Kibana

Pulls live observability data and security alerts from your dashboards to trigger automated responses and reports across your stack.

Why use Ceven?

  1. AI native Kibana integration

    • Describe the outcome and Ceven picks the right Kibana calls, fills the parameters, and checks the result.
    • Structured, agent friendly tool schemas so each call runs reliably instead of by guesswork.
    • Rich coverage for reading, writing, and querying your Kibana data across the 30 actions listed below.
  2. Managed auth

    • Managed credentials for the service account or API token you connect with, including automatic token refresh and rotation.
    • One place to manage, scope, and revoke Kibana access.
    • Per user and per environment credentials instead of shared keys.
  3. Agent optimized design

    • Actions are tuned from real success and error rates so reliability climbs over time.
    • Full execution logs so you always know what ran in Kibana, when, and on whose behalf.
    • The agent pauses and asks when Kibana is unclear instead of plowing ahead.
  4. Enterprise grade security

    • Fine grained access so you control which agents and people can reach Kibana.
    • Least privilege by default: read scopes first, and only the writes a workflow needs.
    • A full audit trail of every Kibana action to support review and sign off.

Supported tools

Every action Ceven's agents can run on Kibana, and when to use it.

Find Kibana Alerts
Use this to retrieve a list of detection alerts, optionally filtering them with a query and performing aggregations.
Get Alerting Rules
Pull a paginated set of alerting rules based on specified conditions to audit your monitoring coverage.
Find Detection Engine Rules
Retrieve a list of detection engine rules based on specific criteria to verify security coverage.
List Entity Store Entities
Pull entity records like users, hosts, or services with support for paging and filtering.
Get Node Metrics
Retrieve statistics for nodes in an Elasticsearch cluster to monitor health and resource usage.
Get Fleet Agent Policies
Fetch a list of agent policies in Fleet to verify current configuration deployments.
Get All Connectors
Retrieve a list of all connectors in Kibana to see where alerts are being routed.
Get Data Views
Pull a list of available data views, optionally filtering by a name pattern.
Get Cases
Retrieve a list of security or operational cases, filtering by status, assignee, or severity.
Delete Saved Object
Use this when you need to remove a specific saved object like a visualization or dashboard.
Delete Alerting Rule
Remove a specific alerting rule by its id when it is no longer needed.
Get Action Types
Fetch the list of available action types, such as Slack or email, to find the ID needed for new actions.
Delete Action
Delete an action in Kibana by its ID, optionally within a specific space. Use when you need to remove a specific action.
Delete Connector
Delete a connector in Kibana. Use when you need to remove an existing connector.
Delete Fleet Output
Delete a specific output configuration in Kibana Fleet by its ID. Use when you need to remove an existing output.
Delete Fleet Proxy
Delete a specific Fleet proxy configuration by its ID. Use when you need to remove an existing proxy setup.
Delete List
Delete a list by its ID.
Delete Osquery Saved Query
Delete a saved Osquery query by its ID. Use when you need to remove a specific Osquery saved query.
Get Alert Types
Retrieve the alert types available in Kibana. Use when you need a list of all possible alert types and their metadata.
Get Endpoint List Items
Retrieve all items from an endpoint exception list. Use when you need the existing endpoint exceptions, for example to check them before adding a new one.
Get Entity Store Engines
Retrieve the list of engines from the entity store.
Get Entity Store Status
Retrieve the status of the entity store in Kibana. Use this to check whether the entity store is operational.
Get Fleet Agents Available Versions
Retrieve the Elastic Agent versions available to Fleet. Use when you need a list of all available Elastic Agent versions.
Get Fleet Agents Setup Status
Check whether Fleet agents are set up. Use when you need to verify the Fleet setup status.
Check Fleet Permissions
Check permissions for the Fleet API. Use when you need to verify that the current user has the privileges required for Fleet operations.
Get Fleet Data Streams
Retrieve the list of data streams in Fleet.
Get Fleet Enrollment API Key
Retrieve the details of a specific enrollment API key by its ID. Use when you have the ID of an enrollment API key and need its details.
Get Fleet Enrollment API Keys
Fetch a list of enrollment API keys. Use when you need the existing enrollment tokens for Kibana Fleet; the returned keys are secrets, so scope this action tightly.
Get Fleet EPM Categories
Fetch the list of categories in the Elastic Package Manager. Use when you need the available package categories.
Get Fleet EPM Data Streams
Retrieve the list of data streams in the Elastic Package Manager. Use when you need the available data streams, optionally filtered by type, dataset, or categorization.

Frequently asked questions

Ceven operates with the permissions of the service account or user token provided during the connection process and follows Kibana's role-based access control model strictly. If the connected user lacks permission to view a specific index or manage a Fleet policy, the agent receives a 403 Forbidden error from the Kibana API. We recommend creating a dedicated service account with the minimum privileges required for the workflows you intend to run, so the agent cannot accidentally modify critical dashboards or delete alerting rules managed by other teams in your organization. Scope read privileges as carefully as writes: some read actions return secrets, for example Fleet enrollment API keys, so grant them only to workflows that need them.
Currently, Ceven focuses on reading and managing existing objects. While the agent can delete saved objects or modify alerting rules, it cannot build a complex visual dashboard from scratch. It can, however, pull the data that would go into a dashboard and summarize it in a text format or push it to another tool like Slack. If you need a new visualization, you should create the dashboard in Kibana first, and then use Ceven to monitor the data views associated with that dashboard to trigger automated actions based on the results.
Yes, Ceven has deep integration with Kibana Fleet. The agent can retrieve agent policies, check enrollment API keys, and monitor the setup status of your Fleet agents. This allows you to build workflows that automatically notify you when an agent version is out of date or when a policy fails to apply to a subset of your hosts. By connecting Fleet data to your communication tools, you can maintain a healthier infrastructure without manually checking the Fleet management console every day to confirm that all agents are reporting correctly.
Kibana API performance depends heavily on the underlying Elasticsearch cluster. One common quirk is that large requests to list entities or alerts can time out if the index is not properly optimized or the time range is too wide. Depending on how Kibana is deployed, the platform or proxy in front of it may also return 429 Too Many Requests. If the agent hits a 429, it automatically retries with exponential backoff. For very large data sets, we recommend filtered, paginated queries to reduce the payload size and avoid hitting these limits.
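The least-privilege stance from the permissions answer above and the 429 handling described here can both be enforced in the client that makes the Kibana calls. The following is an added example, not Ceven's or Elastic's code: a small wrapper that sends the kbn-xsrf header Kibana requires on non-GET requests, refuses any write not explicitly granted to the workflow (while still allowing the detection alert search, which is a read-only POST), and retries 429 responses with Retry-After-aware, jittered exponential backoff. API-key authentication and the example endpoint paths are assumptions for illustration; the HTTP transport is a constructed fake so the module runs offline.

```python
"""Kibana API wrapper with a workflow write allowlist and 429 backoff.

Added example, not Ceven's or Elastic's code. Assumptions: authentication by
Kibana API key (Authorization: ApiKey ...), and an injected HTTP transport so
the module runs offline; the transport below is a constructed fake.
"""
import json
import random
import time
from dataclasses import dataclass, field
from typing import Callable, Optional

# Kibana rejects state-changing requests without this header (any value works).
KBN_XSRF = {"kbn-xsrf": "true"}

# Non-GET endpoints that only read. Detection alert search is a POST with a
# query body, so a method-only check would wrongly classify it as a write.
READ_ONLY_NON_GET = frozenset({
    "POST /api/detection_engine/signals/search",
})


@dataclass
class Response:
    status: int
    headers: dict
    body: bytes


# transport(method, url, headers, payload) -> Response
Transport = Callable[[str, str, dict, Optional[bytes]], Response]


def backoff_delay(attempt, retry_after=None, base=0.5, cap=30.0, rng=random.random):
    """Seconds to wait before retry number `attempt` (0-based).

    Honors a numeric Retry-After header; otherwise capped exponential backoff
    with full jitter, so many agents do not retry in lockstep.
    """
    if retry_after is not None:
        try:
            return float(retry_after)
        except ValueError:
            pass  # HTTP-date form of Retry-After: fall back to computed delay
    return min(cap, base * (2 ** attempt)) * rng()


@dataclass
class KibanaClient:
    base_url: str
    api_key: str
    transport: Transport
    # "METHOD /path" strings this workflow is explicitly allowed to write with.
    allowed_writes: frozenset = frozenset()
    max_retries: int = 5
    sleeper: Callable[[float], None] = time.sleep
    sleeps: list = field(default_factory=list)  # recorded for audit and tests

    def _headers(self) -> dict:
        return {"Authorization": f"ApiKey {self.api_key}",
                "Content-Type": "application/json", **KBN_XSRF}

    def request(self, method: str, path: str, body=None) -> Response:
        method = method.upper()
        key = f"{method} {path}"
        # Least privilege at the client layer: GETs and known read-only
        # searches pass; any other call must have been granted by the workflow.
        if method != "GET" and key not in READ_ONLY_NON_GET and key not in self.allowed_writes:
            raise PermissionError(f"write not in workflow scope: {key}")
        payload = json.dumps(body).encode() if body is not None else None
        for attempt in range(self.max_retries + 1):
            resp = self.transport(method, self.base_url + path, self._headers(), payload)
            if resp.status != 429:
                return resp
            if attempt == self.max_retries:
                break
            delay = backoff_delay(attempt, resp.headers.get("Retry-After"))
            self.sleeps.append(delay)
            self.sleeper(delay)
        raise RuntimeError(f"still rate limited after {self.max_retries} retries: {key}")


def fake_transport(statuses, retry_after="2"):
    """Constructed offline transport: replays `statuses`, then answers 200 with
    a tiny alert-search result. Records every call on `.calls`."""
    pending = list(statuses)
    calls = []

    def send(method, url, headers, payload):
        calls.append({"method": method, "url": url, "headers": headers, "payload": payload})
        if pending:
            status = pending.pop(0)
            hdrs = {"Retry-After": retry_after} if status == 429 else {}
            return Response(status, hdrs, b"")
        return Response(200, {}, json.dumps({"hits": {"total": {"value": 1}}}).encode())

    send.calls = calls
    return send


if __name__ == "__main__":
    transport = fake_transport([429, 429])
    client = KibanaClient("https://kibana.example", "REDACTED", transport,
                          sleeper=lambda s: None)  # do not really sleep in the demo
    r = client.request("POST", "/api/detection_engine/signals/search",
                       {"query": {"match_all": {}}, "size": 1})
    print(r.status, len(transport.calls), client.sleeps)  # 200 3 [2.0, 2.0]
    try:
        client.request("DELETE", "/api/alerting/rule/example-rule-id")  # hypothetical id
    except PermissionError as e:
        print("blocked:", e)
```

The write guard runs before any HTTP call, so a denied action leaves no trace in Kibana's logs and costs no rate-limit budget; the recorded `sleeps` list gives the execution log a concrete record of how long each call was throttled.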
Absolutely. The agent can integrate with the Kibana detection engine to find security alerts as they happen. Once an alert is found, the agent can pull the related case details, identify the affected entities from the entity store, and gather the last hour of node metrics. It can then package all this information into a security ticket. This replaces the manual process of jumping between the alerts tab, the entity explorer, and the case management screen, allowing your security analysts to start investigating the actual threat instead of gathering the evidence.
The entity store in Kibana acts as a central repository for metadata about your environment. Ceven uses the List Entity Store Entities tool to map a raw IP address or hostname from an alert to a real-world asset. For example, if an alert fires for a specific IP, the agent queries the entity store to find out whether that IP belongs to a production database or a staging web server. This context is added to every notification, so the person receiving the alert knows how critical the issue is without looking up the asset in a separate CMDB.
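The enrichment step just described, as an added example that is not Ceven's code: join a detection alert to an entity-store record by host name (case-insensitive) or by any IP the alert carries, then combine alert severity with asset criticality into a ticket priority. The alert and entity records are constructed; the alert field names follow ECS and Kibana alert documents (kibana.alert.*), while the entity-store shape (entity.name, entity.type, host.ip, asset.criticality with values low_impact to extreme_impact) is an assumption about the API output. Records may come back nested or flattened, so the lookup handles both; an alert with no matching asset is flagged for manual lookup rather than silently treated as low value.

```python
"""Map a Kibana detection alert to an entity-store asset and set a ticket priority.

Added example, not Ceven's code. The alert and entity records are constructed.
Alert field names follow ECS / Kibana alert documents (kibana.alert.*); the
entity-store shape (entity.name, entity.type, host.ip, asset.criticality with
values low_impact .. extreme_impact) is an assumption about the API output.
"""
import ipaddress

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
CRITICALITY_RANK = {"low_impact": 1, "medium_impact": 2, "high_impact": 3, "extreme_impact": 4}
UNKNOWN_CRITICALITY_RANK = 2  # policy choice: an unmatched asset counts as medium, never low


def get_path(doc, path):
    """Read a dotted field from a document whether it is nested or flattened."""
    if path in doc:
        return doc[path]
    cur = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def index_entities(entities):
    """Lookup tables keyed by lower-cased entity name and by parsed IP address."""
    by_name, by_ip = {}, {}
    for ent in entities:
        name = get_path(ent, "entity.name")
        if name:
            by_name[name.lower()] = ent
        for raw in _as_list(get_path(ent, "host.ip")):
            try:
                by_ip[ipaddress.ip_address(raw)] = ent
            except ValueError:
                continue  # skip a malformed address instead of failing the whole index
    return by_name, by_ip


def match_entity(alert, by_name, by_ip):
    """Prefer the host name; fall back to any IP field the alert carries."""
    name = get_path(alert, "host.name")
    if name and name.lower() in by_name:
        return by_name[name.lower()]
    for fld in ("host.ip", "source.ip", "destination.ip"):
        for raw in _as_list(get_path(alert, fld)):
            try:
                ip = ipaddress.ip_address(raw)
            except ValueError:
                continue
            if ip in by_ip:
                return by_ip[ip]
    return None


def triage(alert, entities):
    by_name, by_ip = index_entities(entities)
    ent = match_entity(alert, by_name, by_ip)
    severity = (get_path(alert, "kibana.alert.severity") or "low").lower()
    sev_rank = SEVERITY_RANK.get(severity, 1)
    if ent is None:
        crit, crit_rank, asset = "unknown", UNKNOWN_CRITICALITY_RANK, None
    else:
        crit = get_path(ent, "asset.criticality") or "unassigned"
        crit_rank = CRITICALITY_RANK.get(crit, UNKNOWN_CRITICALITY_RANK)
        asset = f"{get_path(ent, 'entity.type')}:{get_path(ent, 'entity.name')}"
    score = sev_rank + crit_rank  # 2..8
    priority = "P1" if score >= 7 else "P2" if score >= 5 else "P3" if score >= 3 else "P4"
    return {
        "rule": get_path(alert, "kibana.alert.rule.name"),
        "severity": severity,
        "asset": asset,
        "asset_criticality": crit,
        "priority": priority,
        "needs_manual_lookup": ent is None,
    }


# Constructed sample data: two entity-store records (one nested, one flattened)
# and three alerts.
ENTITIES = [
    {"entity": {"name": "db-prod-01", "type": "host"},
     "host": {"ip": ["10.0.5.20", "fd00::20"]},
     "asset": {"criticality": "extreme_impact"}},
    {"entity.name": "web-stg-03", "entity.type": "host",
     "host.ip": "10.0.9.4", "asset.criticality": "low_impact"},
]
ALERTS = [
    {"kibana.alert.rule.name": "Sudo to root from service account",
     "kibana.alert.severity": "high", "host": {"name": "DB-PROD-01"}},
    {"kibana.alert.rule.name": "Webshell dropped", "kibana.alert.severity": "critical",
     "source": {"ip": "10.0.9.4"}},
    {"kibana.alert.rule.name": "Port scan", "kibana.alert.severity": "medium",
     "source.ip": "192.168.77.9"},
]

if __name__ == "__main__":
    for a in ALERTS:
        print(triage(a, ENTITIES))
```

With this data the sudo alert on the production database lands at P1, the critical alert on the staging web server at P2, and the port scan from an unknown address at P3 with `needs_manual_lookup` set, which is the signal to consult the CMDB instead of trusting the missing context.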
Yes, Ceven can retrieve a list of all existing connectors and delete those that are no longer in use. This is particularly useful for teams that rotate webhook URLs or update Slack integration tokens frequently. You can build a workflow that audits your connectors every month and flags any that have not been triggered by an alerting rule in the last thirty days. Before removing one, confirm it is not still referenced by any rule; connectors preconfigured in kibana.yml cannot be deleted through the API at all. This keeps your Kibana environment clean and your alerting pipeline free of stale configurations that could lead to missed notifications.
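A safety check for the connector cleanup described above, as an added example that is not Ceven's code. The thirty-day "last triggered" test in the answer needs the alerting event log; this example instead uses what the connectors listing itself carries: GET /api/actions/connectors returns, per connector, `id`, `name`, `connector_type_id`, `is_preconfigured`, `is_deprecated`, `is_missing_secrets` and `referenced_by_count`. The plan only proposes `DELETE /api/actions/connector/{id}` for connectors that nothing references and that are not preconfigured or system actions, and it surfaces referenced connectors with missing secrets, since those are the ones that silently drop notifications. The records below are constructed.

```python
"""Plan a safe connector cleanup from a Kibana connectors listing.

Added example, not Ceven's code. Input mirrors fields returned by
GET /api/actions/connectors (id, name, connector_type_id, is_preconfigured,
is_deprecated, is_missing_secrets, referenced_by_count, is_system_action);
the records below are constructed.
"""


def plan_connector_cleanup(connectors, protect_names=frozenset()):
    """Split connectors into delete candidates and kept entries with reasons.

    Rules: never delete preconfigured connectors (defined in kibana.yml; the
    API refuses anyway) or system actions, never delete anything a rule still
    references, and flag referenced connectors with missing secrets or a
    deprecated type, since they need fixing rather than removal.
    """
    to_delete, kept = [], []
    for c in connectors:
        cid, name = c["id"], c.get("name", "")
        refs = int(c.get("referenced_by_count", 0) or 0)
        if c.get("is_preconfigured"):
            kept.append((cid, name, "preconfigured"))
        elif c.get("is_system_action"):
            kept.append((cid, name, "system action"))
        elif name in protect_names:
            kept.append((cid, name, "protected by policy"))
        elif refs > 0:
            reason = f"referenced by {refs} rule(s)"
            if c.get("is_missing_secrets"):
                reason += "; MISSING SECRETS, fix before alerts fail"
            if c.get("is_deprecated"):
                reason += "; deprecated type, migrate"
            kept.append((cid, name, reason))
        else:
            to_delete.append({"id": cid, "name": name,
                              "request": f"DELETE /api/actions/connector/{cid}"})
    return to_delete, kept


# Constructed sample listing in the shape of GET /api/actions/connectors.
CONNECTORS = [
    {"id": "slack-soc", "name": "SOC Slack", "connector_type_id": ".slack",
     "is_preconfigured": False, "is_deprecated": False, "is_missing_secrets": False,
     "referenced_by_count": 4},
    {"id": "webhook-old", "name": "Legacy PagerDuty webhook", "connector_type_id": ".webhook",
     "is_preconfigured": False, "is_deprecated": False, "is_missing_secrets": False,
     "referenced_by_count": 0},
    {"id": "email-ops", "name": "Ops email", "connector_type_id": ".email",
     "is_preconfigured": False, "is_deprecated": False, "is_missing_secrets": True,
     "referenced_by_count": 2},
    {"id": "preconfigured-teams", "name": "Teams (kibana.yml)", "connector_type_id": ".teams",
     "is_preconfigured": True, "is_deprecated": False, "is_missing_secrets": False,
     "referenced_by_count": 0},
    {"id": "servicenow-itsm", "name": "ServiceNow ITSM", "connector_type_id": ".servicenow",
     "is_preconfigured": False, "is_deprecated": True, "is_missing_secrets": False,
     "referenced_by_count": 0},
]

if __name__ == "__main__":
    deletable, kept = plan_connector_cleanup(CONNECTORS)
    for d in deletable:
        print("delete:", d["request"], f"({d['name']})")
    for cid, name, reason in kept:
        print("keep:  ", cid, f"({name}):", reason)
```

Feeding the plan's `request` strings to the client, rather than letting an agent delete directly, keeps every removal on an explicit allowlist and gives reviewers a list to sign off before anything runs.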
Ceven acts as a conduit between Kibana and your other tools. We do not store your long term observability data or index your logs. When an agent pulls a list of alerts or node metrics, that data exists in the temporary workflow context to allow the model to process it and take action. Once the workflow completes, the transient data is cleared. Your primary data remains securely within your Elasticsearch cluster, and Ceven only accesses it via the encrypted API connection using the tokens you provided during the initial setup process.

Alternatives to Kibana

Other tools that solve a similar problem. Ceven supports these too, so you can switch or run more than one at once.

Try Ceven on your stack

Plug Ceven in on top of the tools you already run. Connect Kibana and the rest of your stack, describe the outcome, and its agents handle the work end to end, compressing days of effort into minutes.

Get started for free