You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: deploy-manage/cloud-organization/billing/elastic-observability-billing-dimensions.md
+2-2Lines changed: 2 additions & 2 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -34,8 +34,8 @@ sub:
34
34
35
35
Your monthly bill is based on the capabilities you use. When you use {{obs-serverless}}, your bill is calculated based on data volume, which has these components:
36
36
37
-
***Ingest** — Measured by the number of GB of log/event/info data that you send to your Observability project over the course of a month.
38
-
***Retention** — Measured by the total amount of ingested data stored in your Observability project.
37
+
***Ingest** — Measured by the number of GB of data that you send to your Observability project over the course of a month. Metrics data ingested in [time series index mode](/manage-data/data-store/data-streams/time-series-data-stream-tsds.md) is priced at 25% of the standard per-GB ingest rate. All other data, including logs and traces, are priced at the standard rate.
38
+
***Retention** — Measured by the total amount of ingested data stored in your Observability project. Metrics data stored in time series index mode is priced at 25% of the standard per-GB retention rate. All other data, including logs and traces, are priced at the standard rate.
|[**Scripted metric aggregations**](elasticsearch://reference/aggregations/search-aggregations-metrics-scripted-metric-aggregation.md)| ✅ | ❌ | Not available in Serverless<br>The alternative for this in Serverless is [ES|QL](elasticsearch://reference/query-languages/esql.md)|
102
103
|[**`join` fields**](elasticsearch://reference/elasticsearch/mapping-reference/parent-join.md)| ✅ | ❌ | Not available in Serverless<br>The alternative for this in Serverless is the ES\|QL [`LOOKUP JOIN`](elasticsearch://reference/query-languages/esql/commands/lookup-join.md) command |
Project settings are configurations that apply to your entire project, managed from the {{ecloud}} console. While Elastic [manages many things for you](/deploy-manage/deploy/elastic-cloud/differences-from-other-elasticsearch-offerings.md), you can customize the following aspects of your project:
14
15
@@ -66,6 +67,10 @@ Project features and add-ons control which capabilities are available in your se
66
67
67
68
There are no additional project features or add-ons for {{es-serverless}} projects.
68
69
70
+
:::{note}
71
+
In {{serverless-full}}, your organization's {{ecloud}} subscription level controls only the support level you receive, and is not related to the features that you use or have access to. [Learn more about subscriptions](/deploy-manage/license.md).
72
+
:::
73
+
69
74
### {{sec-serverless}} project features [elastic-sec-project-features]
70
75
71
76
For {{sec-serverless}} projects, edit the **Project features** to select a feature tier and enable add-on options for specific use cases.
@@ -76,39 +81,8 @@ For {{sec-serverless}} projects, edit the **Project features** to select a featu
76
81
|**Security Analytics Essentials**| A suite of security analytics, detections, investigations, and collaboration tools. Does not include AI-powered tools. Allows these add-ons:<br>• **Endpoint Protection Essentials**: endpoint protections with {{elastic-defend}}.<br>• **Cloud Protection Essentials**: Cloud native security features.|
77
82
|**Security Analytics Complete**| Everything in **Security Analytics Essentials** and **EASE**, plus advanced features such as entity analytics, threat intelligence, and more. Allows these add-ons:<br><br>• **Endpoint Protection Complete**: Everything in **Endpoint Protection Essentials** plus advanced endpoint detection and response features.<br>• **Cloud Protection Complete**: Everything in **Cloud Protection Essentials** plus advanced cloud security features.|
78
83
79
-
#### Downgrading the feature tier [elasticsearch-manage-project-downgrading-the-feature-tier]
80
-
81
-
:::{note}
82
-
You cannot downgrade to EASE from any other feature tier. You can upgrade from EASE to other tiers.
83
-
:::
84
-
85
-
When you downgrade your Security project features selection from **Security Analytics Complete** to **Security Analytics Essentials**, the following features become unavailable:
86
-
87
-
* All Entity Analytics features
88
-
* The ability to use certain entity analytics-related integration packages, such as:
89
-
* Data Exfiltration detection
90
-
* Lateral Movement detection
91
-
* Living off the Land Attack detection
92
-
* Intelligence Indicators page
93
-
* External rule action connectors
94
-
* Case connectors
95
-
* Endpoint response actions history
96
-
* Endpoint host isolation exceptions
97
-
* Trusted devices
98
-
* AI Assistant
99
-
* Attack discovery
100
-
101
-
And, the following data may be permanently deleted:
102
-
103
-
* AI Assistant conversation history
104
-
* AI Assistant settings
105
-
* Entity Analytics user and host risk scores
106
-
* Entity Analytics asset criticality information
107
-
* Detection rule external connector settings
108
-
* Detection rule response action settings
109
-
110
84
:::{tip}
111
-
For a full feature comparison, upgrading instructions, and more, refer to [{{product.serverless-security}} feature tiers](/solutions/security/security-serverless-feature-tiers.md).
85
+
For a full feature comparison, upgrading instructions, downgrading information, and more, refer to [{{product.serverless-security}} feature tiers](/solutions/security/security-serverless-feature-tiers.md).
Copy file name to clipboardExpand all lines: deploy-manage/license.md
+4Lines changed: 4 additions & 0 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -24,6 +24,10 @@ Depending on your deployment type, licenses and subscriptions are applied at dif
24
24
***{{ecloud}}, {{ece}}, and {{eck}}:** Licenses and subscriptions are controlled at the orchestrator or organization level, and apply to all related deployments.
25
25
***Self-managed {{es}}:** Licenses are controlled at the cluster level, and apply only to a single cluster.
26
26
27
+
:::{note}
28
+
In {{serverless-full}}, your organization's {{ecloud}} subscription level controls only the support level you receive. Project features are controlled by each project's [feature tier and add-ons](/deploy-manage/deploy/elastic-cloud/project-settings.md#project-features-add-ons).
29
+
:::
30
+
27
31
For a comprehensive comparison of the available subscription levels, see [Elastic subscriptions](https://www.elastic.co/subscriptions).
28
32
29
33
Use the topics in this section to manage your license or start a trial:
**How to activate:** This skill is attachment-driven and activates when a rule attachment is present in the conversation. You can start a rule attachment from the rule creation form, the rule details page, or by asking the agent to "create a detection rule" in chat — the skill creates the attachment and renders an **Apply to creation** or **Update rule** button so you can save the change to the rule form.
: Diagnoses [Elastic Defend](/solutions/security/configure-elastic-defend.md) endpoint configuration issues such as endpoints not reporting, policy response failures, agent enrollment problems, or incompatible antivirus. Queries endpoint data, inspects package configuration, and produces structured findings with specific endpoint IDs and remediation steps. Registered only when the `automaticTroubleshootingSkill` experimental feature flag is enabled.
122
-
120
+
$$$agent-builder-automatic-troubleshooting-skill$$$`automatic_troubleshooting` {applies_to}`stack: ga 9.5+, preview =9.4` {applies_to}`serverless: ga`
121
+
: Diagnoses [{{elastic-defend}}](/solutions/security/configure-elastic-defend.md) endpoint configuration issues such as endpoints not reporting, policy response failures, agent enrollment problems, or incompatible antivirus software. Queries endpoint data, inspects package configuration, and produces structured findings with specific endpoint IDs and remediation steps.
**Prerequisites:** [Elastic Defend](/solutions/security/configure-elastic-defend.md) deployed and reporting. The `automaticTroubleshootingSkill` experimental feature flag must be enabled for the skill to appear.
124
+
**Prerequisites:** [{{elastic-defend}}](/solutions/security/configure-elastic-defend.md) deployed and reporting.
125
+
126
+
{applies_to}`stack: preview =9.4` In this version, the `automaticTroubleshootingSkill` [experimental feature flag](kibana://reference/configuration-reference/security-solution-settings.md#experimental-features) must be enabled for the skill to appear.
description: Send Fleet API requests with the Kibana Console or cURL. Reference examples cover agent policies, integration policies, enrollment tokens, agent listing, KQL filters, and manual rollback.
4
5
applies_to:
5
6
stack: ga
6
7
serverless: ga
@@ -11,34 +12,39 @@ products:
11
12
12
13
# Kibana Fleet APIs [fleet-api-docs]
13
14
14
-
You can find details for all available {{fleet}} API endpoints in the [Kibana API docs]({{kib-apis}}). For {{serverless-full}} projects, check the [Kibana Serverless API docs]({{kib-serverless-apis}}).
15
+
This page provides cURL and {{kib}} Console examples for commonly used {{fleet}} APIs, including agent policies, integration policies, enrollment tokens, agent listing, KQL filtering, and agent rollback.
15
16
16
-
In this section, we provide examples of some commonly used {{fleet}} APIs.
17
+
For full endpoint specifications, parameters, and response schemas, refer to the [Kibana API docs]({{kib-apis}}). For {{serverless-full}} projects, use the [Kibana Serverless API docs]({{kib-serverless-apis}}).
18
+
19
+
20
+
## Before you begin [fleet-api-before-you-begin]
21
+
22
+
You'll need:
23
+
24
+
* A running {{kib}} deployment or {{serverless-full}} project with {{fleet}} available
25
+
* The {{kib}} host URL for your deployment (for example, `https://my-kibana-host:9243`)
26
+
* Authentication credentials for {{kib}} API requests. API key authentication is recommended. For details, refer to [Authentication]({{kib-apis}}authentication).
27
+
* A {{kib}} user with the required {{fleet}} and {{integrations}} privileges. For details, refer to [Roles and privileges](/reference/fleet/fleet-roles-privileges.md).
17
28
18
29
19
30
## Using the Console [using-the-console]
20
31
21
32
You can run {{fleet}} API requests through the {{kib}} Console.
22
33
23
-
1.Open the {{kib}} menu and go to **Management → Dev Tools**.
34
+
1.To open **Console**, find **Dev Tools** in the main menu or use the [global search field](/explore-analyze/find-and-organize/find-apps-and-objects.md).
24
35
2. In your request, prepend your {{fleet}} API endpoint with `kbn:`, for example:
25
36
26
37
```sh
27
38
GET kbn:/api/fleet/agent_policies
28
39
```
29
40
30
41
31
-
For more detail about using the {{kib}} Console refer to [Run API requests](/explore-analyze/query-filter/tools/console.md).
32
-
33
-
34
-
## Authentication [authentication]
35
-
36
-
Authentication is required to send {{fleet}} API requests. For more information, refer to [Authentication]({{kib-apis}}authentication).
42
+
For more details about using the {{kib}} Console, refer to [Run API requests](/explore-analyze/query-filter/tools/console.md).
37
43
38
44
39
45
## Create agent policy [create-agent-policy-api]
40
46
41
-
To create a new agent policy in {{fleet}}, call `POST /api/fleet/agent_policies`.
47
+
To create an agent policy in {{fleet}}, call `POST /api/fleet/agent_policies`.
42
48
43
49
This cURL example creates an agent policy called `Agent policy 1`in the default namespace.
44
50
@@ -96,7 +102,7 @@ Example response:
96
102
}
97
103
```
98
104
99
-
1. Make a note of the policy ID. You’ll need the policy ID to add integration policies.
105
+
1. Note the policy ID. You need it to add integration policies.
100
106
101
107
102
108
@@ -109,7 +115,7 @@ You can use the {{fleet}} API to [Create and customize an {{elastic-defend}} pol
109
115
::::
110
116
111
117
112
-
This cURL example creates an integration policy forNginx and adds it to the agent policy createdinthe previous example:
118
+
This cURL example creates an integration policy forNginx and adds it to the agent policy you createdin[Create agent policy](#create-agent-policy-api):
113
119
114
120
```shell
115
121
curl --request POST \
@@ -414,10 +420,10 @@ Example response (formatted for readability):
414
420
415
421
## List all {{agents}} [list-agents-api]
416
422
417
-
Use the [Get agents API]({{kib-apis}}operation/operation-get-fleet-agents) to retrieve a list of currently enrolled {{agents}}:
423
+
Use the [Get agents API]({{kib-apis}}operation/operation-get-fleet-agents) to retrieve a list of enrolled {{agents}}:
418
424
419
425
```shell
420
-
curl -X GET 'http://<user>:<pass>@<kibana url>/api/fleet/agents
426
+
curl -X GET 'http://<user>:<pass>@<kibana url>/api/fleet/agents'
421
427
```
422
428
423
429
By default, a maximum of 10,000 agents are returned, with 20 agents listed per page.
@@ -461,24 +467,51 @@ curl -X GET 'http://<user>:<pass>@<kibana url>/api/fleet/agents?perPage=10000&se
461
467
```
462
468
463
469
470
+
## Filter results with KQL [filter-results-with-kql]
471
+
472
+
The following {{fleet}} list endpoints accept a `kuery` query parameter that takes a [{{kib}} Query Language (KQL)](elasticsearch://reference/query-languages/kql.md) string to filter results: agents (`GET /api/fleet/agents`), agent policies (`GET /api/fleet/agent_policies`), package policies (`GET /api/fleet/package_policies`), and enrollment tokens (`GET /api/fleet/enrollment_api_keys`). To check whether another endpoint accepts `kuery`, refer to its parameters in the [Kibana API docs]({{kib-apis}}).
473
+
474
+
**Agents and enrollment tokens** are stored in {{es}} system indices. Reference fields directly, with no prefix. This cURL example returns only the online agents:
**Agent policies and package policies** are stored as saved objects. When a field path contains a dot, prefix it with the saved object type so the query parser reads it as a field name and not as a type. This cURL example returns only the package policies for the `nginx` integration:
If a query returns a `400`, the field needs a saved object type prefix. When the error is a `KQLSyntaxError` about a missing key, it names the saved object index pattern to use as the prefix (for example `ingest-agent-policies.name`). When the error is `This type<x> is not allowed`, no pattern is named, so prefix the field with the endpoint's saved object type (for example `ingest-package-policies.package.name`).
494
+
::::
495
+
496
+
For the full query syntax, including wildcards, ranges, and boolean operators, refer to [{{kib}} Query Language (KQL)](elasticsearch://reference/query-languages/kql.md).
497
+
498
+
464
499
## Manually roll back an {{agent}} upgrade [agent-rollback-api]
465
500
```{applies_to}
466
501
stack: ga 9.3+
467
502
```
468
503
469
-
The manual rollback feature for {{agent}} gives you the ability to roll back to the previously installed version if the install artifacts are still available on disk--typically seven days after the upgrade.
504
+
The manual rollback feature for {{agent}} lets you roll back to the previously installed version if the install artifacts are still available on disk (typically seven days after the upgrade).
To roll back a single agent, call `POST /api/fleet/agents/{agentID}/rollback`.
473
507
474
-
To roll back multiple agents:
475
-
:Call `POST /api/fleet/agents/bulk_rollback`.
508
+
To roll back multiple agents, call `POST /api/fleet/agents/bulk_rollback`.
476
509
477
510
### Limitations for manual rollback [rollback-limitations-api]
478
511
479
-
These limitations apply for the manual rollback feature:
512
+
These limitations apply for the manual rollback feature:
480
513
481
-
* Rollback is limited to the version running _before_ the upgrade. Both the previously and currently running versions must be 9.3.0 or later for this functionality to be available.
514
+
* Rollback is limited to the version running _before_ the upgrade. Both the pre-upgrade and post-upgrade versions must be 9.3.0 or later for this functionality to be available.
482
515
* Data required for the rollback is stored on disk for seven days, which can impact available disk space.
483
516
* Rollback must be performed within seven days of the upgrade. Rollback data is automatically cleaned up after seven days and becomes unavailable.
484
517
* Manual rollback is not available for system-managed packages such as DEB and RPM.
@@ -489,6 +522,24 @@ These limitations apply for the manual rollback feature:
489
522
If no version is available on disk to rollback to, you get an error.
490
523
This situation can happen if:
491
524
492
-
- the version you upgraded from is earlier than 9.3.0, as the feature is not supported for earlier versions.
525
+
- The version you upgraded from is earlier than 9.3.0, as the feature is not supported for earlier versions.
526
+
527
+
- The rollback window has ended (typically more than seven days). When the rollback window ends, the files from the previous version are removed to free up disk space.
528
+
529
+
530
+
## Next steps [fleet-api-next-steps]
531
+
532
+
After you create agent and integration policies with the API:
533
+
534
+
* [Enroll {{agents}}](/reference/fleet/fleet-enrollment-tokens.md) using enrollment tokens from your agent policy
535
+
* [Manage {{agents}} in {{fleet}}](/reference/fleet/manage-elastic-agents-in-fleet.md) to monitor status and policy assignments
536
+
* [Create an agent policy without using the UI](/reference/fleet/create-policy-no-ui.md) for automation use cases
537
+
538
+
539
+
## Related pages [fleet-api-related-pages]
493
540
494
-
- the rollback window has ended (typically more than seven days). When the rollback window ends, the files from the previous version are removed to free up disk space.
541
+
* [Kibana API docs]({{kib-apis}})
542
+
* [Run API requests](/explore-analyze/query-filter/tools/console.md)
543
+
* [Roles and privileges](/reference/fleet/fleet-roles-privileges.md)
544
+
* [Grant standalone {{agents}} access to {{es}}](/reference/fleet/grant-access-to-elasticsearch.md)
545
+
* [{{kib}} Query Language (KQL)](elasticsearch://reference/query-languages/kql.md)
0 commit comments