
Preconfigured connectors

If you are running Kibana on-prem, you can preconfigure a connector to have all the information it needs prior to startup by adding it to the kibana.yml file.


Elasticsearch Service provides a preconfigured email connector but you cannot create additional preconfigured connectors.

Preconfigured connectors offer the following benefits:

  • Require no setup. Configuration and credentials needed to run an action are predefined, including the connector name and ID.
  • Appear in all spaces because they are not saved objects.
  • Cannot be edited or deleted.

Add xpack.actions.preconfigured settings to your kibana.yml file. The settings vary depending on which type of connector you’re adding. Refer to Preconfigured connector settings.

This example shows a valid configuration for a Slack connector and a Webhook connector:

  my-slack1:                  1
    actionTypeId: .slack      2
    name: 'Slack #xyz'        3
      webhookUrl: 'https://hooks.slack.com/services/abcd/efgh/ijklmnopqrstuvwxyz'
    actionTypeId: .webhook
    name: 'Email service'
    config:                   4
      url: 'https://email-alert-service.elastic.co'
      method: post
        header1: value1
        header2: value2
    secrets:                  5
      user: elastic
      password: changeme
    exposeConfig: true        6
  1. The key is the connector identifier, my-slack1 in this example.
  2. actionTypeId is the action type identifier.
  3. name is the name of the preconfigured connector.
  4. config is the configuration specific to the connector type.
  5. secrets is the sensitive configuration, such as username, password, and keys, specific to the connector type.
  6. exposeConfig is the optional boolean flag, which identify if connector config will be exposed in the actions API

Sensitive properties, such as passwords, can also be stored in the Kibana keystore.

go to the Connectors page using the navigation menu or the global search field. Preconfigured connectors appear regardless of which space you are in. They are tagged as “preconfigured”, and you cannot delete them.

Connectors managing tab with pre-configured

Clicking a preconfigured connector shows the description, but not the configuration.

Kibana provides the following built-in preconfigured connectors:


This functionality is in technical preview and may be changed or removed in a future release. Elastic will work to fix any issues, but features in technical preview are not subject to the support SLA of official GA features.

Kibana offers a preconfigured index connector to facilitate indexing active alert data into Elasticsearch. To use this connector, set xpack.actions.preconfiguredAlertHistoryEsIndex to true.

When you subsequently create rules, you can use the Alert history Elasticsearch index (preconfigured) connector.

Creating a rule action that uses the pre-configured alert history connector

Documents are indexed using a preconfigured schema that captures the action variables available for the rule. By default, these documents are indexed into the kibana-alert-history-default index, but you can specify a different index. Index names must start with kibana-alert-history- to take advantage of the preconfigured alert history index template.

  • To write documents to the preconfigured index, you must have all or write privileges to the kibana-alert-history-* indices.
  • The kibana-alert-history-* indices are not configured to use ILM so they must be maintained manually. If the index size grows large, consider using the delete by query API to clean up older documents in the index.

The following example creates an Amazon Bedrock connector:

    name: preconfigured-bedrock-connector-type
    actionTypeId: .bedrock
      apiUrl: https://bedrock-runtime.us-east-1.amazonaws.com 1
      defaultModel: anthropic.claude-3-5-sonnet-20240620-v1:0 2
      accessKey: key-value 3
      secret: secret-value 4
  1. The Amazon Bedrock request URL.
  2. The default model to use for requests. Current support is for the Anthropic Claude models, defaulting to Claude 2.
  3. The AWS access key for authentication.
  4. The AWS secret for authentication.

The following example creates a D3 Security connector:

    name: preconfigured-d3security-connector-type
    actionTypeId: .d3security
      url: https://testurl.com/elasticsearch/VSOC/api/Data/Kibana/Security%20Operations/CreateEvents 1
      token: superlongtoken 2
  1. The D3 Security API request URL.
  2. The D3 Security token.

The following example creates an email connector:

    name: preconfigured-email-connector-type
    actionTypeId: .email
      service: other 1
      from: testsender@test.com 2
      host: validhostname 3
      port: 8080 4
      secure: false 5
      hasAuth: true 6
      user: testuser 7
      password: passwordkeystorevalue 8
  1. The name of the email service. If service is elastic_cloud (for Elastic Cloud notifications) or one of Nodemailer’s well-known email service providers, the host, port, and secure properties are ignored. If service is other, the host and port properties must be defined. For more information on the gmail service value, refer to Nodemailer Gmail documentation. If service is exchange_server, the tenantId, clientId, clientSecret properties are required instead of host and port.
  2. The email address for all emails sent with this connector. It must be specified in user@host-name format.
  3. The host name of the service provider.
  4. The port to connect to on the service provider.
  5. If true, the connection will use TLS when connecting to the service provider.
  6. If true, this connector will require values for user and password inside the secrets configuration. Defaults to true.
  7. A user name for authentication. Required if hasAuth is set to true.
  8. A password for authentication. Should be stored in the Kibana keystore. Required if hasAuth is set to true.

Use the following email connector configuration to send email from the Amazon Simple Email Service (SES) SMTP service:

    service: ses
    // `host`, `port` and `secure` have the following default values and do not need to set:
    // port: 465
    // secure: true
    user: <username>
    password: <password>
  1. config.host varies depending on the region

Use the following email connector configuration to send email from the Gmail SMTP service:

  service: gmail
  // `host`, `port` and `secure` have the following default values and do not need to set:
  // host: smtp.gmail.com
  // port: 465
  // secure: true
  user: <username>
  password: <password>


    service: other
    host: <your exchange server>
    port: 465
    secure: true
    from: <email address of service account> 1
    user: <email address of service account> 2
    password: <password>
  1. Some organizations configure Exchange to validate that the from field is a valid local email account.
  2. Many organizations support use of your email address as your username. Check with your system administrator if you receive authentication-related failures.

Use the following email connector configuration to send email from Microsoft Exchange:

    service: exchange_server
    clientId: <The Application (client) ID> 1
    tenantId: <The directory tenant ID, in GUID format.>
    from: <email address of service account> 2
    clientSecret: <URL-encoded string>
  1. This application information is on the Azure portal – App registrations.
  2. Some organizations configure Exchange to validate that the from field is a valid local email account.

Use the following email connector configuration to send email from the Outlook.com SMTP service:

    service: outlook365
    // `host`, `port` and `secure` have the following default values and do not need to set:
    // host: smtp.office365.com
    // port: 587
    // secure: false
    user: <email.address>
    password: <password>

The following example creates a OpenAI connector:

    name: preconfigured-openai-connector-type
    actionTypeId: .gen-ai
      apiUrl: https://api.openai.com/v1/chat/completions 1
      apiProvider: 'OpenAI' 2
      defaultModel: gpt-4o 3
      apiKey: superlongapikey 4
  1. The OpenAI request URL.
  2. The OpenAI API provider, either OpenAI or Azure OpenAI.
  3. The default model to use for requests. This setting is optional and applicable only when apiProvider is OpenAI.
  4. The OpenAI or Azure OpenAI API key for authentication.

The following example creates a IBM Resilient connector:

    name: preconfigured-resilient-connector-type
    actionTypeId: .resilient
      apiUrl: https://elastic.resilient.net 1
      orgId: ES 2
      apiKeyId: testuser 3
      apiKeySecret: tokenkeystorevalue 4
  1. The IBM Resilient instance URL.
  2. The IBM Resilient organization identifier.
  3. The authentication key ID for HTTP basic authentication.
  4. The authentication key secret for HTTP basic authentication. NOTE: This value should be stored in the Kibana keystore.

The following example creates a index connector:

    name: preconfigured-index-connector-type
    actionTypeId: .index
      index: .kibana 1
      executionTimeField: my-field 2
  1. The Elasticsearch index to be written to.
  2. A field that indicates when the document was indexed.

The following example creates a Jira connector:

    name: preconfigured-jira-connector-type
    actionTypeId: .jira
      apiUrl: https://elastic.atlassian.net 1
      projectKey: ES 2
      email: testuser 3
      apiToken: tokenkeystorevalue 4
  1. The Jira instance URL.
  2. The Jira project key.
  3. The account email for HTTP basic authentication.
  4. The API authentication token for HTTP basic authentication. NOTE: This value should be stored in the Kibana keystore.

The following example creates a Microsoft Teams connector:

    name: preconfigured-teams-connector-type
    actionTypeId: .teams
      webhookUrl: 'https://outlook.office.com/webhook/abcd@0123456/IncomingWebhook/abcdefgh/ijklmnopqrstuvwxyz' 1
  1. The URL of the incoming webhook.

The following example creates an Opsgenie connector:

    name: preconfigured-opsgenie-connector-type
    actionTypeId: .opsgenie
      apiUrl: https://api.opsgenie.com 1
      apiKey: apikey 2
  1. The Opsgenie URL.
  2. The Opsgenie API authentication key for HTTP basic authentication.

The following example creates a PagerDuty connector:

    name: preconfigured-pagerduty-connector-type
    actionTypeId: .pagerduty
      apiUrl: https://test.host 1
      routingKey: testroutingkey 2
  1. The PagerDuty event URL.
  2. A 32 character PagerDuty Integration Key for an integration on a service, also referred to as the routing key.

The following example creates a server log connector:

    name: preconfigured-server-log-connector-type
    actionTypeId: .server-log

The following example creates a ServiceNow ITOM connector with basic authentication:

    name: preconfigured-servicenow-connector-type
    actionTypeId: .servicenow-itom
      apiUrl: https://example.service-now.com/ 1
      username: testuser 2
      password: passwordkeystorevalue 3
  1. The ServiceNow instance URL.
  2. A user name.
  3. A password. NOTE: This value should be stored in the Kibana keystore.

The following example creates a ServiceNow ITOM connector with OAuth authentication:

    name: preconfigured-oauth-servicenow-connector-type
    actionTypeId: .servicenow-itom
      apiUrl: https://example.service-now.com/
      isOAuth: true 1
      userIdentifierValue: testuser@email.com 2
      clientId: abcdefghijklmnopqrstuvwxyzabcdef 3
      jwtKeyId: fedcbazyxwvutsrqponmlkjihgfedcba 4
      clientSecret: secretsecret 5
      privateKey: |  6
        -----BEGIN RSA PRIVATE KEY-----
        ... multiple lines of key data ...
        -----END RSA PRIVATE KEY-----
  1. Specifies whether the connector uses basic or OAuth authentication.
  2. The user identifier.
  3. The client identifier assigned to your OAuth application.
  4. The key identifier assigned to the JWT verifier map of your OAuth application.
  5. The client secret assigned to your OAuth application.
  6. The RSA private key in multiline format. If it has a password, you must also provide privateKeyPassword.

The following example creates a ServiceNow ITSM connector with basic authentication:

    name: preconfigured-servicenow-connector-type
    actionTypeId: .servicenow
      apiUrl: https://example.service-now.com/ 1
      usesTableApi: false 2
      username: testuser 3
      password: passwordkeystorevalue 4
  1. The ServiceNow instance URL.
  2. Specifies whether the connector uses the Table API or the Import Set API. If usesTableApi is false, the Elastic application should be installed in ServiceNow.
  3. The user name.
  4. The password. NOTE: This value should be stored in the Kibana keystore.

The following example creates a ServiceNow ITSM connector with OAuth authentication:

    name: preconfigured-oauth-servicenow-connector-type
    actionTypeId: .servicenow
      apiUrl: https://example.service-now.com/
      usesTableApi: false
      isOAuth: true 1
      userIdentifierValue: testuser@email.com 2
      clientId: abcdefghijklmnopqrstuvwxyzabcdef 3
      jwtKeyId: fedcbazyxwvutsrqponmlkjihgfedcba 4
      clientSecret: secretsecret 5
      privateKey: | 6
        -----BEGIN RSA PRIVATE KEY-----
        ... multiple lines of key data ...
        -----END RSA PRIVATE KEY-----
  1. Specifies whether the connector uses basic or OAuth authentication.
  2. The user identifier.
  3. The client identifier assigned to your OAuth application.
  4. The key ID assigned to the JWT verifier map of your OAuth application.
  5. The client secret assigned to the OAuth application.
  6. The RSA private key in multiline format. If it has a password, you must also provide privateKeyPassword.

The following example creates a ServiceNow SecOps connector with basic authentication:

    name: preconfigured-servicenow-connector-type
    actionTypeId: .servicenow-sir
      apiUrl: https://example.service-now.com/ 1
      usesTableApi: false 2
      username: testuser 3
      password: passwordkeystorevalue 4
  1. The ServiceNow instance URL.
  2. Specifies whether the connector uses the Table API or the Import Set API. If usesTableApi is false, the Elastic application should be installed in ServiceNow.
  3. The user name.
  4. The password. NOTE: This value should be stored in the Kibana keystore.

The following example creates a ServiceNow SecOps connector with OAuth authentication:

    name: preconfigured-oauth-servicenow-connector-type
    actionTypeId: .servicenow-sir
      apiUrl: https://example.service-now.com/
      usesTableApi: false
      isOAuth: true 1
      userIdentifierValue: testuser@email.com 2
      clientId: abcdefghijklmnopqrstuvwxyzabcdef 3
      jwtKeyId: fedcbazyxwvutsrqponmlkjihgfedcba 4
      clientSecret: secretsecret 5
      privateKey: | 6
        -----BEGIN RSA PRIVATE KEY-----
        ... multiple lines of key data ...
        -----END RSA PRIVATE KEY-----
  1. Specifies whether the connector uses basic or OAuth authentication.
  2. The user identifier.
  3. The client identifier assigned to the OAuth application.
  4. The key ID assigned to the JWT verifier map of your OAuth application.
  5. The client secret assigned to the OAuth application.
  6. The RSA private key in multiline format. If it has a password, you must also specify privateKeyPassword.

The following example creates a Slack connector with webhook:

    name: preconfigured-slack-webhook-connector-type
    actionTypeId: .slack
      webhookUrl: 'https://hooks.slack.com/services/xxxx/xxxx/xxxx' 1
  1. The Slack webhook URL.

The following example creates a Slack connector with web API:

    name: preconfigured-slack-api-connector-type
    actionTypeId: .slack_api
      token: 'xoxb-xxxx-xxxx-xxxx' 1
  1. The Slack bot user OAuth token.

The following example creates a Swimlane connector:

    name: preconfigured-swimlane-connector-type
    actionTypeId: .swimlane
      apiUrl: https://elastic.swimlaneurl.us 1
      appId: app-id 2
      mappings: 3
          fieldType: text
          id: agp4s
          key: alert-id
          name: Alert ID
          fieldType: text
          id: ae1mi
          key: case-id
          name: Case ID
          fieldType: text
          id: anxnr
          key: case-name
          name: Case Name
          fieldType: comments
          id: au18d
          key: comments
          name: Comments
          fieldType: text
          id: ae1gd
          key: description
          name: Description
          fieldType: text
          id: avfsl
          key: rule-name
          name: Rule Name
          fieldType: text
          id: a71ik
          key: severity
          name: severity
      apiToken: tokenkeystorevalue 4
  1. The Swimlane instance URL.
  2. The Swimlane application identifier.
  3. Field mappings for properties such as the alert identifer, severity, and rule name.
  4. The API authentication token for HTTP basic authentication. NOTE: This value should be stored in the Kibana keystore.

The following example creates a Tines connector:

    name: preconfigured-tines-connector-type
    actionTypeId: .tines
      url: https://some-tenant-2345.tines.com 1
      email: some.address@test.com 2
      token: ausergeneratedapitoken 3
  1. The Tines tenant URL.
  2. The email used to sign in to Tines.
  3. The Tines API token.

The following example creates a Torq connector:

    name: preconfigured-torq-connector-type
    actionTypeId: .torq
      webhookIntegrationUrl: https://hooks.torq.io/v1/somehook 1
      token: mytorqtoken 2
  1. The endpoint URL of the Elastic Security integration in Torq.
  2. The secret of the webhook authentication header.

The following example creates a webhook connector with basic authentication:

    name: preconfigured-webhook-connector-type
    actionTypeId: .webhook
      url: https://test.host 1
      method: post 2
      headers: 3
        testheader: testvalue
      hasAuth: true 4
      user: testuser 5
      password: passwordkeystorevalue 6
  1. The web service request URL. If you are using the xpack.actions.allowedHosts setting, make sure the hostname is added to the allowed hosts.
  2. The HTTP request method, either post(default) or put.
  3. A set of key-value pairs sent as headers with the request.
  4. If true, this connector will require values for user and password inside the secrets configuration. Defaults to true.
  5. A valid user name. Required if hasAuth is set to true.
  6. A valid password. Required if hasAuth is set to true. NOTE: This value should be stored in the Kibana keystore.

SSL authentication is not supported in preconfigured webhook connectors.

The following example creates a Webhook - Case Management connector:

    name: Case Management Webhook Connector
    actionTypeId: .cases-webhook
      hasAuth: true 1
      headers: 2
        'content-type': 'application/json'
      createIncidentUrl: 'https://example.com/rest/api/2/issue' 3
      createIncidentMethod: 'post' 4
      createIncidentJson: '{"fields":{"summary":{{{case.title}}},"description":{{{case.description}}},"labels":{{{case.tags}}}' 5
      getIncidentUrl: 'https://example.com/rest/api/2/issue/{{{external.system.id}}}' 6
      getIncidentResponseExternalTitleKey: 'key' 7
      viewIncidentUrl: 'https://example.com/browse/{{{external.system.title}}}' 8
      updateIncidentUrl: 'https://example.com/rest/api/2/issue/{{{external.system.id}}}' 9
      updateIncidentMethod: 'put' 10
      updateIncidentJson: '{"fields":{"summary":{{{case.title}}},"description":{{{case.description}}},"labels":{{{case.tags}}}' 11
      createCommentMethod: 'post', 12
      createCommentUrl: 'https://example.com/rest/api/2/issue/{{{external.system.id}}}/comment', 13
      createCommentJson: '{"body": {{{case.comment}}}}', 14
      user: testuser 15
      password: passwordvalue 16
  1. If true, this connector will require values for user and password inside the secrets configuration.
  2. A set of key-value pairs sent as headers with the request.
  3. A REST API URL string to create a case in the third-party system.
  4. The REST API HTTP request method to create a case in the third-party system.
  5. A stringified JSON payload with Mustache variables that is sent to the create case URL to create a case.
  6. A REST API URL string with an external service ID Mustache variable to get the case from the third-party system.
  7. A string from the response body of the get case method that corresponds to the external service title.
  8. A URL string with either the external service ID or external service title Mustache variable to view a case in the external system.
  9. The REST API URL to update the case by ID in the third-party system.
  10. The REST API HTTP request method to update the case in the third-party system.
  11. A stringified JSON payload with Mustache variables that is sent to the update case URL to update a case.
  12. The REST API HTTP request method to create a case comment in the third-party system.
  13. A REST API URL string to create a case comment by ID in the third-party system.
  14. A stringified JSON payload with Mustache variables that is sent to the create comment URL to create a case comment.
  15. A user name, which is required when hasAuth is true.
  16. A password, which is required when hasAuth is true.

The following example creates an xMatters connector with basic authentication:

    name: preconfigured-xmatters-connector-type
    actionTypeId: .xmatters
      configUrl: https://test.host 1
      usesBasic: true 2
      user: testuser 3
      password: passwordkeystorevalue 4
  1. The request URL for the Elastic Alerts trigger in xMatters.
  2. Indicates whether the connector uses HTTP basic authentication. If true, you must provide user and password values. Defaults to true.
  3. A user name for authentication, which is required when usesBasic is true.
  4. A password for authentication, which is required when usesBasic is true. NOTE: This value should be stored in the Kibana keystore.

The following example creates an xMatters connector with URL authentication:

    name: preconfigured-xmatters-connector-type
    actionTypeId: .xmatters
      usesBasic: false 1
      secretsUrl: https://test.host?apiKey=1234-abcd 2
  1. Indicates whether the connector uses HTTP basic authentication. Set to false to use URL authentication. Defaults to true.
  2. The request URL for the Elastic Alerts trigger in xMatters with the API key included in the URL.