Create Attack discovery schedule Technical Preview; added in 9.2.0

View as Markdown
POST /api/attack_discovery/schedules
Api key auth Basic auth

Spaces method and path for this operation:

post /s/{space_id}/api/attack_discovery/schedules

Refer to Spaces for more information.

Creates a new Attack discovery schedule that analyzes security alerts at specified intervals. The schedule defines when and how Attack discovery analysis should run, including which alerts to analyze, which AI connector to use, and what actions to take when discoveries are found. Technical preview

application/json

Body Required

Attack discovery schedule configuration including name, parameters, schedule interval, and actions

  • actions array[object]

    The attack discovery schedule actions

    One of:
    Security_Attack_discovery_API_AttackDiscoveryApiScheduleGeneralAction object Security_Attack_discovery_API_AttackDiscoveryApiScheduleSystemAction object
  • enabled boolean

    Indicates whether the schedule is enabled

  • name string Required

    The name of the schedule

  • params object Required

    An attack discovery schedule params

    Hide params attributes Show params attributes object
    • alerts_index_pattern string Required

      The index pattern to get alerts from

    • api_config object Required

      LLM API configuration.

      Hide api_config attributes Show api_config attributes object
      • actionTypeId string Required

        Action type ID

      • connectorId string Required

        Connector ID

      • defaultSystemPromptId string

        Default system prompt ID

      • model string

        Model

      • provider string

        Provider

        Values are OpenAI, Azure OpenAI, or Other.

      • name string Required

        The name of the connector

    • combined_filter object

      Additional properties are allowed.

    • end string
    • filters array

      The filter array used to define the conditions for when alerts are selected as an attack discovery context. Defaults to an empty array.

    • query object

      An query condition to filter alerts

      Hide query attributes Show query attributes object
    • size number Required
    • start string
  • schedule object Required
    Hide schedule attribute Show schedule attribute object
    • interval string Required

      The schedule interval

Responses

  • 200 application/json

    Successfully created Attack discovery schedule

    Hide response attributes Show response attributes object
    • actions array[object] Required

      The attack discovery schedule actions

      One of:
      Security_Attack_discovery_API_AttackDiscoveryApiScheduleGeneralAction object Security_Attack_discovery_API_AttackDiscoveryApiScheduleSystemAction object
    • created_at string(date-time) Required

      The date the schedule was created

    • created_by string Required

      The name of the user that created the schedule

    • enabled boolean Required

      Indicates whether the schedule is enabled

    • id string Required

      UUID of attack discovery schedule

    • last_execution object

      An attack discovery schedule execution information

      Hide last_execution attributes Show last_execution attributes object
      • date string(date-time) Required

        Date of the execution

      • duration number

        Duration of the execution

      • message string
      • status string Required

        An attack discovery schedule execution status

        Values are ok, active, error, unknown, or warning.

    • name string Required

      The name of the schedule

    • params object Required

      An attack discovery schedule params

      Hide params attributes Show params attributes object
      • alerts_index_pattern string Required

        The index pattern to get alerts from

      • api_config object Required

        LLM API configuration.

        Hide api_config attributes Show api_config attributes object
        • actionTypeId string Required

          Action type ID

        • connectorId string Required

          Connector ID

        • defaultSystemPromptId string

          Default system prompt ID

        • model string

          Model

        • provider string

          Provider

          Values are OpenAI, Azure OpenAI, or Other.

        • name string Required

          The name of the connector

      • combined_filter object

        Additional properties are allowed.

      • end string
      • filters array

        The filter array used to define the conditions for when alerts are selected as an attack discovery context. Defaults to an empty array.

      • query object

        An query condition to filter alerts

        Hide query attributes Show query attributes object
      • size number Required
      • start string
    • schedule object Required
      Hide schedule attribute Show schedule attribute object
      • interval string Required

        The schedule interval

    • updated_at string(date-time) Required

      The date the schedule was updated

    • updated_by string Required

      The name of the user that updated the schedule
  • 400 application/json

    Generic Error

    Hide response attributes Show response attributes object
    • error string

      Error type

    • message string

      Human-readable error message describing what went wrong

    • status_code number

      HTTP status code
POST /api/attack_discovery/schedules 
curl \
 --request POST 'http://localhost:5601/api/attack_discovery/schedules' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{
   "name": "Daily Security Analysis",
   "enabled": true,
   "params": {
     "alerts_index_pattern": ".alerts-security.alerts-default",
     "api_config": {
       "actionTypeId": "bedrock",
       "connectorId": "my-bedrock-connector",
       "name": "Claude 3.5 Sonnet"
     },
     "size": 100,
     "start": "now-24h",
     "end": "now"
   },
   "schedule": {
     "interval": "24h"
   },
   "actions": [
      {
         "action_type_id": ".cases",
         "id": "system-connector-.cases",
         "params": {
           "subAction": "run",
           "subActionParams": {
             "timeWindow": "7d",
             "reopenClosedCases": false,
             "groupingBy": [],
             "templateId": null
           }
         },
         "uuid": "12345678-1234-1234-1234-123456789012"
       }
   ]
 }'
Request example 
{
  "name": "Daily Security Analysis",
  "params": {
    "end": "now",
    "size": 100,
    "start": "now-24h",
    "api_config": {
      "name": "Claude 3.5 Sonnet",
      "connectorId": "my-bedrock-connector",
      "actionTypeId": "bedrock"
    },
    "alerts_index_pattern": ".alerts-security.alerts-default"
  },
  "actions": [],
  "enabled": true,
  "schedule": {
    "interval": "24h"
  }
}
Response examples (200) 
{
  "id": "12345678-1234-1234-1234-123456789012",
  "name": "Daily Security Analysis",
  "params": {
    "end": "now",
    "size": 100,
    "start": "now-24h",
    "api_config": {
      "name": "Claude 3.5 Sonnet",
      "connectorId": "my-bedrock-connector",
      "actionTypeId": "bedrock"
    },
    "alerts_index_pattern": ".alerts-security.alerts-default"
  },
  "actions": [],
  "enabled": true,
  "schedule": {
    "interval": "24h"
  },
  "created_at": "2023-10-31T10:00:00.000Z",
  "created_by": "elastic",
  "updated_at": "2023-10-31T10:00:00.000Z",
  "updated_by": "elastic"
}
Response examples (400) 
{
  "error": "Bad Request",
  "message": "Invalid request parameters",
  "status_code": 400
}