# Elastic Kibana 8 - Security
The Elastic Kibana 8 Security connector allows for streamlined integration with Swimlane Turbine, enabling automated security workflows and enhanced threat management.

Elastic Kibana 8 Security is a powerful analytics and visualization platform that's part of the Elastic Stack. It enables security teams to interactively navigate through large volumes of event data, providing real-time insights into security events and alerts. Integrating with Swimlane Turbine, this connector empowers users to automate and orchestrate security workflows, streamline incident response, and enhance threat detection capabilities within their security operations.

## Prerequisites

Before you can use the Elastic Kibana 8 Security connector for Turbine, ensure you have the following:

- HTTP Basic Authentication with these parameters:
  - URL: the endpoint URL for your Elastic Kibana instance
  - Username: your Elastic Kibana username
  - Password: your Elastic Kibana password
- API Key Authentication with these parameters:
  - URL: the endpoint URL for your Elastic Kibana instance
  - API Key: a generated API key for accessing Elastic Kibana APIs

## Capabilities

This connector provides the following capabilities:

- Case tasks
  - Add Case Comment
  - Create Case
  - Find Cases
  - Get Case
  - Update Case
  - Get All Case Activity
- Connector tasks
  - Create Connector
  - Get All Connectors
  - Get Current Connector
  - Push Case to External Service
  - Set Default Elastic Security UI Connector
  - Update Elastic Security Case Closure Connector
- Detection tasks
  - Create Detection Event Correlation Rule
  - Create Detection Indicator Match Rule
  - Create Detection ML Rule
  - Create Detection Query Rule
  - Create Detection Threshold Rule
  - Update Detection Event Correlation Rule
  - Update Detection Indicator Match Rule
  - Update Detection ML Rule
  - Update Detection Query Rule
  - Update Detection Threshold Rule
  - Delete Detection Rule
  - Export Detection Rules
  - Find Detection Rules
  - Get Detection Rule
  - Add Pre-Packaged Detection Rules
- Signal tasks
  - Create Signal Index
  - Get Signals
  - Set Signal Status
- Timeline tasks
  - Create Timeline (& Timeline Templates)
- Lists tasks
  - Create List Container
  - Create List Item
  - Create List Index
  - Find List Containers
  - Find List Items
  - Update List Container
  - Update List Item
- Exception tasks
  - Create Exception Container
  - Create Exception Item
  - Find Exception Containers
  - Find Exception Items
- Tags tasks
  - Get Tags
- Kibana tasks
  - Create Kibana Space
  - Get Kibana Spaces
- Endpoint Management tasks
  - Create Blocklist Entries Container
  - Create Blocklist Entry
  - Create Event Filter
  - Create Event Filters Container
  - Create Host Isolation Exception
  - Create Host Isolation Exceptions Container
  - Create Trusted Application
  - Create Trusted Applications Container
  - Delete Blocklist Entry
  - Delete Event Filter
  - Delete Host Isolation Exception
  - Delete Trusted Application
  - Find Blocklist Entries
  - Find Event Filters
  - Find Host Isolation Exceptions
  - and so on

## Asset Setup

### Connecting to Elastic Cloud

In order to use this connector with Elastic Cloud, you must provide the following inputs in the configured asset:

- URL
- API Key

If you generated an API key from within the Elastic Cloud portal, you may need to run the following commands to generate the correct API key:

```
echo "qnq3bdbic0jqr3d1awxkmvbzd0m6cl9wqul6anhrww1vlvazdg5jzkuzuq==" | base64 -d
```

which will result in a value similar to the following:

```
bt7l0hsbjgwuild1pywc\ r vaizjxqymo p3tnife3q%
```

Then take this value and base64-encode it again:

```
echo -n "bt7l0hsbjgwuild1pywc\ r vaizjxqymo p3tnife3q%" | base64
```

This will result in the correct API key.

### Connecting to On-Premises

The URL has to be in this format: `<kibana host>:<port>`. Click here to know more: https://www.elastic.co/guide/en/security/8.9/security-apis.html#_authentication

In order to use this connector with an on-premises Elasticsearch and Kibana, you must provide the following inputs in the configured asset:

- URL
- Username
- Password

### Common Issues

Within the asset, if you receive an error about the host, please remove any trailing slashes from the host string.

## Configurations

### API Key Authentication

Authenticates using an API key.
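The two clean-up steps from the asset setup above (re-encoding an Elastic Cloud API key, and removing trailing slashes from the host before it goes into the asset) as an added POSIX shell example. It is not part of the Swimlane connector documentation or of Elastic's tooling; the function names are the example's own and the sample key and host are constructed placeholders. One caveat the setup commands do not state: in zsh, the `%` that the decoded value appears to end with is the shell's marker for output that lacks a final newline, not part of the key, so it must not be pasted into the re-encoding command. The function below works on the decoded value in a variable, so that copy-and-paste step disappears.

```shell
#!/bin/sh
# Added example, not part of the Swimlane connector docs. Normalises the two
# asset inputs from the setup section: the API key and the Kibana host.

# Re-encode an Elastic Cloud API key the way the setup section describes: decode
# it, check the decoded form, then base64-encode it again with no trailing newline.
# Returns 1 if the input is not valid base64 or does not decode to "<id>:<key>".
reencode_api_key() {
  decoded=$(printf '%s' "$1" | base64 -d 2>/dev/null) || return 1
  # Elastic API keys decode to "<id>:<key>"; anything else would only surface
  # later as an authentication failure from Kibana, so reject it here.
  case "$decoded" in
    *:*) ;;
    *) return 1 ;;
  esac
  # The command substitution above already dropped any trailing newline that had
  # been encoded into the copied value; re-encode and strip base64's line wrapping.
  printf '%s' "$decoded" | base64 | tr -d '\n'
}

# Strip trailing slashes from the host (the "Common Issues" note) and require the
# <kibana host>:<port> form the on-premises setup expects. Returns 1 without a port.
normalize_kibana_host() {
  host=$(printf '%s' "$1" | sed 's#/*$##')
  case "$host" in
    *:[0-9]*) ;;
    *) return 1 ;;
  esac
  printf '%s' "$host"
}

# Constructed sample inputs: placeholders, not real credentials or hosts. The
# sample key deliberately encodes a trailing newline to show it being dropped.
SAMPLE_PORTAL_KEY=$(printf 'exampleId:exampleSecret\n' | base64)
SAMPLE_HOST='https://kibana.example.internal:5601/'

reencode_api_key "$SAMPLE_PORTAL_KEY" && echo
normalize_kibana_host "$SAMPLE_HOST" && echo
```

Both functions print the normalised value on success and return a non-zero status on a malformed input, so they can gate a deployment script before the asset is ever tested against Kibana.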
#### Configuration parameters

| Parameter | Description | Type | Required |
|---|---|---|---|
| URL | A URL to the target host | string | required |
| Port | Host port to use | number | optional |
| X-ApiKey | API key | string | required |
| Verify SSL | Verify SSL certificate | boolean | optional |
| HTTP Proxy | A proxy to route requests through | string | optional |

### HTTP Basic Authentication

Authenticates using username and password.

#### Configuration parameters

| Parameter | Description | Type | Required |
|---|---|---|---|
| URL | A URL to the target host | string | required |
| Username | Username | string | required |
| Password | Password | string | required |
| Verify SSL | Verify SSL certificate | boolean | optional |
| HTTP Proxy | A proxy to route requests through | string | optional |

## Actions

### Add Case Comment

Add a comment or alert to an existing case by providing the case ID and specifying the comment type in Elastic Kibana 8 Security.

Endpoint URL: `/api/cases/{{case_id}}/comments`

Method: POST

Input

| Argument | Type | Required | Description |
|---|---|---|---|
| case_id | string | required | Unique identifier |
| alertId | array | optional | It is required only when type is alert |
| comment | string | optional | It is required only when type is user |
| index | array | optional | It is required only when type is alert |
| owner | string | optional | Parameter for Add Case Comment |
| rule | object | optional | It is required only when type is alert |
| id | string | optional | The rule identifier |
| name | string | optional | The rule name |
| type | string | required | The comment type |

Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| description | string | Output field description |
| title | string | Output field title |
| tags | array | Output field tags |
| settings | object | Output field settings |
| syncAlerts | boolean | Output field syncAlerts |
| owner | string | Output field owner |
| category | object | Output field category |
| assignees | array | Output field assignees |
| file_name | string | Name of the resource |
| file | string | Output field file |
| connector | object | Output field connector |
| id | string | Unique identifier |
| type | string | Type of the resource |
| fields | object | Output field fields |
| issueType | string | Type of the resource |
| priority | string | Output field priority |
| parent | object | Output field parent |
| name | string | Name of the resource |
| severity | string | Output field severity |
| status | string | Status value |
| duration | object | Output field duration |
| closed_at | object | Output field closed_at |
| closed_by | object | Output field closed_by |

Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "cache-control": "private, no-cache, no-store, must-revalidate",
      "content-encoding": "gzip",
      "content-security-policy": "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'",
      "content-type": "application/json; charset=utf-8",
      "cross-origin-opener-policy": "same-origin",
      "date": "Fri, 29 Sep 2023 06:22:52 GMT",
      "kbn-license-sig": "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519",
      "kbn-name": "instance-0000000000",
      "permissions-policy": "camera=(), display-capture=(), fullscreen=(self), geolocation=(), microphone=(), ",
      "referrer-policy": "no-referrer-when-downgrade",
      "vary": "accept-encoding",
      "x-cloud-request-id": "lnuiwbnpt6cvxs9xak6roq",
      "x-content-type-options": "nosniff",
      "x-found-handling-cluster": "397bafc2854d4f8ebe25ade55fbf3b17",
      "x-found-handling-instance": "instance-0000000000"
    },
    "reason": "OK",
    "json_body": {
      "description": "A case description.",
      "title": "Case title 1",
      "tags": [],
      "settings": {},
      "owner": "cases",
      "category": null,
      "assignees": [],
      "connector": {},
      "severity": "low",
      "status": "open",
      "duration": null,
      "closed_at": null,
      "closed_by": null,
      "created_at": "2023-09-29T06:09:04.418Z",
      "created_by": {}
    }
  }
]
```

### Create Blocklist Entries Container

Generates a blocklist container in Elastic Kibana 8 Security, requiring description, name, list ID, type, and namespace.

Endpoint URL: `/api/exception_lists`

Method: POST

Input

| Argument | Type | Required | Description |
|---|---|---|---|
| description | string | required | Parameter for Create Blocklist Entries Container |
| name | string | required | Name of the resource |
| list_id | string | required | Unique identifier |
| type | string | required | Type of the resource |
| namespace_type | string | required | Name of the resource |
| tags | array | optional | Parameter for Create Blocklist Entries Container |

Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| _version | string | Output field _version |
| created_at | string | Output field created_at |
| created_by | string | Output field created_by |
| description | string | Output field description |
| id | string | Unique identifier |
| immutable | boolean | Output field immutable |
| list_id | string | Unique identifier |
| name | string | Name of the resource |
| namespace_type | string | Name of the resource |
| os_types | array | Type of the resource |
| file_name | string | Name of the resource |
| file | string | Output field file |
| tags | array | Output field tags |
| tie_breaker_id | string | Unique identifier |
| type | string | Type of the resource |
| updated_at | string | Output field updated_at |
| updated_by | string | Output field updated_by |
| version | number | Output field version |

Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "cache-control": "private, no-cache, no-store, must-revalidate",
      "content-length": "486",
      "content-security-policy": "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'",
      "content-type": "application/json; charset=utf-8",
      "cross-origin-opener-policy": "same-origin",
      "date": "Thu, 05 Oct 2023 09:15:40 GMT",
      "kbn-license-sig": "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519",
      "kbn-name": "instance-0000000000",
      "permissions-policy": "camera=(), display-capture=(), fullscreen=(self), geolocation=(), microphone=(), ",
      "referrer-policy": "no-referrer-when-downgrade",
      "x-cloud-request-id": "qfsunfcwqjed3tfiqtleog",
      "x-content-type-options": "nosniff",
      "x-found-handling-cluster": "397bafc2854d4f8ebe25ade55fbf3b17",
      "x-found-handling-instance": "instance-0000000000"
    },
    "reason": "OK",
    "json_body": {
      "_version": "wzi1odasmv0=",
      "created_at": "2023-10-05T09:19:29.856Z",
      "created_by": "elastic",
      "description": "Excludes Linux trusted processes",
      "id": "49a40400-6360-11ee-924f-eb8f01880390",
      "immutable": false,
      "list_id": "endpoint_blocklists",
      "name": "Linux process exceptions",
      "namespace_type": "agnostic",
      "os_types": [],
      "tags": [],
      "tie_breaker_id": "791b484f-c2ec-4a3d-b2db-4e28a78b44b9",
      "type": "endpoint",
      "updated_at": "2023-10-05T09:19:29.856Z",
      "updated_by": "elastic"
    }
  }
]
```

### Create Blocklist Entry

Creates a new blocklist entry in Elastic Kibana 8 Security, including description, entries, list ID, name, namespace type, OS types, and entry type.

Endpoint URL: `/api/exception_lists/items`

Method: POST

Input

| Argument | Type | Required | Description |
|---|---|---|---|
| comments | array | optional | Parameter for Create Blocklist Entry |
| file_name | string | required | Name of the resource |
| file | string | required | Parameter for Create Blocklist Entry |
| description | string | required | Parameter for Create Blocklist Entry |
| entries | array | required | Parameter for Create Blocklist Entry |
| field | string | required | Parameter for Create Blocklist Entry |
| value | array | required | Value for the parameter |
| type | string | required | Type of the resource |
| operator | string | required | Parameter for Create Blocklist Entry |
| list_id | string | required | Unique identifier |
| name | string | required | Name of the resource |
| namespace_type | string | required | Name of the resource |
| os_types | array | required | Type of the resource |
| tags | array | optional | Parameter for Create Blocklist Entry |
| type | string | required | Type of the resource |

Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| _version | string | Output field _version |
| comments | array | Output field comments |
| file_name | string | Name of the resource |
| file | string | Output field file |
| created_at | string | Output field created_at |
| created_by | string | Output field created_by |
| description | string | Output field description |
| entries | array | Output field entries |
| field | string | Output field field |
| value | array | Value for the parameter |
| type | string | Type of the resource |
| operator | string | Output field operator |
| id | string | Unique identifier |
| item_id | string | Unique identifier |
| list_id | string | Unique identifier |
| name | string | Name of the resource |
| namespace_type | string | Name of the resource |
| os_types | array | Type of the resource |
| tags | array | Output field tags |
| tie_breaker_id | string | Unique identifier |
| type | string | Type of the resource |
| updated_at | string | Output field updated_at |
| updated_by | string | Output field updated_by |

Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "cache-control": "private, no-cache, no-store, must-revalidate",
      "content-length": "649",
      "content-security-policy": "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'",
      "content-type": "application/json; charset=utf-8",
      "cross-origin-opener-policy": "same-origin",
      "date": "Thu, 05 Oct 2023 09:23:57 GMT",
      "kbn-license-sig": "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519",
      "kbn-name": "instance-0000000000",
      "permissions-policy": "camera=(), display-capture=(), fullscreen=(self), geolocation=(), microphone=(), ",
      "referrer-policy": "no-referrer-when-downgrade",
      "x-cloud-request-id": "17pa328btecl57ffmdln q",
      "x-content-type-options": "nosniff",
      "x-found-handling-cluster": "397bafc2854d4f8ebe25ade55fbf3b17",
      "x-found-handling-instance": "instance-0000000000"
    },
    "reason": "OK",
    "json_body": {
      "_version": "wzi1odesmv0=",
      "comments": [],
      "created_at": "2023-10-05T09:23:56.384Z",
      "created_by": "elastic",
      "description": "Some description about this entry",
      "entries": [],
      "id": "e880f600-6360-11ee-924f-eb8f01880390",
      "item_id": "695590a7-5655-480d-8375-f486de462cfb",
      "list_id": "endpoint_blocklists",
      "name": "Linux process exceptions",
      "namespace_type": "agnostic",
      "os_types": [],
      "tags": [],
      "tie_breaker_id": "3f770c4b-fe1d-4293-ab3a-c61f0517ae98",
      "type": "simple"
    }
  }
]
```

### Create Case

Initiate a new case in Elastic Kibana 8 Security, specifying connector, description, owner, settings, tags, and title.

Endpoint URL: `/api/cases`

Method: POST

Input

| Argument | Type | Required | Description |
|---|---|---|---|
| assignees | array | optional | Parameter for Create Case |
| uid | string | optional | Unique identifier |
| description | string | required | Parameter for Create Case |
| title | string | required | Parameter for Create Case |
| tags | array | required | Parameter for Create Case |
| connector | object | required | Parameter for Create Case |
| id | string | required | Unique identifier |
| name | string | required | Name of the resource |
| type | string | required | Type of the resource |
| fields | object | required | Parameter for Create Case |
| issueType | string | optional | Type of the resource |
| priority | string | optional | Parameter for Create Case |
| parent | object | optional | Parameter for Create Case |
| caseId | string | required | Unique identifier |
| settings | object | required | Parameter for Create Case |
| syncAlerts | boolean | required | Parameter for Create Case |
| owner | string | required | Parameter for Create Case |
| severity | string | optional | Parameter for Create Case |

Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| description | string | Output field description |
| title | string | Output field title |
| tags | array | Output field tags |
| settings | object | Output field settings |
| syncAlerts | boolean | Output field syncAlerts |
| owner | string | Output field owner |
| category | object | Output field category |
| assignees | array | Output field assignees |
| file_name | string | Name of the resource |
| file | string | Output field file |
| connector | object | Output field connector |
| id | string | Unique identifier |
| type | string | Type of the resource |
| fields | object | Output field fields |
| issueType | string | Type of the resource |
| priority | string | Output field priority |
| parent | object | Output field parent |
| name | string | Name of the resource |
| severity | string | Output field severity |
| status | string | Status value |
| duration | object | Output field duration |
| closed_at | object | Output field closed_at |
| closed_by | object | Output field closed_by |

Example

```json
[
  {
    "status_code": 200,
    "response_headers": {},
    "reason": "OK",
    "json_body": {
      "description": "A case description.",
      "title": "Case title 1",
      "tags": [],
      "settings": {},
      "owner": "cases",
      "category": null,
      "assignees": [],
      "connector": {},
      "severity": "low",
      "status": "open",
      "duration": null,
      "closed_at": null,
      "closed_by": null,
      "created_at": "2023-09-29T06:09:04.418Z",
      "created_by": {}
    }
  }
]
```

### Create Connector

Establishes a new connector in Elastic Kibana 8 Security with a specific name, type, configuration, and secrets.

Endpoint URL: `/api/actions/connector`

Method: POST

Input

| Argument | Type | Required | Description |
|---|---|---|---|
| name | string | required | Name of the resource |
| connector_type_id | string | required | Unique identifier |
| config | object | required | Parameter for Create Connector |
| connectorType | string | required | Type of the resource |
| mappings | object | optional | Parameter for Create Connector |
| alertIdConfig | object | optional | Unique identifier |
| id | string | required | Unique identifier |
| name | string | required | Name of the resource |
| key | string | required | Parameter for Create Connector |
| fieldType | string | required | Type of the resource |
| caseIdConfig | object | optional | Unique identifier |
| id | string | required | Unique identifier |
| name | string | required | Name of the resource |
| key | string | required | Parameter for Create Connector |
| fieldType | string | required | Type of the resource |
| caseNameConfig | object | optional | Name of the resource |
| id | string | required | Unique identifier |
| name | string | required | Name of the resource |
| key | string | required | Parameter for Create Connector |
| fieldType | string | required | Type of the resource |
| commentsConfig | object | optional | Parameter for Create Connector |
| id | string | required | Unique identifier |
| name | string | required | Name of the resource |
| key | string | required | Parameter for Create Connector |
| fieldType | string | required | Type of the resource |

Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| id | string | Unique identifier |
| name | string | Name of the resource |
| config | object | Output field config |
| connectorType | string | Type of the resource |
| mappings | object | Output field mappings |
| alertIdConfig | object | Unique identifier |
| id | string | Unique identifier |
| name | string | Name of the resource |
| key | string | Output field key |
| fieldType | string | Type of the resource |
| caseIdConfig | object | Unique identifier |
| id | string | Unique identifier |
| name | string | Name of the resource |
| key | string | Output field key |
| fieldType | string | Type of the resource |
| caseNameConfig | object | Name of the resource |
| id | string | Unique identifier |
| name | string | Name of the resource |
| key | string | Output field key |
| fieldType | string | Type of the resource |
| commentsConfig | object | Output field commentsConfig |
| id | string | Unique identifier |
| name | string | Name of the resource |

Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "cache-control": "private, no-cache, no-store, must-revalidate",
      "content-length": "948",
      "content-security-policy": "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'",
      "content-type": "application/json; charset=utf-8",
      "cross-origin-opener-policy": "same-origin",
      "date": "Fri, 29 Sep 2023 17:21:03 GMT",
      "kbn-license-sig": "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519",
      "kbn-name": "instance-0000000000",
      "permissions-policy": "camera=(), display-capture=(), fullscreen=(self), geolocation=(), microphone=(), ",
      "referrer-policy": "no-referrer-when-downgrade",
      "x-cloud-request-id": "l uhbrvgqwcvcs mrzsnmw",
      "x-content-type-options": "nosniff",
      "x-found-handling-cluster": "397bafc2854d4f8ebe25ade55fbf3b17",
      "x-found-handling-instance": "instance-0000000000"
    },
    "reason": "OK",
    "json_body": {
      "id": "90bc33d0-5eec-11ee-924f-eb8f01880390",
      "name": "my swimlane connector test",
      "config": {},
      "connector_type_id": ".swimlane",
      "is_preconfigured": false,
      "is_deprecated": false,
      "is_missing_secrets": false,
      "is_system_action": false
    }
  }
]
```

### Create Detection Event Correlation Rule

Generates alerts by creating an event correlation rule in Elastic Kibana 8 Security with details such as description, name, risk score, and severity.

Endpoint URL: `/api/detection_engine/rules`

Method: POST

Input

| Argument | Type | Required | Description |
|---|---|---|---|
| rule_id | string | optional | Unique identifier |
| risk_score | number | required | Score value |
| description | string | required | Parameter for Create Detection Event Correlation Rule |
| name | string | required | Name of the resource |
| severity | string | required | Parameter for Create Detection Event Correlation Rule |
| tags | array | optional | Parameter for Create Detection Event Correlation Rule |
| type | string | required | Type of the resource |
| language | string | required | Parameter for Create Detection Event Correlation Rule |
| query | string | optional | Parameter for Create Detection Event Correlation Rule |

Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| name | string | Name of the resource |
| description | string | Output field description |
| risk_score | number | Score value |
| severity | string | Output field severity |
| output_index | string | Output field output_index |
| investigation_fields | array | Output field investigation_fields |
| file_name | string | Name of the resource |
| file | string | Output field file |
| tags | array | Output field tags |
| interval | string | Output field interval |
| enabled | boolean | Output field enabled |
| author | array | Output field author |
| file_name | string | Name of the resource |
| file | string | Output field file |
| false_positives | array | Output field false_positives |
| file_name | string | Name of the resource |
| file | string | Output field file |
| from | string | Output field from |
| max_signals | number | Output field max_signals |
| risk_score_mapping | array | Output field risk_score_mapping |
| file_name | string | Name of the resource |
| file | string | Output field file |
| severity_mapping | array | Output field severity_mapping |

Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "cache-control": "private, no-cache, no-store, must-revalidate",
      "content-encoding": "gzip",
      "content-security-policy": "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'",
      "content-type": "application/json; charset=utf-8",
      "cross-origin-opener-policy": "same-origin",
      "date": "Wed, 04 Oct 2023 09:48:58 GMT",
      "kbn-license-sig": "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519",
      "kbn-name": "instance-0000000000",
      "permissions-policy": "camera=(), display-capture=(), fullscreen=(self), geolocation=(), microphone=(), ",
      "referrer-policy": "no-referrer-when-downgrade",
      "vary": "accept-encoding",
      "x-cloud-request-id": "a7olcrchrmu0f8khjpjoka",
      "x-content-type-options": "nosniff",
      "x-found-handling-cluster": "397bafc2854d4f8ebe25ade55fbf3b17",
      "x-found-handling-instance": "instance-0000000000"
    },
    "reason": "OK",
    "json_body": {
      "name": "rundll32.exe network connection",
      "description": "Unusual rundll32.exe network connection",
      "risk_score": 21,
      "severity": "low",
      "output_index": "",
      "investigation_fields": [],
      "tags": [],
      "interval": "5m",
      "enabled": true,
      "author": [],
      "false_positives": [],
      "from": "now-6m",
      "max_signals": 100,
      "risk_score_mapping": [],
      "severity_mapping": []
    }
  }
]
```

### Create Detection Indicator Match Rule

Generates an alert in Elastic Kibana 8 Security by creating an indicator match rule with specified name, risk score, and threat mapping.

Endpoint URL: `/api/detection_engine/rules`

Method: POST

Input

| Argument | Type | Required | Description |
|---|---|---|---|
| type | string | required | Type of the resource |
| index | array | optional | Parameter for Create Detection Indicator Match Rule |
| query | string | optional | Parameter for Create Detection Indicator Match Rule |
| threat_index | array | required | Parameter for Create Detection Indicator Match Rule |
| threat_query | string | required | Parameter for Create Detection Indicator Match Rule |
| threat_mapping | array | required | Parameter for Create Detection Indicator Match Rule |
| entries | array | optional | Parameter for Create Detection Indicator Match Rule |
| field | string | optional | Parameter for Create Detection Indicator Match Rule |
| type | string | optional | Type of the resource |
| value | string | optional | Value for the parameter |
| risk_score | number | required | Score value |
| severity | string | required | Parameter for Create Detection Indicator Match Rule |
| name | string | required | Name of the resource |
| description | string | required | Parameter for Create Detection Indicator Match Rule |

Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| name | string | Name of the resource |
| description | string | Output field description |
| risk_score | number | Score value |
| severity | string | Output field severity |
| output_index | string | Output field output_index |
| investigation_fields | array | Output field investigation_fields |
| file_name | string | Name of the resource |
| file | string | Output field file |
| tags | array | Output field tags |
| file_name | string | Name of the resource |
| file | string | Output field file |
| interval | string | Output field interval |
| enabled | boolean | Output field enabled |
| author | array | Output field author |
| file_name | string | Name of the resource |
| file | string | Output field file |
| false_positives | array | Output field false_positives |
| file_name | string | Name of the resource |
| file | string | Output field file |
| from | string | Output field from |
| max_signals | number | Output field max_signals |
| risk_score_mapping | array | Output field risk_score_mapping |
| file_name | string | Name of the resource |

Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "cache-control": "private, no-cache, no-store, must-revalidate",
      "content-encoding": "gzip",
      "content-security-policy": "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'",
      "content-type": "application/json; charset=utf-8",
      "cross-origin-opener-policy": "same-origin",
      "date": "Wed, 04 Oct 2023 09:53:40 GMT",
      "kbn-license-sig": "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519",
      "kbn-name": "instance-0000000000",
      "permissions-policy": "camera=(), display-capture=(), fullscreen=(self), geolocation=(), microphone=(), ",
      "referrer-policy": "no-referrer-when-downgrade",
      "vary": "accept-encoding",
      "x-cloud-request-id": "kz6pc6tstzieu5svsdhvba",
      "x-content-type-options": "nosniff",
      "x-found-handling-cluster": "397bafc2854d4f8ebe25ade55fbf3b17",
      "x-found-handling-instance": "instance-0000000000"
    },
    "reason": "OK",
    "json_body": {
      "name": "Bad IP threat match",
      "description": "Checks for bad IP addresses listed in the ip-threat-list index",
      "risk_score": 50,
      "severity": "medium",
      "output_index": "",
      "investigation_fields": [],
      "tags": [],
      "interval": "5m",
      "enabled": true,
      "author": [],
      "false_positives": [],
      "from": "now-6m",
      "max_signals": 100,
      "risk_score_mapping": [],
      "severity_mapping": []
    }
  }
]
```

### Create Detection ML Rule

Generates a machine learning-based detection rule in Elastic Kibana 8 Security, utilizing criteria such as risk score, severity, and job ID.

Endpoint URL: `/api/detection_engine/rules`

Method: POST

Input

| Argument | Type | Required | Description |
|---|---|---|---|
| anomaly_threshold | number | required | Parameter for Create Detection ML Rule |
| rule_id | string | optional | Unique identifier |
| risk_score | number | required | Score value |
| machine_learning_job_id | string | required | Unique identifier |
| description | string | required | Parameter for Create Detection ML Rule |
| interval | string | optional | Parameter for Create Detection ML Rule |
| name | string | required | Name of the resource |
| note | string | optional | Parameter for Create Detection ML Rule |
| severity | string | required | Parameter for Create Detection ML Rule |
| tags | array | optional | Parameter for Create Detection ML Rule |
| type | string | required | Type of the resource |
| from | string | optional | Parameter for Create Detection ML Rule |
| enabled | boolean | optional | Parameter for Create Detection ML Rule |
| throttle | string | optional | Parameter for Create Detection ML Rule |
| actions | array | optional | Parameter for Create Detection ML Rule |
| action_type_id | string | optional | Unique identifier |
| group | string | optional | Parameter for Create Detection ML Rule |
| id | string | optional | Unique identifier |
| params | object | optional | Parameter for Create Detection ML Rule |
| message | string | optional | Response message |

Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| name | string | Name of the resource |
| description | string | Output field description |
| risk_score | number | Score value |
| severity | string | Output field severity |
| note | string | Output field note |
| output_index | string | Output field output_index |
| investigation_fields | array | Output field investigation_fields |
| file_name | string | Name of the resource |
| file | string | Output field file |
| tags | array | Output field tags |
| interval | string | Output field interval |
| enabled | boolean | Output field enabled |
| author | array | Output field author |
| file_name | string | Name of the resource |
| file | string | Output field file |
| false_positives | array | Output field false_positives |
| file_name | string | Name of the resource |
| file | string | Output field file |
| from | string | Output field from |
| max_signals | number | Output field max_signals |
| risk_score_mapping | array | Output field risk_score_mapping |
| file_name | string | Name of the resource |
| file | string | Output field file |

Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "cache-control": "private, no-cache, no-store, must-revalidate",
      "content-encoding": "gzip",
      "content-security-policy": "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'",
      "content-type": "application/json; charset=utf-8",
      "cross-origin-opener-policy": "same-origin",
      "date": "Wed, 04 Oct 2023 09:43:34 GMT",
      "kbn-license-sig": "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519",
      "kbn-name": "instance-0000000000",
      "permissions-policy": "camera=(), display-capture=(), fullscreen=(self), geolocation=(), microphone=(), ",
      "referrer-policy": "no-referrer-when-downgrade",
      "vary": "accept-encoding",
      "x-cloud-request-id": "e9jhnafrqtiewovw eqxw",
      "x-content-type-options": "nosniff",
      "x-found-handling-cluster": "397bafc2854d4f8ebe25ade55fbf3b17",
      "x-found-handling-instance": "instance-0000000000"
    },
    "reason": "OK",
    "json_body": {
      "name": "Anomalous Linux network activity",
      "description": "Generates alerts when the job discovers anomalies over 70",
      "risk_score": 70,
      "severity": "high",
      "note": "Shut down the internet.",
      "output_index": "",
      "investigation_fields": [],
      "tags": [],
      "interval": "5m",
      "enabled": true,
      "author": [],
      "false_positives": [],
      "from": "now-6m",
      "max_signals": 100,
      "risk_score_mapping": []
    }
  }
]
```

### Create Detection Query Rule

Initiates the creation of a new detection query rule in Elastic Kibana 8 Security, requiring details like description, name, risk score, severity, and query.

Endpoint URL: `/api/detection_engine/rules`

Method: POST

Input

| Argument | Type | Required | Description |
|---|---|---|---|
| rule_id | string | optional | Unique identifier |
| risk_score | number | required | Score value |
| description | string | required | Parameter for Create Detection Query Rule |
| interval | string | optional | Parameter for Create Detection Query Rule |
| name | string | required | Name of the resource |
| severity | string | required | Parameter for Create Detection Query Rule |
| tags | array | optional | Parameter for Create Detection Query Rule |
| type | string | required | Type of the resource |
| from | string | optional | Parameter for Create Detection Query Rule |
| query | string | required | Parameter for Create Detection Query Rule |
| language | string | optional | Parameter for Create Detection Query Rule |
| filters | array | optional | Parameter for Create Detection Query Rule |
| query | object | optional | Parameter for Create Detection Query Rule |
| match | object | optional | Parameter for Create Detection Query Rule |
| event.action | object | optional | Parameter for Create Detection Query Rule |
| enabled | boolean | optional | Parameter for Create Detection Query Rule |

Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| name | string | Name of the resource |
| description | string | Output field description |
| risk_score | number | Score value |
| severity | string | Output field severity |
| output_index | string | Output field output_index |
| investigation_fields | array | Output field investigation_fields |
| file_name | string | Name of the resource |
| file | string | Output field file |
| tags | array | Output field tags |
| interval | string | Output field interval |
| enabled | boolean | Output field enabled |
| author | array | Output field author |
| file_name | string | Name of the resource |
| file | string | Output field file |
| false_positives | array | Output field false_positives |
| file_name | string | Name of the resource |
| file | string | Output field file |
| from | string | Output field from |
| max_signals | number | Output field max_signals |
| risk_score_mapping | array | Output field risk_score_mapping |
| file_name | string | Name of the resource |
| file | string | Output field file |
| severity_mapping | array | Output field severity_mapping |

Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "cache-control": "private, no-cache, no-store, must-revalidate",
      "content-encoding": "gzip",
      "content-security-policy": "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'",
      "content-type": "application/json; charset=utf-8",
      "cross-origin-opener-policy": "same-origin",
      "date": "Wed, 04 Oct 2023 09:57:40 GMT",
      "kbn-license-sig": "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519",
      "kbn-name": "instance-0000000000",
      "permissions-policy": "camera=(), display-capture=(), fullscreen=(self), geolocation=(), microphone=(), ",
      "referrer-policy": "no-referrer-when-downgrade",
      "vary": "accept-encoding",
      "x-cloud-request-id": "dbgrchvjticiajmdk13inq",
      "x-content-type-options": "nosniff",
      "x-found-handling-cluster": "397bafc2854d4f8ebe25ade55fbf3b17",
      "x-found-handling-instance": "instance-0000000000"
    },
    "reason": "OK",
    "json_body": {
      "name": "MS Office child process",
      "description": "Process started by MS Office program - possible payload",
      "risk_score": 50,
      "severity": "low",
      "output_index": "",
      "investigation_fields": [],
      "tags": [],
      "interval": "1h",
      "enabled": false,
      "author": [],
      "false_positives": [],
      "from": "now-70m",
      "max_signals": 100,
      "risk_score_mapping": [],
      "severity_mapping": []
    }
  }
]
```

### Create Detection Threshold Rule

Create a detection threshold rule in Elastic Kibana 8 Security using criteria like risk score, severity, and query parameters.

Endpoint URL: `/api/detection_engine/rules`

Method: POST

Input

| Argument | Type | Required | Description |
|---|---|---|---|
| description | string | required | Parameter for Create Detection Threshold Rule |
| enabled | boolean | optional | Parameter for Create Detection Threshold Rule |
| from | string | optional | Parameter for Create Detection Threshold Rule |
| index | array | optional | Parameter for Create Detection Threshold Rule |
| interval | string | optional | Parameter for Create Detection Threshold Rule |
| name | string | required | Name of the resource |
| query | string | required | Parameter for Create Detection Threshold Rule |
| risk_score | number | required | Score value |
| rule_id | string | optional | Unique identifier |
| severity | string | required | Parameter for Create Detection Threshold Rule |
| severity_mapping | array | optional | Parameter for Create Detection Threshold Rule |
| field | string | optional | Parameter for Create Detection Threshold Rule |
| operator | string | optional | Parameter for Create Detection Threshold Rule |
| severity | string | optional | Parameter for Create Detection Threshold Rule |
| value | string | optional | Value for the parameter |
| tags | array | optional | Parameter for Create Detection Threshold Rule |
| threshold | object | required | Parameter for Create Detection Threshold Rule |
| field | string | required | Parameter for Create Detection Threshold Rule |
| value | number | required | Value for the parameter |
| type | string | required | Type of the resource |

Output

| Parameter | Type | Description |
|---|---|---|
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| name | string | Name of the resource |
| description | string | Output field description |
| risk_score | number | Score value |
| severity | string | Output field severity |
| output_index | string | Output field output_index |
| investigation_fields | array | Output field investigation_fields |
| file_name | string | Name of the resource |
| file | string | Output field file |
| tags | array | Output field tags |
| interval | string | Output field interval |
| enabled | boolean | Output field enabled |
| author | array | Output field author |
| file_name | string | Name of the resource |
| file | string | Output field file |
| false_positives | array | Output field false_positives |
| file_name | string | Name of the resource |
| file | string | Output field file |
| from | string | Output field from |
| max_signals | number | Output field max_signals |
| risk_score_mapping | array | Output field risk_score_mapping |
| file_name | string | Name of the resource |
| file | string | Output field file |
| severity_mapping | array | Output field severity_mapping |

Example

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "cache-control": "private, no-cache, no-store, must-revalidate",
      "content-encoding": "gzip",
      "content-security-policy": "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'",
      "content-type": "application/json; charset=utf-8",
      "cross-origin-opener-policy": "same-origin",
      "date": "Wed, 04 Oct 2023 08:37:05 GMT",
      "kbn-license-sig": "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519",
      "kbn-name": "instance-0000000000",
      "permissions-policy": "camera=(), display-capture=(), fullscreen=(self), geolocation=(), microphone=(), ",
      "referrer-policy": "no-referrer-when-downgrade",
      "vary": "accept-encoding",
      "x-cloud-request-id": "z1z9zj3zq8mg2am5d1ksda",
      "x-content-type-options": "nosniff",
      "x-found-handling-cluster": "397bafc2854d4f8ebe25ade55fbf3b17",
      "x-found-handling-instance": "instance-0000000000"
    },
    "reason": "OK",
    "json_body": {
      "name": "liverpool windows server prml 19",
      "description": "Detects when there are 20 or more failed login attempts from the same IP address.",
      "risk_score": 30,
      "severity": "low",
      "output_index": "",
      "investigation_fields": [],
      "tags": [],
      "interval": "2m",
      "enabled": true,
      "author": [],
      "false_positives": [],
      "from": "now-180s",
      "max_signals": 100,
      "risk_score_mapping": [],
      "severity_mapping": []
    }
  }
]
```

### Create Event Filter

Creates a new event filter in Elastic Kibana 8 Security, specifying details like name, description, OS types, and more.

Endpoint URL: `/api/exception_lists/items`

Method: POST

Input

| Argument | Type | Required | Description |
|---|---|---|---|
| comments | array | optional | Parameter for Create Event Filter |
| comment | string | optional | Parameter for Create Event Filter |
| description | string | required | Parameter for Create Event Filter |
| entries | array | required | Parameter for Create Event Filter |
| field | string | optional | Parameter for Create Event Filter |
| operator | string | optional | Parameter for Create Event Filter |
| type | string | optional | Type of the resource |
| value | string | optional | Value for the parameter |
| list_id | string | required | Unique identifier |
| name | string | required | Name of the resource |
| namespace_type | string | required | Name of the resource |
| os_types | array | required | Type of the resource |
| tags | array | optional | Parameter for Create Event |
filter type string required type of the resource output parameter type description status code number http status code of the response reason string response reason phrase version string output field version comments array output field comments comment string output field comment created at string output field created at created by string output field created by id string unique identifier created at string output field created at created by string output field created by description string output field description entries array output field entries field string output field field operator string output field operator type string type of the resource value string value for the parameter id string unique identifier item id string unique identifier list id string unique identifier name string name of the resource namespace type string name of the resource os types array type of the resource tags array output field tags tie breaker id string unique identifier type string type of the resource example \[ { "status code" 200, "response headers" { "cache control" "private, no cache, no store, must revalidate", "content length" "795", "content security policy" "script src 'self'; worker src blob 'self'; style src 'unsafe inline' 'self'", "content type" "application/json; charset=utf 8", "cross origin opener policy" "same origin", "date" "thu, 05 oct 2023 10 32 36 gmt", "kbn license sig" "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519", "kbn name" "instance 0000000000", "permissions policy" "camera=(), display capture=(), fullscreen=(self), geolocation=(), microphone=(), ", "referrer policy" "no referrer when downgrade", "x cloud request id" "rdezgagiqcqyfgmmf6gitg", "x content type options" "nosniff", "x found handling cluster" "397bafc2854d4f8ebe25ade55fbf3b17", "x found handling instance" "instance 0000000000" }, "reason" "ok", "json body" { " version" "wzi1odusmv0=", "comments" \[], "created at" "2023 10 05t10 32 35 833z", "created by" "elastic", 
"description" "some description about this entry", "entries" \[], "id" "7fe2fe90 636a 11ee 924f eb8f01880390", "item id" "2afcc085 e670 4042 88c7 c686400075e2", "list id" "endpoint event filters", "name" "create event filter", "namespace type" "agnostic", "os types" \[], "tags" \[], "tie breaker id" "2ccdba14 27d4 4c94 851f ac0dff40b4a0", "type" "simple" } } ] create event filters container creates a new event filters container in elastic kibana 8 security using provided name, description, list id, namespace type, and filter type endpoint url /api/exception lists method post input argument name type required description description string required parameter for create event filters container name string required name of the resource list id string required unique identifier type string required type of the resource namespace type string required name of the resource tags array optional parameter for create event filters container output parameter type description status code number http status code of the response reason string response reason phrase version string output field version created at string output field created at created by string output field created by description string output field description id string unique identifier immutable boolean output field immutable list id string unique identifier name string name of the resource namespace type string name of the resource os types array type of the resource file name string name of the resource file string output field file tags array output field tags tie breaker id string unique identifier type string type of the resource updated at string output field updated at updated by string output field updated by version number output field version example \[ { "status code" 200, "response headers" { "cache control" "private, no cache, no store, must revalidate", "content length" "507", "content security policy" "script src 'self'; worker src blob 'self'; style src 'unsafe inline' 'self'", "content type" 
"application/json; charset=utf 8", "cross origin opener policy" "same origin", "date" "thu, 05 oct 2023 10 24 20 gmt", "kbn license sig" "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519", "kbn name" "instance 0000000000", "permissions policy" "camera=(), display capture=(), fullscreen=(self), geolocation=(), microphone=(), ", "referrer policy" "no referrer when downgrade", "x cloud request id" "qzf2gmdgrpaozviygwtuhg", "x content type options" "nosniff", "x found handling cluster" "397bafc2854d4f8ebe25ade55fbf3b17", "x found handling instance" "instance 0000000000" }, "reason" "ok", "json body" { " version" "wzi1odqsmv0=", "created at" "2023 10 05t10 24 19 674z", "created by" "elastic", "description" "elastic defend event filters list", "id" "582723a0 6369 11ee 924f eb8f01880390", "immutable" false, "list id" "endpoint event filters", "name" "elastic defend event filters list", "namespace type" "agnostic", "os types" \[], "tags" \[], "tie breaker id" "bf5d7517 0779 4db8 a2db 56746f7fe08b", "type" "endpoint events", "updated at" "2023 10 05t10 24 19 674z", "updated by" "elastic" } } ] create exception container creates an exception container in elastic kibana 8 security, requiring a description, name, and type endpoint url /api/exception lists method post input argument name type required description description string required parameter for create exception container name string required name of the resource list id string optional not required, automatically created when it is not provided type string required type of the resource namespace type string optional name of the resource tags array optional parameter for create exception container output parameter type description status code number http status code of the response reason string response reason phrase version string output field version created at string output field created at created by string output field created by description string output field description id string unique 
identifier immutable boolean output field immutable list id string unique identifier name string name of the resource namespace type string name of the resource os types array type of the resource file name string name of the resource file string output field file tags array output field tags tie breaker id string unique identifier type string type of the resource updated at string output field updated at updated by string output field updated by version number output field version example \[ { "status code" 200, "response headers" { "cache control" "private, no cache, no store, must revalidate", "content length" "490", "content security policy" "script src 'self'; worker src blob 'self'; style src 'unsafe inline' 'self'", "content type" "application/json; charset=utf 8", "cross origin opener policy" "same origin", "date" "thu, 05 oct 2023 06 38 54 gmt", "kbn license sig" "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519", "kbn name" "instance 0000000000", "permissions policy" "camera=(), display capture=(), fullscreen=(self), geolocation=(), microphone=(), ", "referrer policy" "no referrer when downgrade", "x cloud request id" "7kqootwktuwg33n3ofagia", "x content type options" "nosniff", "x found handling cluster" "397bafc2854d4f8ebe25ade55fbf3b17", "x found handling instance" "instance 0000000000" }, "reason" "ok", "json body" { " version" "wzi1nzcsmv0=", "created at" "2023 10 05t06 38 53 779z", "created by" "elastic", "description" "excludes linux trusted processes", "id" "da175a30 6349 11ee 924f eb8f01880390", "immutable" false, "list id" "trusted linux processes", "name" "linux process exceptions", "namespace type" "single", "os types" \[], "tags" \[], "tie breaker id" "f7dd5363 670d 4117 9d15 67e9ff55fb91", "type" "detection", "updated at" "2023 10 05t06 38 53 779z", "updated by" "elastic" } } ] create exception item creates an exception item in elastic kibana 8 security using specified details such as description, entries, list id, name, and 
type endpoint url /api/exception lists/items method post input argument name type required description description string required parameter for create exception item entries array required parameter for create exception item field string required parameter for create exception item operator string required parameter for create exception item type string required type of the resource value array required value for the parameter list id string required unique identifier name string required name of the resource namespace type string optional name of the resource tags array optional parameter for create exception item type string required type of the resource output parameter type description status code number http status code of the response reason string response reason phrase version string output field version comments array output field comments file name string name of the resource file string output field file created at string output field created at created by string output field created by description string output field description entries array output field entries field string output field field operator string output field operator type string type of the resource value array value for the parameter id string unique identifier item id string unique identifier list id string unique identifier name string name of the resource namespace type string name of the resource os types array type of the resource file name string name of the resource file string output field file tags array output field tags tie breaker id string unique identifier type string type of the resource example \[ { "status code" 200, "response headers" { "cache control" "private, no cache, no store, must revalidate", "content length" "659", "content security policy" "script src 'self'; worker src blob 'self'; style src 'unsafe inline' 'self'", "content type" "application/json; charset=utf 8", "cross origin opener policy" "same origin", "date" "thu, 05 oct 2023 08 20 52 gmt", "kbn 
license sig" "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519", "kbn name" "instance 0000000000", "permissions policy" "camera=(), display capture=(), fullscreen=(self), geolocation=(), microphone=(), ", "referrer policy" "no referrer when downgrade", "x cloud request id" "xkevmdbcqk2mp3mqydtvta", "x content type options" "nosniff", "x found handling cluster" "397bafc2854d4f8ebe25ade55fbf3b17", "x found handling instance" "instance 0000000000" }, "reason" "ok", "json body" { " version" "wzi1nzgsmv0=", "comments" \[], "created at" "2023 10 05t08 20 51 765z", "created by" "elastic", "description" "excludes the weekly maintenance job", "entries" \[], "id" "18b1ee50 6358 11ee 924f eb8f01880390", "item id" "74a84b5f 077a 4cb0 b62b 8728dc536433", "list id" "trusted linux processes", "name" "linux maintenance job", "namespace type" "single", "os types" \[], "tags" \[], "tie breaker id" "a4ff46fb b669 4b10 bd39 fbf96d1d89a9", "type" "simple" } } ] create host isolation exception create an exception to host isolation in elastic kibana 8 security with required details such as description, entries, list id, and os types endpoint url /api/exception lists/items method post input argument name type required description description string required parameter for create host isolation exception entries array required parameter for create host isolation exception field string required parameter for create host isolation exception value string required value for the parameter type string required type of the resource operator string required parameter for create host isolation exception list id string required unique identifier name string required name of the resource namespace type string required name of the resource os types array required type of the resource tags array optional parameter for create host isolation exception type string required type of the resource output parameter type description status code number http status code of the response reason 
string response reason phrase version string output field version comments array output field comments file name string name of the resource file string output field file created at string output field created at created by string output field created by description string output field description entries array output field entries field string output field field value string value for the parameter type string type of the resource operator string output field operator id string unique identifier item id string unique identifier list id string unique identifier name string name of the resource namespace type string name of the resource os types array type of the resource tags array output field tags tie breaker id string unique identifier type string type of the resource updated at string output field updated at updated by string output field updated by example \[ { "status code" 200, "response headers" { "cache control" "private, no cache, no store, must revalidate", "content length" "653", "content security policy" "script src 'self'; worker src blob 'self'; style src 'unsafe inline' 'self'", "content type" "application/json; charset=utf 8", "cross origin opener policy" "same origin", "date" "thu, 05 oct 2023 16 59 11 gmt", "kbn license sig" "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519", "kbn name" "instance 0000000000", "permissions policy" "camera=(), display capture=(), fullscreen=(self), geolocation=(), microphone=(), ", "referrer policy" "no referrer when downgrade", "x cloud request id" "utnsgzrwtg6bm24knvyfwq", "x content type options" "nosniff", "x found handling cluster" "397bafc2854d4f8ebe25ade55fbf3b17", "x found handling instance" "instance 0000000000" }, "reason" "ok", "json body" { " version" "wzi1odksmv0=", "comments" \[], "created at" "2023 10 05t16 59 10 441z", "created by" "elastic", "description" "create host isolation exception", "entries" \[], "id" "80f34d90 63a0 11ee 924f eb8f01880390", "item id" "fb00f1ac 11cd 432e be2f 
1bb7fa5ca7e0", "list id" "endpoint host isolation exceptions", "name" "create host isolation exception", "namespace type" "agnostic", "os types" \[], "tags" \[], "tie breaker id" "3d200c83 5581 42f7 ba46 4c16792276a4", "type" "simple" } } ] create host isolation exceptions container creates a management container for host isolation exceptions in elastic kibana 8 security, requiring description, list id, name, namespace type, and type endpoint url /api/exception lists method post input argument name type required description description string required parameter for create host isolation exceptions container name string required name of the resource list id string required unique identifier type string required type of the resource namespace type string required name of the resource tags array optional parameter for create host isolation exceptions container output parameter type description status code number http status code of the response reason string response reason phrase version string output field version created at string output field created at created by string output field created by description string output field description id string unique identifier immutable boolean output field immutable list id string unique identifier name string name of the resource namespace type string name of the resource os types array type of the resource file name string name of the resource file string output field file tags array output field tags tie breaker id string unique identifier type string type of the resource updated at string output field updated at updated by string output field updated by version number output field version example \[ { "status code" 200, "response headers" { "cache control" "private, no cache, no store, must revalidate", "content length" "577", "content security policy" "script src 'self'; worker src blob 'self'; style src 'unsafe inline' 'self'", "content type" "application/json; charset=utf 8", "cross origin opener policy" "same 
origin", "date" "thu, 05 oct 2023 16 53 32 gmt", "kbn license sig" "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519", "kbn name" "instance 0000000000", "permissions policy" "camera=(), display capture=(), fullscreen=(self), geolocation=(), microphone=(), ", "referrer policy" "no referrer when downgrade", "x cloud request id" "jskff0 7r0e2b mv7g 0bq", "x content type options" "nosniff", "x found handling cluster" "397bafc2854d4f8ebe25ade55fbf3b17", "x found handling instance" "instance 0000000000" }, "reason" "ok", "json body" { " version" "wzi1odgsmv0=", "created at" "2023 10 05t16 53 32 257z", "created by" "elastic", "description" "elastic defend host isolation exceptions list", "id" "b7608510 639f 11ee 924f eb8f01880390", "immutable" false, "list id" "endpoint host isolation exceptions", "name" "elastic defend host isolation exceptions list", "namespace type" "agnostic", "os types" \[], "tags" \[], "tie breaker id" "2dfd3025 7732 4d7d bf18 32c849a58cc4", "type" "endpoint host isolation exceptions", "updated at" "2023 10 05t16 53 32 257z", "updated by" "elastic" } } ] create kibana space creates a new space in elastic kibana 8 with specified 'id' and 'name' necessary headers must be included endpoint url /api/spaces/space method post input argument name type required description id string required unique identifier name string required name of the resource description string optional parameter for create kibana space initials string optional must have a maximum length of color string optional parameter for create kibana space imageurl string optional the data url encoded image to display in the space avatar if specified, initials will not be displayed, and the color will be visible as the background color for transparent images for best results, your image should be 64x64 images will not be optimized by this api call, so care should be taken when using custom images disabledfeatures array optional parameter for create kibana space file name string 
required name of the resource file string required parameter for create kibana space output parameter type description status code number http status code of the response reason string response reason phrase id string unique identifier name string name of the resource description string output field description color string output field color initials string output field initials disabledfeatures array output field disabledfeatures file name string name of the resource file string output field file example \[ { "status code" 200, "response headers" { "cache control" "private, no cache, no store, must revalidate", "content length" "150", "content security policy" "script src 'self'; worker src blob 'self'; style src 'unsafe inline' 'self'", "content type" "application/json; charset=utf 8", "cross origin opener policy" "same origin", "date" "thu, 05 oct 2023 08 59 18 gmt", "kbn license sig" "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519", "kbn name" "instance 0000000000", "permissions policy" "camera=(), display capture=(), fullscreen=(self), geolocation=(), microphone=(), ", "referrer policy" "no referrer when downgrade", "x cloud request id" "mlwozg3aqswhd3sta8vxjg", "x content type options" "nosniff", "x found handling cluster" "397bafc2854d4f8ebe25ade55fbf3b17", "x found handling instance" "instance 0000000000" }, "reason" "ok", "json body" { "id" "my kibana space", "name" "my kibana space", "description" "my space description created", "color" "#aabbcc", "initials" "mk", "disabledfeatures" \[] } } ] create list container creates a new list container in elastic kibana 8 security using the provided description, name, and type endpoint url /api/lists method post input argument name type required description id string optional unique identifier name string required name of the resource description string required parameter for create list container type string required type of the resource serializer string optional parameter for create list 
container deserializer string optional parameter for create list container version number optional parameter for create list container output parameter type description status code number http status code of the response reason string response reason phrase version string output field version id string unique identifier created at string output field created at created by string output field created by description string output field description deserializer string output field deserializer immutable boolean output field immutable name string name of the resource serializer string output field serializer tie breaker id string unique identifier type string type of the resource updated at string output field updated at updated by string output field updated by version number output field version example \[ { "status code" 200, "response headers" { "cache control" "private, no cache, no store, must revalidate", "content length" "488", "content security policy" "script src 'self'; worker src blob 'self'; style src 'unsafe inline' 'self'", "content type" "application/json; charset=utf 8", "cross origin opener policy" "same origin", "date" "wed, 04 oct 2023 17 23 14 gmt", "kbn license sig" "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519", "kbn name" "instance 0000000000", "permissions policy" "camera=(), display capture=(), fullscreen=(self), geolocation=(), microphone=(), ", "referrer policy" "no referrer when downgrade", "x cloud request id" "9anqdhzxt0 kxvx2qohpew", "x content type options" "nosniff", "x found handling cluster" "397bafc2854d4f8ebe25ade55fbf3b17", "x found handling instance" "instance 0000000000" }, "reason" "ok", "json body" { " version" "wzismv0=", "id" "internal ip range excludes", "created at" "2023 10 04t17 23 14 443z", "created by" "elastic", "description" "contains list items that exclude internal ip addresses from detection rules ", "deserializer" "{{{gte}}} {{{lte}}}", "immutable" false, "name" "exclude internal ip 
addresses", "serializer" "(?\<gte> +)/(?\<lte> +)", "tie breaker id" "10382723 9f9d 4959 b50f bd02b9c973ba", "type" "ip", "updated at" "2023 10 04t17 23 14 443z", "updated by" "elastic", "version" 1 } } ] create list item associates a new list item with a specified list container in elastic kibana 8 security, requiring 'list id' and 'value' endpoint url /api/lists/items method post input argument name type required description id string optional unique identifier list id string required unique identifier value string required value for the parameter output parameter type description status code number http status code of the response reason string response reason phrase version string output field version id string unique identifier type string type of the resource value string value for the parameter created at string output field created at created by string output field created by list id string unique identifier tie breaker id string unique identifier updated at string output field updated at updated by string output field updated by example \[ { "status code" 200, "response headers" { "cache control" "private, no cache, no store, must revalidate", "content length" "291", "content security policy" "script src 'self'; worker src blob 'self'; style src 'unsafe inline' 'self'", "content type" "application/json; charset=utf 8", "cross origin opener policy" "same origin", "date" "wed, 04 oct 2023 17 29 20 gmt", "kbn license sig" "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519", "kbn name" "instance 0000000000", "permissions policy" "camera=(), display capture=(), fullscreen=(self), geolocation=(), microphone=(), ", "referrer policy" "no referrer when downgrade", "x cloud request id" "irjqmzf3tguvkyimonpwow", "x content type options" "nosniff", "x found handling cluster" "397bafc2854d4f8ebe25ade55fbf3b17", "x found handling instance" "instance 0000000000" }, "reason" "ok", "json body" { " version" "wzasmv0=", "id" "internal ip 1", "type" "ip", 
"value" "10 0 0 12", "created at" "2023 10 04t17 29 19 819z", "created by" "elastic", "list id" "internal ip excludes", "tie breaker id" "9e492985 270f 45fe 9d3f c07dc94285de", "updated at" "2023 10 04t17 29 19 819z", "updated by" "elastic" } } ] create signal index initiates the creation of a new signal index in elastic kibana 8 security, categorizing detection alerts endpoint url /api/detection engine/index method post output parameter type description status code number http status code of the response reason string response reason phrase acknowledged boolean output field acknowledged example \[ { "status code" 200, "response headers" { "cache control" "private, no cache, no store, must revalidate", "content length" "21", "content security policy" "script src 'self'; worker src blob 'self'; style src 'unsafe inline' 'self'", "content type" "application/json; charset=utf 8", "cross origin opener policy" "same origin", "date" "wed, 04 oct 2023 13 26 41 gmt", "kbn license sig" "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519", "kbn name" "instance 0000000000", "permissions policy" "camera=(), display capture=(), fullscreen=(self), geolocation=(), microphone=(), ", "referrer policy" "no referrer when downgrade", "x cloud request id" "uyvpoppfqz6rttaatbdria", "x content type options" "nosniff", "x found handling cluster" "397bafc2854d4f8ebe25ade55fbf3b17", "x found handling instance" "instance 0000000000" }, "reason" "ok", "json body" { "acknowledged" true } } ] create timeline generates a new timeline or template in elastic kibana 8 security with the specified timeline data endpoint url /api/timeline method post input argument name type required description timeline object required parameter for create timeline columns array optional parameter for create timeline id string optional unique identifier dataproviders array optional response data and array optional parameter for create timeline name string optional name of the resource enabled boolean 
  (optional): parameter for Create Timeline
  excluded (boolean, optional): parameter for Create Timeline
  id (string, optional): unique identifier
  queryMatch (object, optional): parameter for Create Timeline
  enabled (boolean, optional): parameter for Create Timeline
  excluded (boolean, optional): parameter for Create Timeline
  id (string, optional): unique identifier
  name (string, optional): name of the resource
  queryMatch (object, optional): parameter for Create Timeline
    field (string, optional): parameter for Create Timeline
    value (string, optional): value for the parameter
    operator (string, optional): parameter for Create Timeline
  dateRange (object, optional): parameter for Create Timeline
    end (number, optional): parameter for Create Timeline
    start (number, optional): parameter for Create Timeline
  description (string, optional): parameter for Create Timeline
  title (string, required): parameter for Create Timeline

Output parameters:
  status_code (number): HTTP status code of the response
  reason (string): response reason phrase
  data (object): response data
    persistTimeline (object): output field persistTimeline
      code (number): output field code
      message (string): response message
      timeline (object): output field timeline
        savedObjectId (string): unique identifier
        version (string): output field version
        columns (array): output field columns
          id (string): unique identifier
        dataProviders (array): response data
          and (array): output field and
          enabled (boolean): output field enabled
          excluded (boolean): output field excluded
          id (string): unique identifier
          name (string): name of the resource
          queryMatch (object): output field queryMatch
        dataViewId (object): response data
        description (string): output field description
        excludedRowRendererIds (array): unique identifier
        file_name (string): name of the resource
        file (string): output field file
        title (string): output field title
        dateRange (object): output field dateRange

Example:
[
  {
    "status_code": 200,
    "response_headers": {
      "cache-control": "private, no-cache, no-store, must-revalidate",
      "content-encoding": "gzip",
      "content-security-policy": "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'",
      "content-type": "application/json; charset=utf-8",
      "cross-origin-opener-policy": "same-origin",
      "date": "Wed, 04 Oct 2023 16:55:38 GMT",
      "kbn-license-sig": "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519",
      "kbn-name": "instance-0000000000",
      "permissions-policy": "camera=(), display-capture=(), fullscreen=(self), geolocation=(), microphone=(), ",
      "referrer-policy": "no-referrer-when-downgrade",
      "vary": "accept-encoding",
      "x-cloud-request-id": "lqpkfh4jsaijjdinm92 lw",
      "x-content-type-options": "nosniff",
      "x-found-handling-cluster": "397bafc2854d4f8ebe25ade55fbf3b17",
      "x-found-handling-instance": "instance-0000000000"
    },
    "reason": "OK",
    "json_body": {
      "data": {}
    }
  }
]

Create Trusted Application

Create a trusted application in Elastic Kibana 8 Security, specifying details such as name, description, entries, OS types, and more.

Endpoint URL: /api/exception_lists/items
Method: POST

Input arguments:
  comments (array, optional): parameter for Create Trusted Application
  file_name (string, required): name of the resource
  file (string, required): parameter for Create Trusted Application
  description (string, required): parameter for Create Trusted Application
  entries (array, required): parameter for Create Trusted Application
    field (string, required): parameter for Create Trusted Application
    value (string, required): value for the parameter
    type (string, required): type of the resource
    operator (string, required): parameter for Create Trusted Application
  list_id (string, required): unique identifier
  name (string, required): name of the resource
  namespace_type (string, required): name of the resource
  os_types (array, required): type of the resource
  tags (array, optional): parameter for Create Trusted Application
  type (string, required): type of the resource

Output parameters:
  status_code (number): HTTP status code of the response
  reason (string): response reason phrase
  _version (string): output field _version
  comments (array): output field comments
  file_name (string): name of the resource
  file (string): output field file
  created_at (string): output field created_at
  created_by (string): output field created_by
  description (string): output field description
  entries (array): output field entries
    field (string): output field field
    value (string): value for the parameter
    type (string): type of the resource
    operator (string): output field operator
  id (string): unique identifier
  item_id (string): unique identifier
  list_id (string): unique identifier
  name (string): name of the resource
  namespace_type (string): name of the resource
  os_types (array): type of the resource
  tags (array): output field tags
  tie_breaker_id (string): unique identifier
  type (string): type of the resource
  updated_at (string): output field updated_at
  updated_by (string): output field updated_by

Example:
[
  {
    "status_code": 200,
    "response_headers": {
      "cache-control": "private, no-cache, no-store, must-revalidate",
      "content-length": "659",
      "content-security-policy": "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'",
      "content-type": "application/json; charset=utf-8",
      "cross-origin-opener-policy": "same-origin",
      "date": "Fri, 06 Oct 2023 06:11:44 GMT",
      "kbn-license-sig": "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519",
      "kbn-name": "instance-0000000000",
      "permissions-policy": "camera=(), display-capture=(), fullscreen=(self), geolocation=(), microphone=(), ",
      "referrer-policy": "no-referrer-when-downgrade",
      "x-cloud-request-id": "1n7gd0pcr1u92hevp67krg",
      "x-content-type-options": "nosniff",
      "x-found-handling-cluster": "397bafc2854d4f8ebe25ade55fbf3b17",
      "x-found-handling-instance": "instance-0000000000"
    },
    "reason": "OK",
    "json_body": {
      "_version": "WzI1OTQsMV0=",
      "comments": [],
      "created_at": "2023-10-06T06:11:43.715Z",
      "created_by": "elastic",
      "description": "some description about this entry",
      "entries": [],
      "id": "38e91330-640f-11ee-924f-eb8f01880390",
      "item_id": "cbc73361-5d6f-4cbd-84c2-eb3564a934ae",
      "list_id": "endpoint_trusted_app",
      "name": "create endpoint trusted app",
      "namespace_type": "agnostic",
      "os_types": [],
      "tags": [],
      "tie_breaker_id": "80021764-e6b0-4000-895d-9d324ec3f273",
      "type": "simple"
    }
  }
]

Create Trusted Applications Container

Create a container for trusted applications in Elastic Kibana 8 Security with the necessary details, such as description, list ID, name, namespace type, and type.

Endpoint URL: /api/exception_lists
Method: POST

Input arguments:
  description (string, required): parameter for Create Trusted Applications Container
  name (string, required): name of the resource
  list_id (string, required): unique identifier
  type (string, required): type of the resource
  namespace_type (string, required): name of the resource
  tags (array, optional): parameter for Create Trusted Applications Container

Output parameters:
  status_code (number): HTTP status code of the response
  reason (string): response reason phrase
  _version (string): output field _version
  created_at (string): output field created_at
  created_by (string): output field created_by
  description (string): output field description
  id (string): unique identifier
  immutable (boolean): output field immutable
  list_id (string): unique identifier
  name (string): name of the resource
  namespace_type (string): name of the resource
  os_types (array): type of the resource
  file_name (string): name of the resource
  file (string): output field file
  tags (array): output field tags
  tie_breaker_id (string): unique identifier
  type (string): type of the resource
  updated_at (string): output field updated_at
  updated_by (string): output field updated_by
  version (number): output field version

Example:
[
  {
    "status_code": 200,
    "response_headers": {
      "cache-control": "private, no-cache, no-store, must-revalidate",
      "content-length": "91",
      "content-security-policy": "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'",
      "content-type": "application/json; charset=utf-8",
      "cross-origin-opener-policy": "same-origin",
      "date": "Fri, 06 Oct 2023 06:02:23 GMT",
      "kbn-license-sig": "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519",
      "kbn-name": "instance-0000000000",
      "permissions-policy": "camera=(), display-capture=(), fullscreen=(self), geolocation=(), microphone=(), ",
      "referrer-policy": "no-referrer-when-downgrade",
      "x-cloud-request-id": "3aqa4rn3rdgeo1uaovkyeg",
      "x-content-type-options": "nosniff",
      "x-found-handling-cluster": "397bafc2854d4f8ebe25ade55fbf3b17",
      "x-found-handling-instance": "instance-0000000000"
    },
    "reason": "OK",
    "json_body": {
      "_version": "WzI1OTIsMV0=",
      "created_at": "2023-10-06T06:03:13.460Z",
      "created_by": "elastic",
      "description": "elastic defend trusted apps list",
      "id": "08c65740-640e-11ee-924f-eb8f01880390",
      "immutable": false,
      "list_id": "endpoint_trusted_app",
      "name": "elastic defend trusted apps list",
      "namespace_type": "agnostic",
      "os_types": [],
      "tags": [],
      "tie_breaker_id": "2ccf7018-408e-43b4-ae13-4257363d5ce6",
      "type": "endpoint",
      "updated_at": "2023-10-06T06:03:13.460Z",
      "updated_by": "elastic"
    }
  }
]

Delete Blocklist Entry

Removes a specific blocklist entry from Elastic Kibana 8 using the provided entry ID and namespace type.

Endpoint URL: /api/exception_lists/items
Method: DELETE

Input arguments:
  id (string, required): unique identifier
  namespace_type (string, required): name of the resource

Output parameters:
  status_code (number): HTTP status code of the response
  reason (string): response reason phrase
  _version (string): output field _version
  comments (array): output field comments
  file_name (string): name of the resource
  file (string): output field file
  created_at (string): output field created_at
  created_by (string): output field created_by
  description (string): output field description
  entries (array): output field entries
    field (string): output field field
    value (array): value for the parameter
    type (string): type of the resource
    operator (string): output field operator
  id (string): unique identifier
  item_id (string): unique identifier
  list_id (string): unique identifier
  name (string): name of the resource
  namespace_type (string): name of the resource
  os_types (array): type of the resource
  tags (array): output field tags
  tie_breaker_id (string): unique identifier
  type (string): type of the resource
  updated_at (string): output field updated_at
  updated_by (string): output field updated_by

Example:
[
  {
    "status_code": 200,
    "response_headers": {
      "cache-control": "private, no-cache, no-store, must-revalidate",
      "content-length": "681",
      "content-security-policy": "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'",
      "content-type": "application/json; charset=utf-8",
      "cross-origin-opener-policy": "same-origin",
      "date": "Thu, 05 Oct 2023 10:15:51 GMT",
      "kbn-license-sig": "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519",
      "kbn-name": "instance-0000000000",
      "permissions-policy": "camera=(), display-capture=(), fullscreen=(self), geolocation=(), microphone=(), ",
      "referrer-policy": "no-referrer-when-downgrade",
      "x-cloud-request-id": " 97kaljstzkfsdhj9cohaq",
      "x-content-type-options": "nosniff",
      "x-found-handling-cluster": "397bafc2854d4f8ebe25ade55fbf3b17",
      "x-found-handling-instance": "instance-0000000000"
    },
    "reason": "OK",
    "json_body": {
      "_version": "WzI1ODIsMV0=",
      "comments": [],
      "created_at": "2023-10-05T09:23:56.384Z",
      "created_by": "elastic",
      "description": "these applications must be blocked",
      "entries": [],
      "id": "e880f600-6360-11ee-924f-eb8f01880390",
      "item_id": "695590a7-5655-480d-8375-f486de462cfb",
      "list_id": "endpoint_blocklists",
      "name": "linux process exceptions updates",
      "namespace_type": "agnostic",
      "os_types": [],
      "tags": [],
      "tie_breaker_id": "3f770c4b-fe1d-4293-ab3a-c61f0517ae98",
      "type": "simple"
    }
  }
]

Delete Detection Rule

Deletes a specified detection rule in Elastic Kibana 8 Security using the provided rule ID.

Endpoint URL: /api/detection_engine/rules?id={{id}}
Method: DELETE

Input arguments:
  id (string, required): unique identifier

Output parameters:
  status_code (number): HTTP status code of the response
  reason (string): response reason phrase
  id (string): unique identifier
  updated_at (string): output field updated_at
  updated_by (string): output field updated_by
  created_at (string): output field created_at
  created_by (string): output field created_by
  name (string): name of the resource
  tags (array): output field tags
  interval (string): output field interval
  enabled (boolean): output field enabled
  revision (number): output field revision
  description (string): output field description
  risk_score (number): score value
  severity (string): output field severity
  output_index (string): output field output_index
  investigation_fields (array): output field investigation_fields
    file_name (string): name of the resource
    file (string): output field file
  author (array): output field author
    file_name (string): name of the resource
    file (string): output field file
  false_positives (array): output field false_positives
    file_name (string): name of the resource
    file (string): output field file

Example:
[
  {
    "status_code": 200,
    "response_headers": {
      "cache-control": "private, no-cache, no-store, must-revalidate",
      "content-encoding": "gzip",
      "content-security-policy": "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'",
      "content-type": "application/json; charset=utf-8",
      "cross-origin-opener-policy": "same-origin",
      "date": "Wed, 04 Oct 2023 10:48:41 GMT",
      "kbn-license-sig": "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519",
      "kbn-name": "instance-0000000000",
      "permissions-policy": "camera=(), display-capture=(), fullscreen=(self), geolocation=(), microphone=(), ",
      "referrer-policy": "no-referrer-when-downgrade",
      "vary": "accept-encoding",
      "x-cloud-request-id": "kkcrsb rtw2tswuotfsplq",
      "x-content-type-options": "nosniff",
      "x-found-handling-cluster": "397bafc2854d4f8ebe25ade55fbf3b17",
      "x-found-handling-instance": "instance-0000000000"
    },
    "reason": "OK",
    "json_body": {
      "id": "3ba66e80-629b-11ee-924f-eb8f01880390",
      "updated_at": "2023-10-04T10:18:51.959Z",
      "updated_by": "elastic",
      "created_at": "2023-10-04T09:48:56.068Z",
      "created_by": "elastic",
      "name": "rundll32.exe network connection update",
      "tags": [],
      "interval": "5m",
      "enabled": true,
      "revision": 1,
      "description": "unusual rundll32.exe network connection",
      "risk_score": 21,
      "severity": "low",
      "output_index": "",
      "investigation_fields": []
    }
  }
]

Delete Event Filter

Removes a specified event filter from Elastic Kibana 8 using the provided 'id' and 'namespace_type'.

Endpoint URL: /api/exception_lists/items
Method: DELETE

Input arguments:
  id (string, required): unique identifier
  namespace_type (string, required): name of the resource

Output parameters:
  status_code (number): HTTP status code of the response
  reason (string): response reason phrase
  _version (string): output field _version
  comments (array): output field comments
    comment (string): output field comment
    created_at (string): output field created_at
    created_by (string): output field created_by
    id (string): unique identifier
  created_at (string): output field created_at
  created_by (string): output field created_by
  description (string): output field description
  entries (array): output field entries
    field (string): output field field
    operator (string): output field operator
    type (string): type of the resource
    value (string): value for the parameter
  id (string): unique identifier
  item_id (string): unique identifier
  list_id (string): unique identifier
  name (string): name of the resource
  namespace_type (string): name of the resource
  os_types (array): type of the resource
  tags (array): output field tags
  tie_breaker_id (string): unique identifier
  type (string): type of the resource

Example:
[
  {
    "status_code": 200,
    "response_headers": {
      "cache-control": "private, no-cache, no-store, must-revalidate",
      "content-length": "954",
      "content-security-policy": "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'",
      "content-type": "application/json; charset=utf-8",
      "cross-origin-opener-policy": "same-origin",
      "date": "Thu, 05 Oct 2023 13:46:16 GMT",
      "kbn-license-sig": "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519",
      "kbn-name": "instance-0000000000",
      "permissions-policy": "camera=(), display-capture=(), fullscreen=(self), geolocation=(), microphone=(), ",
      "referrer-policy": "no-referrer-when-downgrade",
      "x-cloud-request-id": "wgkbrhnjrvc9kt6uldx nw",
      "x-content-type-options": "nosniff",
      "x-found-handling-cluster": "397bafc2854d4f8ebe25ade55fbf3b17",
      "x-found-handling-instance": "instance-0000000000"
    },
    "reason": "OK",
    "json_body": {
      "_version": "WzI1ODYsMV0=",
      "comments": [],
      "created_at": "2023-10-05T10:32:35.833Z",
      "created_by": "elastic",
      "description": "some description about this entry updated",
      "entries": [],
      "id": "7fe2fe90-636a-11ee-924f-eb8f01880390",
      "item_id": "2afcc085-e670-4042-88c7-c686400075e2",
      "list_id": "endpoint_event_filters",
      "name": "some name for this item updated",
      "namespace_type": "agnostic",
      "os_types": [],
      "tags": [],
      "tie_breaker_id": "2ccdba14-27d4-4c94-851f-ac0dff40b4a0",
      "type": "simple"
    }
  }
]

Delete Host Isolation Exception

Removes a specified host isolation exception in Elastic Kibana 8 using the 'id' and 'namespace_type'.

Endpoint URL: /api/exception_lists/items
Method: DELETE

Input arguments:
  id (string, required): unique identifier
  namespace_type (string, required): name of the resource

Output parameters:
  status_code (number): HTTP status code of the response
  reason (string): response reason phrase
  _version (string): output field _version
  comments (array): output field comments
  file_name (string): name of the resource
  file (string): output field file
  created_at (string): output field created_at
  created_by (string): output field created_by
  description (string): output field description
  entries (array): output field entries
    field (string): output field field
    type (string): type of the resource
    value (string): value for the parameter
    operator (string): output field operator
  id (string): unique identifier
  item_id (string): unique identifier
  list_id (string): unique identifier
  name (string): name of the resource
  namespace_type (string): name of the resource
  os_types (array): type of the resource
  tags (array): output field tags
  tie_breaker_id (string): unique identifier
  type (string): type of the resource
  updated_at (string): output field updated_at
  updated_by (string): output field updated_by

Example:
[
  {
    "status_code": 200,
    "response_headers": {
      "cache-control": "private, no-cache, no-store, must-revalidate",
      "content-length": "663",
      "content-security-policy": "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'",
      "content-type": "application/json; charset=utf-8",
      "cross-origin-opener-policy": "same-origin",
      "date": "Thu, 05 Oct 2023 17:21:05 GMT",
      "kbn-license-sig": "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519",
      "kbn-name": "instance-0000000000",
      "permissions-policy": "camera=(), display-capture=(), fullscreen=(self), geolocation=(), microphone=(), ",
      "referrer-policy": "no-referrer-when-downgrade",
      "x-cloud-request-id": "xwhqpidns0kptm0j aamxa",
      "x-content-type-options": "nosniff",
      "x-found-handling-cluster": "397bafc2854d4f8ebe25ade55fbf3b17",
      "x-found-handling-instance": "instance-0000000000"
    },
    "reason": "OK",
    "json_body": {
      "_version": "WzI1OTAsMV0=",
      "comments": [],
      "created_at": "2023-10-05T16:59:10.441Z",
      "created_by": "elastic",
      "description": "via api",
      "entries": [],
      "id": "80f34d90-63a0-11ee-924f-eb8f01880390",
      "item_id": "fb00f1ac-11cd-432e-be2f-1bb7fa5ca7e0",
      "list_id": "endpoint_host_isolation_exceptions",
      "name": "host isolation exception created with api update",
      "namespace_type": "agnostic",
      "os_types": [],
      "tags": [],
      "tie_breaker_id": "3d200c83-5581-42f7-ba46-4c16792276a4",
      "type": "simple"
    }
  }
]

Delete Trusted Application

Deletes a trusted application from Elastic Kibana 8 using the specified 'id' and 'namespace_type'.

Endpoint URL: /api/exception_lists/items
Method: DELETE

Input arguments:
  id (string, required): unique identifier
  namespace_type (string, required): name of the resource

Output parameters:
  status_code (number): HTTP status code of the response
  reason (string): response reason phrase
  _version (string): output field _version
  comments (array): output field comments
    comment (string): output field comment
    created_at (string): output field created_at
    created_by (string): output field created_by
    id (string): unique identifier
  created_at (string): output field created_at
  created_by (string): output field created_by
  description (string): output field description
  entries (array): output field entries
    field (string): output field field
    value (string): value for the parameter
    type (string): type of the resource
    operator (string): output field operator
  id (string): unique identifier
  item_id (string): unique identifier
  list_id (string): unique identifier
  name (string): name of the resource
  namespace_type (string): name of the resource
  os_types (array): type of the resource
  tags (array): output field tags
  tie_breaker_id (string): unique identifier
  type (string): type of the resource

Example:
[
  {
    "status_code": 200,
    "response_headers": {
      "cache-control": "private, no-cache, no-store, must-revalidate",
      "content-length": "786",
      "content-security-policy": "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'",
      "content-type": "application/json; charset=utf-8",
      "cross-origin-opener-policy": "same-origin",
      "date": "Fri, 06 Oct 2023 06:30:12 GMT",
      "kbn-license-sig": "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519",
      "kbn-name": "instance-0000000000",
      "permissions-policy": "camera=(), display-capture=(), fullscreen=(self), geolocation=(), microphone=(), ",
      "referrer-policy": "no-referrer-when-downgrade",
      "x-cloud-request-id": "gs cwzusqbqbfyf3d4oj2g",
      "x-content-type-options": "nosniff",
      "x-found-handling-cluster": "397bafc2854d4f8ebe25ade55fbf3b17",
      "x-found-handling-instance": "instance-0000000000"
    },
    "reason": "OK",
    "json_body": {
      "_version": "WzI1OTUsMV0=",
      "comments": [],
      "created_at": "2023-10-06T06:11:43.715Z",
      "created_by": "elastic",
      "description": "this app is good",
      "entries": [],
      "id": "38e91330-640f-11ee-924f-eb8f01880390",
      "item_id": "cbc73361-5d6f-4cbd-84c2-eb3564a934ae",
      "list_id": "endpoint_trusted_app",
      "name": "create endpoint trusted app updated!",
      "namespace_type": "agnostic",
      "os_types": [],
      "tags": [],
      "tie_breaker_id": "80021764-e6b0-4000-895d-9d324ec3f273",
      "type": "simple"
    }
  }
]

Export Detection Rules

Exports detection rules from Elastic Kibana 8 Security to an NDJSON file, facilitating sharing and backup processes.

Endpoint URL: /api/detection_engine/rules/_export
Method: POST

Input arguments:
  exclude_export_details (boolean, optional): parameter for Export Detection Rules
  file_name (string, optional): name of the resource
  objects (array, optional): parameter for Export Detection Rules
    rule_id (string, optional): unique identifier

Output parameters:
  status_code (number): HTTP status code of the response
  reason (string): response reason phrase
  response_text (string): output field response_text

Example:
[
  {
    "status_code": 200,
    "response_headers": {
      "cache-control": "private, no-cache, no-store, must-revalidate",
      "content-disposition": "attachment; filename=\"export.ndjson\"",
      "content-length": "1665",
      "content-security-policy": "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'",
      "content-type": "application/ndjson",
      "cross-origin-opener-policy": "same-origin",
      "date": "Wed, 04 Oct 2023 10:59:19 GMT",
      "kbn-license-sig": "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519",
      "kbn-name": "instance-0000000000",
      "permissions-policy": "camera=(), display-capture=(), fullscreen=(self), geolocation=(), microphone=(), ",
      "referrer-policy": "no-referrer-when-downgrade",
      "x-cloud-request-id": "g0jr2asorwgunis7hypg0g",
      "x-content-type-options": "nosniff",
      "x-found-handling-cluster": "397bafc2854d4f8ebe25ade55fbf3b17",
      "x-found-handling-instance": "instance-0000000000"
    },
    "reason": "OK",
    "response_text": "{\"id\":\"e4099430-629b-11ee-924f-eb8f01880390\",\"updated_at\":\"2023-10-04T10:23:36.7 "
  }
]

Find Blocklist Entries

Locate blocklist entries in Elastic Kibana 8 Security by specifying the list ID and namespace type parameters.

Endpoint URL: /api/exception_lists/items/_find
Method: GET

Input arguments:
  list_id (string, required): unique identifier
  namespace_type (string, required): name of the resource
  page (number, optional): parameter for Find Blocklist Entries
  per_page (number, optional): parameter for Find Blocklist Entries
  sort_field (string, optional): parameter for Find Blocklist Entries
  sort_order (string, optional): parameter for Find Blocklist Entries
  search (string, optional): parameter for Find Blocklist Entries

Output parameters:
  status_code (number): HTTP status code of the response
  reason (string): response reason phrase
  data (array): response data
    _version (string): output field _version
    comments (array): output field comments
    file_name (string): name of the resource
    file (string): output field file
    created_at (string): output field created_at
    created_by (string): output field created_by
    description (string): output field description
    entries (array): output field entries
      field (string): output field field
      value (array): value for the parameter
      type (string): type of the resource
      operator (string): output field operator
    id (string): unique identifier
    item_id (string): unique identifier
    list_id (string): unique identifier
    name (string): name of the resource
    namespace_type (string): name of the resource
    os_types (array): type of the resource
    tags (array): output field tags
    tie_breaker_id (string): unique identifier
    type (string): type of the resource
    updated_at (string): output field updated_at

Example:
[
  {
    "status_code": 200,
    "response_headers": {
      "accept-ranges": "bytes",
      "cache-control": "private, no-cache, no-store, must-revalidate",
      "content-length": "725",
      "content-security-policy": "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'",
      "content-type": "application/json; charset=utf-8",
      "cross-origin-opener-policy": "same-origin",
      "date": "Thu, 05 Oct 2023 10:06:23 GMT",
      "kbn-license-sig": "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519",
      "kbn-name": "instance-0000000000",
      "permissions-policy": "camera=(), display-capture=(), fullscreen=(self), geolocation=(), microphone=(), ",
      "referrer-policy": "no-referrer-when-downgrade",
      "x-cloud-request-id": "01p70q3pqiyvaeco3rcnvq",
      "x-content-type-options": "nosniff",
      "x-found-handling-cluster": "397bafc2854d4f8ebe25ade55fbf3b17",
      "x-found-handling-instance": "instance-0000000000"
    },
    "reason": "OK",
    "json_body": {
      "data": [],
      "page": 1,
      "per_page": 10,
      "total": 1
    }
  }
]

Find Case Activity

Retrieves user activity details for a specified case in Elastic Kibana 8 Security using the provided case ID.

Endpoint URL: /api/cases/{{case_id}}/user_actions/_find
Method: GET

Input arguments:
  case_id (string, required): unique identifier

Output parameters:
  status_code (number): HTTP status code of the response
  reason (string): response reason phrase
  userActions (array): output field userActions
    type (string): type of the resource
    payload (object): output field payload
      comment (object): output field comment
        comment (string): output field comment
        owner (string): output field owner
        type (string): type of the resource
    created_at (string): output field created_at
    created_by (object): output field created_by
      username (string): name of the resource
      full_name (object): name of the resource
      email (object): output field email
    owner (string): output field owner
    action (string): output field action
    comment_id (string): unique identifier
    id (string): unique identifier
    version (string): output field version
  page (number): output field page
  perPage (number): output field perPage
  total (number): output field total

Example:
[
  {
    "status_code": 200,
    "response_headers": {
      "accept-ranges": "bytes",
      "cache-control": "private, no-cache, no-store, must-revalidate",
      "content-length": "1016",
      "content-security-policy": "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'",
      "content-type": "application/json; charset=utf-8",
      "cross-origin-opener-policy": "same-origin",
      "date": "Fri, 29 Sep 2023 16:50:40 GMT",
      "kbn-license-sig": "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519",
      "kbn-name": "instance-0000000000",
      "permissions-policy": "camera=(), display-capture=(), fullscreen=(self), geolocation=(), microphone=(), ",
      "referrer-policy": "no-referrer-when-downgrade",
      "x-cloud-request-id": "iwesb2wmrjsmdlmoqoiqpq",
      "x-content-type-options": "nosniff",
      "x-found-handling-cluster": "397bafc2854d4f8ebe25ade55fbf3b17",
      "x-found-handling-instance": "instance-0000000000"
    },
    "reason": "OK",
    "json_body": {
      "userActions": [],
      "page": 1,
      "perPage": 20,
      "total": 2
    }
  }
]

Find Cases

Retrieve and review a paginated subset of cases from Elastic Kibana 8 Security.

Endpoint URL: /api/cases/_find
Method: GET

Input arguments:
  assignees (string, optional): parameter for Find Cases
  defaultSearchOperator (string, optional): parameter for Find Cases
  from (string, optional): the date must be specified as a KQL (Kibana Query Language) date range or date match expression
  owner (array, optional): parameter for Find Cases
  page (number, optional): parameter for Find Cases
  perPage (number, optional): parameter for Find Cases
  reporters (array, optional): parameter for Find Cases
  search (string, optional): parameter for Find Cases
  searchFields (array, optional): parameter for Find Cases
  severity (string, optional): parameter for Find Cases
  sortField (string, optional): parameter for Find Cases
  sortOrder (string, optional): parameter for Find Cases
  status (string, optional): status value
  tags (array, optional): parameter for Find Cases
  to (string, optional): parameter for Find Cases

Output parameters:
  status_code (number): HTTP status code of the response
  reason (string): response reason phrase
  page (number): output field page
  per_page (number): output field per_page
  total (number): output field total
  cases (array): output field cases
    description (string): output field description
    title (string): output field title
    tags (array): output field tags
    settings (object): output field settings
      syncAlerts (boolean): output field syncAlerts
    owner (string): output field owner
    category (object): output field category
    assignees (array): output field assignees
      file_name (string): name of the resource
      file (string): output field file
    connector (object): output field connector
      id (string): unique identifier
      type (string): type of the resource
      fields (object): output field fields
        issueType (string): type of the resource
        priority (string): output field priority
        parent (object): output field parent
      name (string): name of the resource
    severity (string): output field severity

Example:
[
  {
    "status_code": 200,
    "response_headers": {
      "accept-ranges": "bytes",
      "cache-control": "private, no-cache, no-store, must-revalidate",
      "content-length": "791",
      "content-security-policy": "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'",
      "content-type": "application/json; charset=utf-8",
      "cross-origin-opener-policy": "same-origin",
      "date": "Fri, 29 Sep 2023 06:17:41 GMT",
      "kbn-license-sig": "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519",
      "kbn-name": "instance-0000000000",
      "permissions-policy": "camera=(), display-capture=(), fullscreen=(self), geolocation=(), microphone=(), ",
      "referrer-policy": "no-referrer-when-downgrade",
      "x-cloud-request-id": "fenxtsrzszwezqddimgybg",
      "x-content-type-options": "nosniff",
      "x-found-handling-cluster": "397bafc2854d4f8ebe25ade55fbf3b17",
      "x-found-handling-instance": "instance-0000000000"
    },
    "reason": "OK",
    "json_body": {
      "page": 1,
      "per_page": 20,
      "total": 1,
      "cases": [],
      "count_open_cases": 1,
      "count_in_progress_cases": 0,
      "count_closed_cases": 0
    }
  }
]

Find Detection Rules

Retrieve a paginated list of detection rules from Elastic Kibana 8 Security, enabling analysis and management.

Endpoint URL: /api/detection_engine/rules/_find
Method: GET

Input arguments:
  page (number, optional): parameter for Find Detection Rules
  per_page (number, optional): parameter for Find Detection Rules
  sort_field (string, optional): parameter for Find Detection Rules
  sort_order (string, optional): parameter for Find Detection Rules
  filter (string, optional): filters the returned results according to the value of the specified field, using the alert attributes syntax

Output parameters:
  status_code (number): HTTP status code of the response
  reason (string): response reason phrase
  page (number): output field page
  perPage (number): output field perPage
  total (number): output field total
  data (array): response data
    file_name (string): name of the resource
    file (string): output field file

Example:
[
  {
    "status_code": 200,
    "response_headers": {
      "accept-ranges": "bytes",
      "cache-control": "private, no-cache, no-store, must-revalidate",
      "content-length": "43",
      "content-security-policy": "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'",
      "content-type": "application/json; charset=utf-8",
      "cross-origin-opener-policy": "same-origin",
      "date": "Wed, 04 Oct 2023 11:04:54 GMT",
      "kbn-license-sig": "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519",
      "kbn-name": "instance-0000000000",
      "permissions-policy": "camera=(), display-capture=(), fullscreen=(self), geolocation=(), microphone=(), ",
      "referrer-policy": "no-referrer-when-downgrade",
      "x-cloud-request-id": "bzch71e smidwbulobq1uw",
      "x-content-type-options": "nosniff",
      "x-found-handling-cluster": "397bafc2854d4f8ebe25ade55fbf3b17",
      "x-found-handling-instance": "instance-0000000000"
    },
    "reason": "OK",
    "json_body": {
      "page": 1,
      "perPage": 20,
      "total": 0,
      "data": []
    }
  }
]

Find Event Filters

Locate event filters in Elastic Kibana 8 by specifying the list ID and namespace type parameters.

Endpoint URL: /api/exception_lists/items/_find
Method: GET

Input arguments:
  list_id (string, required): unique identifier
  namespace_type (string, required): name of the resource
  page (number, optional): parameter for Find Event Filters
  per_page (number, optional): parameter for Find Event Filters
  sort_field (string, optional): parameter for Find Event Filters
  sort_order (string, optional): parameter for Find Event Filters
  filter (string, optional): parameter for Find Event Filters

Output parameters:
  status_code (number): HTTP status code of the response
  reason (string): response reason phrase
  data (array): response data
    _version (string): output field _version
    comments (array): output field comments
      comment (string): output field comment
      created_at (string): output field created_at
      created_by (string): output field created_by
      id (string): unique identifier
    created_at (string): output field created_at
    created_by (string): output field created_by
    description (string): output field description
    entries (array): output field entries
      field (string): output field field
      operator (string): output field operator
      type (string): type of the resource
      value (string): value for the parameter
    id (string): unique identifier
    item_id (string): unique identifier
    list_id (string): unique identifier
    name (string): name of the resource
    namespace_type (string): name of the resource
    os_types (array): type of the resource
    tags (array): output field tags
    tie_breaker_id (string): unique identifier

Example:
[
  {
    "status_code": 200,
    "response_headers": {
      "accept-ranges": "bytes",
      "cache-control": "private, no-cache, no-store, must-revalidate",
      "content-length": "998",
      "content-security-policy": "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'",
      "content-type": "application/json; charset=utf-8",
      "cross-origin-opener-policy": "same-origin",
      "date": "Thu, 05 Oct 2023 13:42:33 GMT",
      "kbn-license-sig": "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519",
      "kbn-name": "instance-0000000000",
      "permissions-policy": "camera=(), display-capture=(), fullscreen=(self), geolocation=(), microphone=(), ",
      "referrer-policy": "no-referrer-when-downgrade",
      "x-cloud-request-id": "febukm8dq2ijvynukid qw",
      "x-content-type-options": "nosniff",
      "x-found-handling-cluster": "397bafc2854d4f8ebe25ade55fbf3b17",
      "x-found-handling-instance": "instance-0000000000"
    },
    "reason": "OK",
    "json_body": {
      "data": [],
      "page": 1,
      "per_page": 10,
      "total": 1
    }
  }
]

Find Exception Containers

Retrieve a paginated subset of exception containers from Elastic Kibana 8 Security.

Endpoint URL: /api/exception_lists/_find
Method: GET

Input arguments:
  filter (string, optional): parameter for Find Exception Containers
  search (string, optional): parameter for Find Exception Containers
  page (number, optional): parameter for Find Exception Containers
  per_page (number, optional): parameter for Find Exception Containers
  sort_field (string, optional): parameter for Find Exception Containers
  sort_order (string, optional): parameter for Find Exception Containers
  namespace_type (string, optional): name of the resource

Output parameters:
  status_code (number): HTTP status code of the response
  reason (string): response reason phrase
  data (array): response data
    _version (string): output field _version
    created_at (string): output field created_at
    created_by (string): output field created_by
    description (string): output field description
    id (string): unique identifier
    immutable (boolean): output field immutable
    list_id (string): unique identifier
    name (string): name of the resource
    namespace_type (string): name of the resource
    os_types (array): type of the resource
      file_name (string): name of the resource
      file (string): output field file
    tags (array): output field tags
    tie_breaker_id (string): unique identifier
    type (string): type of the resource
    updated_at (string): output field updated_at
    updated_by (string): output field updated_by
    version (number): output field version
  page (number): output field page
  per_page (number): output field per_page
  total (number): output field total

Example:
[
  {
    "status_code": 200,
    "response_headers": {
      "accept-ranges": "bytes",
      "cache-control": "private, no-cache, no-store, must-revalidate",
      "content-length": "534",
      "content-security-policy": "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'",
      "content-type": "application/json; charset=utf-8",
      "cross-origin-opener-policy": "same-origin",
      "date": "Thu, 05 Oct 2023 08:42:46 GMT",
      "kbn-license-sig": "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519",
      "kbn-name": "instance-0000000000",
      "permissions-policy": "camera=(), display-capture=(), fullscreen=(self), geolocation=(), microphone=(), ",
      "referrer-policy": "no-referrer-when-downgrade",
      "x-cloud-request-id": "fud0rglqtj 11jkffi8eta",
      "x-content-type-options": "nosniff",
      "x-found-handling-cluster": "397bafc2854d4f8ebe25ade55fbf3b17",
      "x-found-handling-instance": "instance-0000000000"
    },
    "reason": "OK",
    "json_body": {
      "data": [],
      "page": 1,
      "per_page": 10,
      "total": 1
    }
  }
]

Find Exception Items

Retrieves a subset of exception items from a specified list in Elastic Kibana 8 Security, using the 'list_id' parameter for pagination.

Endpoint URL: /api/exception_lists/items/_find
Method: GET

Input arguments:
  list_id (string, required): unique identifier
  page (number, optional): parameter for Find Exception Items
  per_page (number, optional): parameter for Find Exception Items
  sort_field (string, optional): parameter for Find Exception Items
  sort_order (string, optional): parameter for Find Exception Items

Output parameters:
  status_code (number): HTTP status code of the response
  reason (string): response reason phrase
  data (array): response data
    _version (string): output field _version
    comments (array): output field comments
    file_name (string): name of the resource
    file (string): output field file
    created_at (string): output field created_at
    created_by (string): output field created_by
    description (string): output field description
    entries (array): output field entries
      field (string): output field field
      operator (string): output field operator
      type (string): type of the resource
      value (array): value for the parameter
    id (string): unique identifier
    item_id (string): unique identifier
    list_id (string): unique identifier
    name (string): name of the resource
    namespace_type (string): name of the resource
    os_types (array): type of the resource
      file_name (string): name of the resource
      file (string): output field file
    tags (array): output field tags
    tie_breaker_id (string): unique identifier

Example:
[
  {
    "status_code": 200,
    "response_headers": {
      "accept-ranges": "bytes",
      "cache-control": "private, no-cache, no-store, must-revalidate",
      "content-length": "703",
      "content-security-policy": "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'",
      "content-type": "application/json; charset=utf-8",
      "cross-origin-opener-policy": "same-origin",
      "date": "Thu, 05 Oct 2023 08:47:31 GMT",
      "kbn-license-sig": "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519",
      "kbn-name": "instance-0000000000",
      "permissions-policy": "camera=(), display-capture=(), fullscreen=(self), geolocation=(), microphone=(), ",
      "referrer-policy": "no-referrer-when-downgrade",
      "x-cloud-request-id": "toxcw5rxs ednlgbzsyt5w",
      "x-content-type-options": "nosniff",
      "x-found-handling-cluster": "397bafc2854d4f8ebe25ade55fbf3b17",
      "x-found-handling-instance": "instance-0000000000"
    },
    "reason": "OK",
    "json_body": {
      "data": [],
      "page": 1,
      "per_page": 10,
      "total": 1
    }
  }
]

Find Host Isolation Exceptions

Locate host isolation exceptions in Elastic Kibana 8 using the specified list ID and namespace type parameters.

Endpoint URL: /api/exception_lists/items/_find
Method: GET

Input arguments:
  list_id (string, required): unique identifier
  namespace_type (string, required): name of the resource
  page (number, optional): parameter for Find Host Isolation Exceptions
  per_page (number, optional): parameter for Find Host Isolation Exceptions
  sort_field (string, optional): parameter for Find Host Isolation Exceptions
  sort_order (string, optional): parameter for Find Host Isolation Exceptions
  filter (string, optional): parameter for Find Host Isolation Exceptions

Output parameters:
  status_code (number): HTTP status code of the response
  reason (string): response reason phrase
  data (array): response data
    _version (string): output field _version
    comments (array): output field comments
    file_name (string): name of the resource
    file (string): output field file
    created_at (string): output field created_at
    created_by (string): output field created_by
    description (string): output field description
    entries (array): output field entries
      field (string): output field field
      type (string): type of the resource
      value (string): value for the parameter
      operator (string): output field operator
    id (string): unique identifier
    item_id
string unique identifier list id string unique identifier name string name of the resource namespace type string name of the resource os types array type of the resource tags array output field tags tie breaker id string unique identifier type string type of the resource updated at string output field updated at example \[ { "status code" 200, "response headers" { "accept ranges" "bytes", "cache control" "private, no cache, no store, must revalidate", "content length" "707", "content security policy" "script src 'self'; worker src blob 'self'; style src 'unsafe inline' 'self'", "content type" "application/json; charset=utf 8", "cross origin opener policy" "same origin", "date" "thu, 05 oct 2023 17 16 48 gmt", "kbn license sig" "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519", "kbn name" "instance 0000000000", "permissions policy" "camera=(), display capture=(), fullscreen=(self), geolocation=(), microphone=(), ", "referrer policy" "no referrer when downgrade", "x cloud request id" "ahxrwuv0rjwgdmjs51 k9q", "x content type options" "nosniff", "x found handling cluster" "397bafc2854d4f8ebe25ade55fbf3b17", "x found handling instance" "instance 0000000000" }, "reason" "ok", "json body" { "data" \[], "page" 1, "per page" 10, "total" 1 } } ] find list containers retrieve a paginated subset of list containers within elastic kibana 8 security, aiding in efficient data management endpoint url /api/lists/ find method get input argument name type required description filter string optional parameter for find list containers page number optional parameter for find list containers per page number optional parameter for find list containers sort field string optional parameter for find list containers sort order string optional parameter for find list containers output parameter type description status code number http status code of the response reason string response reason phrase cursor string output field cursor data array response data version string 
output field version id string unique identifier created at string output field created at created by string output field created by description string output field description immutable boolean output field immutable name string name of the resource tie breaker id string unique identifier type string type of the resource updated at string output field updated at updated by string output field updated by version number output field version page number output field page per page number output field per page total number output field total example \[ { "status code" 200, "response headers" { "accept ranges" "bytes", "cache control" "private, no cache, no store, must revalidate", "content length" "60", "content security policy" "script src 'self'; worker src blob 'self'; style src 'unsafe inline' 'self'", "content type" "application/json; charset=utf 8", "cross origin opener policy" "same origin", "date" "wed, 04 oct 2023 17 38 16 gmt", "kbn license sig" "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519", "kbn name" "instance 0000000000", "permissions policy" "camera=(), display capture=(), fullscreen=(self), geolocation=(), microphone=(), ", "referrer policy" "no referrer when downgrade", "x cloud request id" " lxr0lpsq oilqprinicvg", "x content type options" "nosniff", "x found handling cluster" "397bafc2854d4f8ebe25ade55fbf3b17", "x found handling instance" "instance 0000000000" }, "reason" "ok", "json body" { "cursor" "wzbd", "data" \[], "page" 1, "per page" 10, "total" 0 } } ] find list items retrieve a paginated subset of list items from a specified container in elastic kibana 8 security endpoint url /api/lists/items/ find method post input argument name type required description list id string optional unique identifier page number optional parameter for find list items per page number optional parameter for find list items sort field string optional parameter for find list items sort order string optional parameter for find list items output 
parameter type description status code number http status code of the response reason string response reason phrase cursor string output field cursor data array response data file name string name of the resource file string output field file page number output field page per page number output field per page total number output field total example \[ { "status code" 200, "response headers" { "cache control" "private, no cache, no store, must revalidate", "content length" "60", "content security policy" "script src 'self'; worker src blob 'self'; style src 'unsafe inline' 'self'", "content type" "application/json; charset=utf 8", "cross origin opener policy" "same origin", "date" "thu, 05 oct 2023 06 00 02 gmt", "kbn license sig" "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519", "kbn name" "instance 0000000000", "permissions policy" "camera=(), display capture=(), fullscreen=(self), geolocation=(), microphone=(), ", "referrer policy" "no referrer when downgrade", "x cloud request id" "lwqzyqjdq8ih5gd7lafrhw", "x content type options" "nosniff", "x found handling cluster" "397bafc2854d4f8ebe25ade55fbf3b17", "x found handling instance" "instance 0000000000" }, "reason" "ok", "json body" { "cursor" "wzbd", "data" \[], "page" 1, "per page" 20, "total" 0 } } ] find trusted applications locate trusted applications in elastic kibana 8 using the provided list id and namespace type parameters endpoint url /api/exception lists/items/ find method get input argument name type required description list id string required unique identifier namespace type string required name of the resource page number optional parameter for find trusted applications per page number optional parameter for find trusted applications sort field string optional parameter for find trusted applications sort order string optional parameter for find trusted applications filter string optional parameter for find trusted applications output parameter type description status code number 
http status code of the response reason string response reason phrase data array response data version string output field version comments array output field comments comment string output field comment created at string output field created at created by string output field created by id string unique identifier created at string output field created at created by string output field created by description string output field description entries array output field entries field string output field field value string value for the parameter type string type of the resource operator string output field operator id string unique identifier item id string unique identifier list id string unique identifier name string name of the resource namespace type string name of the resource os types array type of the resource tags array output field tags tie breaker id string unique identifier example \[ { "status code" 200, "response headers" { "accept ranges" "bytes", "cache control" "private, no cache, no store, must revalidate", "content length" "830", "content security policy" "script src 'self'; worker src blob 'self'; style src 'unsafe inline' 'self'", "content type" "application/json; charset=utf 8", "cross origin opener policy" "same origin", "date" "fri, 06 oct 2023 06 26 51 gmt", "kbn license sig" "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519", "kbn name" "instance 0000000000", "permissions policy" "camera=(), display capture=(), fullscreen=(self), geolocation=(), microphone=(), ", "referrer policy" "no referrer when downgrade", "x cloud request id" "7ylm 1adt0g vp6fblmoeg", "x content type options" "nosniff", "x found handling cluster" "397bafc2854d4f8ebe25ade55fbf3b17", "x found handling instance" "instance 0000000000" }, "reason" "ok", "json body" { "data" \[], "page" 1, "per page" 10, "total" 1 } } ] get action details retrieves the details of a specific response action in elastic kibana 8 security using the provided action id endpoint url 
/api/endpoint/action/{{action id}} method get input argument name type required description action id string required unique identifier output parameter type description status code number http status code of the response reason string response reason phrase data object response data id string unique identifier agents array output field agents command string output field command startedat string output field startedat completedat string output field completedat createdby string output field createdby iscompleted boolean output field iscompleted wassuccessful boolean whether the operation was successful isexpired boolean output field isexpired outputs object output field outputs afdc366c e2e0 4cdb ae1d 94575bd2d8e0 object output field afdc366c e2e0 4cdb ae1d 94575bd2d8e0 type string type of the resource content object response content entries array output field entries example \[ { "status code" 200, "response headers" { "cache control" "private, no cache, no store, must revalidate", "content length" "115", "content security policy" "script src 'self'; worker src blob 'self'; style src 'unsafe inline' 'self'", "content type" "application/json; charset=utf 8", "cross origin opener policy" "same origin", "date" "fri, 06 oct 2023 06 36 00 gmt", "elastic api version" "2023 10 31", "kbn license sig" "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519", "kbn name" "instance 0000000000", "permissions policy" "camera=(), display capture=(), fullscreen=(self), geolocation=(), microphone=(), ", "referrer policy" "no referrer when downgrade", "x cloud request id" "ttrip cqtqciwwo5slhg8w", "x content type options" "nosniff", "x found handling cluster" "397bafc2854d4f8ebe25ade55fbf3b17", "x found handling instance" "instance 0000000000" }, "reason" "ok", "json body" { "data" {} } } ] get all connector retrieve a comprehensive list of all available connectors from elastic kibana 8 security for management and configuration purposes endpoint url 
/api/actions/connectors method get output parameter type description status code number http status code of the response reason string response reason phrase example \[ { "status code" 200, "response headers" { "cache control" "private, no cache, no store, must revalidate", "content encoding" "gzip", "content security policy" "script src 'self'; worker src blob 'self'; style src 'unsafe inline' 'self'", "content type" "application/json; charset=utf 8", "cross origin opener policy" "same origin", "date" "tue, 03 oct 2023 16 06 01 gmt", "kbn license sig" "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519", "kbn name" "instance 0000000000", "permissions policy" "camera=(), display capture=(), fullscreen=(self), geolocation=(), microphone=(), ", "referrer policy" "no referrer when downgrade", "vary" "accept encoding", "x cloud request id" "6nxliz arbc4krkclnn 1q", "x content type options" "nosniff", "x found handling cluster" "397bafc2854d4f8ebe25ade55fbf3b17", "x found handling instance" "instance 0000000000" }, "reason" "ok", "json body" \[ { "id" "elastic cloud email", "name" "elastic cloud smtp", "connector type id" " email", "is preconfigured" true, "is deprecated" false, "referenced by count" 0, "is system action" false }, { "id" "73cdcf10 5eea 11ee 924f eb8f01880390", "name" "my swimlane connector", "config" { "connectortype" "all", "mappings" { "rulenameconfig" { "id" "b6fst", "name" "alert name", "key" "alert name", "fieldtype" "text" }, "alertidconfig" null, "caseidconfig" null, "casenameconfig" null, "commentsconfig" null, "severityconfig" null, "descriptionconfig" null }, "appid" "myappid", "apiurl" "https //myswimlaneinstance com" }, "connector type id" " swimlane", "is preconfigured" false, "is deprecated" false, "referenced by count" 0, "is missing secrets" false, "is system action" false }, { "id" "8a7e42c0 5eeb 11ee 924f eb8f01880390", "name" "my swimlane connector 1", "config" { "connectortype" "all", "mappings" { "alertidconfig" { "id" 
"b6fst", "name" "alert name", "key" "alert name", "fieldtype" "text" }, "caseidconfig" { "id" "b6fst", "name" "alert name", "key" "alert name", "fieldtype" "text" }, "casenameconfig" { "id" "b6fst", "name" "alert name", "key" "alert name", "fieldtype" "text" }, "commentsconfig" { "id" "b6fst", "name" "alert name", "key" "alert name", "fieldtype" "text" }, "descriptionconfig" { "id" "b6fst", "name" "alert name", "key" "alert name", "fieldtype" "text" }, "rulenameconfig" { "id" "b6fst", "name" "alert name", "key" "alert name", get case retrieve detailed case information from elastic kibana 8 security using a specific case id endpoint url /api/cases/{{case id}} method get input argument name type required description case id string required unique identifier includecomments boolean optional parameter for get case output parameter type description status code number http status code of the response reason string response reason phrase description string output field description title string output field title tags array output field tags settings object output field settings syncalerts boolean output field syncalerts owner string output field owner category object output field category assignees array output field assignees file name string name of the resource file string output field file connector object output field connector id string unique identifier type string type of the resource fields object output field fields issuetype string type of the resource priority string output field priority parent object output field parent name string name of the resource severity string output field severity status string status value duration object output field duration closed at object output field closed at closed by object output field closed by example \[ { "status code" 200, "response headers" { "accept ranges" "bytes", "cache control" "private, no cache, no store, must revalidate", "content length" "674", "content security policy" "script src 'self'; worker src blob 
'self'; style src 'unsafe inline' 'self'", "content type" "application/json; charset=utf 8", "cross origin opener policy" "same origin", "date" "fri, 29 sep 2023 06 14 33 gmt", "kbn license sig" "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519", "kbn name" "instance 0000000000", "permissions policy" "camera=(), display capture=(), fullscreen=(self), geolocation=(), microphone=(), ", "referrer policy" "no referrer when downgrade", "warning" "299 kibana 8 10 2 \\"deprecated query parameter includecomments\\"", "x cloud request id" "cas2n9xfrzqo7f19eomcdg", "x content type options" "nosniff", "x found handling cluster" "397bafc2854d4f8ebe25ade55fbf3b17" }, "reason" "ok", "json body" { "description" "a case description ", "title" "case title 1", "tags" \[], "settings" {}, "owner" "cases", "category" null, "assignees" \[], "connector" {}, "severity" "low", "status" "open", "duration" null, "closed at" null, "closed by" null, "created at" "2023 09 29t06 09 04 418z", "created by" {} } } ] get connector retrieves a specific elastic kibana 8 security connector by its unique identifier (id) endpoint url /api/actions/connector/{{id}} method get input argument name type required description id string required unique identifier output parameter type description status code number http status code of the response reason string response reason phrase id string unique identifier name string name of the resource config object output field config connectortype string type of the resource mappings object output field mappings rulenameconfig object name of the resource id string unique identifier name string name of the resource key string output field key fieldtype string type of the resource alertidconfig object unique identifier caseidconfig object unique identifier casenameconfig object name of the resource commentsconfig object output field commentsconfig severityconfig object output field severityconfig descriptionconfig object output field descriptionconfig 
appid string unique identifier apiurl string url endpoint for the request connector type id string unique identifier is preconfigured boolean output field is preconfigured is deprecated boolean output field is deprecated is missing secrets boolean output field is missing secrets is system action boolean output field is system action example \[ { "status code" 200, "response headers" { "accept ranges" "bytes", "cache control" "private, no cache, no store, must revalidate", "content length" "535", "content security policy" "script src 'self'; worker src blob 'self'; style src 'unsafe inline' 'self'", "content type" "application/json; charset=utf 8", "cross origin opener policy" "same origin", "date" "mon, 09 oct 2023 06 10 38 gmt", "kbn license sig" "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519", "kbn name" "instance 0000000000", "permissions policy" "camera=(), display capture=(), fullscreen=(self), geolocation=(), microphone=(), ", "referrer policy" "no referrer when downgrade", "x cloud request id" "29grvbnksyk8arwlh18zra", "x content type options" "nosniff", "x found handling cluster" "397bafc2854d4f8ebe25ade55fbf3b17", "x found handling instance" "instance 0000000000" }, "reason" "ok", "json body" { "id" "73cdcf10 5eea 11ee 924f eb8f01880390", "name" "my swimlane connector", "config" {}, "connector type id" " swimlane", "is preconfigured" false, "is deprecated" false, "is missing secrets" false, "is system action" false } } ] get current connector retrieves the list of current connectors available to the user in the elastic security ui endpoint url /api/cases/configure method get output parameter type description status code number http status code of the response reason string response reason phrase example \[ { "status code" 200, "response headers" { "accept ranges" "bytes", "cache control" "private, no cache, no store, must revalidate", "content length" "695", "content security policy" "script src 'self'; worker src blob 'self'; style src 
'unsafe inline' 'self'", "content type" "application/json; charset=utf 8", "cross origin opener policy" "same origin", "date" "mon, 09 oct 2023 06 03 55 gmt", "kbn license sig" "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519", "kbn name" "instance 0000000000", "permissions policy" "camera=(), display capture=(), fullscreen=(self), geolocation=(), microphone=(), ", "referrer policy" "no referrer when downgrade", "x cloud request id" "dyqw495ktsqexeohvd lxq", "x content type options" "nosniff", "x found handling cluster" "397bafc2854d4f8ebe25ade55fbf3b17", "x found handling instance" "instance 0000000000" }, "reason" "ok", "json body" \[ {} ] } ] get detection rule retrieves a specific detection rule from elastic kibana 8 security using the provided rule id endpoint url /api/detection engine/rules?id={{id}} method get input argument name type required description id string required unique identifier output parameter type description status code number http status code of the response reason string response reason phrase id string unique identifier updated at string output field updated at updated by string output field updated by created at string output field created at created by string output field created by name string name of the resource tags array output field tags file name string name of the resource file string output field file interval string output field interval enabled boolean output field enabled revision number output field revision description string output field description risk score number score value severity string output field severity output index string output field output index investigation fields array output field investigation fields file name string name of the resource file string output field file author array output field author file name string name of the resource file string output field file false positives array output field false positives example \[ { "status code" 200, "response headers" { "cache control" 
"private, no cache, no store, must revalidate", "content encoding" "gzip", "content security policy" "script src 'self'; worker src blob 'self'; style src 'unsafe inline' 'self'", "content type" "application/json; charset=utf 8", "cross origin opener policy" "same origin", "date" "wed, 04 oct 2023 12 58 45 gmt", "kbn license sig" "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519", "kbn name" "instance 0000000000", "permissions policy" "camera=(), display capture=(), fullscreen=(self), geolocation=(), microphone=(), ", "referrer policy" "no referrer when downgrade", "vary" "accept encoding", "x cloud request id" "asys8zyxq8oekvs yyxyjq", "x content type options" "nosniff", "x found handling cluster" "397bafc2854d4f8ebe25ade55fbf3b17", "x found handling instance" "instance 0000000000" }, "reason" "ok", "json body" { "id" "e4099430 629b 11ee 924f eb8f01880390", "updated at" "2023 10 04t10 23 36 702z", "updated by" "elastic", "created at" "2023 10 04t09 53 38 591z", "created by" "elastic", "name" "bad ip threat match update", "tags" \[], "interval" "5m", "enabled" true, "revision" 1, "description" "checks for bad ip addresses listed in the ip threat list index", "risk score" 50, "severity" "medium", "output index" "", "investigation fields" \[] } } ] get endpoint retrieves metadata for a specified host with elastic defend by using the provided endpoint id endpoint url /api/endpoint/metadata/{{endpoint id}} method get input argument name type required description endpoint id string required unique identifier output parameter type description status code number http status code of the response reason string response reason phrase host status string status value last checkin string output field last checkin metadata object response data @timestamp string output field @timestamp endpoint object output field endpoint capabilities array output field capabilities configuration object output field configuration isolation boolean output field isolation policy 
object output field policy applied object output field applied endpoint policy version string output field endpoint policy version id string unique identifier name string name of the resource status string status value version string output field version state object output field state isolation boolean output field isolation status string status value agent object output field agent build object output field build original string output field original id string unique identifier type string type of the resource example \[ { "status code" 200, "response headers" { "cache control" "private, no cache, no store, must revalidate", "content length" "115", "content security policy" "script src 'self'; worker src blob 'self'; style src 'unsafe inline' 'self'", "content type" "application/json; charset=utf 8", "cross origin opener policy" "same origin", "date" "fri, 06 oct 2023 06 36 00 gmt", "elastic api version" "2023 10 31", "kbn license sig" "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519", "kbn name" "instance 0000000000", "permissions policy" "camera=(), display capture=(), fullscreen=(self), geolocation=(), microphone=(), ", "referrer policy" "no referrer when downgrade", "x cloud request id" "ttrip cqtqciwwo5slhg8w", "x content type options" "nosniff", "x found handling cluster" "397bafc2854d4f8ebe25ade55fbf3b17", "x found handling instance" "instance 0000000000" }, "reason" "ok", "json body" { "host status" "healthy", "last checkin" "2023 07 04t15 48 57 360z", "metadata" {}, "policy info" {} } } ] get kibana space retrieves information about available kibana spaces within the elastic kibana 8 security environment endpoint url /api/spaces/space method get output parameter type description status code number http status code of the response reason string response reason phrase example \[ { "status code" 200, "response headers" { "accept ranges" "bytes", "cache control" "private, no cache, no store, must revalidate", "content length" "287", "content 
security policy" "script src 'self'; worker src blob 'self'; style src 'unsafe inline' 'self'", "content type" "application/json; charset=utf 8", "cross origin opener policy" "same origin", "date" "thu, 05 oct 2023 09 06 29 gmt", "kbn license sig" "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519", "kbn name" "instance 0000000000", "permissions policy" "camera=(), display capture=(), fullscreen=(self), geolocation=(), microphone=(), ", "referrer policy" "no referrer when downgrade", "x cloud request id" "7bu6irovqya7qqxs2hrxhg", "x content type options" "nosniff", "x found handling cluster" "397bafc2854d4f8ebe25ade55fbf3b17", "x found handling instance" "instance 0000000000" }, "reason" "ok", "json body" \[ {}, {} ] } ] get processes retrieves a list of running processes from specified hosts within elastic defend using provided endpoint ids endpoint url /api/endpoint/action/running procs method post input argument name type required description endpoint ids array required unique identifier alert ids array optional unique identifier case ids array optional unique identifier comment string optional parameter for get processes output parameter type description status code number http status code of the response reason string response reason phrase data object response data id string unique identifier agents array output field agents command string output field command isexpired boolean output field isexpired iscompleted boolean output field iscompleted wassuccessful boolean whether the operation was successful errors array error message if any file name string name of the resource file string output field file startedat string output field startedat completedat string output field completedat outputs object output field outputs ed518850 681a 4d60 bb98 e22640cae2a8 object output field ed518850 681a 4d60 bb98 e22640cae2a8 type string type of the resource content object response content key string output field key createdby string output field createdby 
comment | string | output field comment

Example
[
  {
    "status_code": 200,
    "response_headers": {
      "cache-control": "private, no-cache, no-store, must-revalidate",
      "content-length": "115",
      "content-security-policy": "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'",
      "content-type": "application/json; charset=utf-8",
      "cross-origin-opener-policy": "same-origin",
      "date": "Fri, 06 Oct 2023 06:36:00 GMT",
      "elastic-api-version": "2023-10-31",
      "kbn-license-sig": "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519",
      "kbn-name": "instance-0000000000",
      "permissions-policy": "camera=(), display-capture=(), fullscreen=(self), geolocation=(), microphone=(), ",
      "referrer-policy": "no-referrer-when-downgrade",
      "x-cloud-request-id": "ttrip cqtqciwwo5slhg8w",
      "x-content-type-options": "nosniff",
      "x-found-handling-cluster": "397bafc2854d4f8ebe25ade55fbf3b17",
      "x-found-handling-instance": "instance-0000000000"
    },
    "reason": "OK",
    "json_body": {
      "data": {}
    }
  }
]

Get signals
Retrieve detection alerts (signals) from Elastic Security to get an overview of detected threats and anomalies. The request body is an Elasticsearch search request against the alerts index, so any query or aggregation that index supports can be used; the rows below show the shape of one typical body.

Endpoint URL: /api/detection_engine/signals/search
Method: POST

Input
name | type | required | description
aggs | object | optional | aggregations to run over the matching alerts (the example below returns the newest and oldest alert timestamps)
aggs.latest | object | optional | name of the first example aggregation
aggs.latest.max | object | optional | max aggregation
aggs.latest.max.field | string | optional | field to take the maximum of
aggs.oldest | object | optional | name of the second example aggregation
aggs.oldest.min | object | optional | min aggregation
aggs.oldest.min.field | string | optional | field to take the minimum of
query | object | optional | Elasticsearch query selecting the alerts
query.bool | object | optional | boolean query
query.bool.filter | array | optional | filter clauses
query.bool.filter[].match | object | optional | match clause, for example on host.name
query.bool.filter[].range | object | optional | range clause, for example on @timestamp

Output
name | type | description
status_code | number | HTTP status code of the response
reason | string | response reason phrase
took | number | search time in milliseconds
timed_out | boolean | whether the search timed out
_shards | object | shard statistics
_shards.total | number | shards searched
_shards.successful | number | shards that succeeded
_shards.skipped | number | shards skipped
_shards.failed | number | shards that failed
hits | object | search hits
hits.total | object | hit count
hits.total.value | number | number of matching alerts
hits.total.relation | string | "eq" when value is exact, "gte" when it is a lower bound
hits.max_score | number | highest score
hits.hits | array | the matching alert documents
hits.hits[]._index | string | alerts index the document lives in
hits.hits[]._id | string | alert id (the value to pass as a signal id when changing alert status)
hits.hits[]._score | number | score value
hits.hits[]._source | object | the alert document
hits.hits[]._source.kibana.version | string | Kibana version that wrote the alert
hits.hits[]._source.kibana.alert.rule.category | string | rule category
hits.hits[]._source.kibana.alert.rule.consumer | string | rule consumer
hits.hits[]._source.kibana.alert.rule.execution.uuid | string | unique identifier of the rule execution that produced the alert
hits.hits[]._source.kibana.alert.rule.name | string | name of the rule
hits.hits[]._source.kibana.alert.rule.producer | string | rule producer

Example
[
  {
    "status_code": 200,
    "response_headers": {
      "x-content-type-options": "nosniff",
      "referrer-policy": "no-referrer-when-downgrade",
      "kbn-name": "ubu2004template",
      "kbn-license-sig": "a43abc045d066ce42208f51f7d1f6ab599a400a120e87ef8e5ed3b4b62b5bfea",
      "content-type": "application/json; charset=utf-8",
      "cache-control": "private, no-cache, no-store, must-revalidate",
      "vary": "accept-encoding",
      "content-encoding": "gzip",
      "date": "Wed, 15 Mar 2023 20:49:15 GMT",
      "connection": "keep-alive",
      "keep-alive": "timeout=120",
      "transfer-encoding": "chunked"
    },
    "reason": "OK",
    "json_body": {
      "took": 443,
      "timed_out": false,
      "_shards": {},
      "hits": {},
      "aggregations": {}
    }
  }
]

Get tags
Aggregate and return every unique tag used by the detection rules in Elastic Security.

Endpoint URL: /api/detection_engine/tags
Method: GET

Output
name | type | description
status_code | number | HTTP status code of the response
reason | string | response reason phrase

Example
[
  {
    "status_code": 200,
    "response_headers": {
      "cache-control": "private, no-cache, no-store, must-revalidate",
      "content-encoding": "gzip",
      "content-security-policy": "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'",
      "content-type": "application/json; charset=utf-8",
      "cross-origin-opener-policy": "same-origin",
      "date": "Fri, 06 Oct 2023 08:49:08 GMT",
      "kbn-license-sig": "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519",
      "kbn-name": "instance-0000000000",
      "permissions-policy": "camera=(), display-capture=(), fullscreen=(self), geolocation=(), microphone=(), ",
      "referrer-policy": "no-referrer-when-downgrade",
      "vary": "accept-encoding",
      "x-cloud-request-id": "ogihx75mqqabipipfjytyq",
      "x-content-type-options": "nosniff",
      "x-found-handling-cluster": "397bafc2854d4f8ebe25ade55fbf3b17",
      "x-found-handling-instance": "instance-0000000000"
    },
    "reason": "OK",
    "json_body": [
      "Data Source: APM",
      "Data Source: AWS",
      "Data Source: Active Directory"
    ]
  }
]

Isolate a host
Isolate a host from the network with Elastic Defend, addressing it by the endpoint ids given in the JSON body. A 200 response means the action was queued for the agent, not that the host is already isolated; check the action's completion fields (or List response actions) before relying on it.

Endpoint URL: /api/endpoint/action/isolate
Method: POST

Input
name | type | required | description
endpoint_ids | array | required | ids of the endpoints (Elastic Agent ids) to isolate
alert_ids | array | optional | ids of the alerts the action is taken for
case_ids | array | optional | ids of the cases to attach the action to
comment | string | optional | comment recorded with the action

Output
name | type | description
status_code | number | HTTP status code of the response
reason | string | response reason phrase
action | string | id of the queued response action
data | object | response data
data.id | string | unique identifier of the action
data.agents | array | agents the action targets
data.command | string | the command that was issued
data.isExpired | boolean | whether the action expired before it completed
data.isCompleted | boolean | whether the action has completed
data.wasSuccessful | boolean | whether the operation was successful
data.errors | array | error messages, if any
data.file_name | string | name of the resource
data.file | string | output field file
data.startedAt | string | when the action was started
data.completedAt | string | when the action completed
data.outputs | object | per-agent output, keyed by agent id
data.outputs.ed518850-681a-4d60-bb98-e22640cae2a8 | object | output for one agent (the key is that agent's id)
data.outputs.<agent id>.type | string | type of the output
data.outputs.<agent id>.content | object | output content
data.outputs.<agent id>.content.key | string | output field key
data.createdBy | string | user that issued the action
data.comment | string | comment given with the action
data.entity_id | string | unique identifier

Example
[
  {
    "status_code": 200,
    "response_headers": {
      "cache-control": "private, no-cache, no-store, must-revalidate",
      "content-length": "115",
      "content-security-policy": "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'",
      "content-type": "application/json; charset=utf-8",
      "cross-origin-opener-policy": "same-origin",
      "date": "Fri, 06 Oct 2023 06:36:00 GMT",
      "elastic-api-version": "2023-10-31",
      "kbn-license-sig": "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519",
      "kbn-name": "instance-0000000000",
      "permissions-policy": "camera=(), display-capture=(), fullscreen=(self), geolocation=(), microphone=(), ",
      "referrer-policy": "no-referrer-when-downgrade",
      "x-cloud-request-id": "ttrip cqtqciwwo5slhg8w",
      "x-content-type-options": "nosniff",
      "x-found-handling-cluster": "397bafc2854d4f8ebe25ade55fbf3b17",
      "x-found-handling-instance": "instance-0000000000"
    },
    "reason": "OK",
    "json_body": {
      "action": "233db9ea-6733-4849-9226-5a7039c7161d",
      "data": {}
    }
  }
]

List endpoints
Retrieve the list of hosts running Elastic Defend, for security oversight and management.

Endpoint URL: /api/endpoint/metadata
Method: GET

Input
name | type | required | description
page | number | optional | page number
pageSize | number | optional | number of hosts per page
kuery | string | optional | KQL filter applied to the host metadata
hostStatuses | array | optional | only hosts with these status values
sortField | string | optional | field to sort by
sortDirection | string | optional | sort direction (asc or desc)

Output
name | type | description
status_code | number | HTTP status code of the response
reason | string | response reason phrase
data | array | the hosts
file_name | string | name of the resource
file | string | output field file
total | number | total number of matching hosts
page | number | page returned
pageSize | number | page size used
sortField | string | field the result is sorted by
sortDirection | string | sort direction used

Example
[
  {
    "status_code": 200,
    "response_headers": {
      "accept-ranges": "bytes",
      "cache-control": "private, no-cache, no-store, must-revalidate",
      "content-length": "92",
      "content-security-policy": "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'",
      "content-type": "application/json; charset=utf-8",
      "cross-origin-opener-policy": "same-origin",
      "date": "Fri, 06 Oct 2023 07:16:18 GMT",
      "elastic-api-version": "2023-10-31",
      "kbn-license-sig": "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519",
      "kbn-name": "instance-0000000000",
      "permissions-policy": "camera=(), display-capture=(), fullscreen=(self), geolocation=(), microphone=(), ",
      "referrer-policy": "no-referrer-when-downgrade",
      "x-cloud-request-id": "fbx1ad5hqhypgkbbajvtqg",
      "x-content-type-options": "nosniff",
      "x-found-handling-cluster": "397bafc2854d4f8ebe25ade55fbf3b17"
    },
    "reason": "OK",
    "json_body": {
      "data": [],
      "total": 0,
      "page": 0,
      "pageSize": 10,
      "sortField": "enrolled_at",
      "sortDirection": "asc"
    }
  }
]

List response actions
Retrieve the response actions (isolate, release, suspend or terminate process, and so on) that have been issued through Elastic Security, with their completion state.

Endpoint URL: /api/endpoint/action
Method: GET

Input
name | type | required | description
page | number | optional | page number
pageSize | number | optional | number of actions per page
commands | array | optional | only actions with these commands
agentIds | array | optional | only actions targeting these agent ids
userIds | array | optional | only actions issued by these users
startDate | string | optional | a start date in ISO format or date math format
endDate | string | optional | an end date in ISO format or date math format

Output
name | type | description
status_code | number | HTTP status code of the response
reason | string | response reason phrase
page | number | page returned
pageSize | number | page size used
total | number | total number of matching actions
startDate | string | start of the date range used
endDate | string | end of the date range used
elasticAgentIds | array | agent ids the list was filtered on
data | array | the actions
data[].id | string | unique identifier of the action
data[].agents | array | agents the action targets
data[].command | string | the command that was issued
data[].startedAt | string | when the action was started
data[].isCompleted | boolean | whether the action has completed
data[].completedAt | string | when the action completed
data[].wasSuccessful | boolean | whether the operation was successful
data[].isExpired | boolean | whether the action expired before it completed
data[].createdBy | string | user that issued the action

Example
[
  {
    "status_code": 200,
    "response_headers": {
      "cache-control": "private, no-cache, no-store, must-revalidate",
      "content-length": "76",
      "content-security-policy": "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'",
      "content-type": "application/json; charset=utf-8",
      "cross-origin-opener-policy": "same-origin",
      "date": "Fri, 06 Oct 2023 07:27:39 GMT",
      "elastic-api-version": "2023-10-31",
      "kbn-license-sig": "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519",
      "kbn-name": "instance-0000000000",
      "permissions-policy": "camera=(), display-capture=(), fullscreen=(self), geolocation=(), microphone=(), ",
      "referrer-policy": "no-referrer-when-downgrade",
      "x-cloud-request-id": "zci6kahjq0ecpglphfa4fw",
      "x-content-type-options": "nosniff",
      "x-found-handling-cluster": "397bafc2854d4f8ebe25ade55fbf3b17",
      "x-found-handling-instance": "instance-0000000000"
    },
    "reason": "OK",
    "json_body": {
      "page": 1,
      "pageSize": 10,
      "total": 4,
      "startDate": "now-24h/h",
      "endDate": "now",
      "elasticAgentIds": [],
      "data": []
    }
  }
]

Prepackaged Elastic prebuilt detection rules
Load Elastic's prebuilt detection rules and timelines into Elastic Security, and update the ones already installed, to extend detection coverage. The call is idempotent: the counts in the response tell you how many rules and timelines were actually installed or updated by this run.

Endpoint URL: /api/detection_engine/rules/prepackaged
Method: PUT

Output
name | type | description
status_code | number | HTTP status code of the response
reason | string | response reason phrase
rules_installed | number | prebuilt rules newly installed
rules_updated | number | prebuilt rules updated to a newer version
timelines_installed | number | prebuilt timelines newly installed
timelines_updated | number | prebuilt timelines updated

Example
[
  {
    "status_code": 200,
    "response_headers": {
      "cache-control": "private, no-cache, no-store, must-revalidate",
      "content-length": "88",
      "content-security-policy": "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'",
      "content-type": "application/json; charset=utf-8",
      "cross-origin-opener-policy": "same-origin",
      "date": "Wed, 04 Oct 2023 13:08:48 GMT",
      "kbn-license-sig": "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519",
      "kbn-name": "instance-0000000000",
      "permissions-policy": "camera=(), display-capture=(), fullscreen=(self), geolocation=(), microphone=(), ",
      "referrer-policy": "no-referrer-when-downgrade",
      "x-cloud-request-id": "0ivpusctr wh8fpgrdcuza",
      "x-content-type-options": "nosniff",
      "x-found-handling-cluster": "397bafc2854d4f8ebe25ade55fbf3b17",
      "x-found-handling-instance": "instance-0000000000"
    },
    "reason": "OK",
    "json_body": {
      "rules_installed": 938,
      "rules_updated": 0,
      "timelines_installed": 10,
      "timelines_updated": 0
    }
  }
]

Prepackaged get detection rule status
Retrieve the installation status of the prebuilt detection rules in Elastic Security: how many are installed, how many are available but not installed, and how many have a newer version available. Non-zero rules_not_installed or rules_not_updated counts mean the PUT call above has work to do.

Endpoint URL: /api/detection_engine/rules/prepackaged/_status
Method: GET

Output
name | type | description
status_code | number | HTTP status code of the response
reason | string | response reason phrase
rules_custom_installed | number | custom (non-prebuilt) rules installed
rules_installed | number | prebuilt rules installed
rules_not_installed | number | prebuilt rules available but not installed
rules_not_updated | number | installed prebuilt rules with a newer version available
timelines_installed | number | prebuilt timelines installed
timelines_not_installed | number | prebuilt timelines available but not installed
timelines_not_updated | number | installed prebuilt timelines with a newer version available

Example
[
  {
    "status_code": 200,
    "response_headers": {
      "accept-ranges": "bytes",
      "cache-control": "private, no-cache, no-store, must-revalidate",
      "content-length": "175",
      "content-security-policy": "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'",
      "content-type": "application/json; charset=utf-8",
      "cross-origin-opener-policy": "same-origin",
      "date": "Wed, 04 Oct 2023 13:12:12 GMT",
      "kbn-license-sig": "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519",
      "kbn-name": "instance-0000000000",
      "permissions-policy": "camera=(), display-capture=(), fullscreen=(self), geolocation=(), microphone=(), ",
      "referrer-policy": "no-referrer-when-downgrade",
      "x-cloud-request-id": "s 2x1u44stmxut6111iddw",
      "x-content-type-options": "nosniff",
      "x-found-handling-cluster": "397bafc2854d4f8ebe25ade55fbf3b17",
      "x-found-handling-instance": "instance-0000000000"
    },
    "reason": "OK",
    "json_body": {
      "rules_custom_installed": 4,
      "rules_installed": 938,
      "rules_not_installed": 0,
      "rules_not_updated": 0,
      "timelines_installed": 10,
      "timelines_not_installed": 0,
      "timelines_not_updated": 0
    }
  }
]

Release an isolated host
Remove the isolation from the specified hosts in Elastic Security so that they can reconnect to the network. Requires endpoint_ids. As with Isolate a host, a 200 response means the release was queued; the action's completion fields say whether it has taken effect.

Endpoint URL: /api/endpoint/action/unisolate
Method: POST

Input
name | type | required | description
endpoint_ids | array | required | ids of the endpoints (Elastic Agent ids) to release
alert_ids | array | optional | ids of the alerts the action is taken for
case_ids | array | optional | ids of the cases to attach the action to
comment | string | optional | comment recorded with the action

Output
name | type | description
status_code | number | HTTP status code of the response
reason | string | response reason phrase
action | string | id of the queued response action
data | object | response data
data.id | string | unique identifier of the action
data.agents | array | agents the action targets
data.command | string | the command that was issued
data.isExpired | boolean | whether the action expired before it completed
data.isCompleted | boolean | whether the action has completed
data.wasSuccessful | boolean | whether the operation was successful
data.errors | array | error messages, if any
data.file_name | string | name of the resource
data.file | string | output field file
data.startedAt | string | when the action was started
data.completedAt | string | when the action completed
data.outputs | object | per-agent output, keyed by agent id
data.outputs.ed518850-681a-4d60-bb98-e22640cae2a8 | object | output for one agent (the key is that agent's id)
data.outputs.<agent id>.type | string | type of the output
data.outputs.<agent id>.content | object | output content
data.outputs.<agent id>.content.key | string | output field key
data.createdBy | string | user that issued the action
data.comment | string | comment given with the action
data.entity_id | string | unique identifier

Example
[
  {
    "status_code": 200,
    "response_headers": {
      "cache-control": "private, no-cache, no-store, must-revalidate",
      "content-length": "115",
      "content-security-policy": "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'",
      "content-type": "application/json; charset=utf-8",
      "cross-origin-opener-policy": "same-origin",
      "date": "Fri, 06 Oct 2023 06:36:00 GMT",
      "elastic-api-version": "2023-10-31",
      "kbn-license-sig": "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519",
      "kbn-name": "instance-0000000000",
      "permissions-policy": "camera=(), display-capture=(), fullscreen=(self), geolocation=(), microphone=(), ",
      "referrer-policy": "no-referrer-when-downgrade",
      "x-cloud-request-id": "ttrip cqtqciwwo5slhg8w",
      "x-content-type-options": "nosniff",
      "x-found-handling-cluster": "397bafc2854d4f8ebe25ade55fbf3b17",
      "x-found-handling-instance": "instance-0000000000"
    },
    "reason": "OK",
    "json_body": {
      "action": "233db9ea-6733-4849-9226-5a7039c7161d",
      "data": {}
    }
  }
]

Retrieve blocklist entry
Retrieve one blocklist entry from Elastic Security by its id and namespace type. Blocklist entries are exception list items on the endpoint_blocklists list; endpoint artifacts are stored in the agnostic namespace, as the example shows.

Endpoint URL: /api/exception_lists/items
Method: GET

Input
name | type | required | description
id | string | required | id of the exception list item
namespace_type | string | required | namespace of the item (single or agnostic)

Output
name | type | description
status_code | number | HTTP status code of the response
reason | string | response reason phrase
_version | string | version token of the item; send it back on update so that concurrent edits are detected
comments | array | comments on the item
file_name | string | name of the resource
file | string | output field file
created_at | string | when the item was created
created_by | string | user that created the item
description | string | description of the item
entries | array | the conditions that make up the entry
entries[].field | string | field the condition applies to
entries[].value | array | values matched
entries[].type | string | condition type
entries[].operator | string | condition operator
id | string | id of the item
item_id | string | stable item id (survives re-creation)
list_id | string | id of the list the item belongs to
name | string | name of the item
namespace_type | string | namespace of the item
os_types | array | operating systems the entry applies to
tags | array | tags on the item
tie_breaker_id | string | unique identifier used for stable sorting
type | string | item type
updated_at | string | when the item was last updated
updated_by | string | user that last updated the item

Example
[
  {
    "status_code": 200,
    "response_headers": {
      "accept-ranges": "bytes",
      "cache-control": "private, no-cache, no-store, must-revalidate",
      "content-length": "681",
      "content-security-policy": "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'",
      "content-type": "application/json; charset=utf-8",
      "cross-origin-opener-policy": "same-origin",
      "date": "Thu, 05 Oct 2023 10:12:25 GMT",
      "kbn-license-sig": "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519",
      "kbn-name": "instance-0000000000",
      "permissions-policy": "camera=(), display-capture=(), fullscreen=(self), geolocation=(), microphone=(), ",
      "referrer-policy": "no-referrer-when-downgrade",
      "x-cloud-request-id": "tmtxygbxq6oxzr5uhx6v4w",
      "x-content-type-options": "nosniff",
      "x-found-handling-cluster": "397bafc2854d4f8ebe25ade55fbf3b17",
      "x-found-handling-instance": "instance-0000000000"
    },
    "reason": "OK",
    "json_body": {
      "_version": "WzI1ODIsMV0=",
      "comments": [],
      "created_at": "2023-10-05T09:23:56.384Z",
      "created_by": "elastic",
      "description": "these applications must be blocked",
      "entries": [],
      "id": "e880f600-6360-11ee-924f-eb8f01880390",
      "item_id": "695590a7-5655-480d-8375-f486de462cfb",
      "list_id": "endpoint_blocklists",
      "name": "linux process exceptions updates",
      "namespace_type": "agnostic",
      "os_types": [],
      "tags": [],
      "tie_breaker_id": "3f770c4b-fe1d-4293-ab3a-c61f0517ae98",
      "type": "simple"
    }
  }
]

Retrieve event filter
Retrieve one event filter from Elastic Security by its id and namespace type. Event filters are exception list items on the endpoint_event_filters list.

Endpoint URL: /api/exception_lists/items
Method: GET

Input
name | type | required | description
id | string | required | id of the exception list item
namespace_type | string | required | namespace of the item (single or agnostic)

Output
name | type | description
status_code | number | HTTP status code of the response
reason | string | response reason phrase
_version | string | version token of the item
comments | array | comments on the item
comments[].comment | string | comment text
comments[].created_at | string | when the comment was created
comments[].created_by | string | user that created the comment
comments[].id | string | id of the comment
created_at | string | when the item was created
created_by | string | user that created the item
description | string | description of the item
entries | array | the conditions that make up the filter
entries[].field | string | field the condition applies to
entries[].operator | string | condition operator
entries[].type | string | condition type
entries[].value | string | value matched
id | string | id of the item
item_id | string | stable item id
list_id | string | id of the list the item belongs to
name | string | name of the item
namespace_type | string | namespace of the item
os_types | array | operating systems the filter applies to
tags | array | tags on the item
tie_breaker_id | string | unique identifier used for stable sorting
type | string | item type

Example
[
  {
    "status_code": 200,
    "response_headers": {
      "accept-ranges": "bytes",
      "cache-control": "private, no-cache, no-store, must-revalidate",
      "content-length": "954",
      "content-security-policy": "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'",
      "content-type": "application/json; charset=utf-8",
      "cross-origin-opener-policy": "same-origin",
      "date": "Thu, 05 Oct 2023 13:38:23 GMT",
      "kbn-license-sig": "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519",
      "kbn-name": "instance-0000000000",
      "permissions-policy": "camera=(), display-capture=(), fullscreen=(self), geolocation=(), microphone=(), ",
      "referrer-policy": "no-referrer-when-downgrade",
      "x-cloud-request-id": "o23y9b1 q7iny0tndfejjq",
      "x-content-type-options": "nosniff",
      "x-found-handling-cluster": "397bafc2854d4f8ebe25ade55fbf3b17",
      "x-found-handling-instance": "instance-0000000000"
    },
    "reason": "OK",
    "json_body": {
      "_version": "WzI1ODYsMV0=",
      "comments": [],
      "created_at": "2023-10-05T10:32:35.833Z",
      "created_by": "elastic",
      "description": "some description about this entry updated",
      "entries": [],
      "id": "7fe2fe90-636a-11ee-924f-eb8f01880390",
      "item_id": "2afcc085-e670-4042-88c7-c686400075e2",
      "list_id": "endpoint_event_filters",
      "name": "some name for this item updated",
      "namespace_type": "agnostic",
      "os_types": [],
      "tags": [],
      "tie_breaker_id": "2ccdba14-27d4-4c94-851f-ac0dff40b4a0",
      "type": "simple"
    }
  }
]

Retrieve host isolation exception
Retrieve one host isolation exception from Elastic Security by its id and namespace type. Host isolation exceptions are exception list items on the endpoint_host_isolation_exceptions list; they name the IP addresses an isolated host may still reach.

Endpoint URL: /api/exception_lists/items
Method: GET

Input
name | type | required | description
id | string | required | id of the exception list item
namespace_type | string | required | namespace of the item (single or agnostic)

Output
name | type | description
status_code | number | HTTP status code of the response
reason | string | response reason phrase
_version | string | version token of the item
comments | array | comments on the item
file_name | string | name of the resource
file | string | output field file
created_at | string | when the item was created
created_by | string | user that created the item
description | string | description of the item
entries | array | the conditions that make up the exception
entries[].field | string | field the condition applies to
entries[].type | string | condition type
entries[].value | string | value matched
entries[].operator | string | condition operator
id | string | id of the item
item_id | string | stable item id
list_id | string | id of the list the item belongs to
name | string | name of the item
namespace_type | string | namespace of the item
os_types | array | operating systems the exception applies to
tags | array | tags on the item
tie_breaker_id | string | unique identifier used for stable sorting
type | string | item type
updated_at | string | when the item was last updated
updated_by | string | user that last updated the item

Example
[
  {
    "status_code": 200,
    "response_headers": {
      "accept-ranges": "bytes",
      "cache-control": "private, no-cache, no-store, must-revalidate",
      "content-length": "663",
      "content-security-policy": "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'",
      "content-type": "application/json; charset=utf-8",
      "cross-origin-opener-policy": "same-origin",
      "date": "Thu, 05 Oct 2023 17:12:27 GMT",
      "kbn-license-sig": "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519",
      "kbn-name": "instance-0000000000",
      "permissions-policy": "camera=(), display-capture=(), fullscreen=(self), geolocation=(), microphone=(), ",
      "referrer-policy": "no-referrer-when-downgrade",
      "x-cloud-request-id": "kknm8eyjtt6p9j6 cvks g",
      "x-content-type-options": "nosniff",
      "x-found-handling-cluster": "397bafc2854d4f8ebe25ade55fbf3b17",
      "x-found-handling-instance": "instance-0000000000"
    },
    "reason": "OK",
    "json_body": {
      "_version": "WzI1OTAsMV0=",
      "comments": [],
      "created_at": "2023-10-05T16:59:10.441Z",
      "created_by": "elastic",
      "description": "via api",
      "entries": [],
      "id": "80f34d90-63a0-11ee-924f-eb8f01880390",
      "item_id": "fb00f1ac-11cd-432e-be2f-1bb7fa5ca7e0",
      "list_id": "endpoint_host_isolation_exceptions",
      "name": "host isolation exception created with api update",
      "namespace_type": "agnostic",
      "os_types": [],
      "tags": [],
      "tie_breaker_id": "3d200c83-5581-42f7-ba46-4c16792276a4",
      "type": "simple"
    }
  }
]

Retrieve trusted application
Retrieve one trusted application from Elastic Security by its id and namespace type. Trusted applications are exception list items on the endpoint_trusted_apps list.

Endpoint URL: /api/exception_lists/items
Method: GET

Input
name | type | required | description
id | string | required | id of the exception list item
namespace_type | string | required | namespace of the item (single or agnostic)

Output
name | type | description
status_code | number | HTTP status code of the response
reason | string | response reason phrase
_version | string | version token of the item
comments | array | comments on the item
comments[].comment | string | comment text
comments[].created_at | string | when the comment was created
comments[].created_by | string | user that created the comment
comments[].id | string | id of the comment
created_at | string | when the item was created
created_by | string | user that created the item
description | string | description of the item
entries | array | the conditions that identify the application
entries[].field | string | field the condition applies to
entries[].value | string | value matched
entries[].type | string | condition type
entries[].operator | string | condition operator
id | string | id of the item
item_id | string | stable item id
list_id | string | id of the list the item belongs to
name | string | name of the item
namespace_type | string | namespace of the item
os_types | array | operating systems the trusted application applies to
tags | array | tags on the item
tie_breaker_id | string | unique identifier used for stable sorting
type | string | item type

Example
[
  {
    "status_code": 200,
    "response_headers": {
      "accept-ranges": "bytes",
      "cache-control": "private, no-cache, no-store, must-revalidate",
      "content-length": "786",
      "content-security-policy": "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'",
      "content-type": "application/json; charset=utf-8",
      "cross-origin-opener-policy": "same-origin",
      "date": "Fri, 06 Oct 2023 06:23:26 GMT",
      "kbn-license-sig": "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519",
      "kbn-name": "instance-0000000000",
      "permissions-policy": "camera=(), display-capture=(), fullscreen=(self), geolocation=(), microphone=(), ",
      "referrer-policy": "no-referrer-when-downgrade",
      "x-cloud-request-id": "tpbazsnqqm rldl2go f5q",
      "x-content-type-options": "nosniff",
      "x-found-handling-cluster": "397bafc2854d4f8ebe25ade55fbf3b17",
      "x-found-handling-instance": "instance-0000000000"
    },
    "reason": "OK",
    "json_body": {
      "_version": "WzI1OTUsMV0=",
      "comments": [],
      "created_at": "2023-10-06T06:11:43.715Z",
      "created_by": "elastic",
      "description": "this app is good",
      "entries": [],
      "id": "38e91330-640f-11ee-924f-eb8f01880390",
      "item_id": "cbc73361-5d6f-4cbd-84c2-eb3564a934ae",
      "list_id": "endpoint_trusted_apps",
      "name": "create endpoint trusted app updated!",
      "namespace_type": "agnostic",
      "os_types": [],
      "tags": [],
      "tie_breaker_id": "80021764-e6b0-4000-895d-9d324ec3f273",
      "type": "simple"
    }
  }
]

Set alert status
Update the workflow status of alerts in Elastic Security. The alerts are selected either by id (signal_ids) or by an Elasticsearch query; supply one of the two. The response is the Elasticsearch update-by-query summary, so check `updated` against `total` and that `failures` and `version_conflicts` are empty before treating the change as applied.

Endpoint URL: /api/detection_engine/signals/status
Method: POST

Input
name | type | required | description
signal_ids | array | optional | ids of the alerts to update
status | string | required | new status: open, acknowledged or closed
query | object | optional | Elasticsearch query selecting the alerts to update, used instead of signal_ids for bulk changes
query.bool | object | optional | boolean query
query.bool.filter | array | optional | filter clauses
query.bool.filter[].range | object | optional | range clause, for example on @timestamp

Output
name | type | description
status_code | number | HTTP status code of the response
reason | string | response reason phrase
took | number | time taken in milliseconds
timed_out | boolean | whether the update timed out
total | number | alerts matched
updated | number | alerts updated
deleted | number | alerts deleted
batches | number | scroll batches processed
version_conflicts | number | alerts skipped because of a version conflict
noops | number | alerts that needed no change
retries | object | retry counts
retries.bulk | number | bulk retries
retries.search | number | search retries
throttled_millis | number | time spent throttled
requests_per_second | number | throttle setting used
throttled_until_millis | number | remaining throttle time
failures | array | per-document failures
file_name | string | name of the resource
file | string | output field file

Example
[
  {
    "status_code": 200,
    "response_headers": {
      "x-content-type-options": "nosniff",
      "referrer-policy": "no-referrer-when-downgrade",
      "kbn-name": "ubu2004template",
      "kbn-license-sig": "a43abc045d066ce42208f51f7d1f6ab599a400a120e87ef8e5ed3b4b62b5bfea",
      "content-type": "application/json; charset=utf-8",
      "cache-control": "private, no-cache, no-store, must-revalidate",
      "vary": "accept-encoding",
      "content-encoding": "gzip",
      "date": "Wed, 15 Mar 2023 20:49:15 GMT",
      "connection": "keep-alive",
      "keep-alive": "timeout=120",
      "transfer-encoding": "chunked"
    },
    "reason": "OK",
    "json_body": {
      "took": 9594,
      "timed_out": false,
      "total": 8794,
      "updated": 8794,
      "deleted": 0,
      "batches": 9,
      "version_conflicts": 0,
      "noops": 0,
      "retries": {},
      "throttled_millis": 0,
      "requests_per_second": 1,
      "throttled_until_millis": 0,
      "failures": []
    }
  }
]

Set default Elastic Security UI connector
Configure the default case connector and closure type for the Elastic Security UI. Both a connector and a closure_type are required.

Endpoint URL: /api/cases/configure
Method: POST

Input
name | type | required | description
connector | object | required | the external connector cases are pushed to
connector.id | string | required | id of the connector
connector.name | string | required | name of the connector
connector.type | string | required | connector type (for example .none when no external system is used)
connector.fields | object | required | connector-specific fields
connector.fields.caseId | object | optional | unique identifier
closure_type | string | required | when cases are closed: close-by-user or close-by-pushing
owner | string | optional | owning application, for example securitySolution

Output
name | type | description
status_code | number | HTTP status code of the response
reason | string | response reason phrase
closure_type | string | closure type configured
connector | object | connector configured
connector.id | string | id of the connector
connector.type | string | connector type
connector.fields | object | connector-specific fields
connector.fields.caseId | object | unique identifier
connector.name | string | name of the connector
owner | string | owning application
created_at | string | when the configuration was created
created_by | object | user that created the configuration
created_by.username | string | username
created_by.full_name | object | full name
created_by.email | object | email address
updated_at | object | when the configuration was last updated
updated_by | object | user that last updated it
mappings | array | case field mappings for the connector
mappings[].source | string | case field
mappings[].target | string | external field
mappings[].action_type | string | how the field is pushed
version | string | version token of the configuration
error | object | error message, if any
id | string | id of the configuration

Example
[
  {
    "status_code": 200,
    "response_headers": {
      "cache-control": "private, no-cache, no-store, must-revalidate",
      "content-length": "626",
      "content-security-policy": "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'",
      "content-type": "application/json; charset=utf-8",
      "cross-origin-opener-policy": "same-origin",
      "date": "Tue, 03 Oct 2023 17:21:57 GMT",
      "kbn-license-sig": "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519",
      "kbn-name": "instance-0000000000",
      "permissions-policy": "camera=(), display-capture=(), fullscreen=(self), geolocation=(), microphone=(), ",
      "referrer-policy": "no-referrer-when-downgrade",
      "x-cloud-request-id": "qnu5n2icqbm usce vwlwg",
      "x-content-type-options": "nosniff",
      "x-found-handling-cluster": "397bafc2854d4f8ebe25ade55fbf3b17",
      "x-found-handling-instance": "instance-0000000000"
    },
    "reason": "OK",
    "json_body": {
      "closure_type": "close-by-user",
      "connector": {},
      "owner": "securitySolution",
      "created_at": "2023-10-03T17:21:56.448Z",
      "created_by": {},
      "updated_at": null,
      "updated_by": null,
      "mappings": [],
      "version": "WzE4LDFd",
      "error": null,
      "id": "5a48f180-6211-11ee-924f-eb8f01880390"
    }
  }
]

Set signal status
Update the workflow status of the given signals (alerts) in Elastic Security by id. This is the id-only form of Set alert status above and uses the same endpoint; the connector only surfaces the HTTP status here, so use Set alert status when you need the updated/total counts.

Endpoint URL: /api/detection_engine/signals/status
Method: POST

Input
name | type | required | description
status | string | required | new status: open, acknowledged or closed
signal_ids | array | required | ids of the alerts to update

Output
name | type | description
status_code | number | HTTP status code of the response
reason | string | response reason phrase

Example
[
  {
    "status_code": 200,
    "response_headers": {
      "cache-control": "private, no-cache, no-store, must-revalidate",
      "content-length": "160",
      "content-security-policy": "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'",
      "content-type": "application/json; charset=utf-8",
      "cross-origin-opener-policy": "same-origin",
      "date": "Wed, 04 Oct 2023 13:41:10 GMT",
      "kbn-license-sig": "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519",
      "kbn-name": "instance-0000000000",
      "permissions-policy": "camera=(), display-capture=(), fullscreen=(self), geolocation=(), microphone=(), ",
      "referrer-policy": "no-referrer-when-downgrade",
      "x-cloud-request-id": "gl qihidt uz2 pkkhdfia",
      "x-content-type-options": "nosniff",
      "x-found-handling-cluster": "397bafc2854d4f8ebe25ade55fbf3b17",
      "x-found-handling-instance": "instance-0000000000"
    },
    "reason": "OK",
    "json_body": {}
  }
]
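The alert and response-action calls above are usually chained in one playbook step: search for open alerts on a host (Get signals), isolate the host (Isolate a host / Release an isolated host), wait for the action to complete (List response actions), then acknowledge the alerts (Set alert status / Set signal status). The following is an added example, not Swimlane or Elastic code, that builds those request bodies and interprets the responses offline using only the field names documented on this page. The host name, rule names, alert ids and the sample responses are constructed for the example; the action id and agent id are taken from the page's own examples.

```python
"""Alert triage and host containment against the Elastic Security APIs.

Added example: builds the request bodies and reads the responses documented
above without making any network calls. Sample data is constructed.
"""
import base64


def auth_headers(api_key=None, username=None, password=None):
    """Headers for either prerequisite credential type: an API key or HTTP
    basic auth. Kibana also requires kbn-xsrf on every non-GET request."""
    if api_key:
        authorization = "ApiKey " + api_key
    elif username and password:
        token = base64.b64encode(f"{username}:{password}".encode()).decode()
        authorization = "Basic " + token
    else:
        raise ValueError("an API key or a username and password is required")
    return {"Authorization": authorization, "kbn-xsrf": "true",
            "Content-Type": "application/json"}


def open_alerts_query(host_name, hours=24, size=100):
    """Body for POST /api/detection_engine/signals/search: open alerts for one
    host in the last `hours`, newest first. kibana.alert.workflow_status holds
    the open/acknowledged/closed state; host.name is the ECS host field."""
    return {
        "size": size,
        "query": {"bool": {"filter": [
            {"match": {"host.name": host_name}},
            {"match": {"kibana.alert.workflow_status": "open"}},
            {"range": {"@timestamp": {"gte": f"now-{hours}h", "lte": "now"}}},
        ]}},
        "sort": [{"@timestamp": {"order": "desc"}}],
    }


def alert_summary(search_body):
    """(alert _id, rule name) pairs from the json_body of Get signals."""
    return [(hit["_id"], hit["_source"]["kibana.alert.rule.name"])
            for hit in search_body["hits"]["hits"]]


def isolate_body(endpoint_ids, alert_ids, comment):
    """Body for POST /api/endpoint/action/isolate (same shape for /unisolate).
    alert_ids links the action to the alerts it was taken for."""
    if not endpoint_ids:
        raise ValueError("endpoint_ids is required")
    return {"endpoint_ids": list(endpoint_ids), "alert_ids": list(alert_ids),
            "comment": comment}


def action_state(action_body):
    """Classify the `data` object of a response action. A 200 on /isolate only
    means the action was queued; the host is isolated once isCompleted and
    wasSuccessful are both true and no errors were reported."""
    data = action_body["data"]
    if data.get("errors"):
        return "failed"
    if data.get("isExpired"):
        return "expired"
    if not data.get("isCompleted"):
        return "pending"
    return "succeeded" if data.get("wasSuccessful") else "failed"


def status_update(alert_ids, status):
    """Body for POST /api/detection_engine/signals/status by id (the same
    endpoint accepts `query` instead of `signal_ids` for bulk changes)."""
    if status not in ("open", "acknowledged", "closed"):
        raise ValueError("status must be open, acknowledged or closed")
    return {"signal_ids": list(alert_ids), "status": status}


# Constructed sample responses in the shapes documented above.
SAMPLE_SEARCH = {
    "took": 4, "timed_out": False,
    "hits": {"total": {"value": 2, "relation": "eq"}, "hits": [
        {"_index": ".internal.alerts-security.alerts-default-000001", "_id": "alert-1",
         "_source": {"kibana.alert.rule.name": "Constructed Rule A",
                     "kibana.alert.workflow_status": "open", "host.name": "ws-017"}},
        {"_index": ".internal.alerts-security.alerts-default-000001", "_id": "alert-2",
         "_source": {"kibana.alert.rule.name": "Constructed Rule B",
                     "kibana.alert.workflow_status": "open", "host.name": "ws-017"}},
    ]},
}
SAMPLE_ISOLATE = {  # action id and agent id as in the page's examples
    "action": "233db9ea-6733-4849-9226-5a7039c7161d",
    "data": {"id": "233db9ea-6733-4849-9226-5a7039c7161d", "command": "isolate",
             "agents": ["ed518850-681a-4d60-bb98-e22640cae2a8"],
             "isCompleted": False, "wasSuccessful": False, "isExpired": False,
             "errors": None},
}


def contain_host(search_body, isolate_response, agent_id):
    """One playbook step: from the search result decide whether to isolate,
    and only once the isolation has succeeded return the status update that
    acknowledges the alerts. While the action is pending, poll
    GET /api/endpoint/action (List response actions) and call this again."""
    alerts = alert_summary(search_body)
    if not alerts:
        return None
    ids = [alert_id for alert_id, _ in alerts]
    comment = "Isolated by playbook for: " + ", ".join(name for _, name in alerts)
    request = isolate_body([agent_id], ids, comment)
    state = action_state(isolate_response)
    update = status_update(ids, "acknowledged") if state == "succeeded" else None
    return {"isolate_request": request, "state": state, "status_update": update}
```

The containment step refuses to touch alert status until the action has actually completed; an expired or failed isolation leaves the alerts open so that an analyst sees the host is still unconstrained.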
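The four Retrieve actions above (blocklist entry, event filter, host isolation exception, trusted application) all read /api/exception_lists/items and differ only in the list_id of the item returned, and Update blocklist entry below writes the same resource with PUT. The following is an added example, not Swimlane or Elastic code, that builds the GET URL, tells the artifact types apart by list_id, and assembles a full-replacement PUT body that carries the item's `_version` back so that a concurrent edit is detected rather than silently overwritten. The base URL and the SHA-256 values are constructed; the sample item is the page's own Retrieve blocklist entry response; the entry shape (file.hash.sha256, match_any, included) is the one Elastic Defend uses for hash blocklists.

```python
"""Exception-list item helpers for Elastic Defend artifacts.

Added example: builds the GET query and the PUT body for
/api/exception_lists/items offline. Base URL and hashes are constructed.
"""
import hashlib
import re
from urllib.parse import urlencode

KIBANA_URL = "https://kibana.example.internal:5601"  # assumed base URL
SHA256_RE = re.compile(r"^[0-9a-f]{64}$")

# list_id of each endpoint artifact type, as returned in the examples above
ARTIFACT_LISTS = {
    "blocklist": "endpoint_blocklists",
    "event_filter": "endpoint_event_filters",
    "host_isolation_exception": "endpoint_host_isolation_exceptions",
    "trusted_app": "endpoint_trusted_apps",
}


def item_url(item_id, namespace_type="agnostic", base=KIBANA_URL):
    """URL for GET /api/exception_lists/items. Endpoint artifacts live in the
    agnostic namespace (shared across spaces), so that is the default."""
    return f"{base}/api/exception_lists/items?" + urlencode(
        {"id": item_id, "namespace_type": namespace_type})


def artifact_kind(item):
    """Which endpoint artifact a retrieved item is, judged by its list_id,
    or None for an exception list item that is not an endpoint artifact."""
    for kind, list_id in ARTIFACT_LISTS.items():
        if item["list_id"] == list_id:
            return kind
    return None


def invalid_sha256(values):
    """Values that are not lowercase 64-character hex; a blocklist entry with
    a bad hash is accepted by the API but never matches anything."""
    return [v for v in values if not SHA256_RE.match(v)]


def blocklist_update_body(existing, sha256s, description=None, os_types=("linux",)):
    """Body for PUT /api/exception_lists/items (Update blocklist entry) that
    replaces the hashes of an existing blocklist item. PUT replaces the whole
    item, so every required field is carried over from the GET response and
    _version is sent back so that a stale update is rejected by Kibana."""
    if artifact_kind(existing) != "blocklist":
        raise ValueError("item is not a blocklist entry: " + existing["list_id"])
    hashes = sorted({h.lower() for h in sha256s})
    bad = invalid_sha256(hashes)
    if bad:
        raise ValueError("not SHA-256 hex: " + ", ".join(bad))
    return {
        "_version": existing["_version"],
        "id": existing["id"],
        "item_id": existing["item_id"],
        "namespace_type": existing["namespace_type"],
        "type": existing["type"],
        "name": existing["name"],
        "description": description or existing["description"],
        # os_types is required; fall back to the caller's choice (assumed
        # linux here) when the stored item has none
        "os_types": existing["os_types"] or list(os_types),
        "tags": existing.get("tags", []),
        # existing comments are re-sent by id; extra read-only fields from the
        # GET response are dropped so the update schema accepts them
        "comments": [{"comment": c["comment"], "id": c["id"]}
                     for c in existing.get("comments", [])],
        "entries": [{"field": "file.hash.sha256", "operator": "included",
                     "type": "match_any", "value": hashes}],
    }


def update_applied(sent, returned):
    """True when the PUT response describes the same item with a new _version
    and the entries that were sent."""
    return (returned["item_id"] == sent["item_id"]
            and returned["_version"] != sent["_version"]
            and returned["entries"] == sent["entries"])


SAMPLE_ITEM = {  # from the page's Retrieve blocklist entry example
    "_version": "WzI1ODIsMV0=", "comments": [],
    "created_at": "2023-10-05T09:23:56.384Z", "created_by": "elastic",
    "description": "these applications must be blocked", "entries": [],
    "id": "e880f600-6360-11ee-924f-eb8f01880390",
    "item_id": "695590a7-5655-480d-8375-f486de462cfb",
    "list_id": "endpoint_blocklists", "name": "linux process exceptions updates",
    "namespace_type": "agnostic", "os_types": [], "tags": [],
    "tie_breaker_id": "3f770c4b-fe1d-4293-ab3a-c61f0517ae98", "type": "simple",
}
# constructed hashes: digests of fixed strings, not real malware
CONSTRUCTED_HASHES = [hashlib.sha256(f"constructed sample {i}".encode()).hexdigest()
                      for i in range(2)]
```

If the PUT comes back with a `_version` equal to the one sent, or with different entries, the update did not land; re-read the item and rebuild the body from the fresh copy rather than retrying with the old version token.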
Suspend a process
Suspend a specific process on a host with Elastic Defend, identified by its pid on the given endpoints.

Endpoint URL: /api/endpoint/action/suspend_process
Method: POST

Input
name | type | required | description
endpoint_ids | array | optional | ids of the endpoints (Elastic Agent ids) the process runs on
alert_ids | array | optional | ids of the alerts the action is taken for
case_ids | array | optional | ids of the cases to attach the action to
pid | string | required | process id to suspend
comment | string | optional | comment recorded with the action

Output
name | type | description
status_code | number | HTTP status code of the response
reason | string | response reason phrase
data | object | response data
data.id | string | unique identifier of the action
data.agents | array | agents the action targets
data.command | string | the command that was issued
data.isExpired | boolean | whether the action expired before it completed
data.isCompleted | boolean | whether the action has completed
data.wasSuccessful | boolean | whether the operation was successful
data.errors | array | error messages, if any
data.file_name | string | name of the resource
data.file | string | output field file
data.startedAt | string | when the action was started
data.completedAt | string | when the action completed
data.outputs | object | per-agent output, keyed by agent id
data.outputs.ed518850-681a-4d60-bb98-e22640cae2a8 | object | output for one agent (the key is that agent's id)
data.outputs.<agent id>.type | string | type of the output
data.outputs.<agent id>.content | object | output content
data.createdBy | string | user that issued the action
data.comment | string | comment given with the action
data.pid | string | process id the action was issued for

Example
[
  {
    "status_code": 200,
    "response_headers": {
      "cache-control": "private, no-cache, no-store, must-revalidate",
      "content-length": "115",
      "content-security-policy": "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'",
      "content-type": "application/json; charset=utf-8",
      "cross-origin-opener-policy": "same-origin",
      "date": "Fri, 06 Oct 2023 06:36:00 GMT",
      "elastic-api-version": "2023-10-31",
      "kbn-license-sig": "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519",
      "kbn-name": "instance-0000000000",
      "permissions-policy": "camera=(), display-capture=(), fullscreen=(self), geolocation=(), microphone=(), ",
      "referrer-policy": "no-referrer-when-downgrade",
      "x-cloud-request-id": "ttrip cqtqciwwo5slhg8w",
      "x-content-type-options": "nosniff",
      "x-found-handling-cluster": "397bafc2854d4f8ebe25ade55fbf3b17",
      "x-found-handling-instance": "instance-0000000000"
    },
    "reason": "OK",
    "json_body": {
      "data": {}
    }
  }
]

Terminate a process
Terminate a process on the selected hosts with Elastic Defend, identified by its pid on the given endpoint ids.

Endpoint URL: /api/endpoint/action/kill_process
Method: POST

Input
name | type | required | description
endpoint_ids | array | required | ids of the endpoints (Elastic Agent ids) the process runs on
alert_ids | array | optional | ids of the alerts the action is taken for
case_ids | array | optional | ids of the cases to attach the action to
pid | string | required | process id to terminate
comment | string | optional | comment recorded with the action

Output
name | type | description
status_code | number | HTTP status code of the response
reason | string | response reason phrase
data | object | response data
data.id | string | unique identifier of the action
data.agents | array | agents the action targets
data.command | string | the command that was issued
data.isExpired | boolean | whether the action expired before it completed
data.isCompleted | boolean | whether the action has completed
data.wasSuccessful | boolean | whether the operation was successful
data.errors | array | error messages, if any
data.file_name | string | name of the resource
data.file | string | output field file
data.startedAt | string | when the action was started
data.completedAt | string | when the action completed
data.outputs | object | per-agent output, keyed by agent id
data.outputs.ed518850-681a-4d60-bb98-e22640cae2a8 | object | output for one agent (the key is that agent's id)
data.outputs.<agent id>.type | string | type of the output
data.outputs.<agent id>.content | object | output content
data.outputs.<agent id>.content.key | string | output field key
data.createdBy | string | user that issued the action
data.comment | string | comment given with the action
data.pid | string | process id the action was issued for

Example
[
  {
    "status_code": 200,
    "response_headers": {
      "cache-control": "private, no-cache, no-store, must-revalidate",
      "content-length": "115",
      "content-security-policy": "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'",
      "content-type": "application/json; charset=utf-8",
      "cross-origin-opener-policy": "same-origin",
      "date": "Fri, 06 Oct 2023 06:36:00 GMT",
      "elastic-api-version": "2023-10-31",
      "kbn-license-sig": "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519",
      "kbn-name": "instance-0000000000",
      "permissions-policy": "camera=(), display-capture=(), fullscreen=(self), geolocation=(), microphone=(), ",
      "referrer-policy": "no-referrer-when-downgrade",
      "x-cloud-request-id": "ttrip cqtqciwwo5slhg8w",
      "x-content-type-options": "nosniff",
      "x-found-handling-cluster": "397bafc2854d4f8ebe25ade55fbf3b17",
      "x-found-handling-instance": "instance-0000000000"
    },
    "reason": "OK",
    "json_body": {
      "data": {}
    }
  }
]

Update blocklist entry
Update a blocklist entry in Elastic Security: its description, entries, id, item_id, name, namespace_type, os_types and type. The PUT replaces the whole item, so send every required field, not only the ones that change, and pass back the `_version` obtained from Retrieve blocklist entry so that an update based on a stale copy is rejected instead of overwriting someone else's change.

Endpoint URL: /api/exception_l�ists/items
Method: PUT

Input
name | type | required | description
_version | string | optional | version token from the last read of the item
name | string | required | name of the item
description | string | required | description of the item
entries | array | required | the conditions that make up the entry
entries[].field | string | required | field the condition applies to, for example file.hash.sha256
entries[].value | array | required | values matched
entries[].type | string | required | condition type
entries[].operator | string | required | condition operator
os_types | array | required | operating systems the entry applies to
tags | array | optional | tags on the item
id | string | required | id of the item
comments | array | optional | comments on the item
file_name | string | required | name of the resource
file | string | required | parameter for update blocklist entry
item_id | string | required | stable item id
namespace_type | string | required | namespace of the item (agnostic for endpoint artifacts)
type | string | required | item type (simple)

Output
name | type | description
status_code | number | HTTP status code of the response
reason | string | response reason phrase
_version | string | new version token of the item
comments | array | comments on the item
file_name | string | name of the resource
file | string | output field file
created_at | string | when the item was created
output field created at created by string output field created by description string output field description entries array output field entries field string output field field value array value for the parameter type string type of the resource operator string output field operator id string unique identifier item id string unique identifier list id string unique identifier name string name of the resource namespace type string name of the resource os types array type of the resource tags array output field tags tie breaker id string unique identifier type string type of the resource updated at string output field updated at updated by string output field updated by example \[ { "status code" 200, "response headers" { "cache control" "private, no cache, no store, must revalidate", "content length" "478", "content security policy" "script src 'self'; worker src blob 'self'; style src 'unsafe inline' 'self'", "content type" "application/json; charset=utf 8", "cross origin opener policy" "same origin", "date" "thu, 05 oct 2023 09 55 38 gmt", "kbn license sig" "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519", "kbn name" "instance 0000000000", "permissions policy" "camera=(), display capture=(), fullscreen=(self), geolocation=(), microphone=(), ", "referrer policy" "no referrer when downgrade", "x cloud request id" "zxtys5xzt3edixskrafrpg", "x content type options" "nosniff", "x found handling cluster" "397bafc2854d4f8ebe25ade55fbf3b17", "x found handling instance" "instance 0000000000" }, "reason" "ok", "json body" { " version" "wzi1odismv0=", "comments" \[], "created at" "2023 10 05t09 23 56 384z", "created by" "elastic", "description" "these applications must be blocked", "entries" \[], "id" "e880f600 6360 11ee 924f eb8f01880390", "item id" "695590a7 5655 480d 8375 f486de462cfb", "list id" "endpoint blocklists", "name" "linux process exceptions updates", "namespace type" "agnostic", "os types" \[], "tags" \[], "tie breaker id" "3f770c4b fe1d 4293 
ab3a c61f0517ae98", "type" "simple" } } ] update cases updates specified cases in elastic kibana 8 security with details provided in the json body endpoint url /api/cases method patch input argument name type required description cases array required parameter for update cases id string required unique identifier version string required parameter for update cases connector object optional parameter for update cases id string required unique identifier name string required name of the resource type string required type of the resource fields object required parameter for update cases issuetype string required type of the resource priority object required parameter for update cases parent object required parameter for update cases caseid string optional unique identifier description string optional parameter for update cases tags array optional parameter for update cases assignees array optional parameter for update cases file name string required name of the resource file string required parameter for update cases settings object optional parameter for update cases syncalerts boolean required parameter for update cases severity string optional parameter for update cases status string optional status value title string optional parameter for update cases output parameter type description status code number http status code of the response reason string response reason phrase example \[ { "status code" 200, "response headers" { "cache control" "private, no cache, no store, must revalidate", "content length" "165", "content security policy" "script src 'self'; worker src blob 'self'; style src 'unsafe inline' 'self'", "content type" "application/json; charset=utf 8", "cross origin opener policy" "same origin", "date" "fri, 06 oct 2023 09 04 04 gmt", "kbn license sig" "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519", "kbn name" "instance 0000000000", "permissions policy" "camera=(), display capture=(), fullscreen=(self), geolocation=(), microphone=(), 
", "referrer policy" "no referrer when downgrade", "x cloud request id" "0v3ctz9aq5 dm0uxksmhag", "x content type options" "nosniff", "x found handling cluster" "397bafc2854d4f8ebe25ade55fbf3b17", "x found handling instance" "instance 0000000000" }, "reason" "ok", "json body" \[ {} ] } ] update detection event correlation rule updates an existing event correlation detection rule in elastic kibana 8 security with specified id, name, risk score, severity, and type endpoint url /api/detection engine/rules method patch input argument name type required description id string required unique identifier risk score number required score value description string required parameter for update detection event correlation rule name string required name of the resource severity string required parameter for update detection event correlation rule tags array optional parameter for update detection event correlation rule type string required type of the resource language string required parameter for update detection event correlation rule query string optional parameter for update detection event correlation rule output parameter type description status code number http status code of the response reason string response reason phrase name string name of the resource description string output field description risk score number score value severity string output field severity output index string output field output index investigation fields array output field investigation fields file name string name of the resource file string output field file tags array output field tags interval string output field interval enabled boolean output field enabled author array output field author file name string name of the resource file string output field file false positives array output field false positives file name string name of the resource file string output field file from string output field from max signals number output field max signals risk score mapping array output field 
risk score mapping file name string name of the resource file string output field file severity mapping array output field severity mapping example \[ { "status code" 200, "response headers" { "cache control" "private, no cache, no store, must revalidate", "content encoding" "gzip", "content security policy" "script src 'self'; worker src blob 'self'; style src 'unsafe inline' 'self'", "content type" "application/json; charset=utf 8", "cross origin opener policy" "same origin", "date" "wed, 04 oct 2023 10 18 52 gmt", "kbn license sig" "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519", "kbn name" "instance 0000000000", "permissions policy" "camera=(), display capture=(), fullscreen=(self), geolocation=(), microphone=(), ", "referrer policy" "no referrer when downgrade", "vary" "accept encoding", "x cloud request id" "cs8ky2kerpspozqkg3dqhq", "x content type options" "nosniff", "x found handling cluster" "397bafc2854d4f8ebe25ade55fbf3b17", "x found handling instance" "instance 0000000000" }, "reason" "ok", "json body" { "name" "rundll32 exe network connection update", "description" "unusual rundll32 exe network connection", "risk score" 21, "severity" "low", "output index" "", "investigation fields" \[], "tags" \[], "interval" "5m", "enabled" true, "author" \[], "false positives" \[], "from" "now 6m", "max signals" 100, "risk score mapping" \[], "severity mapping" \[] } } ] update detection indicator match rule updates an existing indicator match rule with parameters such as risk score and severity in elastic kibana 8 security endpoint url /api/detection engine/rules method patch input argument name type required description id string required unique identifier type string required type of the resource index array optional parameter for update detection indicator match rule query string optional parameter for update detection indicator match rule threat index array required parameter for update detection indicator match rule threat query string 
required parameter for update detection indicator match rule threat mapping array required parameter for update detection indicator match rule entries array optional parameter for update detection indicator match rule field string optional parameter for update detection indicator match rule type string optional type of the resource value string optional value for the parameter risk score number required score value severity string required parameter for update detection indicator match rule name string required name of the resource description string required parameter for update detection indicator match rule output parameter type description status code number http status code of the response reason string response reason phrase name string name of the resource description string output field description risk score number score value severity string output field severity output index string output field output index investigation fields array output field investigation fields file name string name of the resource file string output field file tags array output field tags file name string name of the resource file string output field file interval string output field interval enabled boolean output field enabled author array output field author file name string name of the resource file string output field file false positives array output field false positives file name string name of the resource file string output field file from string output field from max signals number output field max signals risk score mapping array output field risk score mapping file name string name of the resource example \[ { "status code" 200, "response headers" { "cache control" "private, no cache, no store, must revalidate", "content encoding" "gzip", "content security policy" "script src 'self'; worker src blob 'self'; style src 'unsafe inline' 'self'", "content type" "application/json; charset=utf 8", "cross origin opener policy" "same origin", "date" "wed, 04 oct 2023 10 23 37 
gmt", "kbn license sig" "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519", "kbn name" "instance 0000000000", "permissions policy" "camera=(), display capture=(), fullscreen=(self), geolocation=(), microphone=(), ", "referrer policy" "no referrer when downgrade", "vary" "accept encoding", "x cloud request id" "4rs5iksfspa3bmyyu2fgag", "x content type options" "nosniff", "x found handling cluster" "397bafc2854d4f8ebe25ade55fbf3b17", "x found handling instance" "instance 0000000000" }, "reason" "ok", "json body" { "name" "bad ip threat match update", "description" "checks for bad ip addresses listed in the ip threat list index", "risk score" 50, "severity" "medium", "output index" "", "investigation fields" \[], "tags" \[], "interval" "5m", "enabled" true, "author" \[], "false positives" \[], "from" "now 6m", "max signals" 100, "risk score mapping" \[], "severity mapping" \[] } } ] update detection ml rule updates an existing machine learning rule in elastic kibana 8 security, adjusting parameters such as risk score, severity, and more endpoint url /api/detection engine/rules method patch input argument name type required description anomaly threshold number required parameter for update detection ml rule id string required unique identifier risk score number required score value machine learning job id string required unique identifier description string required parameter for update detection ml rule interval string optional parameter for update detection ml rule name string required name of the resource note string optional parameter for update detection ml rule severity string required parameter for update detection ml rule tags array optional parameter for update detection ml rule type string required type of the resource from string optional parameter for update detection ml rule enabled boolean optional parameter for update detection ml rule throttle string optional parameter for update detection ml rule actions array optional parameter for 
update detection ml rule action type id string optional unique identifier group string optional parameter for update detection ml rule id string optional unique identifier params object optional parameter for update detection ml rule message string optional response message output parameter type description status code number http status code of the response reason string response reason phrase name string name of the resource description string output field description risk score number score value severity string output field severity note string output field note output index string output field output index investigation fields array output field investigation fields file name string name of the resource file string output field file tags array output field tags interval string output field interval enabled boolean output field enabled author array output field author file name string name of the resource file string output field file false positives array output field false positives file name string name of the resource file string output field file from string output field from max signals number output field max signals risk score mapping array output field risk score mapping file name string name of the resource file string output field file example \[ { "status code" 200, "response headers" { "cache control" "private, no cache, no store, must revalidate", "content encoding" "gzip", "content security policy" "script src 'self'; worker src blob 'self'; style src 'unsafe inline' 'self'", "content type" "application/json; charset=utf 8", "cross origin opener policy" "same origin", "date" "wed, 04 oct 2023 10 30 34 gmt", "kbn license sig" "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519", "kbn name" "instance 0000000000", "permissions policy" "camera=(), display capture=(), fullscreen=(self), geolocation=(), microphone=(), ", "referrer policy" "no referrer when downgrade", "vary" "accept encoding", "x cloud request id" 
"ugx4j7g6rpiovpe3vb7b5q", "x content type options" "nosniff", "x found handling cluster" "397bafc2854d4f8ebe25ade55fbf3b17", "x found handling instance" "instance 0000000000" }, "reason" "ok", "json body" { "name" "anomalous linux network activity update", "description" "generates alerts when the job discovers anomalies over 70", "risk score" 70, "severity" "high", "note" "shut down the internet ", "output index" "", "investigation fields" \[], "tags" \[], "interval" "5m", "enabled" true, "author" \[], "false positives" \[], "from" "now 6m", "max signals" 100, "risk score mapping" \[] } } ] update detection query rule updates an existing query detection rule in elastic kibana 8 security with specified id, name, risk score, severity, type, and query endpoint url /api/detection engine/rules method patch input argument name type required description id string required unique identifier risk score number required score value description string required parameter for update detection query rule interval string optional parameter for update detection query rule name string required name of the resource severity string required parameter for update detection query rule tags array optional parameter for update detection query rule type string required type of the resource from string optional parameter for update detection query rule query string required parameter for update detection query rule language string optional parameter for update detection query rule filters array optional parameter for update detection query rule query object optional parameter for update detection query rule match object optional parameter for update detection query rule event action object optional parameter for update detection query rule enabled boolean optional parameter for update detection query rule output parameter type description status code number http status code of the response reason string response reason phrase name string name of the resource description string output field 
description risk score number score value severity string output field severity output index string output field output index investigation fields array output field investigation fields file name string name of the resource file string output field file tags array output field tags interval string output field interval enabled boolean output field enabled author array output field author file name string name of the resource file string output field file false positives array output field false positives file name string name of the resource file string output field file from string output field from max signals number output field max signals risk score mapping array output field risk score mapping file name string name of the resource file string output field file severity mapping array output field severity mapping example \[ { "status code" 200, "response headers" { "cache control" "private, no cache, no store, must revalidate", "content encoding" "gzip", "content security policy" "script src 'self'; worker src blob 'self'; style src 'unsafe inline' 'self'", "content type" "application/json; charset=utf 8", "cross origin opener policy" "same origin", "date" "wed, 04 oct 2023 10 15 08 gmt", "kbn license sig" "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519", "kbn name" "instance 0000000000", "permissions policy" "camera=(), display capture=(), fullscreen=(self), geolocation=(), microphone=(), ", "referrer policy" "no referrer when downgrade", "vary" "accept encoding", "x cloud request id" "r1hycu3atd fevzfaixwzg", "x content type options" "nosniff", "x found handling cluster" "397bafc2854d4f8ebe25ade55fbf3b17", "x found handling instance" "instance 0000000000" }, "reason" "ok", "json body" { "name" "ms office child process update", "description" "process started by ms office program possible payload", "risk score" 50, "severity" "low", "output index" "", "investigation fields" \[], "tags" \[], "interval" "1h", "enabled" false, "author" \[], 
"false positives" \[], "from" "now 70m", "max signals" 100, "risk score mapping" \[], "severity mapping" \[] } } ] update detection threshold rule updates an existing query threshold rule in elastic kibana 8 security with parameters such as id, name, risk score, and severity endpoint url /api/detection engine/rules method patch input argument name type required description description string required parameter for update detection threshold rule enabled boolean optional parameter for update detection threshold rule from string optional parameter for update detection threshold rule index array optional parameter for update detection threshold rule interval string optional parameter for update detection threshold rule name string required name of the resource query string required parameter for update detection threshold rule risk score number required score value id string required unique identifier severity string required parameter for update detection threshold rule severity mapping array optional parameter for update detection threshold rule field string optional parameter for update detection threshold rule operator string optional parameter for update detection threshold rule severity string optional parameter for update detection threshold rule value string optional value for the parameter tags array optional parameter for update detection threshold rule threshold object required parameter for update detection threshold rule field string required parameter for update detection threshold rule value number required value for the parameter type string required type of the resource output parameter type description status code number http status code of the response reason string response reason phrase name string name of the resource description string output field description risk score number score value severity string output field severity output index string output field output index investigation fields array output field investigation fields file name 
string name of the resource file string output field file tags array output field tags interval string output field interval enabled boolean output field enabled author array output field author file name string name of the resource file string output field file false positives array output field false positives file name string name of the resource file string output field file from string output field from max signals number output field max signals risk score mapping array output field risk score mapping file name string name of the resource file string output field file severity mapping array output field severity mapping example \[ { "status code" 200, "response headers" { "cache control" "private, no cache, no store, must revalidate", "content encoding" "gzip", "content security policy" "script src 'self'; worker src blob 'self'; style src 'unsafe inline' 'self'", "content type" "application/json; charset=utf 8", "cross origin opener policy" "same origin", "date" "wed, 04 oct 2023 10 41 52 gmt", "kbn license sig" "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519", "kbn name" "instance 0000000000", "permissions policy" "camera=(), display capture=(), fullscreen=(self), geolocation=(), microphone=(), ", "referrer policy" "no referrer when downgrade", "vary" "accept encoding", "x cloud request id" "hccyn59lrbianxeuwy6 sg", "x content type options" "nosniff", "x found handling cluster" "397bafc2854d4f8ebe25ade55fbf3b17", "x found handling instance" "instance 0000000000" }, "reason" "ok", "json body" { "name" "liverpool windows server prml 19 update", "description" "detects when there are 20 or more failed login attempts from the same ip address ", "risk score" 30, "severity" "low", "output index" "", "investigation fields" \[], "tags" \[], "interval" "2m", "enabled" true, "author" \[], "false positives" \[], "from" "now 180s", "max signals" 100, "risk score mapping" \[], "severity mapping" \[] } } ] update elastic security case closure connector 
Updates the case closure connector settings in Elastic Kibana 8 Security with a given configuration ID and version.

**Endpoint URL:** `/api/cases/configure/{{configuration_id}}`
**Method:** PATCH

**Input:**

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| configuration_id | string | required | Unique identifier |
| connector | object | required | Parameter for Update Elastic Security Case Closure Connector |
| id | string | required | Unique identifier |
| name | string | required | Name of the resource |
| type | string | required | Type of the resource |
| fields | object | required | Parameter for Update Elastic Security Case Closure Connector |
| caseId | object | optional | Unique identifier |
| closure_type | string | optional | Type of the resource |
| version | string | required | Parameter for Update Elastic Security Case Closure Connector |

**Output:**

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| closure_type | string | Type of the resource |
| connector | object | Output field connector |
| id | string | Unique identifier |
| type | string | Type of the resource |
| fields | object | Output field fields |
| caseId | object | Unique identifier |
| name | string | Name of the resource |
| owner | string | Output field owner |
| created_at | string | Output field created_at |
| created_by | object | Output field created_by |
| username | string | Name of the resource |
| full_name | object | Name of the resource |
| email | object | Output field email |
| updated_at | string | Output field updated_at |
| updated_by | object | Output field updated_by |
| username | string | Name of the resource |
| full_name | object | Name of the resource |
| email | object | Output field email |
| mappings | array | Output field mappings |
| source | string | Output field source |
| target | string | Output field target |
| action_type | string | Type of the resource |
| version | string | Output field version |

**Example:**

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "cache-control": "private, no-cache, no-store, must-revalidate",
      "content-length": "693",
      "content-security-policy": "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'",
      "content-type": "application/json; charset=utf-8",
      "cross-origin-opener-policy": "same-origin",
      "date": "Tue, 03 Oct 2023 17:35:06 GMT",
      "kbn-license-sig": "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519",
      "kbn-name": "instance-0000000000",
      "permissions-policy": "camera=(), display-capture=(), fullscreen=(self), geolocation=(), microphone=(), ",
      "referrer-policy": "no-referrer-when-downgrade",
      "x-cloud-request-id": "xu89vi5jqlojiqsmleb2bw",
      "x-content-type-options": "nosniff",
      "x-found-handling-cluster": "397bafc2854d4f8ebe25ade55fbf3b17",
      "x-found-handling-instance": "instance-0000000000"
    },
    "reason": "OK",
    "json_body": {
      "closure_type": "close-by-pushing",
      "connector": {},
      "owner": "securitySolution",
      "created_at": "2023-10-03T17:21:56.448Z",
      "created_by": {},
      "updated_at": "2023-10-03T17:35:06.557Z",
      "updated_by": {},
      "mappings": [],
      "version": "WzIxLDFd",
      "error": null,
      "id": "5a48f180-6211-11ee-924f-eb8f01880390"
    }
  }
]
```

### Update Event Filter

Updates an existing event filter in Elastic Kibana 8 Security, including description, entries, id, item_id, name, namespace_type, os_types, and type.

**Endpoint URL:** `/api/exception_lists/items`
**Method:** PUT

**Input:**

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| _version | string | optional | Parameter for Update Event Filter |
| name | string | required | Name of the resource |
| description | string | required | Parameter for Update Event Filter |
| entries | array | required | Parameter for Update Event Filter |
| field | string | required | Parameter for Update Event Filter |
| operator | string | required | Parameter for Update Event Filter |
| type | string | required | Type of the resource |
| value | string | required | Value for the parameter |
| os_types | array | required | Type of the resource |
| tags | array | optional | Parameter for Update Event Filter |
| id | string | required | Unique identifier |
| comments | array | optional | Parameter for Update Event Filter |
| comment | string | optional | Parameter for Update Event Filter |
| id | string | optional | Unique identifier |
| item_id | string | required | Unique identifier |
| namespace_type | string | required | Name of the resource |
| type | string | required | Type of the resource |
**Output:**

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| _version | string | Output field _version |
| comments | array | Output field comments |
| comment | string | Output field comment |
| created_at | string | Output field created_at |
| created_by | string | Output field created_by |
| id | string | Unique identifier |
| created_at | string | Output field created_at |
| created_by | string | Output field created_by |
| description | string | Output field description |
| entries | array | Output field entries |
| field | string | Output field field |
| operator | string | Output field operator |
| type | string | Type of the resource |
| value | string | Value for the parameter |
| id | string | Unique identifier |
| item_id | string | Unique identifier |
| list_id | string | Unique identifier |
| name | string | Name of the resource |
| namespace_type | string | Name of the resource |
| os_types | array | Type of the resource |
| tags | array | Output field tags |
| tie_breaker_id | string | Unique identifier |
| type | string | Type of the resource |

**Example:**

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "cache-control": "private, no-cache, no-store, must-revalidate",
      "content-length": "954",
      "content-security-policy": "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'",
      "content-type": "application/json; charset=utf-8",
      "cross-origin-opener-policy": "same-origin",
      "date": "Thu, 05 Oct 2023 13:17:44 GMT",
      "kbn-license-sig": "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519",
      "kbn-name": "instance-0000000000",
      "permissions-policy": "camera=(), display-capture=(), fullscreen=(self), geolocation=(), microphone=(), ",
      "referrer-policy": "no-referrer-when-downgrade",
      "x-cloud-request-id": "ge1s4btzsh6xwc94lpbxlq",
      "x-content-type-options": "nosniff",
      "x-found-handling-cluster": "397bafc2854d4f8ebe25ade55fbf3b17",
      "x-found-handling-instance": "instance-0000000000"
    },
    "reason": "OK",
    "json_body": {
      "_version": "WzI1ODYsMV0=",
      "comments": [],
      "created_at": "2023-10-05T10:32:35.833Z",
      "created_by": "elastic",
      "description": "some description about this entry updated",
      "entries": [],
      "id": "7fe2fe90-636a-11ee-924f-eb8f01880390",
      "item_id": "2afcc085-e670-4042-88c7-c686400075e2",
      "list_id": "endpoint_event_filters",
      "name": "some name for this item updated",
      "namespace_type": "agnostic",
      "os_types": [],
      "tags": [],
      "tie_breaker_id": "2ccdba14-27d4-4c94-851f-ac0dff40b4a0",
      "type": "simple"
    }
  }
]
```

### Update Host Isolation Exception

Updates an existing host isolation exception in Elastic Kibana 8 Security, including description, entries, id, and os_types.

**Endpoint URL:** `/api/exception_lists/items`
**Method:** PUT

**Input:**

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| _version | string | optional | Parameter for Update Host Isolation Exception |
| description | string | required | Parameter for Update Host Isolation Exception |
| entries | array | required | Parameter for Update Host Isolation Exception |
| field | string | required | Parameter for Update Host Isolation Exception |
| type | string | required | Type of the resource |
| value | string | required | Value for the parameter |
| operator | string | required | Parameter for Update Host Isolation Exception |
| id | string | required | Unique identifier |
| item_id | string | required | Unique identifier |
| name | string | required | Name of the resource |
| namespace_type | string | required | Name of the resource |
| tags | array | optional | Parameter for Update Host Isolation Exception |
| os_types | array | required | Type of the resource |
| type | string | required | Type of the resource |

**Output:**

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| _version | string | Output field _version |
| comments | array | Output field comments |
| file name | string | Name of the resource |
| file | string | Output field file |
| created_at | string | Output field created_at |
| created_by | string | Output field created_by |
| description | string | Output field description |
| entries | array | Output field entries |
| field | string | Output field field |
| type | string | Type of the resource |
| value | string | Value for the parameter |
| operator | string | Output field operator |
| id | string | Unique identifier |
| item_id | string | Unique identifier |
| list_id | string | Unique identifier |
| name | string | Name of the resource |
| namespace_type | string | Name of the resource |
| os_types | array | Type of the resource |
| tags | array | Output field tags |
| tie_breaker_id | string | Unique identifier |
| type | string | Type of the resource |
| updated_at | string | Output field updated_at |
| updated_by | string | Output field updated_by |

**Example:**

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "cache-control": "private, no-cache, no-store, must-revalidate",
      "content-length": "663",
      "content-security-policy": "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'",
      "content-type": "application/json; charset=utf-8",
      "cross-origin-opener-policy": "same-origin",
      "date": "Thu, 05 Oct 2023 17:07:27 GMT",
      "kbn-license-sig": "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519",
      "kbn-name": "instance-0000000000",
      "permissions-policy": "camera=(), display-capture=(), fullscreen=(self), geolocation=(), microphone=(), ",
      "referrer-policy": "no-referrer-when-downgrade",
      "x-cloud-request-id": "saiyedlptio2jqujg8yfra",
      "x-content-type-options": "nosniff",
      "x-found-handling-cluster": "397bafc2854d4f8ebe25ade55fbf3b17",
      "x-found-handling-instance": "instance-0000000000"
    },
    "reason": "OK",
    "json_body": {
      "_version": "WzI1OTAsMV0=",
      "comments": [],
      "created_at": "2023-10-05T16:59:10.441Z",
      "created_by": "elastic",
      "description": "via api",
      "entries": [],
      "id": "80f34d90-63a0-11ee-924f-eb8f01880390",
      "item_id": "fb00f1ac-11cd-432e-be2f-1bb7fa5ca7e0",
      "list_id": "endpoint_host_isolation_exceptions",
      "name": "host isolation exception created with api update",
      "namespace_type": "agnostic",
      "os_types": [],
      "tags": [],
      "tie_breaker_id": "3d200c83-5581-42f7-ba46-4c16792276a4",
      "type": "simple"
    }
  }
]
```

### Update List Container

Updates an existing list container in Elastic Kibana 8 Security using the provided 'id', 'name', and 'description'.

**Endpoint URL:** `/api/lists`
**Method:** PATCH

**Input:**

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| name | string | required | Name of the resource |
| description | string | required | Parameter for Update List Container |
| _version | string | optional | Parameter for Update List Container |
| id | string | required | Unique identifier |

**Output:**

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| _version | string | Output field _version |
| created_at | string | Output field created_at |
| created_by | string | Output field created_by |
| description | string | Output field description |
| deserializer | string | Output field deserializer |
| id | string | Unique identifier |
| immutable | boolean | Output field immutable |
| name | string | Name of the resource |
| serializer | string | Output field serializer |
| tie_breaker_id | string | Unique identifier |
| type | string | Type of the resource |
| updated_at | string | Output field updated_at |
| updated_by | string | Output field updated_by |
| version | number | Output field version |

**Example:**

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "cache-control": "private, no-cache, no-store, must-revalidate",
      "content-length": "495",
      "content-security-policy": "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'",
      "content-type": "application/json; charset=utf-8",
      "cross-origin-opener-policy": "same-origin",
      "date": "Thu, 05 Oct 2023 06:06:07 GMT",
      "kbn-license-sig": "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519",
      "kbn-name": "instance-0000000000",
      "permissions-policy": "camera=(), display-capture=(), fullscreen=(self), geolocation=(), microphone=(), ",
      "referrer-policy": "no-referrer-when-downgrade",
      "x-cloud-request-id": "8stglzsssfi6cbsdezcxpa",
      "x-content-type-options": "nosniff",
      "x-found-handling-cluster": "397bafc2854d4f8ebe25ade55fbf3b17",
      "x-found-handling-instance": "instance-0000000000"
    },
    "reason": "OK",
    "json_body": {
      "_version": "WzMsMV0=",
      "created_at": "2023-10-04T17:23:14.443Z",
      "created_by": "elastic",
      "description": "contains list items that exclude internal ip addresses from detection rules ",
      "deserializer": "{{{gte}}} {{{lte}}}",
      "id": "internal ip range excludes",
      "immutable": false,
      "name": "exclude internal ip addresses update",
      "serializer": "(?<gte>.+)/(?<lte>.+)",
      "tie_breaker_id": "10382723-9f9d-4959-b50f-bd02b9c973ba",
      "type": "ip",
      "updated_at": "2023-10-05T06:06:06.393Z",
      "updated_by": "elastic",
      "version": 2
    }
  }
]
```

### Update List Item

Updates an existing list item in Elastic Kibana 8 Security using the specified 'id' and 'value'.

**Endpoint URL:** `/api/lists/items`
**Method:** PATCH

**Input:**

| Argument | Type | Required | Description |
| --- | --- | --- | --- |
| id | string | required | Unique identifier |
| value | string | required | Value for the parameter |
| _version | string | optional | Parameter for Update List Item |

**Output:**

| Parameter | Type | Description |
| --- | --- | --- |
| status_code | number | HTTP status code of the response |
| reason | string | Response reason phrase |
| _version | string | Output field _version |
| created_at | string | Output field created_at |
| created_by | string | Output field created_by |
| id | string | Unique identifier |
| list_id | string | Unique identifier |
| tie_breaker_id | string | Unique identifier |
| type | string | Type of the resource |
| updated_at | string | Output field updated_at |
| updated_by | string | Output field updated_by |
| value | string | Value for the parameter |

**Example:**

```json
[
  {
    "status_code": 200,
    "response_headers": {
      "cache-control": "private, no-cache, no-store, must-revalidate",
      "content-length": "291",
      "content-security-policy": "script-src 'self'; worker-src blob: 'self'; style-src 'unsafe-inline' 'self'",
      "content-type": "application/json; charset=utf-8",
      "cross-origin-opener-policy": "same-origin",
      "date": "Thu, 05 Oct 2023 06:34:58 GMT",
      "kbn-license-sig": "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519",
      "kbn-name": "instance-0000000000",
      "permissions-policy": "camera=(), display-capture=(), fullscreen=(self), geolocation=(), microphone=(), ",
      "referrer-policy": "no-referrer-when-downgrade",
      "x-cloud-request-id": "gailx5 ltve6m8nfhyeksg",
      "x-content-type-options": "nosniff",
      "x-found-handling-cluster": "397bafc2854d4f8ebe25ade55fbf3b17",
      "x-found-handling-instance": "instance-0000000000"
    },
    "reason": "OK",
    "json_body": {
      "_version": "WzEsMV0=",
      "created_at": "2023-10-04T17:29:19.819Z",
      "created_by": "elastic",
      "id"
```
"internal ip 1", "list id" "internal ip excludes", "tie breaker id" "9e492985 270f 45fe 9d3f c07dc94285de", "type" "ip", "updated at" "2023 10 05t06 34 58 159z", "updated by" "elastic", "value" "10 0 0 12" } } ] update trusted application updates an existing trusted application in elastic kibana 8 security, including description, entries, id, and os types endpoint url /api/exception lists/items method put input argument name type required description version string optional parameter for update trusted application name string required name of the resource description string required parameter for update trusted application entries array required parameter for update trusted application field string required parameter for update trusted application value string required value for the parameter type string required type of the resource operator string required parameter for update trusted application os types array required type of the resource tags array optional parameter for update trusted application id string required unique identifier comments array optional parameter for update trusted application comment string optional parameter for update trusted application item id string required unique identifier namespace type string required name of the resource type string required type of the resource output parameter type description status code number http status code of the response reason string response reason phrase version string output field version comments array output field comments comment string output field comment created at string output field created at created by string output field created by id string unique identifier created at string output field created at created by string output field created by description string output field description entries array output field entries field string output field field value string value for the parameter type string type of the resource operator string output field operator id string unique identifier 
item id string unique identifier list id string unique identifier name string name of the resource namespace type string name of the resource os types array type of the resource tags array output field tags tie breaker id string unique identifier type string type of the resource example \[ { "status code" 200, "response headers" { "cache control" "private, no cache, no store, must revalidate", "content length" "786", "content security policy" "script src 'self'; worker src blob 'self'; style src 'unsafe inline' 'self'", "content type" "application/json; charset=utf 8", "cross origin opener policy" "same origin", "date" "fri, 06 oct 2023 06 19 54 gmt", "kbn license sig" "32d677b996af4c7f688b50f4fe5a1f16e20a7342641acb3e8f21395ff4e79519", "kbn name" "instance 0000000000", "permissions policy" "camera=(), display capture=(), fullscreen=(self), geolocation=(), microphone=(), ", "referrer policy" "no referrer when downgrade", "x cloud request id" "sfj5uzinq7slh06gmmr8iq", "x content type options" "nosniff", "x found handling cluster" "397bafc2854d4f8ebe25ade55fbf3b17", "x found handling instance" "instance 0000000000" }, "reason" "ok", "json body" { " version" "wzi1otusmv0=", "comments" \[], "created at" "2023 10 06t06 11 43 715z", "created by" "elastic", "description" "this app is good", "entries" \[], "id" "38e91330 640f 11ee 924f eb8f01880390", "item id" "cbc73361 5d6f 4cbd 84c2 eb3564a934ae", "list id" "endpoint trusted app", "name" "create endpoint trusted app updated!", "namespace type" "agnostic", "os types" \[], "tags" \[], "tie breaker id" "80021764 e6b0 4000 895d 9d324ec3f273", "type" "simple" } } ] response headers header description example accept ranges http response header accept ranges bytes cache control directives for caching mechanisms private, no cache, no store, must revalidate connection http response header connection keep alive content disposition http response header content disposition attachment; filename="export ndjson" content encoding http 
response header content encoding gzip content length the length of the response body in bytes 287 content security policy http response header content security policy script src 'self'; worker src blob 'self'; style src 'unsafe inline' 'self' content type the media type of the resource application/ndjson cross origin opener policy http response header cross origin opener policy same origin date the date and time at which the message was originated thu, 05 oct 2023 09 23 57 gmt elastic api version http response header elastic api version 2023 10 31 kbn license sig http response header kbn license sig a43abc045d066ce42208f51f7d1f6ab599a400a120e87ef8e5ed3b4b62b5bfea kbn name http response header kbn name ubu2004template keep alive http response header keep alive timeout=120 permissions policy http response header permissions policy camera=(), display capture=(), fullscreen=(self), geolocation=(), microphone=(), web share=() referrer policy http response header referrer policy no referrer when downgrade transfer encoding http response header transfer encoding chunked vary http response header vary accept encoding warning http response header warning 299 kibana 8 10 2 "deprecated query parameter includecomments" x cloud request id http response header x cloud request id xkevmdbcqk2mp3mqydtvta x content type options http response header x content type options nosniff x found handling cluster http response header x found handling cluster 397bafc2854d4f8ebe25ade55fbf3b17 x found handling instance http response header x found handling instance instance 0000000000 notes for more information, see the elactic security api documentation (8 10(current)) https //www elastic co/guide/en/kibana/8 10/api html this connector was last tested against product version elastic kibana 8 10
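Added example for the Update List Container and Update List Item actions above (not Swimlane's or Elastic's code): it builds the PATCH request, carrying the optional `_version` so Kibana can reject a stale update instead of overwriting a concurrent change, and checks the response against the documented output fields. It assumes the `kbn-xsrf` header Kibana requires on write calls and the `Basic` / `ApiKey` Authorization formats for the two prerequisite auth schemes; the sample values in the comments are constructed.

```python
import base64
import json

# Assumption (not on the page): Kibana rejects non-GET API calls that lack a
# kbn-xsrf header; any value works, the header only has to be present.
KBN_XSRF = "true"

# Documented output fields a successful response must carry, per action.
REQUIRED_FIELDS = {
    "container": {"_version", "id", "name", "description", "type", "updated_at", "updated_by", "version"},
    "item": {"_version", "id", "list_id", "type", "value", "updated_at", "updated_by"},
}


def auth_header(username=None, password=None, api_key=None):
    """Authorization value for the two schemes the prerequisites list."""
    if api_key:  # Kibana takes the key as base64(id:api_key)
        return "ApiKey " + api_key
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


def build_update(base_url, kind, auth, **fields):
    """Request dict for PATCH /api/lists (kind="container") or
    PATCH /api/lists/items (kind="item"). Pass the _version from your last
    read to get optimistic concurrency: Kibana then rejects the update if
    the document changed in between instead of silently overwriting it."""
    paths = {"container": "/api/lists", "item": "/api/lists/items"}
    if "id" not in fields:
        raise ValueError("id is required for an update")
    body = {k: v for k, v in fields.items() if v is not None}  # drop unset optionals
    return {
        "method": "PATCH",
        "url": base_url.rstrip("/") + paths[kind],
        "headers": {"Authorization": auth, "kbn-xsrf": KBN_XSRF, "Content-Type": "application/json"},
        "body": json.dumps(body),
    }


def parse_update_response(kind, status_code, body_text):
    """Check a response against the documented status code and output fields."""
    if status_code != 200:
        raise RuntimeError(f"update failed with HTTP {status_code}")
    body = json.loads(body_text)
    missing = REQUIRED_FIELDS[kind] - set(body)
    if missing:
        raise ValueError(f"response lacks documented fields: {sorted(missing)}")
    return body
```

Sending the returned request dict with any HTTP client and feeding the status code and body into `parse_update_response` gives you a validated item or container, e.g. `build_update("https://kibana.example:5601", "item", auth_header("elastic", "pw"), id="internal_ip_1", value="10.0.0.12", _version="WzEsMV0=")` (constructed values).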