@@ -306,10 +306,102 @@ IMPORTANT: Dry run mode is not supported for the `export` bulk action. A `400` e
306306| `delete_index_patterns` | String[] | Delete rules' index patterns
307307| `set_index_patterns` | String[] | Overwrite rules' index patterns
308308| `set_timeline` | { `timeline_id`: String; `timeline_title`: String } | Overwrite rules' Timeline template
309+ | `set_schedule`
310+
311+ | { `interval`: String; `lookback`: String }
312+ | Overwrite rules' schedule
313+
314+ `interval`: Frequency of rule execution. For example, `"1h"` means the rule runs every hour.
315+
316+ `lookback`: Additional look-back time that the rule analyzes. For example, `"10m"` means the rule analyzes the last 10 minutes of data in addition to the frequency interval.
317+
318+ If `interval` is set to `"10m"` and `lookback` to `"1m"`, then the rule runs every 5 minutes but analyzes the documents added to indices during the last 11 minutes.
319+
320+ Both `interval` and `lookback` have a format of `"{integer}{time_unit}"`, where accepted time units are `s` for seconds, `m` for minutes, and `h` for hours. The integer must be positive and larger than 0. Examples: `"45s"`, `"30m"`, `"6h"`
321+
322+ | `add_rule_actions` | {
323+ `actions`: <<actions-object-schema-bulk, actions[]>> ,
324+ `throttle`: <<throttle-schema-bulk, throttle>>
325+ } | Add actions to rules
326+ | `set_rule_actions` | {
327+ `actions`: <<actions-object-schema-bulk, actions[]>> ,
328+ `throttle`: <<throttle-schema-bulk, throttle>>
329+ } | Overwrite rules' existing actions
330+
331+
309332|==============================================
310333
311334<<bulk-edit-object-schema, Actions>> are shown in order of oldest to newest in the `edit` array payload's property.
312335
336+
337+ [discrete]
338+ [[actions-object-schema-bulk]]
339+ ===== `actions` schema
340+
341+ These fields are required when calling `PUT` to modify the `actions` object:
342+
343+ [width="100%",options="header"]
344+ |==============================================
345+ |Name |Type |Description
346+
347+ |action_type_id |String a|The action type used for sending notifications, can
348+ be:
349+
350+ * `.slack`
351+ * `.email`
352+ * `.pagerduty`
353+ * `.webhook`
354+
355+ |group |String |Optionally groups actions by use cases. Use `default` for alert
356+ notifications.
357+
358+ |id |String |The connector ID.
359+
360+ |params |Object a|Object containing the allowed connector fields, which varies according to the connector type:
361+
362+ * For Slack:
363+ ** `message` (string, required): The notification message.
364+ * For email:
365+ ** `to`, `cc`, `bcc` (string): Email addresses to which the notifications are
366+ sent. At least one field must have a value.
367+ ** `subject` (string, optional): Email subject line.
368+ ** `message` (string, required): Email body text.
369+ * For Webhook:
370+ ** `body` (string, required): JSON payload.
371+ * For PagerDuty:
372+ ** `severity` (string, required): Severity of on the alert notification, can
373+ be: `Critical`, `Error`, `Warning` or `Info`.
374+ ** `eventAction` (string, required): Event https://v2.developer.pagerduty.com/docs/events-api-v2#event-action[action type], which can be `trigger`,
375+ `resolve`, or `acknowledge`.
376+ ** `dedupKey` (string, optional): Groups alert notifications with the same
377+ PagerDuty alert.
378+ ** `timestamp` (DateTime, optional): https://v2.developer.pagerduty.com/v2/docs/types#datetime[ISO-8601 format timestamp].
379+ ** `component` (string, optional): Source machine component responsible for the
380+ event, for example `security-solution`.
381+ ** `group` (string, optional): Enables logical grouping of service components.
382+ ** `source` (string, optional): The affected system. Defaults to the {kib}
383+ saved object ID of the action.
384+ ** `summary` (string, options): Summary of the event. Defaults to
385+ `No summary provided`. Maximum length is 1024 characters.
386+ ** `class` (string, optional): Value indicating the class/type of the event.
387+
388+ |==============================================
389+
390+ [discrete]
391+ [[throttle-schema-bulk]]
392+ ===== `throttle` schema
393+
394+
395+ `throttle` defines the maximum interval in which a rule's actions are executed. It accepts the following values:
396+
397+ - `"rule"`: Execute actions on each rule execution
398+
399+ - `"1h"`: Execute actions once per hour
400+
401+ - `"1d"`: Execute actions once per day
402+
403+ - `"7d"`: Execute actions once per week
404+
313405[discrete]
314406===== Example requests
315407
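Review bot: The worked example in the new `set_schedule` row contradicts itself. With `interval` set to `"10m"` and `lookback` set to `"1m"`, the rule runs every 10 minutes, not "every 5 minutes". The stated 11-minute analysis window only follows from a 10-minute interval, so either change "5 minutes" to "10 minutes" or change the `interval` value to `"5m"` and the window to 6 minutes. In the same row, the cells are split across blank lines and the description cell holds several paragraphs, but it is introduced with a plain `|` rather than `a|` as the `action_type_id` and `params` cells are; check that the table still renders as three columns. "The integer must be positive and larger than 0" says the same thing twice. In the PagerDuty list, "Severity of on the alert notification" has a stray word, and `summary` is marked "(string, options)" where the other fields use "optional".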