Run connector API


Runs a connector by ID.

Request


POST <kibana host>:<port>/api/actions/connector/<id>/_execute

POST <kibana host>:<port>/s/<space_id>/api/actions/connector/<id>/_execute

Prerequisites


You must have read privileges for the Actions and Connectors feature in the Management section of the Kibana feature privileges.

If you use an index connector, you must also have all, create, index, or write indices privileges.

Description


You can use this API to test an action that involves interaction with Kibana services or integrations with third-party systems.

Path parameters

id
(Required, string) The ID of the connector.
space_id
(Optional, string) An identifier for the space. If space_id is not provided in the URL, the default space is used.

Request body

params

(Required, object) The parameters of the connector. Parameter properties vary depending on the connector type. For information about the parameter properties, refer to Connectors.

Params properties
Index connectors
documents
(Required, array of objects) The documents to index in JSON format.

For more information, refer to Index connector and action.

Jira connectors
subAction
(Required, string) The action to test. Valid values include: fieldsByIssueType, getFields, getIncident, issue, issues, issueTypes, and pushToService.
subActionParams

(Required*, object) The set of configuration properties, which vary depending on the subAction value. This object is not required when subAction is getFields or issueTypes.

Properties when subAction is fieldsByIssueType
id
(Required, string) The Jira issue type identifier. For example, 10024.
Properties when subAction is getIncident
externalId
(Required, string) The Jira issue identifier. For example, 71778.
Properties when subAction is issue
id
(Required, string) The Jira issue identifier. For example, 71778.
Properties when subAction is issues
title
(Required, string) The title of the Jira issue.
Properties when subAction is pushToService
comments

(Optional, array of objects) Additional information that is sent to Jira.

Properties of comments
comment
(string) A comment related to the incident. For example, describe how to troubleshoot the issue.
commentId
(integer) A unique identifier for the comment.
incident

(Required, object) Information necessary to create or update a Jira incident.

Properties of incident
description
(Optional, string) The details about the incident.
externalId
(Optional, string) The Jira issue identifier. If present, the incident is updated. Otherwise, a new incident is created.
labels
(Optional, array of strings) The labels for the incident. For example, ["LABEL1"]. NOTE: Labels cannot contain spaces.
issueType
(Optional, integer) The type of incident. For example, 10006. To obtain the list of valid values, set subAction to issueTypes.
parent
(Optional, string) The ID or key of the parent issue. Applies only to Sub-task types of issues.
priority
(Optional, string) The incident priority level. For example, Lowest.
summary
(Required, string) A summary of the incident.
title
(Optional, string) A title for the incident, used for searching the contents of the knowledge base.

For more information, refer to Jira connector and action.

ServiceNow ITOM connectors
subAction
(Required, string) The action to test. Valid values include: addEvent and getChoices.
subActionParams

(Required*, object) The set of configuration properties, which vary depending on the subAction value.

Properties when subAction is addEvent
additional_info
(Optional, string) Additional information about the event.
description
(Optional, string) The details about the event.
event_class
(Optional, string) A specific instance of the source.
message_key
(Optional, string) All actions sharing this key are associated with the same ServiceNow alert. The default value is <rule ID>:<alert instance ID>.
metric_name
(Optional, string) The name of the metric.
node
(Optional, string) The host that the event was triggered for.
resource
(Optional, string) The name of the resource.
severity
(Optional, string) The severity of the event.
source
(Optional, string) The name of the event source type.
time_of_event
(Optional, string) The time of the event.
type
(Optional, string) The type of event.
Properties when subAction is getChoices
fields
(Required, array of strings) An array of fields. For example, ["severity"].
ServiceNow ITSM connectors
subAction
(Required, string) The action to test. Valid values include: getFields, getIncident, getChoices, and pushToService.
subActionParams

(Required*, object) The set of configuration properties, which vary depending on the subAction value. This object is not required when subAction is getFields.

Properties when subAction is getChoices
fields
(Required, array of strings) An array of fields. For example, ["category","impact"].
Properties when subAction is getIncident
externalId
(Required, string) The ServiceNow ITSM issue identifier.
Properties when subAction is pushToService
comments

(Optional, array of objects) Additional information that is sent to ServiceNow SecOps.

Properties of comments
comment
(string) A comment related to the incident. For example, describe how to troubleshoot the issue.
commentId
(integer) A unique identifier for the comment.
incident

(Required, object) Information necessary to create or update a ServiceNow SecOps incident.

Properties of incident
category
(Optional, string) The category of the incident.
correlation_display
(Optional, string) A descriptive label of the alert for correlation purposes in ServiceNow.
correlation_id

(Optional, string) The correlation identifier for the security incident. Connectors using the same correlation ID are associated with the same ServiceNow incident. This value determines whether a new ServiceNow incident is created or an existing one is updated. Modifying this value is optional; if not modified, the rule ID and alert ID are combined as {{ruleID}}:{{alert ID}} to form the correlation ID value in ServiceNow. The maximum character length for this value is 100 characters.

Using the default configuration of {{ruleID}}:{{alert ID}} ensures that ServiceNow creates a separate incident record for every generated alert that uses a unique alert ID. If the rule generates multiple alerts that use the same alert IDs, ServiceNow creates and continually updates a single incident record for the alert.

description
(Optional, string) The details about the incident.
externalId
(Optional, string) The ServiceNow ITSM issue identifier. If present, the incident is updated. Otherwise, a new incident is created.
impact
(Optional, string) The impact in ServiceNow ITSM.
severity
(Optional, string) The severity of the incident.
short_description
(Required, string) A short description for the incident, used for searching the contents of the knowledge base.
subcategory
(Optional, string) The subcategory in ServiceNow ITSM.
urgency
(Optional, string) The urgency in ServiceNow ITSM.
ServiceNow SecOps connectors
subAction
(Required, string) The action to test. Valid values include: getFields, getIncident, getChoices, and pushToService.
subActionParams

(Required*, object) The set of configuration properties, which vary depending on the subAction value. This object is not required when subAction is getFields.

Properties when subAction is getChoices
fields
(Required, array of strings) An array of fields. For example, ["priority","category"].
Properties when subAction is getIncident
externalId
(Required, string) The ServiceNow SecOps issue identifier.
Properties when subAction is pushToService
comments

(Optional, array of objects) Additional information that is sent to ServiceNow SecOps.

Properties of comments
comment
(string) A comment related to the incident. For example, describe how to troubleshoot the issue.
commentId
(integer) A unique identifier for the comment.
incident

(Required, object) Information necessary to create or update a ServiceNow SecOps incident.

Properties of incident
category
(Optional, string) The category of the incident.
correlation_display
(Optional, string) A descriptive label of the alert for correlation purposes in ServiceNow.
correlation_id

(Optional, string) The correlation identifier for the security incident. Connectors using the same correlation ID are associated with the same ServiceNow incident. This value determines whether a new ServiceNow incident is created or an existing one is updated. Modifying this value is optional; if not modified, the rule ID and alert ID are combined as {{ruleID}}:{{alert ID}} to form the correlation ID value in ServiceNow. The maximum character length for this value is 100 characters.

Using the default configuration of {{ruleID}}:{{alert ID}} ensures that ServiceNow creates a separate incident record for every generated alert that uses a unique alert ID. If the rule generates multiple alerts that use the same alert IDs, ServiceNow creates and continually updates a single incident record for the alert.

description
(Optional, string) The details about the incident.
dest_ip
(Optional, string or array of strings) A list of destination IP addresses related to the security incident. The IPs are added as observables to the security incident.
externalId
(Optional, string) The ServiceNow SecOps issue identifier. If present, the incident is updated. Otherwise, a new incident is created.
malware_hash
(Optional, string or array of strings) A list of malware URLs related to the security incident. The URLs are added as observables to the security incident.
priority
(Optional, string) The priority of the incident.
short_description
(Required, string) A short description for the incident, used for searching the contents of the knowledge base.
source_ip
(Optional, string or array of strings) A list of source IP addresses related to the security incident. The IPs are added as observables to the security incident.
subcategory
(Optional, string) The subcategory of the incident.
Server log connectors
level
(Optional, string) The log level of the message: trace, debug, info, warn, error, or fatal. Defaults to info.
message
(Required, string) The message to log.
Swimlane connectors
subAction
(Required, string) The action to test. It must be pushToService.
subActionParams

(Required, object) The set of configuration properties.

Properties of subActionParams
comments

(Optional, array of objects) Additional information that is sent to Swimlane.

Properties of comments objects
comment
(string) A comment related to the incident. For example, describe how to troubleshoot the issue.
commentId
(integer) A unique identifier for the comment.
incident

(Required, object) Information necessary to create or update a Swimlane incident.

Properties of incident
alertId
(Optional, string) The alert identifier.
caseId
(Optional, string) The case identifier for the incident.
caseName
(Optional, string) The case name for the incident.
description
(Optional, string) The description of the incident.
ruleName
(Optional, string) The rule name.
severity
(Optional, string) The severity of the incident.

Response codes

200
Indicates a successful call.

Examples


Run an index connector:

POST api/actions/connector/c55b6eb0-6bad-11eb-9f3b-611eebc6c3ad/_execute
{
  "params": {
    "documents": [
      {
        "id": "test_doc_id",
        "name": "test_doc_name",
        "message": "hello, world"
      }
    ]
  }
}

The API returns the following:

{
  "status": "ok",
  "data": {
    "took": 10,
    "errors": false,
    "items": [
      {
        "index": {
          "_index": "test-index",
          "_id": "iKyijHcBKCsmXNFrQe3T",
          "_version": 1,
          "result": "created",
          "_shards": {
            "total": 2,
            "successful": 1,
            "failed": 0
          },
          "_seq_no": 0,
          "_primary_term": 1,
          "status": 201
        }
      }
    ]
  },
  "connector_id": "c55b6eb0-6bad-11eb-9f3b-611eebc6c3ad"
}

Run a server log connector:

POST api/actions/connector/7fc7b9a0-ecc9-11ec-8736-e7d63118c907/_execute
{
  "params": {
    "level": "warn",
    "message": "Test warning message"
  }
}

The API returns the following:

{"status":"ok","connector_id":"7fc7b9a0-ecc9-11ec-8736-e7d63118c907"}

Retrieve the list of issue types for a Jira connector:

POST api/actions/connector/b3aad810-edbe-11ec-82d1-11348ecbf4a6/_execute
{
  "params": {
    "subAction": "issueTypes"
  }
}

The API returns the following:

{
  "status":"ok",
  "data":[
    {"id":"10024","name":"Improvement"},{"id":"10006","name":"Task"},
    {"id":"10007","name":"Sub-task"},{"id":"10025","name":"New Feature"},
    {"id":"10023","name":"Bug"},{"id":"10000","name":"Epic"}
  ],
  "connector_id":"b3aad810-edbe-11ec-82d1-11348ecbf4a6"
}

Create then update a Swimlane incident:

POST api/actions/connector/a4746470-2f94-11ed-b0e0-87533c532698/_execute
{
  "params":{
    "subAction":"pushToService",
    "subActionParams":{
      "incident":{
        "description":"Description of the incident",
        "caseName":"Case name",
        "caseId":"1000"
      },
      "comments":[
        {"commentId":"1","comment":"A comment about the incident"}
      ]
    }
  }
}

POST api/actions/connector/a4746470-2f94-11ed-b0e0-87533c532698/_execute
{
  "params":{
    "subAction":"pushToService",
    "subActionParams":{
      "incident":{
        "caseId":"1000",
        "caseName":"A new case name"
      }
    }
  }
}

Retrieve the list of choices for a ServiceNow ITOM connector:

POST api/actions/connector/9d9be270-2fd2-11ed-b0e0-87533c532698/_execute
{
  "params": {
    "subAction": "getChoices",
    "subActionParams": {
      "fields": [ "severity","urgency" ]
    }
  }
}

The API returns the severity and urgency choices, for example:

{
  "status": "ok",
  "data":[
    {"dependent_value":"","label":"Critical","value":"1","element":"severity"},
    {"dependent_value":"","label":"Major","value":"2","element":"severity"},
    {"dependent_value":"","label":"Minor","value":"3","element":"severity"},
    {"dependent_value":"","label":"Warning","value":"4","element":"severity"},
    {"dependent_value":"","label":"OK","value":"5","element":"severity"},
    {"dependent_value":"","label":"Clear","value":"0","element":"severity"},
    {"dependent_value":"","label":"1 - High","value":"1","element":"urgency"},
    {"dependent_value":"","label":"2 - Medium","value":"2","element":"urgency"},
    {"dependent_value":"","label":"3 - Low","value":"3","element":"urgency"}],
  "connector_id":"9d9be270-2fd2-11ed-b0e0-87533c532698"
}
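
Because a successful _execute call acts on the third-party system (it indexes documents, opens or updates incidents), it helps to check the params object against the request body tables above before sending it. The following Python pre-flight check is an added example, not part of the Kibana documentation or code base; the connector kind labels ("jira", "servicenow_secops", and so on) and the function name validate_params are local names chosen for this sketch, and the rules are transcribed from the tables on this page.

```python
# Added example: rules transcribed from the "Request body" tables on this page.
# The kind labels below are local to this sketch, not Kibana connector type IDs.
SUB_ACTIONS = {
    "jira": {"fieldsByIssueType", "getFields", "getIncident", "issue",
             "issues", "issueTypes", "pushToService"},
    "servicenow_itom": {"addEvent", "getChoices"},
    "servicenow_itsm": {"getFields", "getIncident", "getChoices", "pushToService"},
    "servicenow_secops": {"getFields", "getIncident", "getChoices", "pushToService"},
    "swimlane": {"pushToService"},
}
# subActions for which the page says subActionParams is not required
PARAMS_OPTIONAL = {("jira", "getFields"), ("jira", "issueTypes"),
                   ("servicenow_itsm", "getFields"), ("servicenow_secops", "getFields")}
REQUIRED_INCIDENT_FIELD = {"jira": "summary", "servicenow_itsm": "short_description",
                           "servicenow_secops": "short_description"}
LOG_LEVELS = {"trace", "debug", "info", "warn", "error", "fatal"}


def validate_params(kind, params):
    """Return a list of problems found in `params`; an empty list means OK."""
    errs = []
    if kind == "index":
        docs = params.get("documents")
        if not isinstance(docs, list) or not all(isinstance(d, dict) for d in docs):
            errs.append("documents must be an array of objects")
        return errs
    if kind == "server_log":
        if not isinstance(params.get("message"), str):
            errs.append("message is required")
        if str(params.get("level", "info")) not in LOG_LEVELS:
            errs.append("level is not a valid log level")
        return errs
    if kind not in SUB_ACTIONS:
        return [f"unknown connector kind: {kind}"]
    sub = params.get("subAction")
    if sub not in SUB_ACTIONS[kind]:
        return [f"subAction {sub!r} is not valid for {kind}"]
    sap = params.get("subActionParams")
    if not isinstance(sap, dict):
        optional = sap is None and (kind, sub) in PARAMS_OPTIONAL
        return [] if optional else ["subActionParams object is required"]
    if sub == "pushToService":
        incident = sap.get("incident")
        if not isinstance(incident, dict):
            return ["incident is required"]
        field = REQUIRED_INCIDENT_FIELD.get(kind)
        if field and not incident.get(field):
            errs.append(f"incident.{field} is required")
        if kind.startswith("servicenow") and len(incident.get("correlation_id") or "") > 100:
            errs.append("correlation_id exceeds 100 characters")
        if kind == "jira" and any(" " in s for s in incident.get("labels") or []):
            errs.append("labels cannot contain spaces")
    return errs
```
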