Kibana APIs — Security Attack discovery API

Kibana APIs — Security Attack discovery API. 13 operations. Lead operation: Bulk update Attack discoveries. Self-contained Naftiko capability covering one Kibana business surface.

What You Can Do

POST
Postattackdiscoverybulk — Bulk update Attack discoveries
/v1/api/attack-discovery/bulk
GET
Attackdiscoveryfind — Find Attack discoveries that match the search criteria
/v1/api/attack-discovery/find
POST
Postattackdiscoverygenerate — Generate attack discoveries from alerts
/v1/api/attack-discovery/generate
GET
Getattackdiscoverygenerations — Get the latest Attack Discovery generations metadata for the current user
/v1/api/attack-discovery/generations
GET
Getattackdiscoverygeneration — Get a single Attack Discovery generation, including its discoveries and (optional) generation metadata
/v1/api/attack-discovery/generations/{execution-uuid}
POST
Postattackdiscoverygenerationsdismiss — Dismiss an Attack Discovery generation
/v1/api/attack-discovery/generations/{execution-uuid}/dismiss
POST
Createattackdiscoveryschedules — Create Attack Discovery schedule
/v1/api/attack-discovery/schedules
GET
Findattackdiscoveryschedules — Find Attack Discovery schedules that match the search criteria
/v1/api/attack-discovery/schedules/find
DELETE
Deleteattackdiscoveryschedules — Delete Attack Discovery schedule
/v1/api/attack-discovery/schedules/{id}
GET
Getattackdiscoveryschedules — Get Attack Discovery schedule by ID
/v1/api/attack-discovery/schedules/{id}
PUT
Updateattackdiscoveryschedules — Update Attack Discovery schedule
/v1/api/attack-discovery/schedules/{id}
POST
Disableattackdiscoveryschedules — Disable Attack Discovery schedule
/v1/api/attack-discovery/schedules/{id}/disable
POST
Enableattackdiscoveryschedules — Enable Attack Discovery schedule
/v1/api/attack-discovery/schedules/{id}/enable

MCP Tools

bulk-update-attack-discoveries

Bulk update Attack discoveries

find-attack-discoveries-that-match

Find Attack discoveries that match the search criteria

read-only idempotent

generate-attack-discoveries-alerts

Generate attack discoveries from alerts

get-latest-attack-discovery-generations

Get the latest Attack Discovery generations metadata for the current user

read-only idempotent

get-single-attack-discovery-generation

Get a single Attack Discovery generation, including its discoveries and (optional) generation metadata

read-only idempotent

dismiss-attack-discovery-generation

Dismiss an Attack Discovery generation

create-attack-discovery-schedule

Create Attack Discovery schedule

find-attack-discovery-schedules-that

Find Attack Discovery schedules that match the search criteria

read-only idempotent

delete-attack-discovery-schedule

Delete Attack Discovery schedule

idempotent

get-attack-discovery-schedule-id

Get Attack Discovery schedule by ID

read-only idempotent

update-attack-discovery-schedule

Update Attack Discovery schedule

idempotent

disable-attack-discovery-schedule

Disable Attack Discovery schedule

enable-attack-discovery-schedule

Enable Attack Discovery schedule

Capability Spec

kibana-security-attack-discovery-api.yaml
naftiko: 1.0.0-alpha2
info:
  label: Kibana APIs — Security Attack discovery API
  description: 'Kibana APIs — Security Attack discovery API. 13 operations. Lead operation: Bulk update Attack discoveries.
    Self-contained Naftiko capability covering one Kibana business surface.'
  tags:
  - Kibana
  - Security Attack discovery API
  created: '2026-05-19'
  modified: '2026-05-19'
binds:
- namespace: env
  keys:
    KIBANA_API_KEY: KIBANA_API_KEY
capability:
  consumes:
  - type: http
    namespace: kibana-security-attack-discovery-api
    baseUri: https://{kibana_url}
    description: Kibana APIs — Security Attack discovery API business capability. Self-contained, no shared references.
    resources:
    - name: api-attack_discovery-_bulk
      path: /api/attack_discovery/_bulk
      operations:
      - name: postattackdiscoverybulk
        method: POST
        description: Bulk update Attack discoveries
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: body
          in: body
          type: object
          description: Request body (JSON).
          required: true
    - name: api-attack_discovery-_find
      path: /api/attack_discovery/_find
      operations:
      - name: attackdiscoveryfind
        method: GET
        description: Find Attack discoveries that match the search criteria
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: alert_ids
          in: query
          type: array
          description: Filter results to Attack discoveries that include any of the provided alert IDs
        - name: connector_names
          in: query
          type: array
          description: Filter results to Attack discoveries created by any of the provided human readable connector names.
            Note that values must match the human readable `connector_na
        - name: enable_field_rendering
          in: query
          type: boolean
          description: Enables a markdown syntax used to render pivot fields, for example `{{ user.name james }}`. When disabled,
            the same example would be rendered as `james`. This i
        - name: end
          in: query
          type: string
          description: End of the time range for the search. Accepts absolute timestamps (ISO 8601) or relative date math
            (e.g. "now", "now-24h").
        - name: ids
          in: query
          type: array
          description: Filter results to the Attack discoveries with the specified IDs
        - name: include_unique_alert_ids
          in: query
          type: boolean
          description: If `true`, the response will include `unique_alert_ids` and `unique_alert_ids_count` aggregated across
            the matched Attack discoveries
        - name: page
          in: query
          type: integer
          description: Page number to return (used for pagination). Defaults to 1.
        - name: per_page
          in: query
          type: integer
          description: Number of Attack discoveries to return per page (used for pagination). Defaults to 10.
        - name: search
          in: query
          type: string
          description: Free-text search query applied to relevant text fields of Attack discoveries (title, description, tags,
            etc.)
        - name: shared
          in: query
          type: boolean
          description: Whether to filter by shared visibility. If omitted, both shared and privately visible Attack discoveries
            are returned. Use `true` to return only shared discover
        - name: scheduled
          in: query
          type: boolean
          description: Whether to filter by scheduled or ad-hoc attack discoveries. If omitted, both types of attack discoveries
            are returned. Use `true` to return only scheduled disc
        - name: sort_field
          in: query
          type: string
          description: Field used to sort results. See `AttackDiscoveryFindSortField` for allowed values.
        - name: sort_order
          in: query
          type: string
          description: Sort order direction `asc` for ascending or `desc` for descending. Defaults to `desc`.
        - name: start
          in: query
          type: string
          description: Start of the time range for the search. Accepts absolute timestamps (ISO 8601) or relative date math
            (e.g. "now-7d").
        - name: status
          in: query
          type: array
          description: Filter by alert workflow status. Provide one or more of the allowed workflow states.
        - name: with_replacements
          in: query
          type: boolean
          description: When true, return the created Attack discoveries with text replacements applied to the detailsMarkdown,
            entitySummaryMarkdown, summaryMarkdown, and title fields
    - name: api-attack_discovery-_generate
      path: /api/attack_discovery/_generate
      operations:
      - name: postattackdiscoverygenerate
        method: POST
        description: Generate attack discoveries from alerts
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: body
          in: body
          type: object
          description: Request body (JSON).
          required: true
    - name: api-attack_discovery-generations
      path: /api/attack_discovery/generations
      operations:
      - name: getattackdiscoverygenerations
        method: GET
        description: Get the latest Attack Discovery generations metadata for the current user
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: end
          in: query
          type: string
          description: End of the time range for filtering generations. Accepts absolute timestamps (ISO 8601) or relative
            date math (e.g. "now", "now-24h").
        - name: size
          in: query
          type: number
          description: The maximum number of generations to retrieve
        - name: start
          in: query
          type: string
          description: Start of the time range for filtering generations. Accepts absolute timestamps (ISO 8601) or relative
            date math (e.g. "now-7d").
    - name: api-attack_discovery-generations-execution_uuid
      path: /api/attack_discovery/generations/{execution_uuid}
      operations:
      - name: getattackdiscoverygeneration
        method: GET
        description: Get a single Attack Discovery generation, including its discoveries and (optional) generation metadata
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: execution_uuid
          in: path
          type: string
          description: The unique identifier for the Attack Discovery generation execution. This UUID is returned at the start
            of an Attack Discovery generation.
          required: true
        - name: enable_field_rendering
          in: query
          type: boolean
          description: Enables a markdown syntax used to render pivot fields, for example `{{ user.name james }}`. When disabled,
            the same example would be rendered as `james`. This i
        - name: with_replacements
          in: query
          type: boolean
          description: When true, return the created Attack discoveries with text replacements applied to the detailsMarkdown,
            entitySummaryMarkdown, summaryMarkdown, and title fields
    - name: api-attack_discovery-generations-execution_uuid-_dismiss
      path: /api/attack_discovery/generations/{execution_uuid}/_dismiss
      operations:
      - name: postattackdiscoverygenerationsdismiss
        method: POST
        description: Dismiss an Attack Discovery generation
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: execution_uuid
          in: path
          type: string
          description: The unique identifier for the Attack Discovery generation execution. This UUID is returned when an
            Attack Discovery generation is created and can be found in ge
          required: true
    - name: api-attack_discovery-schedules
      path: /api/attack_discovery/schedules
      operations:
      - name: createattackdiscoveryschedules
        method: POST
        description: Create Attack Discovery schedule
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: body
          in: body
          type: object
          description: Request body (JSON).
          required: true
    - name: api-attack_discovery-schedules-_find
      path: /api/attack_discovery/schedules/_find
      operations:
      - name: findattackdiscoveryschedules
        method: GET
        description: Find Attack Discovery schedules that match the search criteria
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: page
          in: query
          type: number
          description: Page number to return (used for pagination). Defaults to 1.
        - name: per_page
          in: query
          type: number
          description: Number of Attack Discovery schedules to return per page (used for pagination). Defaults to 10.
        - name: sort_field
          in: query
          type: string
          description: Field used to sort results. Common fields include 'name', 'created_at', 'updated_at', and 'enabled'.
        - name: sort_direction
          in: query
          type: string
          description: Sort order direction. Use 'asc' for ascending or 'desc' for descending. Defaults to 'asc'.
    - name: api-attack_discovery-schedules-id
      path: /api/attack_discovery/schedules/{id}
      operations:
      - name: deleteattackdiscoveryschedules
        method: DELETE
        description: Delete Attack Discovery schedule
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: id
          in: path
          type: string
          description: The unique identifier (UUID) of the Attack Discovery schedule to delete. This ID is returned when creating
            a schedule and can be found in schedule listings.
          required: true
      - name: getattackdiscoveryschedules
        method: GET
        description: Get Attack Discovery schedule by ID
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: id
          in: path
          type: string
          description: The unique identifier (UUID) of the Attack Discovery schedule to retrieve. This ID is returned when
            creating a schedule and can be found in schedule listings.
          required: true
      - name: updateattackdiscoveryschedules
        method: PUT
        description: Update Attack Discovery schedule
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: id
          in: path
          type: string
          description: The unique identifier (UUID) of the Attack Discovery schedule to update. This ID is returned when creating
            a schedule and can be found in schedule listings.
          required: true
        - name: body
          in: body
          type: object
          description: Request body (JSON).
          required: true
    - name: api-attack_discovery-schedules-id-_disable
      path: /api/attack_discovery/schedules/{id}/_disable
      operations:
      - name: disableattackdiscoveryschedules
        method: POST
        description: Disable Attack Discovery schedule
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: id
          in: path
          type: string
          description: The unique identifier (UUID) of the Attack Discovery schedule to disable. This ID is returned when
            creating a schedule and can be found in schedule listings.
          required: true
    - name: api-attack_discovery-schedules-id-_enable
      path: /api/attack_discovery/schedules/{id}/_enable
      operations:
      - name: enableattackdiscoveryschedules
        method: POST
        description: Enable Attack Discovery schedule
        outputRawFormat: json
        outputParameters:
        - name: result
          type: object
          value: $.
        inputParameters:
        - name: id
          in: path
          type: string
          description: The unique identifier (UUID) of the Attack Discovery schedule to enable. This ID is returned when creating
            a schedule and can be found in schedule listings.
          required: true
    authentication:
      type: apikey
      key: Authorization
      value: '{{env.KIBANA_API_KEY}}'
      placement: header
  exposes:
  - type: rest
    namespace: kibana-security-attack-discovery-api-rest
    port: 8080
    description: REST adapter for Kibana APIs — Security Attack discovery API. One Spectral-compliant resource per consumed
      operation, prefixed with /v1.
    resources:
    - path: /v1/api/attack-discovery/bulk
      name: api-attack-discovery-bulk
      description: REST surface for api-attack_discovery-_bulk.
      operations:
      - method: POST
        name: postattackdiscoverybulk
        description: Bulk update Attack discoveries
        call: kibana-security-attack-discovery-api.postattackdiscoverybulk
        with:
          body: rest.body
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/api/attack-discovery/find
      name: api-attack-discovery-find
      description: REST surface for api-attack_discovery-_find.
      operations:
      - method: GET
        name: attackdiscoveryfind
        description: Find Attack discoveries that match the search criteria
        call: kibana-security-attack-discovery-api.attackdiscoveryfind
        with:
          alert_ids: rest.alert_ids
          connector_names: rest.connector_names
          enable_field_rendering: rest.enable_field_rendering
          end: rest.end
          ids: rest.ids
          include_unique_alert_ids: rest.include_unique_alert_ids
          page: rest.page
          per_page: rest.per_page
          search: rest.search
          shared: rest.shared
          scheduled: rest.scheduled
          sort_field: rest.sort_field
          sort_order: rest.sort_order
          start: rest.start
          status: rest.status
          with_replacements: rest.with_replacements
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/api/attack-discovery/generate
      name: api-attack-discovery-generate
      description: REST surface for api-attack_discovery-_generate.
      operations:
      - method: POST
        name: postattackdiscoverygenerate
        description: Generate attack discoveries from alerts
        call: kibana-security-attack-discovery-api.postattackdiscoverygenerate
        with:
          body: rest.body
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/api/attack-discovery/generations
      name: api-attack-discovery-generations
      description: REST surface for api-attack_discovery-generations.
      operations:
      - method: GET
        name: getattackdiscoverygenerations
        description: Get the latest Attack Discovery generations metadata for the current user
        call: kibana-security-attack-discovery-api.getattackdiscoverygenerations
        with:
          end: rest.end
          size: rest.size
          start: rest.start
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/api/attack-discovery/generations/{execution-uuid}
      name: api-attack-discovery-generations-execution-uuid
      description: REST surface for api-attack_discovery-generations-execution_uuid.
      operations:
      - method: GET
        name: getattackdiscoverygeneration
        description: Get a single Attack Discovery generation, including its discoveries and (optional) generation metadata
        call: kibana-security-attack-discovery-api.getattackdiscoverygeneration
        with:
          execution_uuid: rest.execution_uuid
          enable_field_rendering: rest.enable_field_rendering
          with_replacements: rest.with_replacements
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/api/attack-discovery/generations/{execution-uuid}/dismiss
      name: api-attack-discovery-generations-execution-uuid-dismiss
      description: REST surface for api-attack_discovery-generations-execution_uuid-_dismiss.
      operations:
      - method: POST
        name: postattackdiscoverygenerationsdismiss
        description: Dismiss an Attack Discovery generation
        call: kibana-security-attack-discovery-api.postattackdiscoverygenerationsdismiss
        with:
          execution_uuid: rest.execution_uuid
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/api/attack-discovery/schedules
      name: api-attack-discovery-schedules
      description: REST surface for api-attack_discovery-schedules.
      operations:
      - method: POST
        name: createattackdiscoveryschedules
        description: Create Attack Discovery schedule
        call: kibana-security-attack-discovery-api.createattackdiscoveryschedules
        with:
          body: rest.body
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/api/attack-discovery/schedules/find
      name: api-attack-discovery-schedules-find
      description: REST surface for api-attack_discovery-schedules-_find.
      operations:
      - method: GET
        name: findattackdiscoveryschedules
        description: Find Attack Discovery schedules that match the search criteria
        call: kibana-security-attack-discovery-api.findattackdiscoveryschedules
        with:
          page: rest.page
          per_page: rest.per_page
          sort_field: rest.sort_field
          sort_direction: rest.sort_direction
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/api/attack-discovery/schedules/{id}
      name: api-attack-discovery-schedules-id
      description: REST surface for api-attack_discovery-schedules-id.
      operations:
      - method: DELETE
        name: deleteattackdiscoveryschedules
        description: Delete Attack Discovery schedule
        call: kibana-security-attack-discovery-api.deleteattackdiscoveryschedules
        with:
          id: rest.id
        outputParameters:
        - type: object
          mapping: $.
      - method: GET
        name: getattackdiscoveryschedules
        description: Get Attack Discovery schedule by ID
        call: kibana-security-attack-discovery-api.getattackdiscoveryschedules
        with:
          id: rest.id
        outputParameters:
        - type: object
          mapping: $.
      - method: PUT
        name: updateattackdiscoveryschedules
        description: Update Attack Discovery schedule
        call: kibana-security-attack-discovery-api.updateattackdiscoveryschedules
        with:
          id: rest.id
          body: rest.body
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/api/attack-discovery/schedules/{id}/disable
      name: api-attack-discovery-schedules-id-disable
      description: REST surface for api-attack_discovery-schedules-id-_disable.
      operations:
      - method: POST
        name: disableattackdiscoveryschedules
        description: Disable Attack Discovery schedule
        call: kibana-security-attack-discovery-api.disableattackdiscoveryschedules
        with:
          id: rest.id
        outputParameters:
        - type: object
          mapping: $.
    - path: /v1/api/attack-discovery/schedules/{id}/enable
      name: api-attack-discovery-schedules-id-enable
      description: REST surface for api-attack_discovery-schedules-id-_enable.
      operations:
      - method: POST
        name: enableattackdiscoveryschedules
        description: Enable Attack Discovery schedule
        call: kibana-security-attack-discovery-api.enableattackdiscoveryschedules
        with:
          id: rest.id
        outputParameters:
        - type: object
          mapping: $.
  - type: mcp
    namespace: kibana-security-attack-discovery-api-mcp
    port: 9090
    transport: http
    description: MCP adapter for Kibana APIs — Security Attack discovery API. One tool per consumed operation, routed inline
      through this capability's consumes block.
    tools:
    - name: bulk-update-attack-discoveries
      description: Bulk update Attack discoveries
      hints:
        readOnly: false
        destructive: false
        idempotent: false
      call: kibana-security-attack-discovery-api.postattackdiscoverybulk
      with:
        body: tools.body
      outputParameters:
      - type: object
        mapping: $.
    - name: find-attack-discoveries-that-match
      description: Find Attack discoveries that match the search criteria
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: kibana-security-attack-discovery-api.attackdiscoveryfind
      with:
        alert_ids: tools.alert_ids
        connector_names: tools.connector_names
        enable_field_rendering: tools.enable_field_rendering
        end: tools.end
        ids: tools.ids
        include_unique_alert_ids: tools.include_unique_alert_ids
        page: tools.page
        per_page: tools.per_page
        search: tools.search
        shared: tools.shared
        scheduled: tools.scheduled
        sort_field: tools.sort_field
        sort_order: tools.sort_order
        start: tools.start
        status: tools.status
        with_replacements: tools.with_replacements
      outputParameters:
      - type: object
        mapping: $.
    - name: generate-attack-discoveries-alerts
      description: Generate attack discoveries from alerts
      hints:
        readOnly: false
        destructive: false
        idempotent: false
      call: kibana-security-attack-discovery-api.postattackdiscoverygenerate
      with:
        body: tools.body
      outputParameters:
      - type: object
        mapping: $.
    - name: get-latest-attack-discovery-generations
      description: Get the latest Attack Discovery generations metadata for the current user
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: kibana-security-attack-discovery-api.getattackdiscoverygenerations
      with:
        end: tools.end
        size: tools.size
        start: tools.start
      outputParameters:
      - type: object
        mapping: $.
    - name: get-single-attack-discovery-generation
      description: Get a single Attack Discovery generation, including its discoveries and (optional) generation metadata
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: kibana-security-attack-discovery-api.getattackdiscoverygeneration
      with:
        execution_uuid: tools.execution_uuid
        enable_field_rendering: tools.enable_field_rendering
        with_replacements: tools.with_replacements
      outputParameters:
      - type: object
        mapping: $.
    - name: dismiss-attack-discovery-generation
      description: Dismiss an Attack Discovery generation
      hints:
        readOnly: false
        destructive: false
        idempotent: false
      call: kibana-security-attack-discovery-api.postattackdiscoverygenerationsdismiss
      with:
        execution_uuid: tools.execution_uuid
      outputParameters:
      - type: object
        mapping: $.
    - name: create-attack-discovery-schedule
      description: Create Attack Discovery schedule
      hints:
        readOnly: false
        destructive: false
        idempotent: false
      call: kibana-security-attack-discovery-api.createattackdiscoveryschedules
      with:
        body: tools.body
      outputParameters:
      - type: object
        mapping: $.
    - name: find-attack-discovery-schedules-that
      description: Find Attack Discovery schedules that match the search criteria
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: kibana-security-attack-discovery-api.findattackdiscoveryschedules
      with:
        page: tools.page
        per_page: tools.per_page
        sort_field: tools.sort_field
        sort_direction: tools.sort_direction
      outputParameters:
      - type: object
        mapping: $.
    - name: delete-attack-discovery-schedule
      description: Delete Attack Discovery schedule
      hints:
        readOnly: false
        destructive: true
        idempotent: true
      call: kibana-security-attack-discovery-api.deleteattackdiscoveryschedules
      with:
        id: tools.id
      outputParameters:
      - type: object
        mapping: $.
    - name: get-attack-discovery-schedule-id
      description: Get Attack Discovery schedule by ID
      hints:
        readOnly: true
        destructive: false
        idempotent: true
      call: kibana-security-attack-discovery-api.getattackdiscoveryschedules
      with:
        id: tools.id
      outputParameters:
      - type: object
        mapping: $.
    - name: update-attack-discovery-schedule
      description: Update Attack Discovery schedule
      hints:
        readOnly: false
        destructive: false
        idempotent: true
      call: kibana-security-attack-discovery-api.updateattackdiscoveryschedules
      with:
        id: tools.id
        body: tools.body
      outputParameters:
      - type: object
        mapping: $.
    - name: disable-attack-discovery-schedule
      description: Disable Attack Discovery schedule
      hints:
        readOnly: false
        destructive: false
        idempotent: false
      call: kibana-security-attack-discovery-api.disableattackdiscoveryschedules
      with:
        id: tools.id
      outputParameters:
      - type: object
        mapping: $.
    - name: enable-attack-discovery-schedule
      description: Enable Attack Discovery schedule
      hints:
        readOnly: false
        destructive: false
        idempotent: false
      call: kibana-security-attack-discovery-api.enableattackdiscoveryschedules
      with:
        id: tools.id
      outputParameters:
      - type: object
        mapping: $.