Kibana 连接器使用指南：集成第三方系统与告警通知配置

kibana-connectors by elastic/agent-skills

247 周安装量

306 GitHub Stars

GitHub

安装命令

npx skills add https://github.com/elastic/agent-skills --skill kibana-connectors

自动化监控 API

🇨🇳中文介绍

Kibana 连接器

核心概念

连接器存储 Elastic 服务和第三方系统的连接信息。当规则条件满足时，告警规则使用连接器来路由操作（通知）。连接器按Kibana 空间进行管理，并且可以在该空间内的所有规则之间共享。

连接器类别

类别	连接器类型
LLM 提供商	OpenAI, Google Gemini, Amazon Bedrock, Elastic Managed LLMs, AI Connector, MCP (预览版, 9.3+)
事件管理	PagerDuty, Opsgenie, ServiceNow (ITSM, SecOps, ITOM), Jira, Jira Service Management (9.2+), IBM Resilient, Swimlane, Torq, Tines, D3 Security, XSOAR (9.1+), TheHive
终端安全	CrowdStrike, SentinelOne, Microsoft Defender for Endpoint
消息传递	Slack (API / Webhook), Microsoft Teams, Email
日志与可观测性	Server log, Index, Observability AI Assistant
Webhook	Webhook, Webhook - Case Management, xMatters
Elastic

广告位招租

在这里展示您的产品或服务

触达数万 AI 开发者，精准高效

联系我们

操作	方法	端点
创建连接器	POST	`/api/actions/connector/{id}`
更新连接器	PUT	`/api/actions/connector/{id}`
获取连接器	GET	`/api/actions/connector/{id}`
删除连接器	DELETE	`/api/actions/connector/{id}`
获取所有连接器	GET	`/api/actions/connectors`
获取连接器类型	GET	`/api/actions/connector_types`
运行连接器	POST	`/api/actions/connector/{id}/_execute`

字段	类型	描述
`name`	string	连接器的显示名称
`connector_type_id`	string	连接器类型（例如，`.slack`, `.email`, `.webhook`, `.pagerduty`, `.jira`）
`config`	object	类型特定的配置（非机密设置）
`secrets`	object	类型特定的机密信息（API 密钥、密码、令牌）

示例：创建 Slack 连接器（Webhook）

curl -X POST "https://my-kibana:5601/api/actions/connector/my-slack-connector" \
  -H "kbn-xsrf: true" \
  -H "Content-Type: application/json" \
  -H "Authorization: ApiKey <your-api-key>" \
  -d '{
    "name": "Production Slack Alerts",
    "connector_type_id": ".slack",
    "config": {},
    "secrets": {
      "webhookUrl": "https://hooks.slack.com/services/T00/B00/XXXX"
    }
  }'

所有连接器类型共享相同的请求结构——只有 connector_type_id、config 和 secrets 不同。有关可用类型及其必填字段，请参阅通用连接器类型 ID 表。

示例：创建 PagerDuty 连接器

curl -X POST "https://my-kibana:5601/api/actions/connector/my-pagerduty" \
  -H "kbn-xsrf: true" \
  -H "Content-Type: application/json" \
  -H "Authorization: ApiKey <your-api-key>" \
  -d '{
    "name": "PagerDuty Incidents",
    "connector_type_id": ".pagerduty",
    "config": {
      "apiUrl": "https://events.pagerduty.com/v2/enqueue"
    },
    "secrets": {
      "routingKey": "your-pagerduty-integration-key"
    }
  }'

PUT /api/actions/connector/{id} 会替换完整的配置。connector_type_id 是不可变的——要更改它，需要删除并重新创建。

列出和发现连接器

# 获取当前空间中的所有连接器
curl -X GET "https://my-kibana:5601/api/actions/connectors" \
  -H "Authorization: ApiKey <your-api-key>"

# 获取可用的连接器类型
curl -X GET "https://my-kibana:5601/api/actions/connector_types" \
  -H "Authorization: ApiKey <your-api-key>"

# 按特性过滤连接器类型（例如，仅支持告警的类型）
curl -X GET "https://my-kibana:5601/api/actions/connector_types?feature_id=alerting" \
  -H "Authorization: ApiKey <your-api-key>"

GET /api/actions/connectors 的响应包含 referenced_by_count，显示有多少规则使用了每个连接器。在删除之前，请务必检查此项。

运行连接器（测试）

直接执行连接器操作，用于测试连接性。

curl -X POST "https://my-kibana:5601/api/actions/connector/my-slack-connector/_execute" \
  -H "kbn-xsrf: true" \
  -H "Content-Type: application/json" \
  -H "Authorization: ApiKey <your-api-key>" \
  -d '{
    "params": {
      "message": "Test alert from API"
    }
  }'

curl -X DELETE "https://my-kibana:5601/api/actions/connector/my-slack-connector" \
  -H "kbn-xsrf: true" \
  -H "Authorization: ApiKey <your-api-key>"

警告： 删除被规则引用的连接器将导致这些规则操作静默失败。请先检查 referenced_by_count。

Terraform 提供程序

使用 elasticstack 提供程序资源 elasticstack_kibana_action_connector。

terraform {
  required_providers {
    elasticstack = {
      source  = "elastic/elasticstack"
    }
  }
}

provider "elasticstack" {
  kibana {
    endpoints = ["https://my-kibana:5601"]
    api_key   = var.kibana_api_key
  }
}

resource "elasticstack_kibana_action_connector" "slack" {
  name              = "Production Slack Alerts"
  connector_type_id = ".slack"

  config = jsonencode({})

  secrets = jsonencode({
    webhookUrl = "https://hooks.slack.com/services/T00/B00/XXXX"
  })
}

resource "elasticstack_kibana_action_connector" "index" {
  name              = "Alert Index Writer"
  connector_type_id = ".index"

  config = jsonencode({
    index              = "alert-history"
    executionTimeField = "@timestamp"
  })

  secrets = jsonencode({})
}

Terraform 关键注意事项：

config 和 secrets 必须是通过 jsonencode() 编码的 JSON 字符串
机密信息存储在 Terraform 状态中；请使用带有加密功能的远程后端，并限制对状态文件的访问
导入现有连接器：terraform import elasticstack_kibana_action_connector.my_connector <space_id>/<connector_id>（对于默认空间，使用 default）
导入后，机密信息不会填充到状态中；您必须在配置中提供它们

预配置连接器（本地部署）

对于自管理的 Kibana，可以在 kibana.yml 中预配置连接器，以便它们在启动时可用，无需手动创建：

xpack.actions.preconfigured:
  my-slack-connector:
    name: "Production Slack"
    actionTypeId: .slack
    secrets:
      webhookUrl: "https://hooks.slack.com/services/T00/B00/XXXX"
  my-webhook:
    name: "Custom Webhook"
    actionTypeId: .webhook
    config:
      url: "https://api.example.com/alerts"
      method: post
      hasAuth: true
    secrets:
      user: "alert-user"
      password: "secret-password"

预配置的连接器无法通过 API 或 UI 编辑或删除。它们在 API 响应中显示 is_preconfigured: true，并且省略 config 和 is_missing_secrets。

通过 kibana.yml 自定义连接器网络（代理、TLS、证书）：

# 所有连接器的全局代理
xpack.actions.proxyUrl: "https://proxy.example.com:8443"

# 每个主机的 TLS 设置
xpack.actions.customHostSettings:
  - url: "https://api.example.com"
    ssl:
      verificationMode: full
      certificateAuthoritiesFiles: ["/path/to/ca.pem"]

Kibana 工作流中的连接器

连接器作为跨多个 Kibana 工作流的集成层，而不仅仅是告警通知：

工作流	连接器类型	关键模式
ITSM 工单系统	ServiceNow, Jira, IBM Resilient	在活动时创建工单，在 `Recovered` 时关闭
值班升级	PagerDuty, Opsgenie	在活动时 `trigger`，在 `Recovered` 时 `resolve`；始终设置去重键
案例管理	Cases (系统操作)	仅限 UI；将告警分组到调查案例中；可以自动推送到 ITSM
消息传递 / 通知	Slack, Teams, Email	`onActionGroupChange` 用于事件频道；摘要用于监控频道
审计日志记录	Index	`onActiveAlert` 将完整的告警时间序列写入 Elasticsearch
AI 工作流	OpenAI, Bedrock, Gemini, AI Connector	为 Elastic AI Assistant 和 Attack Discovery 提供支持；系统管理
自定义集成	Webhook	通用的 HTTP 出站连接，带有 Mustache 模板化的 JSON 主体

有关每个工作流的详细模式、示例和决策指导，请参阅 workflows.md。

在生产本地部署中使用预配置连接器。 它们消除了机密信息的分散存储，在导入 Saved Object 后仍然存在，并且不会被意外删除。将 API 创建的连接器保留用于动态或用户管理的场景。
在将连接器附加到规则之前进行测试。 使用 _execute 端点验证连接性。配置错误的连接器会导致静默的操作失败，这些失败只会在规则的执行历史记录中出现。
在删除之前检查 referenced_by_count。 删除被活动规则使用的连接器会导致这些操作失败。列出连接器并验证引用为零，或者先将规则重新分配给新的连接器。
使用电子邮件域允许列表。 xpack.actions.email.domain_allowlist 设置限制了连接器可以发送到的电子邮件域。如果您更新此列表，收件人不在新列表中的现有电子邮件连接器将开始失败。
在 Terraform 中保护机密信息。 连接器机密信息（API 密钥、密码、webhook URL）存储在 Terraform 状态中。使用加密的远程后端（S3+KMS、Azure Blob+encryption、GCS+CMEK）并限制对状态文件的访问。在变量上使用 sensitive = true。
每个服务使用一个连接器，而不是每个规则。 创建一个 Slack 连接器，并从多个规则中引用它。这样可以集中管理密钥轮换并减少重复。
使用空间进行多租户隔离。 连接器作用域限定在 Kibana 空间内。为不同的团队或环境创建单独的空间，并按空间配置连接器。
监控连接器健康状况。 失败的连接器执行记录在事件日志索引（.kibana-event-log-*）中。连接器失败会向 Task Manager 报告为成功，但对于告警传递则静默失败。请检查事件日志索引以了解真实的失败率。
始终在活动操作旁边配置恢复操作。 用于 ITSM 和值班工具（ServiceNow、Jira、PagerDuty、Opsgenie）的连接器支持关闭/解决操作。如果没有恢复操作，事件将永远保持打开状态。
为值班连接器使用去重键。 将 dedupKey (PagerDuty) 或 alias (Opsgenie) 设置为 {{rule.id}}-{{alert.id}}，以确保解决事件能准确关闭正确的事件。如果没有这个设置，每次告警重新触发时都会创建一个新的事件。
对于调查工作流，优先使用 Cases 连接器。 当告警需要进行带有评论、附件和分配人的调查时，请使用 Cases 而不是直接的 Jira/ServiceNow 连接器。Cases 为您提供了一个原生的调查 UI，并且仍然可以通过 Case 的外部连接推送到 ITSM。
使用 Index 连接器进行持久的审计跟踪。 Index 连接器写入 Elasticsearch，使告警历史可搜索和可仪表板化。将其与目标索引上的 ILM 策略配对以控制保留期。
通过操作设置限制连接器访问。 使用 xpack.actions.enabledActionTypes 仅允许您的组织需要的连接器类型，并使用 xpack.actions.allowedHosts 将出站连接限制在已知端点。

缺少 kbn-xsrf 头。 所有 POST、PUT、DELETE 请求都需要 kbn-xsrf: true。省略它会导致 400 错误。
错误的 connector_type_id。 使用包含前导点的确切字符串（例如，.slack，而不是 slack）。通过 GET /api/actions/connector_types 发现有效类型。
需要空的 secrets 对象。 即使对于没有机密信息的连接器（例如，.index、.server-log），您也必须在创建请求中提供 "secrets": {}。
连接器类型不可变。 创建后无法更改 connector_type_id。请删除并重新创建。
导出/导入时丢失机密信息。 通过 Saved Objects 导出连接器会剥离机密信息。导入后，连接器显示 is_missing_secrets: true，并且 UI 中会出现“修复”按钮。您必须手动或通过 API 重新输入机密信息。
无法通过 API 修改预配置的连接器。 尝试更新或删除预配置的连接器会返回 400。请仅在 kibana.yml 中管理它们。
来自第三方服务的速率限制。 发送大量通知的连接器（例如，每分钟每个告警一次）可能会达到 Slack、PagerDuty 或电子邮件提供商的速率限制。在规则端使用告警摘要和操作频率控制来减少数量。
连接器网络故障。 Kibana 必须能够访问连接器的目标 URL。验证防火墙规则、代理设置和 DNS 解析。对于 TLS 问题，请使用 xpack.actions.customHostSettings。
许可证要求。 某些连接器类型需要 Gold、Platinum 或 Enterprise 许可证。检查 GET /api/actions/connector_types 返回的 minimum_license_required 字段。一个 enabled_in_config: true 但 enabled_in_license: false 的连接器无法使用。
Terraform 导入不会恢复机密信息。 将现有连接器导入到 Terraform 时，不会从 Kibana 读回机密信息。您必须在 Terraform 配置中提供它们，否则下一次 terraform apply 将用空值覆盖它们。

通用连接器类型 ID

类型 ID	名称	许可证
`.email`	Email	Gold
`.slack`	Slack (Webhook)	Gold
`.slack_api`	Slack (API)	Gold
`.pagerduty`	PagerDuty	Gold
`.jira`	Jira	Gold
`.servicenow`	ServiceNow ITSM	Platinum
`.servicenow-sir`	ServiceNow SecOps	Platinum
`.servicenow-itom`	ServiceNow ITOM	Platinum
`.webhook`	Webhook	Gold
`.index`	Index	Basic
`.server-log`	Server log	Basic
`.opsgenie`	Opsgenie	Gold
`.teams`	Microsoft Teams	Gold
`.gen-ai`	OpenAI	Enterprise
`.bedrock`	Amazon Bedrock	Enterprise
`.gemini`	Google Gemini	Enterprise
`.cases`	Cases	Platinum
`.crowdstrike`	CrowdStrike	Enterprise
`.sentinelone`	SentinelOne	Enterprise
`.microsoft_defender_endpoint`	Microsoft Defender for Endpoint	Enterprise
`.thehive`	TheHive	Gold

注意： 使用 GET /api/actions/connector_types 来发现您的部署中所有可用的类型及其确切的 minimum_license_required 值。XSOAR、Jira Service Management 和 MCP 的连接器类型可用，但可能不会出现在较旧的 API 规范版本中。

创建 Slack 连接器： “为我们的告警设置 Slack 通知。” 使用 connector_type_id: ".slack" 和 secrets.webhookUrl 进行 POST /api/actions/connector。在规则操作中使用返回的连接器 id。

在将连接器附加到规则之前进行测试： “验证 PagerDuty 连接器是否正常工作。” 使用最小的 params 对象进行 POST /api/actions/connector/{id}/_execute，在添加到任何规则之前确认连接性。

在删除之前审计连接器使用情况： “删除旧的电子邮件连接器。” GET /api/actions/connectors，检查 referenced_by_count——如果非零，请先重新分配引用的规则，然后进行 DELETE /api/actions/connector/{id}。

在每个 POST、PUT 和 DELETE 上包含 kbn-xsrf: true；省略它会导致 400。
connector_type_id 是不可变的——要更改连接器类型，请删除并重新创建。
即使对于没有机密信息的连接器（例如，.index、.server-log），也始终传递 "secrets": {}。
在删除之前检查 referenced_by_count；删除的连接器会静默破坏所有引用规则的操作。
连接器是空间作用域的；对于非默认的 Kibana 空间，请在路径前加上 /s/<space_id>/api/actions/。
机密信息是只写的：GET 不返回，并且在 Saved Object 导出/导入时被剥离；导入后始终重新提供。
在将新连接器附加到规则之前，使用 _execute 进行测试；生产环境中的连接器失败是静默的。

🇺🇸English

Kibana Connectors

Core Concepts

Connectors store connection information for Elastic services and third-party systems. Alerting rules use connectors to route actions (notifications) when rule conditions are met. Connectors are managed per Kibana Space and can be shared across all rules within that space.

Connector Categories

Category	Connector Types
LLM Providers	OpenAI, Google Gemini, Amazon Bedrock, Elastic Managed LLMs, AI Connector, MCP (Preview, 9.3+)
Incident Management	PagerDuty, Opsgenie, ServiceNow (ITSM, SecOps, ITOM), Jira, Jira Service Management (9.2+), IBM Resilient, Swimlane, Torq, Tines, D3 Security, XSOAR (9.1+), TheHive
Endpoint Security	CrowdStrike, SentinelOne, Microsoft Defender for Endpoint
Messaging	Slack (API / Webhook), Microsoft Teams, Email
Logging & Observability	Server log, Index, Observability AI Assistant
Webhook	Webhook, Webhook - Case Management, xMatters
Elastic	Cases

Authentication

All connector API calls require API key auth or Basic auth. Every mutating request must include the kbn-xsrf header.

kbn-xsrf: true

Required Privileges

Access to connectors is granted based on your privileges to alerting-enabled features. You need all privileges for Actions and Connectors in Stack Management.

API Reference

Base path: <kibana_url>/api/actions (or /s/<space_id>/api/actions for non-default spaces).

Operation	Method	Endpoint
Create connector	POST	`/api/actions/connector/{id}`
Update connector	PUT	`/api/actions/connector/{id}`
Get connector	GET	`/api/actions/connector/{id}`
Delete connector	DELETE	`/api/actions/connector/{id}`
Get all connectors	GET	`/api/actions/connectors`

Creating a Connector

Required Fields

Field	Type	Description
`name`	string	Display name for the connector
`connector_type_id`	string	The connector type (e.g., `.slack`, `.email`, `.webhook`, `.pagerduty`, `.jira`)
`config`

Example: Create a Slack Connector (Webhook)

curl -X POST "https://my-kibana:5601/api/actions/connector/my-slack-connector" \
  -H "kbn-xsrf: true" \
  -H "Content-Type: application/json" \
  -H "Authorization: ApiKey <your-api-key>" \
  -d '{
    "name": "Production Slack Alerts",
    "connector_type_id": ".slack",
    "config": {},
    "secrets": {
      "webhookUrl": "https://hooks.slack.com/services/T00/B00/XXXX"
    }
  }'

All connector types share the same request structure — only connector_type_id, config, and secrets differ. See the Common Connector Type IDs table for available types and their required fields.

Example: Create a PagerDuty Connector

curl -X POST "https://my-kibana:5601/api/actions/connector/my-pagerduty" \
  -H "kbn-xsrf: true" \
  -H "Content-Type: application/json" \
  -H "Authorization: ApiKey <your-api-key>" \
  -d '{
    "name": "PagerDuty Incidents",
    "connector_type_id": ".pagerduty",
    "config": {
      "apiUrl": "https://events.pagerduty.com/v2/enqueue"
    },
    "secrets": {
      "routingKey": "your-pagerduty-integration-key"
    }
  }'

Updating a Connector

PUT /api/actions/connector/{id} replaces the full configuration. connector_type_id is immutable — delete and recreate to change it.

Listing and Discovering Connectors

# Get all connectors in the current space
curl -X GET "https://my-kibana:5601/api/actions/connectors" \
  -H "Authorization: ApiKey <your-api-key>"

# Get available connector types
curl -X GET "https://my-kibana:5601/api/actions/connector_types" \
  -H "Authorization: ApiKey <your-api-key>"

# Filter connector types by feature (e.g., only those supporting alerting)
curl -X GET "https://my-kibana:5601/api/actions/connector_types?feature_id=alerting" \
  -H "Authorization: ApiKey <your-api-key>"

The GET /api/actions/connectors response includes referenced_by_count showing how many rules use each connector. Always check this before deleting.

Running a Connector (Test)

Execute a connector action directly, useful for testing connectivity.

curl -X POST "https://my-kibana:5601/api/actions/connector/my-slack-connector/_execute" \
  -H "kbn-xsrf: true" \
  -H "Content-Type: application/json" \
  -H "Authorization: ApiKey <your-api-key>" \
  -d '{
    "params": {
      "message": "Test alert from API"
    }
  }'

Deleting a Connector

curl -X DELETE "https://my-kibana:5601/api/actions/connector/my-slack-connector" \
  -H "kbn-xsrf: true" \
  -H "Authorization: ApiKey <your-api-key>"

Warning: Deleting a connector that is referenced by rules will cause those rule actions to fail silently. Check referenced_by_count first.

Terraform Provider

Use the elasticstack provider resource elasticstack_kibana_action_connector.

terraform {
  required_providers {
    elasticstack = {
      source  = "elastic/elasticstack"
    }
  }
}

provider "elasticstack" {
  kibana {
    endpoints = ["https://my-kibana:5601"]
    api_key   = var.kibana_api_key
  }
}

resource "elasticstack_kibana_action_connector" "slack" {
  name              = "Production Slack Alerts"
  connector_type_id = ".slack"

  config = jsonencode({})

  secrets = jsonencode({
    webhookUrl = "https://hooks.slack.com/services/T00/B00/XXXX"
  })
}

resource "elasticstack_kibana_action_connector" "index" {
  name              = "Alert Index Writer"
  connector_type_id = ".index"

  config = jsonencode({
    index              = "alert-history"
    executionTimeField = "@timestamp"
  })

  secrets = jsonencode({})
}

Key Terraform notes:

config and secrets must be JSON-encoded strings via jsonencode()
Secrets are stored in Terraform state; use a remote backend with encryption and restrict state file access
Import existing connectors: terraform import elasticstack_kibana_action_connector.my_connector <space_id>/<connector_id> (use default for the default space)
After import, secrets are not populated in state; you must supply them in config

Preconfigured Connectors (On-Prem)

For self-managed Kibana, connectors can be preconfigured in kibana.yml so they are available at startup without manual creation:

xpack.actions.preconfigured:
  my-slack-connector:
    name: "Production Slack"
    actionTypeId: .slack
    secrets:
      webhookUrl: "https://hooks.slack.com/services/T00/B00/XXXX"
  my-webhook:
    name: "Custom Webhook"
    actionTypeId: .webhook
    config:
      url: "https://api.example.com/alerts"
      method: post
      hasAuth: true
    secrets:
      user: "alert-user"
      password: "secret-password"

Preconfigured connectors cannot be edited or deleted via the API or UI. They show is_preconfigured: true and omit config and is_missing_secrets from API responses.

Networking Configuration

Customize connector networking (proxies, TLS, certificates) via kibana.yml:

# Global proxy for all connectors
xpack.actions.proxyUrl: "https://proxy.example.com:8443"

# Per-host TLS settings
xpack.actions.customHostSettings:
  - url: "https://api.example.com"
    ssl:
      verificationMode: full
      certificateAuthoritiesFiles: ["/path/to/ca.pem"]

Connectors in Kibana Workflows

Connectors serve as the integration layer across multiple Kibana workflows, not just alerting notifications:

Workflow	Connector Types	Key Pattern
ITSM ticketing	ServiceNow, Jira, IBM Resilient	Create ticket on active, close on `Recovered`
On-call escalation	PagerDuty, Opsgenie	`trigger` on active, `resolve` on `Recovered`; always set a deduplication key
Case management	Cases (system action)	UI-only; groups alerts into investigation Cases; can auto-push to ITSM
Messaging / awareness	Slack, Teams, Email	`onActionGroupChange` for incident channels; summaries for monitoring channels

For detailed patterns, examples, and decision guidance for each workflow, see workflows.md.

Best Practices

Use preconfigured connectors for production on-prem. They eliminate secret sprawl, survive Saved Object imports, and cannot be accidentally deleted. Reserve API-created connectors for dynamic or user-managed scenarios.
Test connectors before attaching to rules. Use the _execute endpoint to verify connectivity. A misconfigured connector causes silent action failures that only appear in the rule's execution history.
Checkreferenced_by_count before deleting. Deleting a connector used by active rules causes those actions to fail. List connectors and verify zero references, or reassign rules to a new connector first.
Use the Email domain allowlist. The xpack.actions.email.domain_allowlist setting restricts which email domains connectors can send to. If you update this list, existing email connectors with recipients outside the new list will start failing.
Secure secrets in Terraform. Connector secrets (API keys, passwords, webhook URLs) are stored in Terraform state. Use encrypted remote backends (S3+KMS, Azure Blob+encryption, GCS+CMEK) and restrict access to state files. Use sensitive = true on variables.
One connector per service, not per rule. Create a single Slack connector and reference it from multiple rules. This centralizes secret rotation and reduces duplication.

Common Pitfalls

Missingkbn-xsrf header. All POST, PUT, DELETE requests require kbn-xsrf: true. Omitting it returns a 400 error.
Wrongconnector_type_id. Use the exact string including the leading dot (e.g., .slack, not slack). Discover valid types via GET /api/actions/connector_types.
Emptysecrets object required. Even for connectors without secrets (e.g., .index, .server-log), you must provide in the create request.

Common Connector Type IDs

Type ID	Name	License
`.email`	Email	Gold
`.slack`	Slack (Webhook)	Gold
`.slack_api`	Slack (API)	Gold
`.pagerduty`	PagerDuty	Gold
`.jira`	Jira	Gold

Note: Use GET /api/actions/connector_types to discover all available types on your deployment along with their exact minimum_license_required values. Connector types for XSOAR, Jira Service Management, and MCP are available but may not appear in older API spec versions.

Examples

Create a Slack connector: "Set up Slack notifications for our alerts." POST /api/actions/connector with connector_type_id: ".slack" and secrets.webhookUrl. Use the returned connector id in rule actions.

Test a connector before attaching to rules: "Verify the PagerDuty connector works." POST /api/actions/connector/{id}/_execute with a minimal params object to confirm connectivity before adding to any rule.

Audit connector usage before deletion: "Remove the old email connector." GET /api/actions/connectors, inspect referenced_by_count — if non-zero, reassign the referencing rules first, then DELETE /api/actions/connector/{id}.

Guidelines

Include kbn-xsrf: true on every POST, PUT, and DELETE; omitting it returns 400.
connector_type_id is immutable — delete and recreate to change connector type.
Always pass "secrets": {} even for connectors with no secrets (e.g., .index, .server-log).
Check referenced_by_count before deleting; a deleted connector silently breaks all referencing rule actions.
Connectors are space-scoped; prefix paths with /s/<space_id>/api/actions/ for non-default Kibana Spaces.
Secrets are write-only: not returned by GET and stripped on Saved Object export/import; always re-supply after import.
Test every new connector with _execute before attaching to rules; connector failures in production are silent.

Additional Resources

Weekly Installs

143

Repository

elastic/agent-skills

GitHub Stars

First Seen

10 days ago

Security Audits

Gen Agent Trust HubPass SocketPass SnykFail

Installed on

cursor128

github-copilot120

opencode119

gemini-cli119

codex119

amp118

Skills CLI 使用指南：AI Agent 技能包管理器安装与管理教程

46,600 周安装

Use Spaces for multi-tenant isolation. Connectors are scoped to a Kibana Space. Create separate spaces for different teams or environments and configure connectors per space.

Monitor connector health. Failed connector executions are logged in the event log index (.kibana-event-log-*). Connector failures report as successful to Task Manager but fail silently for alert delivery. Check the Event Log Index for true failure rates.

Always configure a recovery action alongside the active action. Connectors for ITSM and on-call tools (ServiceNow, Jira, PagerDuty, Opsgenie) support a close/resolve operation. Without a recovery action, incidents remain open forever.

Use deduplication keys for on-call connectors. Set dedupKey (PagerDuty) or alias (Opsgenie) to {{rule.id}}-{{alert.id}} to ensure the resolve event closes exactly the right incident. Without this, a new incident is created every time the alert re-fires.

Prefer the Cases connector for investigation workflows. When an alert requires investigation with comments, attachments, and assignees, use Cases rather than a direct Jira/ServiceNow connector. Cases gives you a native investigation UI and can still push to ITSM via the Case's external connection.

Use the Index connector for durable audit trails. The Index connector writes to Elasticsearch, making alert history searchable and dashboardable. Pair it with an ILM policy on the target index to control retention.

Restrict connector access via Action settings. Use xpack.actions.enabledActionTypes to allowlist only the connector types your organization needs, and xpack.actions.allowedHosts to restrict outbound connections to known endpoints.

Connector type is immutable. You cannot change the connector_type_id after creation. Delete and recreate instead.

Secrets lost on export/import. Exporting connectors via Saved Objects strips secrets. After import, connectors show is_missing_secrets: true and a "Fix" button appears in the UI. You must re-enter secrets manually or via API.

Preconfigured connectors cannot be modified via API. Attempting to update or delete a preconfigured connector returns 400. Manage them exclusively in kibana.yml.

Rate limits from third-party services. Connectors that send high volumes of notifications (e.g., one per alert every minute) can hit Slack, PagerDuty, or email provider rate limits. Use alert summaries and action frequency controls on the rule side to reduce volume.

Connector networking failures. Kibana must be able to reach the connector's target URL. Verify firewall rules, proxy settings, and DNS resolution. Use xpack.actions.customHostSettings for TLS issues.

License requirements. Some connector types require a Gold, Platinum, or Enterprise license. Check the minimum_license_required field from GET /api/actions/connector_types. A connector that is enabled_in_config: true but enabled_in_license: false cannot be used.

Terraform import does not restore secrets. When importing an existing connector into Terraform, the secrets are not read back from Kibana. You must provide them in your Terraform configuration, or the next terraform apply will overwrite them with empty values.