Kibana

Integrate Kibana with your AI workspace

Kibana is a visualization and analytics platform for Elasticsearch, offering dashboards, data exploration, and monitoring capabilities for gaining insights from data.

Explore Triggers and Actions

Check Fleet Permissions

Tool to check the permissions for the Fleet API. Use when you need to verify if the current user has the necessary privileges for Fleet operations.

Create Alerting Rule

Tool to create a new alerting rule in Kibana. Use when you need to define a new condition that, when met, triggers an alert and potentially executes predefined actions.

Create Case

Tool to create a new case in Kibana. Use when you need to open and track issues, incidents, or investigations. You can assign users, set severity levels, add tags, and configure external connectors for integration with ITSM systems.

Create Dashboard

Tool to create a new dashboard in Kibana. Use when you need to create a dashboard to visualize data. Dashboards can contain visualizations, saved searches, and other embeddable objects. Note: When using serverless Kibana, you must provide a dashboard_id. The action will automatically fall back to the import API for serverless environments.

Create Data View

Tool to create a new data view (index pattern) in Kibana. Use when you need to define which Elasticsearch indices to query and analyze in Kibana. Data views determine which fields are available in Discover, Visualize, and other Kibana apps.

Create Kibana Connector

Tool to create a new connector in Kibana. Use when you need to integrate Kibana with an external service.

Create or Update Saved Object

Tool to create or update a saved object in Kibana. Use when you need to programmatically manage Kibana dashboards, visualizations, index patterns, etc.

Delete Alerting Rule

Tool to delete an alerting rule in Kibana. Use when you need to remove a specific alerting rule by its ID.

Delete Connector

Tool to delete a connector in Kibana. Use when you need to remove an existing connector.

Delete Fleet Output

Tool to delete a specific output configuration in Kibana Fleet. Use when you need to remove an existing output by its ID.

Delete Fleet Proxy

Deletes a Fleet proxy configuration by its unique identifier. Fleet proxies enable agents to communicate through proxy servers. Use this action to remove proxy configurations that are no longer needed. The proxy must not be in use by any agent policies or outputs before deletion. Requires 'fleet-settings-all' privileges in Kibana.

Delete List

Deletes a list. Use when you want to delete a list by its ID.

Delete Osquery Saved Query

Delete a saved Osquery query by its saved object ID. Use this to remove a specific Osquery saved query from Kibana. IMPORTANT: This action requires the 'saved_object_id' (UUID format), not the custom 'id' field. You can obtain the saved_object_id by listing queries first or from the response when creating a query.

Delete Saved Object

Tool to delete a saved object in Kibana. Use when you need to remove a specific saved object like a visualization or dashboard.

Find Detection Engine Rules

Retrieves a paginated list of Kibana detection engine rules with flexible filtering and sorting options. Use this action to:
- List all detection rules in your Kibana security solution
- Search for specific rules using KQL filters (by name, tags, severity, enabled status, etc.)
- Sort rules by various criteria (name, risk score, creation date, etc.)
- Paginate through large rule sets
- Select specific fields to return for efficient data retrieval

The detection engine rules are used for identifying security threats and generating alerts.

Find Kibana Alerts

Tool to find and/or aggregate detection alerts in Kibana. Use this to retrieve a list of alerts, optionally filtering them with a query and performing aggregations.

Get Action Types

Retrieves all available connector types (actions) in Kibana. Connector types (also called action types) are integrations like Slack, Email, Webhook, ServiceNow, etc. that can be used with alerting rules, cases, and workflows. Use this to discover which connector types are available and their requirements (license, features) before creating a new connector instance. Returns detailed information about each connector type including:
- ID (e.g., '.slack', '.email', '.webhook')
- Display name and enabled status
- License requirements (basic, gold, platinum, enterprise)
- Supported features (alerting, cases, workflows, etc.)
- Configuration and deprecation status

Get Alerting Rules

Tool to retrieve a list of alerting rules in Kibana. Use when you need to get a paginated set of rules based on specified conditions.

Get All Connectors

Tool to retrieve a list of all connectors in Kibana. Use this tool when you need to get information about available connectors.

Get Cases

Tool to retrieve a list of cases in Kibana. Use when you need to find or list existing security or operational cases, potentially filtering by various attributes like status, assignee, or severity.

Get Data Views

Retrieves all data views (formerly known as index patterns) available in Kibana. Data views define which Elasticsearch indices you want to explore and are used throughout Kibana for features like Discover, Visualize, and Dashboard. This action returns a list of all configured data views with their IDs, names, and index patterns. Use this to discover available data sources before querying specific data views for detailed field information.

Get Endpoint List Items

Retrieves Elastic Endpoint exception list items with filtering, pagination, and sorting capabilities. Use this action to:
- List all endpoint exceptions in the security solution
- Filter exceptions by specific field values (e.g., host.name:test-host)
- Sort and paginate through exception items
- Verify existing exceptions before creating new ones

The endpoint exception list contains security exceptions applied to Elastic Endpoint agents.

Get Entity Store Engines

Retrieves all entity store engines configured in Kibana. Entity store engines aggregate and manage entity data for different entity types (user, host, service). This action returns detailed configuration and status information for all engines, including their current status (installing, started, stopped, error), index patterns, processing parameters, and any error details if applicable. Use this to monitor entity store engines, check their operational status, and review their configuration settings.

Get Entity Store Status

Retrieves the current status of the Kibana Entity Store and its configured engines. The Entity Store is a security feature that collects and organizes entity data (users, hosts, etc.) from various sources. This action returns the overall status ('not_installed', 'installing', 'running', 'stopped', or 'error') and details about configured entity engines. Use this to check if the entity store is operational and to view which entity engines are configured.

Get EPM Package Statistics

Retrieves usage statistics for a specific Fleet package in Kibana, including the number of package policies and agent policies using the package. Use this to understand package adoption and usage across your Fleet-managed agents.

Get Fleet Agent Policies

Retrieves a paginated list of Fleet agent policies with filtering, sorting, and optional detailed information. Use this action to:
- List all agent policies in your Fleet deployment
- Filter policies using KQL queries (e.g., by name, namespace, or other fields)
- Get agent enrollment counts per policy (use withAgentCount=true)
- Retrieve full policy details including package policies (use full=true)
- Find policies with available upgrades (use showUpgradeable=true)

Agent policies define the configuration for groups of Elastic Agents, including which integrations (package policies) are enabled and how agents should collect and send data.

Get Fleet Agents Available Versions

Tool to retrieve the available versions for Fleet agents. Use when you need to get a list of all available Elastic Agent versions.

Get Fleet Agents Setup Status

Check Fleet setup readiness and identify missing requirements. Returns whether Fleet is ready (isReady), lists any missing prerequisites (missing_requirements), and shows optional feature availability. Use this to verify Fleet is properly configured before managing agents or policies.

Get Fleet Enrollment API Key

Tool to retrieve details of a specific enrollment API key by its ID. Use when you have the ID of an enrollment API key and need its details.

Get Fleet Enrollment API Keys

Tool to fetch a list of enrollment API keys. Use when you need to retrieve existing enrollment tokens for Kibana Fleet.

Get Fleet EPM Categories

Get all available package categories in the Elastic Package Manager (EPM) with package counts. Returns categories like Security, Observability, Cloud, etc., along with the number of packages in each category. Use this to discover available integration categories before browsing or filtering packages.

Get Fleet EPM Data Streams

Tool to retrieve the list of data streams in the Elastic Package Manager. Use when you need to get a list of available data streams, optionally filtering by type, dataset, or categorization.

Get Fleet EPM Package Details

Retrieves comprehensive details for a specific Fleet integration package version from the Elastic Package Manager (EPM). Returns detailed information including:
- Package metadata (name, title, description, version, type)
- Installation status and requirements
- Data streams and their configurations
- Assets (dashboards, visualizations, pipelines)
- License and compatibility requirements
- Icons and documentation paths

Use this action when you need detailed information about a specific package version, such as:
- Checking package compatibility requirements
- Viewing data streams provided by a package
- Accessing package assets and configuration
- Verifying installation status and details

Get Fleet EPM Package File

Retrieves a specific file from an Elastic Package Manager (EPM) package. Use this to access package metadata, documentation, changelogs, or configuration files. Common use cases: inspecting manifest.yml for package details, reading README.md for documentation, or reviewing changelog.yml for version history. Requires a valid package name, version, and file path.

Get Fleet EPM Packages

Tool to fetch the list of available packages in the Elastic Package Manager. Use when you need to find available integrations or their details.

Get Fleet EPM Packages (Limited)

Retrieves a limited list of package names from the Elastic Package Manager (EPM) registry. Returns only package names (strings) without additional metadata, making it faster than the full packages endpoint. Useful for quickly getting a list of available integration packages (maximum 10,000 items). Use this when you only need package names; use the full packages endpoint if you need detailed package information.

Get Fleet Package Policies

Retrieves a list of Fleet package policies (integration policies) in Kibana. Package policies define how integrations are configured and which agent policies they're associated with. Use this to list all package policies, filter them by criteria, or get their IDs and configurations. Supports pagination, sorting, and KQL filtering.

Get Fleet Server Host

Tool to fetch details of a specific Fleet server host by its item ID. Use when you need to get information about a particular Fleet Server host.

Get Fleet Server Hosts

Tool to retrieve the list of Fleet Server hosts. Use when you need to get information about the available Fleet Server hosts.

Get Index Management Indices

Tool to fetch information about indices managed by Kibana's Index Management feature. It queries the underlying Elasticsearch /_cat/indices API to retrieve index details. Use when you need to list or get details about one or more indices in the cluster.

Get Installed EPM Packages

Tool to retrieve the list of installed packages in the Elastic Package Manager. Use this when you need to check which packages are currently installed in Fleet.

Get Kibana Status

Tool to get the current status of Kibana. Use when you need to check if Kibana is healthy, monitor its state, or get information about the Kibana instance including version, UUID, and metrics.

Get Node Metrics

Tool to retrieve statistics for nodes in an Elasticsearch cluster, often visualized in Kibana. Use when you need to monitor node health, performance, or resource usage. This action calls the Elasticsearch Nodes Stats API.

Get Reporting Jobs

Tool to retrieve a list of reporting jobs in Kibana. Use when you need to see pending or completed reports. This uses an internal API endpoint, which might be subject to change without notice.

Get Rule Types

Retrieves available rule types (alert types) in Kibana. Returns comprehensive metadata about each rule type including:
- Available action groups and variables for action templates
- License requirements and authorization details
- Category (management, observability, securitySolution)
- Configuration options like auto-recovery and timeout settings

Use this to discover what types of alerting rules can be created in your Kibana instance, such as Elasticsearch query alerts, index threshold alerts, machine learning anomaly detection, and security detection rules.

Get Saved Objects

Tool to retrieve a list of saved objects in Kibana based on specified criteria. Use when you need to find dashboards, visualizations, index patterns, or other saved entities.

List Entity Store Entities

Tool to list entity records in the entity store with support for paging, sorting, and filtering. Use when you need to retrieve a list of entities such as users, hosts, or services.
