Create an agentless policy

Technical Preview; added in 9.3.0

POST /api/fleet/agentless_policies

Spaces method and path for this operation:

post /s/{space_id}/api/fleet/agentless_policies

Refer to Spaces for more information.

Create an agentless policy

Headers

  • kbn-xsrf string Required

    A required header to protect against CSRF attacks

Query parameters

  • format string

    The format of the response package policy.

    Values are legacy or simplified. Default value is simplified.

application/json

Body

  • additional_datastreams_permissions array[string] | null

    Additional datastream permissions that will be added to the agent policy.

  • cloud_connector object

    Additional properties are NOT allowed.

    • cloud_connector_id string

      ID of an existing cloud connector to reuse. If not provided, a new connector will be created.

    • enabled boolean

      Whether cloud connectors are enabled for this policy.

      Default value is false.

    • name string

      Optional name for the cloud connector. If not provided, it will be auto-generated from credentials.

  • description string

    Policy description.

  • force boolean

    Force package policy creation even if the package is not verified, or if the agent policy is managed.

  • id string

    Policy unique identifier.

  • inputs object

    Package policy inputs. Refer to the integration documentation to know which inputs are available.

    • * object Additional properties

      Additional properties are NOT allowed.

      • enabled boolean

        Enable or disable that input. Defaults to true (enabled).

      • streams object

        Input streams. Refer to the integration documentation to know which streams are available.

        • * object Additional properties

          Additional properties are NOT allowed.

          • enabled boolean

            Enable or disable that stream. Defaults to true (enabled).

          • vars object

            Input/stream level variable. Refer to the integration documentation for more information.

      • vars object

        Input/stream level variable. Refer to the integration documentation for more information.

  • name string Required

    Unique name for the policy.

  • namespace string

    Policy namespace. When not specified, it inherits the agent policy namespace.

  • package object Required

    Additional properties are NOT allowed.

    • experimental_data_stream_features array[object]
      • data_stream string Required
      • features object Required

        Additional properties are NOT allowed.

        • doc_value_only_numeric boolean
        • doc_value_only_other boolean
        • synthetic_source boolean
        • tsdb boolean
    • fips_compatible boolean
    • name string Required

      Package name

    • requires_root boolean
    • title string
    • version string Required

      Package version

  • vars object

    Input/stream level variable. Refer to the integration documentation for more information.

Responses

  • 200 application/json

    Indicates a successful response

    • item object Required

      The created agentless package policy.

      Additional properties are NOT allowed.

      • additional_datastreams_permissions array[string] | null

        Additional datastream permissions that will be added to the agent policy.

      • agents number
      • cloud_connector_id string | null

        ID of the cloud connector associated with this package policy.

      • created_at string Required
      • created_by string Required
      • description string

        Package policy description

      • elasticsearch object

        Additional properties are allowed.

        • privileges object

          Additional properties are allowed.

          • cluster array[string]
      • enabled boolean Required
      • id string Required

        Package policy unique identifier.

      • inputs array[object] | object Required

        Package policy inputs.

        Any of:
        • config object

          Package variable (see integration documentation for more information)

          • * object Additional properties

            Additional properties are NOT allowed.

            • frozen boolean
            • type string
        • enabled boolean Required
        • id string
        • keep_enabled boolean
        • policy_template string
        • streams array[object] Required
          • config object

            Package variable (see integration documentation for more information)

            • * object Additional properties

              Additional properties are NOT allowed.

              • frozen boolean
              • type string
          • data_stream object Required

            Additional properties are NOT allowed.

            • dataset string Required
            • elasticsearch object

              Additional properties are NOT allowed.

              • dynamic_dataset boolean
              • dynamic_namespace boolean
              • privileges object

                Additional properties are NOT allowed.

                • indices array[string]
            • type string Required
          • enabled boolean Required
          • id string
          • keep_enabled boolean
          • release string

            Values are ga, beta, or experimental.

          • vars object

            Package variable (see integration documentation for more information)

            • * object Additional properties

              Additional properties are NOT allowed.

              • frozen boolean
              • type string
        • type string Required
        • vars object

          Package variable (see integration documentation for more information)

          • * object Additional properties

            Additional properties are NOT allowed.

            • frozen boolean
            • type string
      • is_managed boolean
      • name string Required

        Unique name for the package policy.

      • namespace string

        The package policy namespace. Leave blank to inherit the agent policy's namespace.

      • output_id string | null
      • overrides object | null

        Override settings that are defined in the package policy. The override option should be used only in unusual circumstances and not as a routine procedure.

        Additional properties are NOT allowed.

        • inputs object

          Additional properties are allowed.

      • package object

        Additional properties are NOT allowed.

        • experimental_data_stream_features array[object]
          • data_stream string Required
          • features object Required

            Additional properties are NOT allowed.

            • doc_value_only_numeric boolean
            • doc_value_only_other boolean
            • synthetic_source boolean
            • tsdb boolean
        • fips_compatible boolean
        • name string Required

          Package name

        • requires_root boolean
        • title string
        • version string Required

          Package version

      • policy_id string | null Deprecated

        ID of the agent policy which the package policy will be added to.

      • policy_ids array[string]

        IDs of the agent policies that the package policy will be added to.

      • revision number Required

        Package policy revision.

      • secret_references array[object]
        • id string Required
      • spaceIds array[string]
      • supports_agentless boolean | null

        Indicates whether the package policy belongs to an agentless agent policy.

        Default value is false.

      • supports_cloud_connector boolean | null

        Indicates whether the package policy supports cloud connectors.

        Default value is false.

      • updated_at string Required
      • updated_by string Required
      • vars object

        Package level variable.

        Any of:

        Input/stream level variable. Refer to the integration documentation for more information.

      • version string

        Package policy ES version.

  • 400 application/json

    Bad Request

    • error string
    • errorType string
    • message string Required
    • statusCode number
  • 409 application/json

    Conflict

    • error string
    • errorType string
    • message string Required
    • statusCode number
POST /api/fleet/agentless_policies
curl \
  --request POST 'https://localhost:5601/api/fleet/agentless_policies' \
  --header "Authorization: $API_KEY" \
  --header "Content-Type: application/json" \
  --header "kbn-xsrf: true" \
  --data '{"name":"ess_billing-1","inputs":{"ESS Billing-cel":{"vars":{"api_key":"\u003cREPLACE_WITH_YOUR_API_KEY\u003e","organization_id":"1234"},"enabled":true,"streams":{"ess_billing.billing":{"vars":{"tags":["forwarded","billing"],"lookbehind":365,"hide_sensitive":true,"http_client_timeout":"30s"},"enabled":true},"ess_billing.credits":{"enabled":false}}}},"package":{"name":"ess_billing","version":"1.6.0"},"namespace":"default","description":"test"}'
Request examples
Example request to create agentless policies
{ "name": "ess_billing-1", "inputs": { "ESS Billing-cel": { "vars": { "api_key": "<REPLACE_WITH_YOUR_API_KEY>", "organization_id": "1234" }, "enabled": true, "streams": { "ess_billing.billing": { "vars": { "tags": [ "forwarded", "billing" ], "lookbehind": 365, "hide_sensitive": true, "http_client_timeout": "30s" }, "enabled": true }, "ess_billing.credits": { "enabled": false } } } }, "package": { "name": "ess_billing", "version": "1.6.0" }, "namespace": "default", "description": "test" }
Example request to create agentless policy reusing an existing AWS cloud connector
{ "name": "cspm-aws-reuse-policy", "vars": { "posture": "cspm", "deployment": "aws" }, "inputs": { "cspm-cloudbeat/cis_aws": { "vars": { "cloud_formation_template": "https://console.aws.amazon.com/cloudformation/home#/stacks/quickcreate?templateURL=https://elastic-cspm-cft.s3.eu-central-1.amazonaws.com/cloudformation-cspm-ACCOUNT_TYPE-9.2.0.yml" }, "enabled": true, "streams": { "cloud_security_posture.findings": { "vars": { "role_arn": "arn:aws:iam::123456789012:role/TestRole", "external_id": { "id": "ABCDEFGHIJKLMNOPQRST", "isSecretRef": true }, "aws.account_type": "organization-account", "aws.credentials.type": "cloud_connector", "aws.supports_cloud_connectors": true }, "enabled": true } } }, "cspm-cloudbeat/cis_gcp": { "enabled": false }, "cspm-cloudbeat/cis_azure": { "enabled": false } }, "package": { "name": "cloud_security_posture", "version": "3.1.1" }, "namespace": "default", "description": "CSPM integration for AWS reusing existing cloud connector", "cloud_connector": { "target_csp": "aws", "cloud_connector_id": "existing-aws-connector-id" } }
Example request to create agentless policy with AWS cloud connector
{ "name": "cspm-aws-policy", "vars": { "posture": "cspm", "deployment": "aws" }, "inputs": { "cspm-cloudbeat/cis_aws": { "vars": { "cloud_formation_template": "https://console.aws.amazon.com/cloudformation/home#/stacks/quickcreate?templateURL=https://elastic-cspm-cft.s3.eu-central-1.amazonaws.com/cloudformation-cspm-ACCOUNT_TYPE-9.2.0.yml" }, "enabled": true, "streams": { "cloud_security_posture.findings": { "vars": { "role_arn": "arn:aws:iam::123456789012:role/TestRole", "external_id": { "id": "ABCDEFGHIJKLMNOPQRST", "isSecretRef": true }, "aws.account_type": "organization-account", "aws.credentials.type": "cloud_connector", "aws.supports_cloud_connectors": true }, "enabled": true } } }, "cspm-cloudbeat/cis_gcp": { "enabled": false }, "cspm-cloudbeat/cis_azure": { "enabled": false } }, "package": { "name": "cloud_security_posture", "version": "3.1.1" }, "namespace": "default", "description": "CSPM integration for AWS with cloud connector", "cloud_connector": { "target_csp": "aws" } }
Example request to create agentless policy with Azure cloud connector
{ "name": "cspm-azure-policy", "vars": { "posture": "cspm", "deployment": "azure" }, "inputs": { "cspm-cloudbeat/cis_aws": { "enabled": false }, "cspm-cloudbeat/cis_gcp": { "enabled": false }, "cspm-cloudbeat/cis_azure": { "enabled": true, "streams": { "cloud_security_posture.findings": { "vars": { "client_id": { "id": "client-secret-id", "isSecretRef": true }, "tenant_id": { "id": "tenant-secret-id", "isSecretRef": true }, "azure.account_type": "organization-account", "azure_credentials_cloud_connector_id": { "type": "text", "value": "existing-azure-credentials-connector-id" } }, "enabled": true } } } }, "package": { "name": "cloud_security_posture", "version": "3.1.1" }, "namespace": "default", "description": "CSPM integration for Azure with cloud connector", "cloud_connector": { "target_csp": "azure" } }
Response examples (200)
Example response showing a successfully created agentless policy
{ "item": { "id": "d52a7812-5736-4fdc-aed8-72152afa1ffa", "name": "ess_billing-1", "inputs": { "ESS Billing-cel": { "vars": { "url": "https://billing.elastic-cloud.com", "api_key": { "id": "QY1sWpoBbWcMW-edr0Ee", "isSecretRef": true }, "organization_id": "1234" }, "enabled": true, "streams": { "ess_billing.billing": { "vars": { "tags": [ "forwarded", "billing" ], "lookbehind": 365, "hide_sensitive": true, "http_client_timeout": "30s" }, "enabled": true }, "ess_billing.credits": { "enabled": false } } } }, "enabled": true, "package": { "name": "ess_billing", "title": "Elasticsearch Service Billing", "version": "1.6.0" }, "version": "WzE0OTgsMV0=", "revision": 1, "namespace": "default", "created_at": "2025-11-06T18:27:43.541Z", "created_by": "test_user", "updated_at": "2025-11-06T18:27:43.541Z", "updated_by": "test_user", "description": "test", "secret_references": [ { "id": "QY1sWpoBbWcMW-edr0Ee" } ], "supports_agentless": true } }
Example response for AWS cloud connector integration
{ "item": { "id": "aws-policy-12345", "name": "cspm-aws-policy", "vars": { "posture": "cspm", "deployment": "aws" }, "inputs": { "cspm-cloudbeat/cis_aws": { "vars": { "cloud_formation_template": "https://console.aws.amazon.com/cloudformation/home#/stacks/quickcreate?templateURL=https://elastic-cspm-cft.s3.eu-central-1.amazonaws.com/cloudformation-cspm-ACCOUNT_TYPE-9.2.0.yml" }, "enabled": true, "streams": { "cloud_security_posture.findings": { "vars": { "role_arn": "arn:aws:iam::123456789012:role/TestRole", "external_id": { "id": "secret-external-id-123", "isSecretRef": true }, "aws.account_type": "organization-account", "aws.credentials.type": "cloud_connector" }, "enabled": true } } }, "cspm-cloudbeat/cis_gcp": { "enabled": false }, "cspm-cloudbeat/cis_azure": { "enabled": false } }, "enabled": true, "package": { "name": "cloud_security_posture", "title": "Cloud Security Posture Management", "version": "3.1.1" }, "version": "WzE0OTgsMV0=", "revision": 1, "namespace": "default", "created_at": "2025-11-06T18:27:43.541Z", "created_by": "test_user", "updated_at": "2025-11-06T18:27:43.541Z", "updated_by": "test_user", "description": "CSPM integration for AWS with cloud connector", "secret_references": [ { "id": "secret-external-id-123" } ], "cloud_connector_id": "aws-connector-67890", "supports_agentless": true, "supports_cloud_connector": true } }
Example response for Azure cloud connector integration
{ "item": { "id": "azure-policy-12345", "name": "cspm-azure-policy", "vars": { "posture": "cspm", "deployment": "azure" }, "inputs": { "cspm-cloudbeat/cis_aws": { "enabled": false }, "cspm-cloudbeat/cis_gcp": { "enabled": false }, "cspm-cloudbeat/cis_azure": { "enabled": true, "streams": { "cloud_security_posture.findings": { "vars": { "client_id": { "id": "client-secret-id-456", "isSecretRef": true }, "tenant_id": { "id": "tenant-secret-id-123", "isSecretRef": true }, "azure.account_type": "organization-account", "azure_credentials_cloud_connector_id": { "type": "text", "value": "existing-azure-credentials-connector-id" } }, "enabled": true } } } }, "enabled": true, "package": { "name": "cloud_security_posture", "title": "Cloud Security Posture Management", "version": "3.1.1" }, "version": "WzE0OTgsMV0=", "revision": 1, "namespace": "default", "created_at": "2025-11-06T18:27:43.541Z", "created_by": "test_user", "updated_at": "2025-11-06T18:27:43.541Z", "updated_by": "test_user", "description": "CSPM integration for Azure with cloud connector", "secret_references": [ { "id": "tenant-secret-id-123" }, { "id": "client-secret-id-456" } ], "cloud_connector_id": "azure-connector-67890", "supports_agentless": true, "supports_cloud_connector": true } }
Response examples (400)
Example of a generic error response
{ "error": "Bad Request", "message": "An error message describing what went wrong", "statusCode": 400 }
Response examples (409)
Example of a conflict error response
{ "error": "Conflict", "message": "An error message describing what went wrong", "statusCode": 409 }
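
In the 200 examples above, a secret submitted in plaintext (such as api_key) comes back as a secret reference ({"id": ..., "isSecretRef": true}) whose ID is listed under secret_references. The following Python check is an added example, not part of the Kibana documentation: the names walk, is_secret_ref, audit_secret_handling and the sensitive_vars argument are hypothetical, the good bodies are trimmed from this page's ess_billing example, and the plaintext key and the failing response are constructed.

```python
def walk(node, path=()):
    """Yield (path, value) for every node of a parsed JSON document."""
    yield path, node
    if isinstance(node, dict):
        children = node.items()
    elif isinstance(node, list):
        children = enumerate(node)
    else:
        children = ()
    for key, child in children:
        yield from walk(child, path + (key,))

def is_secret_ref(value):
    """True for the {"id": ..., "isSecretRef": true} shape shown in the responses."""
    return (isinstance(value, dict) and value.get("isSecretRef") is True
            and isinstance(value.get("id"), str))

def audit_secret_handling(request_body, response_body, sensitive_vars):
    """Return findings; an empty list means secrets came back only as references."""
    item, findings, used_refs = response_body["item"], [], set()
    # Plaintext values the caller submitted under variable names it treats as secret.
    submitted = {v for p, v in walk(request_body)
                 if p and p[-1] in sensitive_vars and isinstance(v, str)}
    for path, value in walk(item):
        where = ".".join(map(str, path))
        if is_secret_ref(value):
            used_refs.add(value["id"])
        elif path and path[-1] in sensitive_vars:
            findings.append(f"{where}: not a secret reference")
        if isinstance(value, str) and value in submitted:
            findings.append(f"{where}: submitted plaintext echoed in response")
    # Every reference used in vars should be listed in secret_references, and vice versa.
    listed = {ref["id"] for ref in item.get("secret_references") or []}
    findings += [f"secret_references: {i} listed but unused" for i in sorted(listed - used_refs)]
    findings += [f"secret_references: {i} used but not listed" for i in sorted(used_refs - listed)]
    return findings

# Bodies trimmed from this page's ess_billing example; the plaintext key is constructed.
REQUEST = {"name": "ess_billing-1",
           "inputs": {"ESS Billing-cel": {"vars": {"api_key": "constructed-plaintext-key",
                                                     "organization_id": "1234"}}},
           "package": {"name": "ess_billing", "version": "1.6.0"}}
GOOD_RESPONSE = {"item": {"id": "d52a7812-5736-4fdc-aed8-72152afa1ffa", "name": "ess_billing-1",
    "inputs": {"ESS Billing-cel": {"vars": {
        "api_key": {"id": "QY1sWpoBbWcMW-edr0Ee", "isSecretRef": True},
        "organization_id": "1234"}}},
    "secret_references": [{"id": "QY1sWpoBbWcMW-edr0Ee"}]}}
# Constructed failure case: key echoed in plaintext, no secret reference created.
BAD_RESPONSE = {"item": {"id": "constructed-id", "name": "ess_billing-1",
    "inputs": {"ESS Billing-cel": {"vars": {"api_key": "constructed-plaintext-key",
                                              "organization_id": "1234"}}}}}

if __name__ == "__main__":
    for label, resp in (("good", GOOD_RESPONSE), ("bad", BAD_RESPONSE)):
        print(label, audit_secret_handling(REQUEST, resp, {"api_key"}))
```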