Get a single Attack discovery generation, including its discoveries and (optional) generation metadata

GET /api/attack_discovery/generations/{execution_uuid}

Spaces method and path for this operation:

get /s/{space_id}/api/attack_discovery/generations/{execution_uuid}

Refer to Spaces for more information.

Returns a specific Attack discovery generation: every Attack discovery produced by that execution, plus the generation metadata (execution status, timing, and connector statistics).

Path parameters

  • execution_uuid string(nonempty) Required

    The unique identifier for the Attack discovery generation execution. This UUID is returned at the start of an Attack discovery generation.

    Minimum length is 1.

Query parameters

  • enable_field_rendering boolean

    Enables a markdown syntax used to render pivot fields, for example {{ user.name james }}. When disabled, the same example would be rendered as james. This is primarily used for Attack discovery views within Kibana. Defaults to false.

    Default value is false.

  • with_replacements boolean

    When true, return the created Attack discoveries with text replacements applied to the details_markdown, entity_summary_markdown, summary_markdown, and title fields, so anonymized values are replaced by the originals recorded in each discovery's replacements object. The response then carries real host and user names and should be handled accordingly. Defaults to true.

    Default value is true.

Responses

  • 200 application/json

    Successful response

    • data array[object] Required

      Array of Attack discoveries generated during this execution.

      Each item is an Attack discovery that is also an alert (public API, snake_case field names).

      • alert_ids array[string] Required

        The alert IDs that the attack discovery is based on

      • alert_rule_uuid string

        The optional kibana.alert.rule.uuid of the rule that generated this attack discovery (not applicable to ad hoc runs)

      • alert_start string

        The optional time the attack discovery alert was created

      • alert_updated_at string

        The optional time the attack discovery alert was last updated

      • alert_updated_by_user_id string

        The optional id of the user who last updated the attack discovery alert

      • alert_updated_by_user_name string

        The optional username of the user who updated the attack discovery alert

      • alert_workflow_status string

        The optional kibana.alert.workflow_status of this attack discovery

      • alert_workflow_status_updated_at string

        The optional time the attack discovery alert workflow status was last updated

      • connector_id string Required

        The ID of the connector that generated the attack discovery

      • connector_name string Required

        The (human readable) name of the connector that generated the attack discovery

      • details_markdown string Required

        Details of the attack as bulleted markdown that always uses the {{ field value }} pivot-field syntax (see enable_field_rendering) for field names and values taken from the source data.

      • entity_summary_markdown string

        An optional, short (no more than a sentence) summary of the attack discovery featuring only the host.name and user.name fields (when they are applicable), using the same syntax

      • generation_uuid string Required

        The generation ID of the run that created the attack discovery

      • id string Required

        The unique ID of the attack discovery

      • mitre_attack_tactics array[string]

        An optional array of MITRE ATT&CK tactics for the attack discovery

      • replacements object

        Replacements object used to anonymize/deanonymize messages

        • * string Additional properties
      • risk_score integer

        The optional risk score of the alert (typically populated after generation)

      • summary_markdown string Required

        A markdown summary of the attack discovery, using the same syntax

      • timestamp string(nonempty) Required

        A string that represents a timestamp in ISO 8601 format and does not contain only whitespace characters.

        Minimum length is 1.

      • title string Required

        A title for the attack discovery, in plain text

      • user_id string

        The optional id of the user who generated the attack discovery

      • user_name string

        The optional username of the user who generated the attack discovery (not applicable to attack discoveries generated by rules)

      • users array[object]

        The optional array of users who may view the attack discovery. When empty (or not present), all users may view the attack discovery.

        • id string

          User id. Could be any string, not necessarily a UUID.

        • name string

          User name.

    • generation object
      • alerts_context_count number

        The number of alerts sent as context (max kibana.alert.rule.execution.metrics.alert_counts.active) to the LLM for the generation

      • connector_id string Required

        The connector id (event.dataset) for this generation

      • connector_stats object

        Stats applicable to the connector for this generation

        • average_successful_duration_nanoseconds number

          The average duration (avg event.duration) in nanoseconds of successful generations for the same connector id, for the current user

        • successful_generations number

          The number of successful generations for the same connector id, for the current user

      • discoveries number Required

        The number of new Attack discovery alerts (max kibana.alert.rule.execution.metrics.alert_counts.new) for this generation

      • end string

        When generation ended (max event.end)

      • execution_uuid string Required

        The unique identifier (kibana.alert.rule.execution.uuid) for the generation

      • loading_message string Required

        Generation loading message (kibana.alert.rule.execution.status)

      • reason string

        Reason for failed generations (event.reason)

      • start string Required

        When generation started (min event.start)

      • status string Required

        The status of the attack discovery generation

        Values are canceled, dismissed, failed, started, or succeeded.

  • 400 application/json

    Generic Error

    • error string Required

      Error type

    • message string Required

      Human-readable error message describing what went wrong with the request

    • status_code number Required

      HTTP status code

GET /api/attack_discovery/generations/{execution_uuid}

curl \
  --request GET 'http://localhost:5601/api/attack_discovery/generations/2e13f386-46cf-4d65-9e2b-68609e132ba5' \
  --header "Authorization: $API_KEY" \
  --header "Content-Type: application/json"
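The helpers below are an added example for this endpoint, written for this page; they are not Kibana code and not part of the Elastic Security app. They build the request URL (plain and space-scoped forms, with the two query parameters), render the {{ field value }} pivot syntax the way enable_field_rendering=false does, poll a generation until its status is one of the terminal values listed above, and summarize the response. Two things are assumptions the page does not state: that the replacements map is keyed by the anonymized token with the original value as its value, and that api_key is the complete Authorization header value. The sample response is constructed, not captured from a real instance.

```python
"""Client helpers for GET /api/attack_discovery/generations/{execution_uuid}.
Example code added for this page, not part of Kibana. Assumed (not on the page):
`replacements` is keyed by anonymized token -> original value, and `api_key` is
the full Authorization header value."""
import json
import re
import time
import urllib.parse
import urllib.request

# Status values documented for generation.status
TERMINAL_STATUSES = frozenset({"canceled", "dismissed", "failed", "succeeded"})
ALL_STATUSES = TERMINAL_STATUSES | {"started"}

# The pivot-field syntax used in the markdown fields, e.g. {{ user.name james }}
PIVOT_RE = re.compile(r"\{\{\s*(?P<field>[\w.@-]+)\s+(?P<value>.+?)\s*\}\}")


def build_generation_url(base_url, execution_uuid, space_id=None,
                         enable_field_rendering=False, with_replacements=True):
    """Build the request URL; uses the /s/{space_id} form when a space is given."""
    if not isinstance(execution_uuid, str) or not execution_uuid.strip():
        raise ValueError("execution_uuid must be a non-empty string")
    prefix = f"/s/{urllib.parse.quote(space_id, safe='')}" if space_id else ""
    path = f"{prefix}/api/attack_discovery/generations/{urllib.parse.quote(execution_uuid, safe='')}"
    query = urllib.parse.urlencode({
        "enable_field_rendering": str(enable_field_rendering).lower(),
        "with_replacements": str(with_replacements).lower(),
    })
    return f"{base_url.rstrip('/')}{path}?{query}"


def fetch_generation(base_url, api_key, execution_uuid, **url_kwargs):
    """Issue the GET over the network (not exercised offline) and parse the JSON body."""
    url = build_generation_url(base_url, execution_uuid, **url_kwargs)
    req = urllib.request.Request(url, headers={"Authorization": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def render_pivot_fields(markdown, replacements=None, keep_syntax=False):
    """Render {{ field value }} tokens to plain values (what enable_field_rendering=false
    produces), optionally de-anonymizing values through the replacements map."""
    def substitute(match):
        field, value = match.group("field"), match.group("value")
        if replacements:
            value = replacements.get(value, value)  # assumed anonymized -> original
        return f"{{{{ {field} {value} }}}}" if keep_syntax else value
    return PIVOT_RE.sub(substitute, markdown)


def summarize_generation(response):
    """Check the documented shape and pull out the facts a responder acts on."""
    gen = response.get("generation") or {}
    status = gen.get("status")
    if status not in ALL_STATUSES:
        raise ValueError(f"unexpected generation status: {status!r}")
    discoveries = response["data"]
    return {
        "execution_uuid": gen["execution_uuid"],
        "status": status,
        "terminal": status in TERMINAL_STATUSES,
        "reason": gen.get("reason"),  # only populated for failed generations
        "discoveries": len(discoveries),
        "alerts_in_context": gen.get("alerts_context_count"),
        "distinct_alert_ids": len({a for d in discoveries for a in d["alert_ids"]}),
        "tactics": sorted({t for d in discoveries for t in d.get("mitre_attack_tactics", [])}),
        "summaries": [render_pivot_fields(d["summary_markdown"], d.get("replacements"))
                      for d in discoveries],
    }


def wait_for_generation(fetch, execution_uuid, attempts=30, delay_s=2.0, sleep=time.sleep):
    """Poll fetch(execution_uuid) until generation.status is terminal. The UUID is
    handed out when the generation starts, so early reads may still say 'started'."""
    for _ in range(attempts):
        response = fetch(execution_uuid)
        if response["generation"]["status"] in TERMINAL_STATUSES:
            return response
        sleep(delay_s)
    raise TimeoutError(f"generation {execution_uuid} not terminal after {attempts} polls")


# Constructed sample response (not captured from a real Kibana instance)
SAMPLE_RESPONSE = {
    "data": [{
        "id": "7c6e0c5e-3a51-4a0d-9c55-1d2f3a4b5c6d",
        "alert_ids": ["alert-a", "alert-b", "alert-c"],
        "connector_id": "my-llm-connector",
        "connector_name": "My LLM connector",
        "generation_uuid": "2e13f386-46cf-4d65-9e2b-68609e132ba5",
        "title": "Credential dumping on a finance workstation",
        "summary_markdown": "{{ user.name 9f1d2c3b }} ran a credential dumping tool on {{ host.name 4a5b6c7d }}",
        "mitre_attack_tactics": ["Credential Access", "Execution"],
        "replacements": {"9f1d2c3b": "james", "4a5b6c7d": "ws-finance-07"},
        "timestamp": "2025-01-15T10:32:00.000Z",
    }],
    "generation": {
        "execution_uuid": "2e13f386-46cf-4d65-9e2b-68609e132ba5",
        "connector_id": "my-llm-connector",
        "status": "succeeded",
        "loading_message": "Generated 1 Attack discovery",
        "discoveries": 1,
        "alerts_context_count": 50,
        "start": "2025-01-15T10:31:20.000Z",
        "end": "2025-01-15T10:32:00.000Z",
    },
}
```

A typical run is wait_for_generation(lambda u: fetch_generation("http://localhost:5601", api_key, u, space_id="soc"), execution_uuid) followed by summarize_generation on the result; passing the fetch callable in keeps the polling loop testable without a network. Because with_replacements defaults to true, the summaries produced from a live response already contain de-anonymized host and user names.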