Update Attack discovery schedule (Technical Preview; added in 9.2.0)

PUT /api/attack_discovery/schedules/{id}

Spaces method and path for this operation:

put /s/{space_id}/api/attack_discovery/schedules/{id}

Refer to Spaces for more information.

Updates an existing Attack discovery schedule with new configuration. All schedule properties can be modified, including name, parameters, interval, and actions. The update operation replaces the entire schedule configuration with the provided values. (Technical preview)

Path parameters

  • id string(nonempty) Required

    The unique identifier (UUID) of the Attack Discovery schedule to update. This ID is returned when creating a schedule and can be found in schedule listings.

    Minimum length is 1.

application/json

Body Required

Updated Attack discovery schedule configuration. All fields are required as this replaces the entire schedule configuration.

  • actions array[object] Required

    The attack discovery schedule actions

    One of:
  • name string Required

    The name of the schedule

  • params object Required

The attack discovery schedule parameters

    • alerts_index_pattern string Required

      The index pattern to get alerts from

    • api_config object Required

      LLM API configuration.

      • actionTypeId string Required

        Action type ID

      • connectorId string Required

        Connector ID

      • defaultSystemPromptId string

        Default system prompt ID

      • model string

        Model

      • provider string

        Provider

        Values are OpenAI, Azure OpenAI, or Other.

      • name string Required

        The name of the connector

    • combined_filter object

      Additional properties are allowed.

    • end string
    • filters array

      The filter array used to define the conditions for when alerts are selected as an attack discovery context. Defaults to an empty array.

    • query object

A query condition used to filter alerts

    • size number Required
    • start string
  • schedule object Required
    • interval string Required

      The schedule interval
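
Because this PUT replaces the whole schedule, a body that omits any required field above is rejected rather than merged. The following added example (not code from the Kibana docs) checks a body against the required fields listed on this page and builds the request URL in either the plain or the Spaces form; the interval grammar it accepts is an assumption, since the page does not define it.

```python
# Added example, not from the Kibana docs: check an update body against the
# required fields this page lists before sending it, and build the request URL.
import re

REQUIRED_PARAMS = ("alerts_index_pattern", "api_config", "size")
REQUIRED_API_CONFIG = ("actionTypeId", "connectorId", "name")
PROVIDERS = ("OpenAI", "Azure OpenAI", "Other")
# Assumption: interval is a duration string such as "12h"; the page does not state its grammar.
INTERVAL_RE = re.compile(r"^\d+[smhd]$")


def validate_schedule_body(body):
    """Return a list of problems; an empty list means every required field is present."""
    errors = []
    if not isinstance(body.get("name"), str) or not body["name"]:
        errors.append("name: required non-empty string")
    if not isinstance(body.get("actions"), list):
        errors.append("actions: required array (use [] for none)")
    params = body.get("params")
    if not isinstance(params, dict):
        errors.append("params: required object")
    else:
        errors += [f"params.{k}: required" for k in REQUIRED_PARAMS if k not in params]
        api_config = params.get("api_config")
        if isinstance(api_config, dict):
            errors += [f"params.api_config.{k}: required"
                       for k in REQUIRED_API_CONFIG if k not in api_config]
            provider = api_config.get("provider")
            if provider is not None and provider not in PROVIDERS:
                errors.append("params.api_config.provider: must be OpenAI, Azure OpenAI or Other")
    schedule = body.get("schedule")
    interval = schedule.get("interval") if isinstance(schedule, dict) else None
    if not isinstance(interval, str) or not INTERVAL_RE.match(interval):
        errors.append("schedule.interval: required duration string such as '12h'")
    return errors


def schedule_url(base_url, schedule_id, space_id=None):
    """Build the update URL; the /s/{space_id} prefix form is used when a space is given."""
    if not schedule_id:
        raise ValueError("schedule id must be non-empty")  # id has minimum length 1
    prefix = f"/s/{space_id}" if space_id else ""
    return f"{base_url.rstrip('/')}{prefix}/api/attack_discovery/schedules/{schedule_id}"
```

Run the validator on the body before issuing the PUT so that a partial update is caught locally instead of surfacing as a 400 from Kibana.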

Responses

  • 200 application/json

    Successfully updated Attack Discovery schedule with the new configuration and metadata

    • actions array[object] Required

      The attack discovery schedule actions

      One of:
    • created_at string(date-time) Required

      The date the schedule was created

    • created_by string Required

      The name of the user that created the schedule

    • enabled boolean Required

      Indicates whether the schedule is enabled

    • id string Required

      UUID of attack discovery schedule

    • last_execution object

Information about the most recent execution of the attack discovery schedule

      • date string(date-time) Required

        Date of the execution

      • duration number

        Duration of the execution

      • message string
      • status string Required

The status of the attack discovery schedule execution

        Values are ok, active, error, unknown, or warning.

    • name string Required

      The name of the schedule

    • params object Required

The attack discovery schedule parameters

      • alerts_index_pattern string Required

        The index pattern to get alerts from

      • api_config object Required

        LLM API configuration.

        • actionTypeId string Required

          Action type ID

        • connectorId string Required

          Connector ID

        • defaultSystemPromptId string

          Default system prompt ID

        • model string

          Model

        • provider string

          Provider

          Values are OpenAI, Azure OpenAI, or Other.

        • name string Required

          The name of the connector

      • combined_filter object

        Additional properties are allowed.

      • end string
      • filters array

        The filter array used to define the conditions for when alerts are selected as an attack discovery context. Defaults to an empty array.

      • query object

A query condition used to filter alerts

      • size number Required
      • start string
    • schedule object Required
      • interval string Required

        The schedule interval

    • updated_at string(date-time) Required

      The date the schedule was updated

    • updated_by string Required

      The name of the user that updated the schedule

  • 400 application/json

    Generic Error

    • error string

      Error type

    • message string

      Human-readable error message describing what went wrong

    • status_code number

      HTTP status code

PUT /api/attack_discovery/schedules/{id}
curl \
 --request PUT 'http://localhost:5601/api/attack_discovery/schedules/12345678-1234-1234-1234-123456789012' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --data '{
   "name": "Updated Daily Security Analysis",
   "params": {
     "alerts_index_pattern": ".alerts-security.alerts-default",
     "api_config": {
       "actionTypeId": "bedrock",
       "connectorId": "my-bedrock-connector",
       "name": "Claude 3.5 Sonnet"
     },
     "size": 200,
     "start": "now-48h",
     "end": "now"
   },
   "schedule": {
     "interval": "12h"
   },
   "actions": []
 }'
Request example
{
  "name": "Updated Daily Security Analysis",
  "params": {
    "end": "now",
    "size": 200,
    "start": "now-48h",
    "api_config": {
      "name": "Claude 3.5 Sonnet",
      "connectorId": "my-bedrock-connector",
      "actionTypeId": "bedrock"
    },
    "alerts_index_pattern": ".alerts-security.alerts-default"
  },
  "actions": [],
  "schedule": {
    "interval": "12h"
  }
}
Response examples (200)
{
  "id": "12345678-1234-1234-1234-123456789012",
  "name": "Updated Daily Security Analysis",
  "params": {
    "end": "now",
    "size": 200,
    "start": "now-48h",
    "api_config": {
      "name": "Claude 3.5 Sonnet",
      "connectorId": "my-bedrock-connector",
      "actionTypeId": "bedrock"
    },
    "alerts_index_pattern": ".alerts-security.alerts-default"
  },
  "actions": [],
  "enabled": true,
  "schedule": {
    "interval": "12h"
  },
  "created_at": "2023-10-31T10:00:00.000Z",
  "created_by": "elastic",
  "updated_at": "2023-10-31T12:00:00.000Z",
  "updated_by": "elastic"
}
Response examples (400)
{
  "error": "Bad Request",
  "message": "Invalid request parameters",
  "status_code": 400
}