Get Attack discovery schedule by ID

GET /api/attack_discovery/schedules/{id}

Retrieves a specific Attack discovery schedule by its unique identifier. Returns complete schedule configuration including parameters, interval settings, associated actions, and execution history.

Path parameters

  • id string(nonempty) Required

    The unique identifier (UUID) of the Attack Discovery schedule to retrieve. This ID is returned when creating a schedule and can be found in schedule listings.

    Minimum length is 1.

Responses

  • 200 application/json

    Successfully retrieved Attack Discovery schedule with complete configuration and metadata

    • actions array[object] Required

      The attack discovery schedule actions

      • action_type_id string Required

        The action type used for sending notifications.

      • alerts_filter object

        Additional properties are allowed.

      • frequency object

        The action frequency defines when the action runs (for example, only on schedule execution or at specific time intervals).

        • notify_when string Required

          The condition for throttling the notification: onActionGroupChange, onActiveAlert, or onThrottleInterval

          Values are onActiveAlert, onThrottleInterval, or onActionGroupChange.

        • summary boolean Required

          Indicates whether a single summary notification is sent for all the generated alerts or one notification is sent per individual alert.

        • throttle string Required

          Defines how often schedule actions are taken. Time interval in seconds, minutes, hours, or days.

          Format should match the following pattern: ^[1-9]\d*[smhd]$.

      • group string

        Groups actions by use cases. Use default for alert notifications.

      • id string Required

        The connector ID.

      • params object Required

        Object containing the allowed connector fields, which varies according to the connector type.

        Additional properties are allowed.

      • uuid string(nonempty)

        A string that does not contain only whitespace characters.

        Minimum length is 1.

    • created_at string(date-time) Required

      The date the schedule was created

    • created_by string Required

      The name of the user that created the schedule

    • enabled boolean Required

      Indicates whether the schedule is enabled

    • id string Required

      UUID of attack discovery schedule

    • last_execution object

      Information about the most recent execution of the attack discovery schedule

      • date string(date-time) Required

        Date of the execution

      • duration number

        Duration of the execution

      • message string
      • status string Required

        The status of the attack discovery schedule execution

        Values are ok, active, error, unknown, or warning.

    • name string Required

      The name of the schedule

    • params object Required

      The attack discovery schedule parameters

      • alerts_index_pattern string Required

        The index pattern to get alerts from

      • api_config object Required

        LLM API configuration.

        • actionTypeId string Required

          Action type ID

        • connectorId string Required

          Connector ID

        • defaultSystemPromptId string

          Default system prompt ID

        • model string

          Model

        • provider string

          Provider

          Values are OpenAI, Azure OpenAI, or Other.

        • name string Required

          The name of the connector

      • combined_filter object

        Additional properties are allowed.

      • end string
      • filters array

        The filter array used to define the conditions for when alerts are selected as an attack discovery context. Defaults to an empty array.

      • query object

        A query condition used to filter alerts

      • size number Required
      • start string
    • schedule object Required
      • interval string Required

        The schedule interval

    • updated_at string(date-time) Required

      The date the schedule was updated

    • updated_by string Required

      The name of the user that updated the schedule

  • 400 application/json

    Generic Error

    • error string

      Error type

    • message string

      Human-readable error message describing what went wrong

    • status_code number

      HTTP status code

GET /api/attack_discovery/schedules/{id}
curl \
  --request GET 'http://localhost:5601/api/attack_discovery/schedules/12345678-1234-1234-1234-123456789012' \
  --header "Authorization: $API_KEY" \
  --header "Content-Type: application/json"
Response examples (200)
{
  "id": "12345678-1234-1234-1234-123456789012",
  "name": "Daily Security Analysis",
  "params": {
    "end": "now",
    "size": 100,
    "start": "now-24h",
    "api_config": {
      "name": "Claude 3.5 Sonnet",
      "connectorId": "my-bedrock-connector",
      "actionTypeId": "bedrock"
    },
    "alerts_index_pattern": ".alerts-security.alerts-*"
  },
  "actions": [],
  "enabled": true,
  "schedule": {
    "interval": "24h"
  },
  "created_at": "2023-10-31T10:00:00.000Z",
  "created_by": "elastic",
  "updated_at": "2023-10-31T10:00:00.000Z",
  "updated_by": "elastic",
  "last_execution": {
    "date": "2023-10-31T10:00:00.000Z",
    "status": "ok",
    "last_duration": 45.2
  }
}
Response examples (400)
{
  "error": "Bad Request",
  "message": "Invalid request parameters",
  "status_code": 400
}
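The following is an added example, not client code from the page or from the project that ships this API. It calls the endpoint with the same headers as the curl command above and then checks the returned document against the constraints the response schema states (required fields, the UUID id, the throttle pattern, and the notify_when, provider and execution status value lists) before a caller trusts it. The sample document is constructed from the page's own 200 example, not live output; the base URL and API key are assumed. Note that the schema lists last_execution.duration while the page's example carries last_duration, so only the required last_execution fields (date, status) are checked.

```python
"""Fetch and validate a GET /api/attack_discovery/schedules/{id} response.

Added example (not the project's own client). Constraint values restate the
response schema documented above; the sample response is constructed from
the page's 200 example and is not real API output.
"""
import json
import re
import urllib.error
import urllib.request
import uuid

# Documented constraints from the response schema.
THROTTLE_RE = re.compile(r"^[1-9]\d*[smhd]$")
NOTIFY_WHEN = {"onActiveAlert", "onThrottleInterval", "onActionGroupChange"}
EXECUTION_STATUS = {"ok", "active", "error", "unknown", "warning"}
PROVIDERS = {"OpenAI", "Azure OpenAI", "Other"}

# Constructed sample: the page's 200 example.
SAMPLE_200 = {
    "id": "12345678-1234-1234-1234-123456789012",
    "name": "Daily Security Analysis",
    "params": {
        "end": "now", "size": 100, "start": "now-24h",
        "api_config": {"name": "Claude 3.5 Sonnet",
                       "connectorId": "my-bedrock-connector",
                       "actionTypeId": "bedrock"},
        "alerts_index_pattern": ".alerts-security.alerts-*",
    },
    "actions": [],
    "enabled": True,
    "schedule": {"interval": "24h"},
    "created_at": "2023-10-31T10:00:00.000Z", "created_by": "elastic",
    "updated_at": "2023-10-31T10:00:00.000Z", "updated_by": "elastic",
    "last_execution": {"date": "2023-10-31T10:00:00.000Z", "status": "ok",
                       "last_duration": 45.2},
}

# Constructed action with two violations (placeholder ids, not real connectors).
BAD_ACTION = {
    "action_type_id": "example-action-type", "id": "example-connector-id",
    "params": {},
    "frequency": {"notify_when": "never", "summary": True, "throttle": "0m"},
}


def fetch_schedule(base_url, schedule_id, api_key):
    """Issue the documented GET. Returns (http_status, parsed JSON body).
    Not called offline; base_url and api_key are the caller's."""
    url = f"{base_url}/api/attack_discovery/schedules/{schedule_id}"
    req = urllib.request.Request(url, headers={
        "Authorization": api_key, "Content-Type": "application/json"})
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        # 400 (and other error) bodies follow the documented error object.
        return err.code, json.load(err)


def _is_uuid(value):
    try:
        uuid.UUID(str(value))
        return True
    except ValueError:
        return False


def validate_schedule(doc):
    """Return a list of problems; an empty list means every documented
    constraint checked here is satisfied."""
    problems = []
    for key in ("actions", "created_at", "created_by", "enabled", "id",
                "name", "params", "schedule", "updated_at", "updated_by"):
        if key not in doc:
            problems.append(f"missing required field: {key}")
    if "id" in doc and not _is_uuid(doc["id"]):
        problems.append("id is not a UUID")
    for i, action in enumerate(doc.get("actions", [])):
        for key in ("action_type_id", "id", "params"):
            if key not in action:
                problems.append(f"actions[{i}] missing required field: {key}")
        freq = action.get("frequency")
        if freq is not None:
            if freq.get("notify_when") not in NOTIFY_WHEN:
                problems.append(f"actions[{i}].frequency.notify_when not in "
                                f"{sorted(NOTIFY_WHEN)}")
            if not isinstance(freq.get("summary"), bool):
                problems.append(f"actions[{i}].frequency.summary is not a boolean")
            if not THROTTLE_RE.match(str(freq.get("throttle", ""))):
                problems.append(f"actions[{i}].frequency.throttle does not match "
                                f"{THROTTLE_RE.pattern}")
    params = doc.get("params", {})
    for key in ("alerts_index_pattern", "api_config", "size"):
        if key not in params:
            problems.append(f"params missing required field: {key}")
    api_config = params.get("api_config", {})
    for key in ("actionTypeId", "connectorId", "name"):
        if key not in api_config:
            problems.append(f"params.api_config missing required field: {key}")
    if "provider" in api_config and api_config["provider"] not in PROVIDERS:
        problems.append("params.api_config.provider not in documented values")
    if not doc.get("schedule", {}).get("interval"):
        problems.append("schedule.interval is required")
    last = doc.get("last_execution")
    if last is not None:
        if "date" not in last:
            problems.append("last_execution missing required field: date")
        if last.get("status") not in EXECUTION_STATUS:
            problems.append("last_execution.status not in documented values")
    return problems


def problems_for_bad_action():
    """Run the validator on the sample with the malformed action attached."""
    return validate_schedule(dict(SAMPLE_200, actions=[BAD_ACTION]))


if __name__ == "__main__":
    print("sample:", validate_schedule(SAMPLE_200))
    print("bad action:", problems_for_bad_action())
```

Running the module offline validates the constructed sample (no problems) and reports the two violations in the malformed action; to check a live schedule, call fetch_schedule and pass the body to validate_schedule only when the status is 200.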