Server path: /kibana-security | Type: Application | PCID required: Yes

Tools

| Tool | Description |
| --- | --- |
| kibana_security_create_alerts_index | Create an alerts index |
| kibana_security_create_list | Create a value list |
| kibana_security_create_list_item | Create a value list item |
| kibana_security_create_rule | Create a detection rule |
| kibana_security_delete_alerts_index | Delete an alerts index |
| kibana_security_delete_list | Delete a value list |
| kibana_security_delete_list_index | Delete value list data streams |
| kibana_security_delete_list_item | Delete a value list item |
| kibana_security_delete_rule | Delete a detection rule |
| kibana_security_export_list_items | Export value list items |
| kibana_security_export_rules | Export detection rules |
| kibana_security_find_list_items | Get value list items |
| kibana_security_find_lists | Get value lists |
| kibana_security_find_rules | List all detection rules |
| kibana_security_import_list_items | Import value list items |
| kibana_security_import_rules | Import detection rules |
| kibana_security_install_prebuilt_rules_and_timelines | Install prebuilt detection rules and Timelines |
| kibana_security_patch_list | Patch a value list |
| kibana_security_patch_list_item | Patch a value list item |
| kibana_security_patch_rule | Patch a detection rule |
| kibana_security_perform_rules_bulk_action | Apply a bulk action to detection rules |
| kibana_security_read_alerts_index | Reads the alert index name if it exists |
| kibana_security_read_list | Get value list details |
| kibana_security_read_list_index | Get status of value list data streams |
| kibana_security_read_list_item | Get a value list item |
| kibana_security_read_list_privileges | Get value list privileges |
| kibana_security_read_prebuilt_rules_and_timelines_status | Retrieve the status of prebuilt detection rules and Timelines |
| kibana_security_read_privileges | Returns user privileges for the Kibana space |
| kibana_security_read_rule | Retrieve a detection rule |
| kibana_security_read_tags | List all detection rule tags |
| kibana_security_rule_preview | Preview rule alerts generated on a specified time range |
| kibana_security_search_alerts | Find and/or aggregate detection alerts |
| kibana_security_set_alert_assignees | Assign and unassign users from detection alerts |
| kibana_security_set_alert_tags | Add and remove detection alert tags |
| kibana_security_set_alerts_status | Set a detection alert status |
| kibana_security_update_list | Update a value list |
| kibana_security_update_list_item | Update a value list item |
| kibana_security_update_rule | Update a detection rule |

kibana_security_create_alerts_index

Create an alerts index

kibana_security_create_list

Create a value list

Parameters:

| Parameter | Type | Required | Default | Description |
| --- | --- | --- | --- | --- |
| description | string | Yes |  | Describes the value list. |
| id | string | No |  | Value list’s identifier. |
| meta | object | No |  | Placeholder for metadata about the value list. |
| name | string | Yes |  | Value list’s name. |
| type | string | Yes |  | Specifies the Elasticsearch data type of the values the list container holds. Common examples: keyword (many ECS fields are Elasticsearch keywords), ip (IP addresses), ip_range (a range of IP addresses; supports IPv4, IPv6, and CIDR notation). |
| version | integer | No |  | The version value. |

kibana_security_create_list_item

Create a value list item

Parameters:

| Parameter | Type | Required | Default | Description |
| --- | --- | --- | --- | --- |
| id | string | No |  | Value list item’s identifier. |
| list_id | string | Yes |  | Value list’s identifier. |
| meta | object | No |  | Placeholder for metadata about the value list item. |
| refresh | string | No |  | Determines when changes made by the request are made visible to search. |
| value | string | Yes |  | The value used to evaluate exceptions. |

kibana_security_create_rule

Create a detection rule

Parameters:

| Parameter | Type | Required | Default | Description |
| --- | --- | --- | --- | --- |
| body | object | Yes |  | Request body |

kibana_security_delete_alerts_index

Delete an alerts index

kibana_security_delete_list

Delete a value list

Parameters:

| Parameter | Type | Required | Default | Description |
| --- | --- | --- | --- | --- |
| id | string | Yes |  | Value list’s identifier. |
| deleteReferences | boolean | No |  | Determines whether exception items referencing this value list should be deleted. |
| ignoreReferences | boolean | No |  | Determines whether to delete the value list without performing any additional checks of where this list may be utilized. |

kibana_security_delete_list_index

Delete value list data streams

kibana_security_delete_list_item

Delete a value list item

Parameters:

| Parameter | Type | Required | Default | Description |
| --- | --- | --- | --- | --- |
| id | string | No |  | Value list item’s identifier. Required if list_id and value are not specified. |
| list_id | string | No |  | Value list’s identifier. Required if id is not specified. |
| value | string | No |  | The value used to evaluate exceptions. Required if id is not specified. |
| refresh | string | No |  | Determines when changes made by the request are made visible to search. |

kibana_security_delete_rule

Delete a detection rule

Parameters:

| Parameter | Type | Required | Default | Description |
| --- | --- | --- | --- | --- |
| id | string | No |  | The rule’s id value. |
| rule_id | string | No |  | The rule’s rule_id value. |

kibana_security_export_list_items

Export value list items

Parameters:

| Parameter | Type | Required | Default | Description |
| --- | --- | --- | --- | --- |
| list_id | string | Yes |  | Value list’s id to export. |

kibana_security_export_rules

Export detection rules

Parameters:

| Parameter | Type | Required | Default | Description |
| --- | --- | --- | --- | --- |
| exclude_export_details | boolean | No |  | Determines whether a summary of the exported rules is returned. |
| file_name | string | No |  | File name for saving the exported rules. Info: when using cURL to export rules to a file, use the -O and -J options to save the rules to the file name specified in the URL. |
| objects | object[] | No |  | Array of objects with a rule’s rule_id field. Do not use the rule’s id here. Exports all rules when unspecified. |

kibana_security_find_list_items

Get value list items

Parameters:

| Parameter | Type | Required | Default | Description |
| --- | --- | --- | --- | --- |
| list_id | string | Yes |  | Value list’s identifier. |
| page | integer | No |  | The page number to return. |
| per_page | integer | No |  | The number of list items to return per page. |
| sort_field | string | No |  | Determines which field is used to sort the results. |
| sort_order | string | No |  | Determines the sort order, which can be desc or asc. |
| cursor | string | No |  | Returns the items that come after the last item returned in the previous call (use the cursor value returned in the previous call). This parameter uses the tie_breaker_id field to ensure all items are sorted and returned correctly. |
| filter | string | No |  | Filters the returned results according to the value of the specified field, using the <field name>:<field value> syntax. |

kibana_security_find_lists

Get value lists

Parameters:

| Parameter | Type | Required | Default | Description |
| --- | --- | --- | --- | --- |
| page | integer | No |  | The page number to return. |
| per_page | integer | No |  | The number of value lists to return per page. |
| sort_field | string | No |  | Determines which field is used to sort the results. |
| sort_order | string | No |  | Determines the sort order, which can be desc or asc. |
| cursor | string | No |  | Returns the lists that come after the last list returned in the previous call (use the cursor value returned in the previous call). This parameter uses the tie_breaker_id field to ensure all lists are sorted and returned correctly. |
| filter | string | No |  | Filters the returned results according to the value of the specified field, using the <field name>:<field value> syntax. |

kibana_security_find_rules

List all detection rules

Parameters:

| Parameter | Type | Required | Default | Description |
| --- | --- | --- | --- | --- |
| fields | string[] | No |  | The fields value |
| filter | string | No |  | Search query. Filters the returned results according to the value of the specified field, using the alert.attributes.<field name>:<field value> syntax, where <field name> can be name, enabled, tags, createdBy, interval, or updatedBy. Info: even though the JSON rule object uses created_by and updated_by fields, you must use the createdBy and updatedBy fields in the filter. |
| sort_field | string | No |  | Field to sort by |
| sort_order | string | No |  | Sort order |
| page | integer | No |  | Page number |
| per_page | integer | No |  | Rules per page |
| gaps_range_start | string | No |  | Gaps range start |
| gaps_range_end | string | No |  | Gaps range end |
| gap_fill_statuses | string[] | No |  | Gap fill statuses |
| gap_auto_fill_scheduler_id | string | No |  | Gap auto fill scheduler ID used to determine gap fill status for rules |

kibana_security_import_list_items

Import value list items

Parameters:

| Parameter | Type | Required | Default | Description |
| --- | --- | --- | --- | --- |
| list_id | string | No |  | List’s id. Required when importing to an existing list. |
| type | string | No |  | Type of the list being imported. Required when importing a new list, i.e. when list_id is not specified. |
| refresh | string | No |  | Determines when changes made by the request are made visible to search. |
| file | string | No |  | A .txt or .csv file containing newline-separated list items. |

kibana_security_import_rules

Import detection rules

Parameters:

| Parameter | Type | Required | Default | Description |
| --- | --- | --- | --- | --- |
| overwrite | boolean | No |  | Determines whether existing rules with the same rule_id are overwritten. |
| overwrite_exceptions | boolean | No |  | Determines whether existing exception lists with the same list_id are overwritten. Both the exception list container and its items are overwritten. |
| overwrite_action_connectors | boolean | No |  | Determines whether existing actions with the same kibana.alert.rule.actions.id are overwritten. |
| as_new_list | boolean | No |  | Generates a new list ID for each imported exception list. |
| file | string | No |  | The .ndjson file containing the rules. |

kibana_security_install_prebuilt_rules_and_timelines

Install prebuilt detection rules and Timelines

kibana_security_patch_list

Patch a value list

Parameters:

| Parameter | Type | Required | Default | Description |
| --- | --- | --- | --- | --- |
| _version | string | No |  | The version id, normally returned by the API when the document is retrieved. Use it to ensure updates are done against the latest version. |
| description | string | No |  | Describes the value list. |
| id | string | Yes |  | Value list’s identifier. |
| meta | object | No |  | Placeholder for metadata about the value list. |
| name | string | No |  | Value list’s name. |
| version | integer | No |  | The document version number. |

kibana_security_patch_list_item

Patch a value list item

Parameters:

| Parameter | Type | Required | Default | Description |
| --- | --- | --- | --- | --- |
| _version | string | No |  | The version id, normally returned by the API when the document is retrieved. Use it to ensure updates are done against the latest version. |
| id | string | Yes |  | Value list item’s identifier. |
| meta | object | No |  | Placeholder for metadata about the value list item. |
| refresh | string | No |  | Determines when changes made by the request are made visible to search. |
| value | string | No |  | The value used to evaluate exceptions. |

kibana_security_patch_rule

Patch a detection rule

Parameters:

| Parameter | Type | Required | Default | Description |
| --- | --- | --- | --- | --- |
| body | object | Yes |  | Info: you cannot modify the id or rule_id values. |

kibana_security_perform_rules_bulk_action

Apply a bulk action to detection rules

Parameters:

| Parameter | Type | Required | Default | Description |
| --- | --- | --- | --- | --- |
| dry_run | boolean | No |  | Enables dry run mode for the request call. Enable dry run mode to verify that bulk actions can be applied to the specified rules. Certain rules, such as prebuilt Elastic rules on a Basic subscription, can’t be edited and will return errors in the request response. Error details will contain an explanation, the rule name and/or ID, and additional troubleshooting information. To enable dry run mode on a request, add the query parameter dry_run=true to the end of the request URL. Rules specified in the request will be temporarily updated; these updates won’t be written to Elasticsearch. Info: dry run mode is not supported for the export bulk action. A 400 error will be returned in the request response. |
| body | object | No |  | Request body |

kibana_security_read_alerts_index

Reads the alert index name if it exists

kibana_security_read_list

Get value list details

Parameters:

| Parameter | Type | Required | Default | Description |
| --- | --- | --- | --- | --- |
| id | string | Yes |  | Value list’s identifier. |

kibana_security_read_list_index

Get status of value list data streams

kibana_security_read_list_item

Get a value list item

Parameters:

| Parameter | Type | Required | Default | Description |
| --- | --- | --- | --- | --- |
| id | string | No |  | Value list item’s identifier. Required if list_id and value are not specified. |
| list_id | string | No |  | Identifier of the value list the item belongs to. Required if id is not specified. |
| value | string | No |  | The value used to evaluate exceptions. Required if id is not specified. |

kibana_security_read_list_privileges

Get value list privileges

kibana_security_read_prebuilt_rules_and_timelines_status

Retrieve the status of prebuilt detection rules and Timelines

kibana_security_read_privileges

Returns user privileges for the Kibana space

kibana_security_read_rule

Retrieve a detection rule

Parameters:

| Parameter | Type | Required | Default | Description |
| --- | --- | --- | --- | --- |
| id | string | No |  | The rule’s id value. |
| rule_id | string | No |  | The rule’s rule_id value. |

kibana_security_read_tags

List all detection rule tags

kibana_security_rule_preview

Preview rule alerts generated on a specified time range

Parameters:

| Parameter | Type | Required | Default | Description |
| --- | --- | --- | --- | --- |
| enable_logged_requests | boolean | No |  | Enables logging of the Elasticsearch queries performed during rule execution and returns them in the response. |
| body | object | Yes |  | An object containing tags to add or remove and the alert ids the changes will be applied to. |

kibana_security_search_alerts

Find and/or aggregate detection alerts

Parameters:

| Parameter | Type | Required | Default | Description |
| --- | --- | --- | --- | --- |
| _source | object | No |  | The source value |
| aggs | object | No |  | The aggs value |
| fields | string[] | No |  | The fields value |
| query | object | No |  | Search query string |
| runtime_mappings | object | No |  | Runtime Mappings |
| size | integer | No |  | The size value |
| sort | object | No |  | Sort order for results |
| track_total_hits | boolean | No |  | Track Total Hits |

kibana_security_set_alert_assignees

Assign and unassign users from detection alerts

Parameters:

| Parameter | Type | Required | Default | Description |
| --- | --- | --- | --- | --- |
| assignees | object | Yes |  | The assignees value |
| ids | string[] | Yes |  | A list of alert ids. |

kibana_security_set_alert_tags

Add and remove detection alert tags

Parameters:

| Parameter | Type | Required | Default | Description |
| --- | --- | --- | --- | --- |
| ids | string[] | Yes |  | A list of alert ids. |
| tags | object | Yes |  | Object with the list of tags to add and remove. |

kibana_security_set_alerts_status

Set a detection alert status

Parameters:

| Parameter | Type | Required | Default | Description |
| --- | --- | --- | --- | --- |
| body | object | Yes |  | An object containing the desired status and either explicit alert ids or a query to select alerts. |

kibana_security_update_list

Update a value list

Parameters:

| Parameter | Type | Required | Default | Description |
| --- | --- | --- | --- | --- |
| _version | string | No |  | The version id, normally returned by the API when the document is retrieved. Use it to ensure updates are done against the latest version. |
| description | string | Yes |  | Describes the value list. |
| id | string | Yes |  | Value list’s identifier. |
| meta | object | No |  | Placeholder for metadata about the value list. |
| name | string | Yes |  | Value list’s name. |
| version | integer | No |  | The document version number. |

kibana_security_update_list_item

Update a value list item

Parameters:

| Parameter | Type | Required | Default | Description |
| --- | --- | --- | --- | --- |
| _version | string | No |  | The version id, normally returned by the API when the document is retrieved. Use it to ensure updates are done against the latest version. |
| id | string | Yes |  | Value list item’s identifier. |
| meta | object | No |  | Placeholder for metadata about the value list item. |
| value | string | Yes |  | The value used to evaluate exceptions. |

kibana_security_update_rule

Update a detection rule

Parameters:

| Parameter | Type | Required | Default | Description |
| --- | --- | --- | --- | --- |
| body | object | Yes |  | Info: all unspecified fields are deleted. You cannot modify the id or rule_id values. |