Kibana Connectors
Core Concepts
Connectors store connection information for Elastic services and third-party systems. Alerting rules use connectors to
route actions (notifications) when rule conditions are met. Connectors are managed per Kibana Space and can be
shared across all rules within that space.
Connector Categories
| Category | Connector Types |
|---|
| LLM Providers | OpenAI, Google Gemini, Amazon Bedrock, Elastic Managed LLMs, AI Connector, MCP (Preview, 9.3+) |
| Incident Management | PagerDuty, Opsgenie, ServiceNow (ITSM, SecOps, ITOM), Jira, Jira Service Management (9.2+), IBM Resilient, Swimlane, Torq, Tines, D3 Security, XSOAR (9.1+), TheHive |
| Endpoint Security | CrowdStrike, SentinelOne, Microsoft Defender for Endpoint |
| Messaging | Slack (API / Webhook), Microsoft Teams, Email |
| Logging & Observability | Server log, Index, Observability AI Assistant |
| Webhook | Webhook, Webhook - Case Management, xMatters |
| Elastic | Cases |
Authentication
All connector API calls require API key auth or Basic auth. Every mutating request must include the
header.
Required Privileges
Access to connectors is granted based on your privileges to alerting-enabled features. You need
privileges for
Actions and Connectors in Stack Management.
API Reference
Base path:
(or
/s/<space_id>/api/actions
for non-default spaces).
| Operation | Method | Endpoint |
|---|
| Create connector | POST | /api/actions/connector/{id}
|
| Update connector | PUT | /api/actions/connector/{id}
|
| Get connector | GET | /api/actions/connector/{id}
|
| Delete connector | DELETE | /api/actions/connector/{id}
|
| Get all connectors | GET | |
| Get connector types | GET | /api/actions/connector_types
|
| Run connector | POST | /api/actions/connector/{id}/_execute
|
Creating a Connector
Required Fields
| Field | Type | Description |
|---|
| string | Display name for the connector |
| string | The connector type (e.g., , , , , ) |
| object | Type-specific configuration (non-secret settings) |
| object | Type-specific secrets (API keys, passwords, tokens) |
Example: Create a Slack Connector (Webhook)
bash
curl -X POST "https://my-kibana:5601/api/actions/connector/my-slack-connector" \
-H "kbn-xsrf: true" \
-H "Content-Type: application/json" \
-H "Authorization: ApiKey <your-api-key>" \
-d '{
"name": "Production Slack Alerts",
"connector_type_id": ".slack",
"config": {},
"secrets": {
"webhookUrl": "https://hooks.slack.com/services/T00/B00/XXXX"
}
}'
All connector types share the same request structure — only
,
, and
differ. See the
Common Connector Type IDs table for available types and their required fields.
Example: Create a PagerDuty Connector
bash
curl -X POST "https://my-kibana:5601/api/actions/connector/my-pagerduty" \
-H "kbn-xsrf: true" \
-H "Content-Type: application/json" \
-H "Authorization: ApiKey <your-api-key>" \
-d '{
"name": "PagerDuty Incidents",
"connector_type_id": ".pagerduty",
"config": {
"apiUrl": "https://events.pagerduty.com/v2/enqueue"
},
"secrets": {
"routingKey": "your-pagerduty-integration-key"
}
}'
Updating a Connector
PUT /api/actions/connector/{id}
replaces the full configuration.
is immutable — delete and
recreate to change it.
Listing and Discovering Connectors
bash
# Get all connectors in the current space
curl -X GET "https://my-kibana:5601/api/actions/connectors" \
-H "Authorization: ApiKey <your-api-key>"
# Get available connector types
curl -X GET "https://my-kibana:5601/api/actions/connector_types" \
-H "Authorization: ApiKey <your-api-key>"
# Filter connector types by feature (e.g., only those supporting alerting)
curl -X GET "https://my-kibana:5601/api/actions/connector_types?feature_id=alerting" \
-H "Authorization: ApiKey <your-api-key>"
The
GET /api/actions/connectors
response includes
showing how many rules use each connector.
Always check this before deleting.
Running a Connector (Test)
Execute a connector action directly, useful for testing connectivity.
bash
curl -X POST "https://my-kibana:5601/api/actions/connector/my-slack-connector/_execute" \
-H "kbn-xsrf: true" \
-H "Content-Type: application/json" \
-H "Authorization: ApiKey <your-api-key>" \
-d '{
"params": {
"message": "Test alert from API"
}
}'
Deleting a Connector
bash
curl -X DELETE "https://my-kibana:5601/api/actions/connector/my-slack-connector" \
-H "kbn-xsrf: true" \
-H "Authorization: ApiKey <your-api-key>"
Warning: Deleting a connector that is referenced by rules will cause those rule actions to fail silently. Check
first.
Terraform Provider
Use the
provider resource
elasticstack_kibana_action_connector
.
hcl
terraform {
required_providers {
elasticstack = {
source = "elastic/elasticstack"
}
}
}
provider "elasticstack" {
kibana {
endpoints = ["https://my-kibana:5601"]
api_key = var.kibana_api_key
}
}
resource "elasticstack_kibana_action_connector" "slack" {
name = "Production Slack Alerts"
connector_type_id = ".slack"
config = jsonencode({})
secrets = jsonencode({
webhookUrl = "https://hooks.slack.com/services/T00/B00/XXXX"
})
}
resource "elasticstack_kibana_action_connector" "index" {
name = "Alert Index Writer"
connector_type_id = ".index"
config = jsonencode({
index = "alert-history"
executionTimeField = "@timestamp"
})
secrets = jsonencode({})
}
Key Terraform notes:
- and must be JSON-encoded strings via
- Secrets are stored in Terraform state; use a remote backend with encryption and restrict state file access
- Import existing connectors:
terraform import elasticstack_kibana_action_connector.my_connector <space_id>/<connector_id>
- After import, secrets are not populated in state; you must supply them in config
Preconfigured Connectors (On-Prem)
For self-managed Kibana, connectors can be preconfigured in
so they are available at startup without manual
creation:
yaml
xpack.actions.preconfigured:
my-slack-connector:
name: "Production Slack"
actionTypeId: .slack
secrets:
webhookUrl: "https://hooks.slack.com/services/T00/B00/XXXX"
my-webhook:
name: "Custom Webhook"
actionTypeId: .webhook
config:
url: "https://api.example.com/alerts"
method: post
hasAuth: true
secrets:
user: "alert-user"
password: "secret-password"
Preconfigured connectors cannot be edited or deleted via the API or UI. They show
and omit
and
from API responses.
Networking Configuration
Customize connector networking (proxies, TLS, certificates) via
:
yaml
# Global proxy for all connectors
xpack.actions.proxyUrl: "https://proxy.example.com:8443"
# Per-host TLS settings
xpack.actions.customHostSettings:
- url: "https://api.example.com"
ssl:
verificationMode: full
certificateAuthoritiesFiles: ["/path/to/ca.pem"]
Connectors in Kibana Workflows
Connectors serve as the integration layer across multiple Kibana workflows, not just alerting notifications:
| Workflow | Connector Types | Key Pattern |
|---|
| ITSM ticketing | ServiceNow, Jira, IBM Resilient | Create ticket on active, close on |
| On-call escalation | PagerDuty, Opsgenie | on active, on ; always set a deduplication key |
| Case management | Cases (system action) | UI-only; groups alerts into investigation Cases; can auto-push to ITSM |
| Messaging / awareness | Slack, Teams, Email | for incident channels; summaries for monitoring channels |
| Audit logging | Index | to write full alert time-series to Elasticsearch |
| AI workflows | OpenAI, Bedrock, Gemini, AI Connector | Powers Elastic AI Assistant and Attack Discovery; system-managed |
| Custom integrations | Webhook | Generic HTTP outbound with Mustache-templated JSON body |
For detailed patterns, examples, and decision guidance for each workflow, see workflows.md.
Best Practices
-
Use preconfigured connectors for production on-prem. They eliminate secret sprawl, survive Saved Object imports,
and cannot be accidentally deleted. Reserve API-created connectors for dynamic or user-managed scenarios.
-
Test connectors before attaching to rules. Use the
endpoint to verify connectivity. A misconfigured
connector causes silent action failures that only appear in the rule's execution history.
-
Check before deleting. Deleting a connector used by active rules causes those actions to
fail. List connectors and verify zero references, or reassign rules to a new connector first.
-
Use the Email domain allowlist. The
xpack.actions.email.domain_allowlist
setting restricts which email domains
connectors can send to. If you update this list, existing email connectors with recipients outside the new list will
start failing.
-
Secure secrets in Terraform. Connector secrets (API keys, passwords, webhook URLs) are stored in Terraform state.
Use encrypted remote backends (S3+KMS, Azure Blob+encryption, GCS+CMEK) and restrict access to state files. Use
on variables.
-
One connector per service, not per rule. Create a single Slack connector and reference it from multiple rules.
This centralizes secret rotation and reduces duplication.
-
Use Spaces for multi-tenant isolation. Connectors are scoped to a Kibana Space. Create separate spaces for
different teams or environments and configure connectors per space.
-
Monitor connector health. Failed connector executions are logged in the event log index (
).
Connector failures report as successful to Task Manager but fail silently for alert delivery. Check the
Event Log Index for true failure
rates.
-
Always configure a recovery action alongside the active action. Connectors for ITSM and on-call tools
(ServiceNow, Jira, PagerDuty, Opsgenie) support a close/resolve operation. Without a recovery action, incidents
remain open forever.
-
Use deduplication keys for on-call connectors. Set
(PagerDuty) or
(Opsgenie) to
to ensure the resolve event closes exactly the right incident. Without this, a new
incident is created every time the alert re-fires.
-
Prefer the Cases connector for investigation workflows. When an alert requires investigation with comments,
attachments, and assignees, use Cases rather than a direct Jira/ServiceNow connector. Cases gives you a native
investigation UI and can still push to ITSM via the Case's external connection.
-
Use the Index connector for durable audit trails. The Index connector writes to Elasticsearch, making alert
history searchable and dashboardable. Pair it with an ILM policy on the target index to control retention.
-
Restrict connector access via Action settings. Use
xpack.actions.enabledActionTypes
to allowlist only the
connector types your organization needs, and
xpack.actions.allowedHosts
to restrict outbound connections to known
endpoints.
Common Pitfalls
-
Missing header. All POST, PUT, DELETE requests require
. Omitting it returns a 400
error.
-
Wrong . Use the exact string including the leading dot (e.g.,
, not
). Discover
valid types via
GET /api/actions/connector_types
.
-
Empty object required. Even for connectors without secrets (e.g.,
,
), you must
provide
in the create request.
-
Connector type is immutable. You cannot change the
after creation. Delete and recreate
instead.
-
Secrets lost on export/import. Exporting connectors via Saved Objects strips secrets. After import, connectors
show
and a "Fix" button appears in the UI. You must re-enter secrets manually or via API.
-
Preconfigured connectors cannot be modified via API. Attempting to update or delete a preconfigured connector
returns 400. Manage them exclusively in
.
-
Rate limits from third-party services. Connectors that send high volumes of notifications (e.g., one per alert
every minute) can hit Slack, PagerDuty, or email provider rate limits. Use alert summaries and action frequency
controls on the rule side to reduce volume.
-
Connector networking failures. Kibana must be able to reach the connector's target URL. Verify firewall rules,
proxy settings, and DNS resolution. Use
xpack.actions.customHostSettings
for TLS issues.
-
License requirements. Some connector types require a Gold, Platinum, or Enterprise license. Check the
field from
GET /api/actions/connector_types
. A connector that is
but
enabled_in_license: false
cannot be used.
-
Terraform import does not restore secrets. When importing an existing connector into Terraform, the secrets are
not read back from Kibana. You must provide them in your Terraform configuration, or the next
will
overwrite them with empty values.
Common Connector Type IDs
| Type ID | Name | License |
|---|
| Email | Gold |
| Slack (Webhook) | Gold |
| Slack (API) | Gold |
| PagerDuty | Gold |
| Jira | Gold |
| ServiceNow ITSM | Platinum |
| ServiceNow SecOps | Platinum |
| ServiceNow ITOM | Platinum |
| Webhook | Gold |
| Index | Basic |
| Server log | Basic |
| Opsgenie | Gold |
| Microsoft Teams | Gold |
| OpenAI | Enterprise |
| Amazon Bedrock | Enterprise |
| Google Gemini | Enterprise |
| Cases | Platinum |
| CrowdStrike | Enterprise |
| SentinelOne | Enterprise |
.microsoft_defender_endpoint
| Microsoft Defender for Endpoint | Enterprise |
| TheHive | Gold |
Note: Use
GET /api/actions/connector_types
to discover all available types on your deployment along with their
exact
values. Connector types for XSOAR, Jira Service Management, and MCP are available but
may not appear in older API spec versions.
Examples
Create a Slack connector: "Set up Slack notifications for our alerts."
POST /api/actions/connector
with
connector_type_id: ".slack"
and
. Use the returned connector
in rule actions.
Test a connector before attaching to rules: "Verify the PagerDuty connector works."
POST /api/actions/connector/{id}/_execute
with a minimal params object to confirm connectivity before adding to any
rule.
Audit connector usage before deletion: "Remove the old email connector."
GET /api/actions/connectors
, inspect
— if non-zero, reassign the referencing rules first, then
DELETE /api/actions/connector/{id}
.
Guidelines
- Include on every POST, PUT, and DELETE; omitting it returns 400.
- is immutable — delete and recreate to change connector type.
- Always pass even for connectors with no secrets (e.g., , ).
- Check before deleting; a deleted connector silently breaks all referencing rule actions.
- Connectors are space-scoped; prefix paths with
/s/<space_id>/api/actions/
- Secrets are write-only: not returned by GET and stripped on Saved Object export/import; always re-supply after import.
- Test every new connector with before attaching to rules; connector failures in production are silent.
Additional Resources