Run connector API
editRun connector API
editRuns a connector by ID.
Request
editPOST <kibana host>:<port>/api/actions/connector/<id>/_execute
POST <kibana host>:<port>/s/<space_id>/api/actions/connector/<id>/_execute
Prerequisites
editYou must have read
privileges for the Actions and Connectors feature in the
Management section of the
Kibana feature privileges.
If you use an index connector, you must also have all
, create
, index
, or
write
indices privileges.
Description
editYou can use this API to test an action that involves interaction with Kibana services or integrations with third-party systems.
Path parameters
edit-
id
- (Required, string) The ID of the connector.
-
space_id
-
(Optional, string) An identifier for the space. If
space_id
is not provided in the URL, the default space is used.
Request body
edit-
params
-
(Required, object) The parameters of the connector. Parameter properties vary depending on the connector type. For information about the parameter properties, refer to Connectors.
Params
propertiesIndex connectors
-
documents
- (Required, array of objects) The documents to index in JSON format.
For more information, refer to Index connector and action.
Jira connectors
-
subAction
-
(Required, string) The action to test. Valid values include:
fieldsByIssueType
,getFields
,getIncident
,issue
,issues
,issueTypes
, andpushToService
. -
subActionParams
-
(Required*, object) The set of configuration properties, which vary depending on the
subAction
value. This object is not required whensubAction
isgetFields
orissueTypes
.Properties when
subAction
isfieldsByIssueType
-
id
-
(Required, string) The Jira issue type identifier. For example,
10024
.
Properties when
subAction
isgetIncident
-
externalId
-
(Required, string) The Jira issue identifier. For example,
71778
.
Properties when
subAction
isissue
-
id
-
(Required, string) The Jira issue identifier. For example,
71778
.
Properties when
subAction
isissues
-
title
- (Required, string) The title of the Jira issue.
Properties when
subAction
ispushToService
-
comments
-
(Optional, array of objects) Additional information that is sent to Jira.
Properties of
comments
-
comment
- (string) A comment related to the incident. For example, describe how to troubleshoot the issue.
-
commentId
- (integer) A unique identifier for the comment.
-
-
incident
-
(Required, object) Information necessary to create or update a Jira incident.
Properties of
incident
-
description
- (Optional, string) The details about the incident.
-
externalId
- (Optional, string) The Jira issue identifier. If present, the incident is updated. Otherwise, a new incident is created.
-
labels
-
(Optional, array of strings) The labels for the incident. For example,
["LABEL1"]
. NOTE: Labels cannot contain spaces. -
issueType
-
(Optional, integer) The type of incident. For example,
10006
. To obtain the list of valid values, setsubAction
toissueTypes
. -
parent
-
(Optional, string) The ID or key of the parent issue. Applies only to
Sub-task
types of issues. -
priority
-
(Optional, string) The incident priority level. For example,
Lowest
. -
summary
- (Required, string) A summary of the incident.
-
title
- (Optional, string) A title for the incident, used for searching the contents of the knowledge base.
-
-
For more information, refer to Jira connector and action.
ServiceNow ITOM connectors
-
subAction
-
(Required, string) The action to test. Valid values include:
addEvent
andgetChoices
. -
subActionParams
-
(Required*, object) The set of configuration properties, which vary depending on the
subAction
value.Properties when
subAction
isaddEvent
-
additional_info
- (Optional, string) Additional information about the event.
-
description
- (Optional, string) The details about the event.
-
event_class
- (Optional, string) A specific instance of the source.
-
message_key
-
(Optional, string) All actions sharing this key are associated with the same
ServiceNow alert. The default value is
<rule ID>:<alert instance ID>
. -
metric_name
- (Optional, string) The name of the metric.
-
node
- (Optional, string) The host that the event was triggered for.
-
resource
- (Optional, string) The name of the resource.
-
severity
- (Optional, string) The severity of the event.
-
source
- (Optional, string) The name of the event source type.
-
time_of_event
- (Optional, string) The time of the event.
-
type
- (Optional, string) The type of event.
Properties when
subAction
isgetChoices
-
fields
-
(Required, array of strings) An array of fields. For example,
["severity"]
.
-
ServiceNow ITSM connectors
-
subAction
-
(Required, string) The action to test. Valid values include:
getFields
,getIncident
,getChoices
, andpushToService
. -
subActionParams
-
(Required*, object) The set of configuration properties, which vary depending on the
subAction
value. This object is not required whensubAction
isgetFields
.Properties when
subAction
isgetChoices
-
fields
-
(Required, array of strings) An array of fields. For example,
["category","impact"]
.
Properties when
subAction
isgetIncident
-
externalId
- (Required, string) The ServiceNow ITSM issue identifier.
Properties when
subAction
ispushToService
-
comments
-
(Optional, array of objects) Additional information that is sent to ServiceNow SecOps.
Properties of
comments
-
comment
- (string) A comment related to the incident. For example, describe how to troubleshoot the issue.
-
commentId
- (integer) A unique identifier for the comment.
-
-
incident
-
(Required, object) Information necessary to create or update a ServiceNow SecOps incident.
Properties of
incident
-
category
- (Optional, string) The category of the incident.
-
correlation_display
- (Optional, string) A descriptive label of the alert for correlation purposes in ServiceNow.
-
correlation_id
-
(Optional, string) The correlation identifier for the security incident. Connectors using the same correlation ID are associated with the same ServiceNow incident. This value determines whether a new ServiceNow incident is created or an existing one is updated. Modifying this value is optional; if not modified, the rule ID and alert ID are combined as
{{ruleID}}:{{alert ID}}
to form the correlation ID value in ServiceNow. The maximum character length for this value is 100 characters.Using the default configuration of
{{ruleID}}:{{alert ID}}
ensures that ServiceNow creates a separate incident record for every generated alert that uses a unique alert ID. If the rule generates multiple alerts that use the same alert IDs, ServiceNow creates and continually updates a single incident record for the alert. -
description
- (Optional, string) The details about the incident.
-
externalId
- (Optional, string) The ServiceNow ITSM issue identifier. If present, the incident is updated. Otherwise, a new incident is created.
-
impact
- (Optional, string) The impact in ServiceNow ITSM.
-
severity
- (Optional, string) The severity of the incident.
-
short_description
- (Required, string) A short description for the incident, used for searching the contents of the knowledge base.
-
subcategory
- (Optional, string) The subcategory in ServiceNow ITSM.
-
urgency
- (Optional, string) The urgency in ServiceNow ITSM.
-
-
ServiceNow SecOps connectors
-
subAction
-
(Required, string) The action to test. Valid values include:
getFields
,getIncident
,getChoices
, andpushToService
. -
subActionParams
-
(Required*, object) The set of configuration properties, which vary depending on the
subAction
value. This object is not required whensubAction
isgetFields
.Properties when
subAction
isgetChoices
-
fields
-
(Required, array of strings) An array of fields. For example,
["priority","category"]
.
Properties when
subAction
isgetIncident
-
externalId
- (Required, string) The ServiceNow SecOps issue identifier.
Properties when
subAction
ispushToService
-
comments
-
(Optional, array of objects) Additional information that is sent to ServiceNow SecOps.
Properties of
comments
-
comment
- (string) A comment related to the incident. For example, describe how to troubleshoot the issue.
-
commentId
- (integer) A unique identifier for the comment.
-
-
incident
-
(Required, object) Information necessary to create or update a ServiceNow SecOps incident.
Properties of
incident
-
category
- (Optional, string) The category of the incident.
-
correlation_display
- (Optional, string) A descriptive label of the alert for correlation purposes in ServiceNow.
-
correlation_id
-
(Optional, string) The correlation identifier for the security incident. Connectors using the same correlation ID are associated with the same ServiceNow incident. This value determines whether a new ServiceNow incident is created or an existing one is updated. Modifying this value is optional; if not modified, the rule ID and alert ID are combined as
{{ruleID}}:{{alert ID}}
to form the correlation ID value in ServiceNow. The maximum character length for this value is 100 characters.Using the default configuration of
{{ruleID}}:{{alert ID}}
ensures that ServiceNow creates a separate incident record for every generated alert that uses a unique alert ID. If the rule generates multiple alerts that use the same alert IDs, ServiceNow creates and continually updates a single incident record for the alert. -
description
- (Optional, string) The details about the incident.
-
dest_ip
- (Optional, string or array of strings) A list of destination IP addresses related to the security incident. The IPs are added as observables to the security incident.
-
externalId
- (Optional, string) The ServiceNow SecOps issue identifier. If present, the incident is updated. Otherwise, a new incident is created.
-
malware_hash
- (Optional, string or array of strings) A list of malware URLs related to the security incident. The URLs are added as observables to the security incident.
-
priority
- (Optional, string) The priority of the incident.
-
short_description
- (Required, string) A short description for the incident, used for searching the contents of the knowledge base.
-
source_ip
- (Optional, string or array of strings) A list of source IP addresses related to the security incident. The IPs are added as observables to the security incident.
-
subcategory
- (Optional, string) The subcategory of the incident.
-
-
Server log connectors
-
level
-
(Optional, string) The log level of the message:
trace
,debug
,info
,warn
,error
, orfatal
. Defaults toinfo
. -
message
- (Required, string) The message to log.
Swimlane connectors
-
subAction
-
(Required, string) The action to test. It must be
pushToService
. -
subActionParams
-
(Required, object) The set of configuration properties.
Properties of
subActionParams
-
comments
-
(Optional, array of objects) Additional information that is sent to Swimlane.
Properties of
comments
objects- comment
- (string) A comment related to the incident. For example, describe how to troubleshoot the issue.
- commentId
- (integer) A unique identifier for the comment.
-
incident
-
(Required, object) Information necessary to create or update a Swimlane incident.
Properties of
incident
-
alertId
- (Optional, string) The alert identifier.
-
caseId
- (Optional, string) The case identifier for the incident.
-
caseName
- (Optional, string) The case name for the incident.
-
description
- (Optional, string) The description of the incident.
-
ruleName
- (Optional, string) The rule name.
-
severity
- (Optional, string) The severity of the incident.
-
-
-
Response codes
edit-
200
- Indicates a successful call.
Examples
editRun an index connector:
POST api/actions/connector/c55b6eb0-6bad-11eb-9f3b-611eebc6c3ad/_execute { "params": { "documents": [ { "id": "test_doc_id", "name": "test_doc_name", "message": "hello, world" } ] } }
The API returns the following:
{ "status": "ok", "data": { "took": 10, "errors": false, "items": [ { "index": { "_index": "test-index", "_id": "iKyijHcBKCsmXNFrQe3T", "_version": 1, "result": "created", "_shards": { "total": 2, "successful": 1, "failed": 0 }, "_seq_no": 0, "_primary_term": 1, "status": 201 } } ] }, "connector_id": "c55b6eb0-6bad-11eb-9f3b-611eebc6c3ad" }
Run a server log connector:
POST api/actions/connector/7fc7b9a0-ecc9-11ec-8736-e7d63118c907/_execute { "params": { "level": "warn", "message": "Test warning message" } }
The API returns the following:
{"status":"ok","connector_id":"7fc7b9a0-ecc9-11ec-8736-e7d63118c907"}
Retrieve the list of issue types for a Jira connector:
POST api/actions/connector/b3aad810-edbe-11ec-82d1-11348ecbf4a6/_execute { "params": { "subAction": "issueTypes" } }
The API returns the following:
{ "status":"ok", "data":[ {"id":"10024","name":"Improvement"},{"id":"10006","name":"Task"}, {"id":"10007","name":"Sub-task"},{"id":"10025","name":"New Feature"}, {"id":"10023","name":"Bug"},{"id":"10000","name":"Epic"} ], "connector_id":"b3aad810-edbe-11ec-82d1-11348ecbf4a6" }
Create then update a Swimlane incident:
POST api/actions/connector/a4746470-2f94-11ed-b0e0-87533c532698/_execute { "params":{ "subAction":"pushToService", "subActionParams":{ "incident":{ "description":"Description of the incident", "caseName":"Case name", "caseId":"1000" }, "comments":[ {"commentId":"1","comment":"A comment about the incident"} ] } } } POST api/actions/connector/a4746470-2f94-11ed-b0e0-87533c532698/_execute { "params":{ "subAction":"pushToService", "subActionParams":{ "incident":{ "caseId":"1000", "caseName":"A new case name" } } } }
Retrieve the list of choices for a ServiceNow ITOM connector:
POST api/actions/connector/9d9be270-2fd2-11ed-b0e0-87533c532698/_execute { "params": { "subAction": "getChoices", "subActionParams": { "fields": [ "severity","urgency" ] } } }
The API returns the severity and urgency choices, for example:
{ "status": "ok", "data":[ {"dependent_value":"","label":"Critical","value":"1","element":"severity"}, {"dependent_value":"","label":"Major","value":"2","element":"severity"}, {"dependent_value":"","label":"Minor","value":"3","element":"severity"}, {"dependent_value":"","label":"Warning","value":"4","element":"severity"}, {"dependent_value":"","label":"OK","value":"5","element":"severity"}, {"dependent_value":"","label":"Clear","value":"0","element":"severity"}, {"dependent_value":"","label":"1 - High","value":"1","element":"urgency"}, {"dependent_value":"","label":"2 - Medium","value":"2","element":"urgency"}, {"dependent_value":"","label":"3 - Low","value":"3","element":"urgency"}], "connector_id":"9d9be270-2fd2-11ed-b0e0-87533c532698" }