | number | optional | Score value |
| severity | string | optional | Parameter for Update Detection Indicator Match Rule |
| name | string | optional | Name of the resource |
| description | string | optional | Parameter for Update Detection Indicator Match Rule |

Input example:

```json
{
  "json_body": {
    "rule_id": "a8fd8c70-7be8-4d70-95d3-5135bf17d498",
    "type": "threat_match",
    "index": ["packetbeat-*"],
    "query": "destination.ip:* or host.ip:*",
    "threat_index": ["ip-threat-list"],
    "threat_query": "*:*",
    "threat_mapping": [
      {
        "entries": [
          {"field": "destination.ip", "type": "mapping", "value": "destination.ip"},
          {"field": "destination.port", "type": "mapping", "value": "destination.port"}
        ]
      },
      {
        "entries": [
          {"field": "source.ip", "type": "mapping", "value": "host.ip"}
        ]
      }
    ],
    "risk_score": 50,
    "severity": "medium",
    "name": "bad ip threat match update",
    "description": "checks for bad ip addresses listed in the ip-threat-list index"
  }
}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| name | string | Name of the resource |
| description | string | Output field description |
| risk_score | number | Score value |
| severity | string | Output field severity |
| output_index | string | Output field output_index |
| investigation_fields | array | Output field investigation_fields |
| investigation_fields.file_name | string | Name of the resource |
| investigation_fields.file | string | Output field investigation_fields.file |
| tags | array | Output field tags |
| tags.file_name | string | Name of the resource |
| tags.file | string | Output field tags.file |
| interval | string | Output field interval |
| enabled | boolean | Output field enabled |
| author | array | Output field author |
| author.file_name | string | Name of the resource |
| author.file | string | Output field author.file |
| false_positives | array | Output field false_positives |
| false_positives.file_name | string | Name of the resource |
| false_positives.file | string | Output field false_positives.file |
| from | string | Output field from |
| max_signals | number | Output field max_signals |
| risk_score_mapping | array | Output field risk_score_mapping |
| risk_score_mapping.file_name | string | Name of the resource |

Output example (truncated in the source):

```json
{"status_code": 200, "response_headers": {"cache-control": "private, no-cache, no-store, must-revalidate", "content-encoding": "gzip", "content-security-policy": "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'", "content-type": "application/json; charset=utf-8", "cross-origin-opener-policy": "same-origin", "date": "Wed, 04 Oct 2023 10:23:37 GMT", "kbn-license-sig": "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519", "kbn-name": "instance-0000000000", "permissions-polic…
```

### Update Detection ML Rule

Updates an existing machine learning rule in Elastic Kibana 8 Security, adjusting parameters such as risk score, severity, and more.

Endpoint URL: `/api/detection_engine/rules`
Method: PATCH

Input:

| Name | Type | Required | Description |
|---|---|---|---|
| anomaly_threshold | number | optional | Parameter for Update Detection ML Rule |
| id | string | optional | Unique identifier |
| risk_score | number | optional | Score value |
| machine_learning_job_id | string | optional | Unique identifier |
| description | string | optional | Parameter for Update Detection ML Rule |
| interval | string | optional | Parameter for Update Detection ML Rule |
| name | string | optional | Name of the resource |
| note | string | optional | Parameter for Update Detection ML Rule |
| severity | string | optional | Parameter for Update Detection ML Rule |
| tags | array | optional | Parameter for Update Detection ML Rule |
| type | string | optional | Type of the resource |
| from | string | optional | Parameter for Update Detection ML Rule |
| enabled | boolean | optional | Parameter for Update Detection ML Rule |
| throttle | string | optional | Parameter for Update Detection ML Rule |
| actions | array | optional | Parameter for Update Detection ML Rule |
| actions.action_type_id | string | optional | Unique identifier |
| actions.group | string | optional | Parameter for Update Detection ML Rule |
| actions.id | string | optional | Unique identifier |
| actions.params | object | optional | Parameter for Update Detection ML Rule |
| actions.params.message | string | optional | Response message |

Input example:

```json
{
  "json_body": {
    "anomaly_threshold": 70,
    "rule_id": "ml-linux-network-high-threshold",
    "risk_score": 70,
    "machine_learning_job_id": "linux_anomalous_network_activity_ecs",
    "description": "generates alerts when the job discovers anomalies over 70",
    "interval": "5m",
    "name": "anomalous linux network activity",
    "note": "shut down the internet.",
    "severity": "high",
    "tags": ["machine learning", "linux"],
    "type": "machine_learning",
    "from": "now-6m",
    "enabled": true,
    "throttle": "rule",
    "actions": [
      {
        "action_type_id": ".slack",
        "group": "default",
        "id": "73cdcf10-5eea-11ee-924f-eb8f01880390",
        "params": {"message": "detection is created!"}
      }
    ]
  }
}
```

Output:

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| name | string | Name of the resource |
| description | string | Output field description |
| risk_score | number | Score value |
| severity | string | Output field severity |
severity note string output field note output index string output field output index investigation fields array output field investigation fields investigation fields file name string name of the resource investigation fields file string output field investigation fields file tags array output field tags interval string output field interval enabled boolean output field enabled author array output field author author file name string name of the resource author file string output field author file false positives array output field false positives false positives file name string name of the resource false positives file string output field false positives file from string output field from max signals number output field max signals risk score mapping array output field risk score mapping risk score mapping file name string name of the resource risk score mapping file string output field risk score mapping file output example {"status code" 200,"response headers" {"cache control" "private, no cache, no store, must revalidate","content encoding" "gzip","content security policy" "script src 'self'; worker src blob 'self'; style src 'unsafe inline' 'self'","content type" "application/json; charset=utf 8","cross origin opener policy" "same origin","date" "wed, 04 oct 2023 10 30 34 gmt","kbn license sig" "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519","kbn name" "instance 0000000000","permissions polic update detection query rule updates an existing query detection rule in elastic kibana 8 security with specified id, name, risk score, severity, type, and query endpoint url /api/detection engine/rules method patch input argument name type required description id string optional unique identifier risk score number optional score value description string optional parameter for update detection query rule interval string optional parameter for update detection query rule name string optional name of the resource severity string optional parameter for 
update detection query rule tags array optional parameter for update detection query rule type string optional type of the resource from string optional parameter for update detection query rule query string optional parameter for update detection query rule language string optional parameter for update detection query rule filters array optional parameter for update detection query rule filters query object optional parameter for update detection query rule filters query match object optional parameter for update detection query rule filters query match event action object optional parameter for update detection query rule filters query match event action query string optional parameter for update detection query rule filters query match event action type string optional type of the resource enabled boolean optional parameter for update detection query rule input example {"json body" {"rule id" "process started by ms office program 1","risk score" 50,"description" "process started by ms office program possible payload","interval" "1h","name" "ms office child process update","severity" "low","tags" \["child process","ms office"],"type" "query","from" "now 70m","query" "process parent name\ excel exe or process parent name\ mspub exe or process parent name\ outlook exe or process parent name\ powerpnt exe or process parent name\ visio exe or process parent name\ winword exe","language" "kuery","filters" \[{"query" {"match" {"event action" {"query" "process create (rule processcreate)","type" "phrase"}}}}],"enabled"\ false}} output parameter type description status code number http status code of the response reason string response reason phrase name string name of the resource description string output field description risk score number score value severity string output field severity output index string output field output index investigation fields array output field investigation fields investigation fields file name string name of the resource investigation 
fields file string output field investigation fields file tags array output field tags interval string output field interval enabled boolean output field enabled author array output field author author file name string name of the resource author file string output field author file false positives array output field false positives false positives file name string name of the resource false positives file string output field false positives file from string output field from max signals number output field max signals risk score mapping array output field risk score mapping risk score mapping file name string name of the resource risk score mapping file string output field risk score mapping file severity mapping array output field severity mapping output example {"status code" 200,"response headers" {"cache control" "private, no cache, no store, must revalidate","content encoding" "gzip","content security policy" "script src 'self'; worker src blob 'self'; style src 'unsafe inline' 'self'","content type" "application/json; charset=utf 8","cross origin opener policy" "same origin","date" "wed, 04 oct 2023 10 15 08 gmt","kbn license sig" "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519","kbn name" "instance 0000000000","permissions polic update detection threshold rule updates an existing query threshold rule in elastic kibana 8 security with parameters such as id, name, risk score, and severity endpoint url /api/detection engine/rules method patch input argument name type required description description string optional parameter for update detection threshold rule enabled boolean optional parameter for update detection threshold rule from string optional parameter for update detection threshold rule index array optional parameter for update detection threshold rule interval string optional parameter for update detection threshold rule name string optional name of the resource query string optional parameter for update detection threshold rule 
risk score number optional score value id string optional unique identifier severity string optional parameter for update detection threshold rule severity mapping array optional parameter for update detection threshold rule severity mapping field string optional parameter for update detection threshold rule severity mapping operator string optional parameter for update detection threshold rule severity mapping severity string optional parameter for update detection threshold rule severity mapping value string optional value for the parameter tags array optional parameter for update detection threshold rule threshold object optional parameter for update detection threshold rule threshold field string required parameter for update detection threshold rule threshold value number required value for the parameter type string optional type of the resource input example {"json body" {"description" "detects when there are 20 or more failed login attempts from the same ip address with a 2 minute time frame ","enabled"\ true,"from" "now 180s","index" \["winlogbeat "],"interval" "2m","name" "liverpool windows server prml 19 update","query" "host name\ prml 19 and event category\ authentication and event outcome\ failure","risk score" 30,"rule id" "liv win ser logins","severity" "low","severity mapping" \[{"field" "source geo city name","operator" "equals","severity" "low","value" "manchester"},{"field" "source geo city name","operator" "equals","severity" "critical","value" "wallingford"}],"tags" \["brute force"],"threshold" {"field" "source ip","value" 20},"type" "threshold"}} output parameter type description status code number http status code of the response reason string response reason phrase name string name of the resource description string output field description risk score number score value severity string output field severity output index string output field output index investigation fields array output field investigation fields investigation fields file 
name string name of the resource investigation fields file string output field investigation fields file tags array output field tags interval string output field interval enabled boolean output field enabled author array output field author author file name string name of the resource author file string output field author file false positives array output field false positives false positives file name string name of the resource false positives file string output field false positives file from string output field from max signals number output field max signals risk score mapping array output field risk score mapping risk score mapping file name string name of the resource risk score mapping file string output field risk score mapping file severity mapping array output field severity mapping output example {"status code" 200,"response headers" {"cache control" "private, no cache, no store, must revalidate","content encoding" "gzip","content security policy" "script src 'self'; worker src blob 'self'; style src 'unsafe inline' 'self'","content type" "application/json; charset=utf 8","cross origin opener policy" "same origin","date" "wed, 04 oct 2023 10 41 52 gmt","kbn license sig" "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519","kbn name" "instance 0000000000","permissions polic update elastic security case closure connector updates the case closure connector settings in elastic kibana 8 security with a given configuration id and version endpoint url /api/cases/configure/{{configuration id}} method patch input argument name type required description path parameters configuration id string required parameters for the update elastic security case closure connector action connector object optional parameter for update elastic security case closure connector connector id string required unique identifier connector name string required name of the resource connector type string required type of the resource connector fields object required 
parameter for update elastic security case closure connector connector fields caseid object optional unique identifier closure type string optional type of the resource version string optional parameter for update elastic security case closure connector input example {"json body" {"connector" {"id" "131d4448 abe0 4789 939d 8ef60680b498","name" "my connector","type" " swimlane","fields" {"caseid"\ null}},"closure type" "close by pushing","version" "wziwmiwxxq=="},"path parameters" {"configuration id" "5a48f180 6211 11ee 924f eb8f01880390"}} output parameter type description status code number http status code of the response reason string response reason phrase closure type string type of the resource connector object output field connector connector id string unique identifier connector type string type of the resource connector fields object output field connector fields connector fields caseid object unique identifier connector name string name of the resource owner string output field owner created at string output field created at created by object output field created by created by username string name of the resource created by full name object name of the resource created by email object output field created by email updated at string output field updated at updated by object output field updated by updated by username string name of the resource updated by full name object name of the resource updated by email object output field updated by email mappings array output field mappings mappings source string output field mappings source mappings target string output field mappings target mappings action type string type of the resource version string output field version output example {"status code" 200,"response headers" {"cache control" "private, no cache, no store, must revalidate","content length" "693","content security policy" "script src 'self'; worker src blob 'self'; style src 'unsafe inline' 'self'","content type" "application/json; charset=utf 
8","cross origin opener policy" "same origin","date" "tue, 03 oct 2023 17 35 06 gmt","kbn license sig" "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519","kbn name" "instance 0000000000","permissions policy" update event filter updates an existing event filter in elastic kibana 8 security, including description, entries, id, item id, name, namespace type, os types, and type endpoint url /api/exception lists/items method put input argument name type required description version string optional parameter for update event filter name string optional name of the resource description string optional parameter for update event filter entries array optional parameter for update event filter entries field string required parameter for update event filter entries operator string required parameter for update event filter entries type string required type of the resource entries value string required value for the parameter os types array optional type of the resource tags array optional parameter for update event filter id string optional unique identifier comments array optional parameter for update event filter comments comment string optional parameter for update event filter comments id string optional unique identifier item id string optional unique identifier namespace type string optional name of the resource type string optional type of the resource input example {"json body" {" version" "wzi1odusmv0=","name" "some name for this item updated","description" "some description about this entry updated","entries" \[{"field" "process executable","operator" "included","type" "match","value" "c \\\applications\\\elastic\\\foov2 exe"}],"os types" \["windows"],"tags" \["policy\ all"],"id" "7fe2fe90 636a 11ee 924f eb8f01880390","comments" \[{"comment" "updated comment","id" "4cb925a9 9df5 441d 839a c218c158b0b4"},{"comment" "add new comment"}],"item id" "2afcc085 e670 4042 88c7 c686400075e2","namespace type" "agnostic","type" "simple"}} output parameter type 
description status code number http status code of the response reason string response reason phrase version string output field version comments array output field comments comments comment string output field comments comment comments created at string output field comments created at comments created by string output field comments created by comments id string unique identifier created at string output field created at created by string output field created by description string output field description entries array output field entries entries field string output field entries field entries operator string output field entries operator entries type string type of the resource entries value string value for the parameter id string unique identifier item id string unique identifier list id string unique identifier name string name of the resource namespace type string name of the resource os types array type of the resource tags array output field tags tie breaker id string unique identifier type string type of the resource output example {"status code" 200,"response headers" {"cache control" "private, no cache, no store, must revalidate","content length" "954","content security policy" "script src 'self'; worker src blob 'self'; style src 'unsafe inline' 'self'","content type" "application/json; charset=utf 8","cross origin opener policy" "same origin","date" "thu, 05 oct 2023 13 17 44 gmt","kbn license sig" "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519","kbn name" "instance 0000000000","permissions policy" update host isolation exception updates an existing host isolation exception in elastic kibana 8 security, including description, entries, id, and os types endpoint url /api/exception lists/items method put input argument name type required description version string optional parameter for update host isolation exception description string optional parameter for update host isolation exception entries array optional parameter for update 
host isolation exception entries field string required parameter for update host isolation exception entries type string required type of the resource entries value string required value for the parameter entries operator string required parameter for update host isolation exception id string optional unique identifier item id string optional unique identifier name string optional name of the resource namespace type string optional name of the resource tags array optional parameter for update host isolation exception os types array optional type of the resource type string optional type of the resource input example {"json body" {" version" "wzi1odksmv0=","description" "via api","entries" \[{"field" "destination ip","type" "match","value" "10 10 0 15","operator" "included"}],"id" "80f34d90 63a0 11ee 924f eb8f01880390","item id" "fb00f1ac 11cd 432e be2f 1bb7fa5ca7e0","name" "host isolation exception created with api update","namespace type" "agnostic","tags" \["update","host isolation"],"os types" \["linux","macos","windows"],"type" "simple"}} output parameter type description status code number http status code of the response reason string response reason phrase version string output field version comments array output field comments comments file name string name of the resource comments file string output field comments file created at string output field created at created by string output field created by description string output field description entries array output field entries entries field string output field entries field entries type string type of the resource entries value string value for the parameter entries operator string output field entries operator id string unique identifier item id string unique identifier list id string unique identifier name string name of the resource namespace type string name of the resource os types array type of the resource tags array output field tags tie breaker id string unique identifier type string type of the 
resource updated at string output field updated at updated by string output field updated by output example {"status code" 200,"response headers" {"cache control" "private, no cache, no store, must revalidate","content length" "663","content security policy" "script src 'self'; worker src blob 'self'; style src 'unsafe inline' 'self'","content type" "application/json; charset=utf 8","cross origin opener policy" "same origin","date" "thu, 05 oct 2023 17 07 27 gmt","kbn license sig" "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519","kbn name" "instance 0000000000","permissions policy" update list container updates an existing list container in elastic kibana 8 security using the provided 'id', 'name', and 'description' endpoint url /api/lists method patch input argument name type required description name string optional name of the resource description string optional parameter for update list container version string optional parameter for update list container id string optional unique identifier input example {"json body" {"name" "exclude internal ip addresses update","description" "contains list items that exclude internal ip addresses from detection rules "," version" "wzismv0=","id" "internal ip range excludes"}} output parameter type description status code number http status code of the response reason string response reason phrase version string output field version created at string output field created at created by string output field created by description string output field description deserializer string output field deserializer id string unique identifier immutable boolean output field immutable name string name of the resource serializer string output field serializer tie breaker id string unique identifier type string type of the resource updated at string output field updated at updated by string output field updated by version number output field version output example {"status code" 200,"response headers" {"cache control" 
"private, no cache, no store, must revalidate","content length" "495","content security policy" "script src 'self'; worker src blob 'self'; style src 'unsafe inline' 'self'","content type" "application/json; charset=utf 8","cross origin opener policy" "same origin","date" "thu, 05 oct 2023 06 06 07 gmt","kbn license sig" "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519","kbn name" "instance 0000000000","permissions policy" update list item updates an existing list item in elastic kibana 8 security using the specified 'id' and 'value' endpoint url /api/lists/items method patch input argument name type required description id string optional unique identifier value string optional value for the parameter version string optional parameter for update list item input example {"json body" {"id" "internal ip 1","value" "10 0 0 12"," version" "wzasmv0="}} output parameter type description status code number http status code of the response reason string response reason phrase version string output field version created at string output field created at created by string output field created by id string unique identifier list id string unique identifier tie breaker id string unique identifier type string type of the resource updated at string output field updated at updated by string output field updated by value string value for the parameter output example {"status code" 200,"response headers" {"cache control" "private, no cache, no store, must revalidate","content length" "291","content security policy" "script src 'self'; worker src blob 'self'; style src 'unsafe inline' 'self'","content type" "application/json; charset=utf 8","cross origin opener policy" "same origin","date" "thu, 05 oct 2023 06 34 58 gmt","kbn license sig" "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519","kbn name" "instance 0000000000","permissions policy" update trusted application updates an existing trusted application in elastic kibana 8 security, including 
description, entries, id, and os types endpoint url /api/exception lists/items method put input argument name type required description version string optional parameter for update trusted application name string optional name of the resource description string optional parameter for update trusted application entries array optional parameter for update trusted application entries field string required parameter for update trusted application entries value string required value for the parameter entries type string required type of the resource entries operator string required parameter for update trusted application os types array optional type of the resource tags array optional parameter for update trusted application id string optional unique identifier comments array optional parameter for update trusted application comments comment string optional parameter for update trusted application item id string optional unique identifier namespace type string optional name of the resource type string optional type of the resource input example {"json body" {" version" "wzi1otqsmv0=","name" "create endpoint trusted app updated!","description" "this app is good","entries" \[{"field" "process hash sha1","value" "aedb279e378bed6c2db3c9dc9e12ba635e0b391c","type" "match","operator" "included"}],"os types" \["windows"],"tags" \["policy\ all"],"id" "38e91330 640f 11ee 924f eb8f01880390","comments" \[{"comment" "comment is updated"}],"item id" "cbc73361 5d6f 4cbd 84c2 eb3564a934ae","namespace type" "agnostic","type" "simple"}} output parameter type description status code number http status code of the response reason string response reason phrase version string output field version comments array output field comments comments comment string output field comments comment comments created at string output field comments created at comments created by string output field comments created by comments id string unique identifier created at string output field created at created 
by string output field created by description string output field description entries array output field entries entries field string output field entries field entries value string value for the parameter entries type string type of the resource entries operator string output field entries operator id string unique identifier item id string unique identifier list id string unique identifier name string name of the resource namespace type string name of the resource os types array type of the resource tags array output field tags tie breaker id string unique identifier type string type of the resource output example {"status code" 200,"response headers" {"cache control" "private, no cache, no store, must revalidate","content length" "786","content security policy" "script src 'self'; worker src blob 'self'; style src 'unsafe inline' 'self'","content type" "application/json; charset=utf 8","cross origin opener policy" "same origin","date" "fri, 06 oct 2023 06 19 54 gmt","kbn license sig" "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519","kbn name" "instance 0000000000","permissions policy" response headers header description example accept ranges http response header accept ranges bytes cache control directives for caching mechanisms private, no cache, no store, must revalidate connection http response header connection keep alive content disposition http response header content disposition attachment; filename="export ndjson" content encoding http response header content encoding gzip content length the length of the response body in bytes 91 content security policy http response header content security policy script src 'self'; worker src blob 'self'; style src 'unsafe inline' 'self' content type the media type of the resource application/json; charset=utf 8 cross origin opener policy http response header cross origin opener policy same origin date the date and time at which the message was originated fri, 29 sep 2023 16 50 40 gmt elastic api 
version http response header elastic api version 2023 10 31 kbn license sig http response header kbn license sig 32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519 kbn name http response header kbn name instance 0000000000 keep alive http response header keep alive timeout=120 permissions policy http response header permissions policy camera=(), display capture=(), fullscreen=(self), geolocation=(), microphone=(), web share=() referrer policy http response header referrer policy no referrer when downgrade transfer encoding http response header transfer encoding chunked vary http response header vary accept encoding warning http response header warning 299 kibana 8 10 2 "deprecated query parameter includecomments" x cloud request id http response header x cloud request id xwhqpidns0kptm0j aamxa x content type options http response header x content type options nosniff x found handling cluster http response header x found handling cluster 397bafc2854d4f8ebe25ade55fbf3b17 x found handling instance http response header x found handling instance instance 0000000000
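The four detection-rule update actions above (indicator match, machine learning, query and threshold) all PATCH the same endpoint with a body whose shape depends on the rule type, and a malformed body is only reported by Kibana after the request is sent. The following is an added example, written for this page rather than taken from Swimlane's connector or from Elastic: it assembles the PATCH bodies in Python and checks the constraints the page's own examples rely on (`id` versus `rule_id` addressing, the severity vocabulary, the 0 to 100 risk score, `threshold.field` plus `threshold.value`, and the AND/OR structure of `threat_mapping`). The field names and ranges are Kibana's; the helper and function names are the example's own, and nothing is sent over the network.

```python
"""Added example (not Swimlane's connector code and not Elastic's): build and
sanity-check PATCH bodies for /api/detection_engine/rules before sending them."""
import json

# Value vocabularies Kibana enforces on detection rules.
SEVERITIES = ("low", "medium", "high", "critical")
RULE_TYPES = ("threat_match", "machine_learning", "query", "threshold")


def threat_mapping(*or_groups):
    """Build a threat_mapping value. Each argument maps an event field to the
    indicator field it must equal; pairs inside one argument are ANDed, separate
    arguments are ORed, which is how Kibana evaluates threat_mapping elements."""
    return [
        {"entries": [{"field": event_field, "type": "mapping", "value": threat_field}
                     for event_field, threat_field in group.items()]}
        for group in or_groups
    ]


def rule_patch(*, rule_id=None, object_id=None, **fields):
    """Assemble the PATCH body. The rule is addressed by rule_id (as the page's
    examples do) or by the saved-object id; every other field is optional."""
    body = {}
    if rule_id is not None:
        body["rule_id"] = rule_id
    if object_id is not None:
        body["id"] = object_id
    body.update(fields)
    return body


def patch_errors(body):
    """Return the problems Kibana would reject, or that would create a rule that
    silently matches nothing. An empty list means the body is worth sending."""
    errors = []
    if ("id" in body) == ("rule_id" in body):
        errors.append("address the rule with exactly one of id or rule_id")
    if "severity" in body and body["severity"] not in SEVERITIES:
        errors.append(f"severity must be one of {SEVERITIES}")
    score = body.get("risk_score")
    if score is not None and not (isinstance(score, int) and 0 <= score <= 100):
        errors.append("risk_score must be an integer between 0 and 100")
    if "type" in body and body["type"] not in RULE_TYPES:
        errors.append(f"unknown rule type {body['type']!r}")
    if "threshold" in body:
        threshold = body["threshold"]
        value = threshold.get("value") if isinstance(threshold, dict) else None
        if not isinstance(threshold, dict) or "field" not in threshold \
                or not isinstance(value, int) or value < 1:
            errors.append("threshold needs a field and an integer value of at least 1")
    for group in body.get("threat_mapping", []):
        entries = group.get("entries") or []
        if not entries:
            errors.append("threat_mapping element without entries matches nothing")
        for entry in entries:
            if entry.get("type") != "mapping" or not entry.get("field") or not entry.get("value"):
                errors.append(f"bad threat_mapping entry {entry!r}")
    for key in ("index", "threat_index", "tags"):
        if key in body and not isinstance(body[key], list):
            errors.append(f"{key} must be an array of strings")
    return errors


# The page's indicator-match example, rebuilt with the helpers above.
INDICATOR_MATCH_PATCH = rule_patch(
    rule_id="a8fd8c70-7be8-4d70-95d3-5135bf17d498",
    type="threat_match",
    index=["packetbeat-*"],
    query="destination.ip:* or host.ip:*",
    threat_index=["ip_threat_list"],
    threat_query="*:*",
    threat_mapping=threat_mapping(
        {"destination.ip": "destination.ip", "destination.port": "destination.port"},
        {"source.ip": "host.ip"},
    ),
    risk_score=50,
    severity="medium",
    name="Bad IP threat match update",
    description="Checks for bad IP addresses listed in the ip_threat_list index",
)

# A constructed bad body: invented severity, threshold without a value.
BAD_THRESHOLD_PATCH = rule_patch(
    rule_id="liv_win_ser_logins", severity="urgent", threshold={"field": "source.ip"}
)

if __name__ == "__main__":
    print(json.dumps(INDICATOR_MATCH_PATCH, indent=2))
    print(patch_errors(BAD_THRESHOLD_PATCH))
```

`patch_errors` is deliberately stricter than a pure schema check: an empty `threat_mapping` element is schema-valid but produces a rule that never alerts, which is the kind of mistake an automated workflow would otherwise never surface.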
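The exception-item actions (Update Event Filter, Update Host Isolation Exception, Update Trusted Application), the two list actions and the case-configuration action above all carry a `_version` or `version` token that a previous read returned. The following is an added example, not Swimlane's connector code and not Elastic's: it decodes that token, which is the base64 encoding of the JSON array `[seq_no, primary_term]` of the backing saved object (Elasticsearch's optimistic-concurrency pair), assembles the headers a Kibana API call needs (`kbn-xsrf` on state-changing requests, `ApiKey` or `Basic` authorization for the connector's two authentication modes), and shows why the token matters: two writers that fetched the same item cannot both succeed. The store class is a constructed stand-in for Kibana that models only the version check, the sample item is constructed to mirror the page's host isolation exception example, and nothing is sent over the network.

```python
"""Added example (not Swimlane's connector code and not Elastic's): handle the
_version token carried by the exception-item, list and case-configuration updates."""
import base64
import json


def decode_version(token):
    """'WzI1ODUsMV0=' -> (2585, 1): the seq_no and primary_term the token encodes."""
    seq_no, primary_term = json.loads(base64.b64decode(token))
    return seq_no, primary_term


def encode_version(seq_no, primary_term):
    """Inverse of decode_version; Kibana emits the array without whitespace."""
    payload = json.dumps([seq_no, primary_term], separators=(",", ":")).encode()
    return base64.b64encode(payload).decode()


def kibana_headers(api_key=None, basic=None):
    """Headers for a Kibana API call. kbn-xsrf is required on every request that
    changes state; api_key is the encoded key Kibana hands out, basic is (user, pw)."""
    headers = {"kbn-xsrf": "true", "Content-Type": "application/json"}
    if api_key:
        headers["Authorization"] = "ApiKey " + api_key
    elif basic:
        user, password = basic
        credentials = base64.b64encode(f"{user}:{password}".encode()).decode()
        headers["Authorization"] = "Basic " + credentials
    return headers


class FakeItemStore:
    """Constructed stand-in for one exception item held by Kibana (not Kibana's
    code): it only reproduces the version check on PUT /api/exception_lists/items."""

    def __init__(self, item):
        self.item = dict(item)

    def get(self):
        return dict(self.item)

    def put(self, body):
        """A stale _version is refused with 409; a current one is applied and the
        seq_no advances, so the token the caller holds is now stale."""
        if body.get("_version") != self.item["_version"]:
            return 409, {"message": "version conflict, the item was modified"}
        seq_no, primary_term = decode_version(self.item["_version"])
        self.item.update({k: v for k, v in body.items() if k != "_version"})
        self.item["_version"] = encode_version(seq_no + 1, primary_term)
        return 200, dict(self.item)


# Constructed sample item, shaped like the Update Host Isolation Exception example.
SAMPLE_ITEM = {
    "_version": "WzI1ODksMV0=",
    "id": "80f34d90-63a0-11ee-924f-eb8f01880390",
    "item_id": "fb00f1ac-11cd-432e-be2f-1bb7fa5ca7e0",
    "name": "host isolation exception created with api",
    "namespace_type": "agnostic",
    "type": "simple",
    "os_types": ["linux", "macos", "windows"],
    "entries": [
        {"field": "destination.ip", "type": "match", "value": "10.10.0.15", "operator": "included"}
    ],
}


def update_with_version(current, **changes):
    """Build the PUT body from a previously fetched item: identifiers and _version
    are carried over unchanged, only the supplied fields are replaced."""
    body = dict(current)
    body.update(changes)
    return body


def two_writers_scenario():
    """Two analysts fetch the same item; the second one to write is refused."""
    store = FakeItemStore(SAMPLE_ITEM)
    first_copy = store.get()
    second_copy = store.get()
    status_a, _ = store.put(update_with_version(first_copy, name="renamed by analyst A"))
    status_b, _ = store.put(update_with_version(second_copy, entries=[]))
    return status_a, status_b, decode_version(store.get()["_version"])


if __name__ == "__main__":
    print(decode_version(SAMPLE_ITEM["_version"]))
    print(two_writers_scenario())
```

Omitting `_version` disables the check, so a workflow that re-reads the item immediately before writing and passes the token through, as `update_with_version` does, is the safe pattern; on a 409 the correct response is to re-read and re-apply the change, not to retry with the old token.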