diff --git a/oas_docs/output/kibana.serverless.yaml b/oas_docs/output/kibana.serverless.yaml index b0d5f29af3294..24af10be0be64 100644 --- a/oas_docs/output/kibana.serverless.yaml +++ b/oas_docs/output/kibana.serverless.yaml 
@@ -9572,16 +9572,61 @@ paths: operationId: EndpointGetActionsList parameters: - in: query - name: query - required: true + name: page + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Page' + - in: query + name: pageSize + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_PageSize' + - in: query + name: commands + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Commands' + - in: query + name: agentIds + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentIds' + - in: query + name: userIds + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_UserIds' + - in: query + name: startDate + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_StartDate' + - in: query + name: endDate + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndDate' + - in: query + name: agentTypes + required: false schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_GetEndpointActionListRouteQuery' + $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' + - in: query + name: withOutputs + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_WithOutputs' + - in: query + name: types + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Types' responses: '200': content: application/json: schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse' + $ref: '#/components/schemas/Security_Endpoint_Management_API_GetEndpointActionListResponse' description: OK summary: Get response actions tags: 
@@ -9620,13 +9665,15 @@ paths: name: action_id required: true schema: + description: The ID of the action to retrieve. + example: fr518850-681a-4y60-aa98-e22640cae2b8 type: string responses: '200': content: application/json: schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse' + $ref: '#/components/schemas/Security_Endpoint_Management_API_GetEndpointActionResponse' description: OK summary: Get action details tags: @@ -9699,7 +9746,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse' + $ref: '#/components/schemas/Security_Endpoint_Management_API_ExecuteRouteResponse' description: OK summary: Run a command tags: @@ -9720,7 +9767,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse' + $ref: '#/components/schemas/Security_Endpoint_Management_API_GetFileRouteResponse' description: OK summary: Get a file tags: 
@@ -9733,15 +9780,53 @@ paths: requestBody: content: application/json: + examples: + multiple_endpoints: + summary: Isolates several hosts; includes a comment + value: + comment: Locked down, pending further investigation + endpoint_ids: + - 9972d10e-4b9e-41aa-a534-a85e2a28ea42 + - bc0e4f0c-3bca-4633-9fee-156c0b505d16 + - fa89271b-b9d4-43f2-a684-307cffddeb5a + single_endpoint: + summary: Isolates a single host with an endpoint_id value of ed518850-681a-4d60-bb98-e22640cae2a8 + value: + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + with_case_id: + summary: Isolates a single host with a case_id value of 1234 + value: + case_ids: + - 4976be38-c134-4554-bd5e-0fd89ce63667 + comment: Isolating as initial response + endpoint_ids: + - 1aa1f8fd-0fb0-4fe4-8c30-92068272d3f0 + - b30a11bf-1395-4707-b508-fbb45ef9793e schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_IsolateRouteRequestBody' + type: object + properties: + agent_type: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' + alert_ids: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AlertIds' + case_ids: + $ref: '#/components/schemas/Security_Endpoint_Management_API_CaseIds' + comment: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' + endpoint_ids: + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' + parameters: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' + required: + - endpoint_ids required: true responses: '200': content: application/json: schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse' + $ref: '#/components/schemas/Security_Endpoint_Management_API_IsolateRouteResponse' description: OK summary: Isolate an endpoint tags: 
@@ -9762,7 +9847,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse' + $ref: '#/components/schemas/Security_Endpoint_Management_API_KillProcessRouteResponse' description: OK summary: Terminate a process tags: @@ -9783,7 +9868,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse' + $ref: '#/components/schemas/Security_Endpoint_Management_API_GetProcessesRouteResponse' description: OK summary: Get running processes tags: @@ -9825,7 +9910,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse' + $ref: '#/components/schemas/Security_Endpoint_Management_API_ScanRouteResponse' description: OK summary: Scan a file or directory tags: @@ -9861,7 +9946,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse' + $ref: '#/components/schemas/Security_Endpoint_Management_API_SuspendProcessRouteResponse' description: OK summary: Suspend a process tags: 
@@ -9874,15 +9959,53 @@ paths: requestBody: content: application/json: + examples: + multipleHosts: + summary: 'Releases several hosts; includes a comment:' + value: + comment: Benign process identified, releasing group + endpoint_ids: + - 9972d10e-4b9e-41aa-a534-a85e2a28ea42 + - bc0e4f0c-3bca-4633-9fee-156c0b505d16 + - fa89271b-b9d4-43f2-a684-307cffddeb5a + singleHost: + summary: Releases a single host with an endpoint_id value of ed518850-681a-4d60-bb98-e22640cae2a8 + value: + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + withCaseId: + summary: Releases hosts with an associated case; includes a comment. + value: + case_ids: + - 4976be38-c134-4554-bd5e-0fd89ce63667 + comment: Remediation complete, restoring network + endpoint_ids: + - 1aa1f8fd-0fb0-4fe4-8c30-92068272d3f0 + - b30a11bf-1395-4707-b508-fbb45ef9793e schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_UnisolateRouteRequestBody' + type: object + properties: + agent_type: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' + alert_ids: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AlertIds' + case_ids: + $ref: '#/components/schemas/Security_Endpoint_Management_API_CaseIds' + comment: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' + endpoint_ids: + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' + parameters: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' + required: + - endpoint_ids required: true responses: '200': content: application/json: schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse' + $ref: '#/components/schemas/Security_Endpoint_Management_API_UnisolateRouteResponse' description: OK summary: Release an isolated endpoint tags: 
@@ -9894,7 +10017,7 @@ paths: operationId: EndpointUploadAction requestBody: content: - application/json: + multipart/form-data: schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_UploadRouteRequestBody' required: true @@ -9903,7 +10026,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse' + $ref: '#/components/schemas/Security_Endpoint_Management_API_UploadRouteResponse' description: OK summary: Upload a file tags: @@ -51747,6 +51870,10 @@ components: description: Agent ID type: string Security_Endpoint_Management_API_AgentIds: + description: A list of agent IDs. Max of 50. + example: + - agent-id-1 + - agent-id-2 minLength: 1 oneOf: - items: @@ -51758,12 +51885,13 @@ components: - minLength: 1 type: string Security_Endpoint_Management_API_AgentTypes: - description: The host agent type (optional). Defaults to endpoint. + description: List of agent types to retrieve. Defaults to `endpoint`. enum: - endpoint - sentinel_one - crowdstrike - microsoft_defender_endpoint + example: endpoint type: string Security_Endpoint_Management_API_AlertIds: description: A list of alerts `id`s. @@ -51775,6 +51903,9 @@ components: type: array Security_Endpoint_Management_API_CaseIds: description: Case IDs to be updated (cannot contain empty strings) + example: + - case-id-1 + - case-id-2 items: minLength: 1 type: string 
@@ -51812,17 +51943,26 @@ components: minLength: 1 type: string Security_Endpoint_Management_API_Commands: + description: A list of response action command names. + example: + - isolate + - unisolate items: $ref: '#/components/schemas/Security_Endpoint_Management_API_Command' type: array Security_Endpoint_Management_API_Comment: description: Optional comment + example: This is a comment type: string Security_Endpoint_Management_API_EndDate: - description: End date + description: An end date in ISO format or Date Math format. + example: '2023-10-31T23:59:59.999Z' type: string Security_Endpoint_Management_API_EndpointIds: description: List of endpoint IDs (cannot contain empty strings) + example: + - endpoint-id-1 + - endpoint-id-2 items: minLength: 1 type: string @@ -51914,12 +52054,6 @@ components: revision: 2 type: object properties: {} - Security_Endpoint_Management_API_EntityId: - type: object - properties: - entity_id: - minLength: 1 - type: string Security_Endpoint_Management_API_ExecuteRouteRequestBody: allOf: - type: object 
@@ -51951,33 +52085,128 @@ components: - command required: - parameters - Security_Endpoint_Management_API_GetEndpointActionListRouteQuery: + example: + comment: Get list of all files + endpoint_ids: + - b3d6de74-36b0-4fa8-be46-c375bf1771bf + parameters: + command: ls -al + timeout: 600 + Security_Endpoint_Management_API_ExecuteRouteResponse: + example: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: endpoint + command: execute + comment: Get list of all files + createdBy: myuser + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: gke-endpoint-gke-clu-endpoint-node-po-e1a3ab89-4c4r + id: 9f934028-2300-4927-b531-b26376793dc4 + isCompleted: false + isExpired: false + outputs: {} + parameters: + command: ls -al + timeout: 600 + startedAt: '2023-07-28T18:43:27.362Z' + status: pending + wasSuccessful: false type: object - properties: - agentIds: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentIds' - agentTypes: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' - commands: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Commands' - endDate: - $ref: '#/components/schemas/Security_Endpoint_Management_API_EndDate' - page: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Page' - pageSize: - default: 10 - description: Number of items per page - maximum: 10000 - minimum: 1 - type: integer - startDate: - $ref: '#/components/schemas/Security_Endpoint_Management_API_StartDate' - types: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Types' - userIds: - $ref: '#/components/schemas/Security_Endpoint_Management_API_UserIds' - withOutputs: - $ref: '#/components/schemas/Security_Endpoint_Management_API_WithOutputs' + properties: {} + Security_Endpoint_Management_API_GetEndpointActionListResponse: + example: + data: + - agents: + - afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0 + 
agentType: endpoint + command: running-processes + completedAt: '2022-08-08T09:50:47.672Z' + createdBy: elastic + id: b3d6de74-36b0-4fa8-be46-c375bf1771bf + isCompleted: true + isExpired: false + startedAt: '2022-08-08T15:24:57.402Z' + wasSuccessful: true + - agents: + - afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0 + agentType: endpoint + command: isolate + completedAt: '2022-08-08T10:41:57.352Z' + createdBy: elastic + id: 43b4098b-8752-4fbb-a7a7-6df7c74d0ee3 + isCompleted: true + isExpired: false + startedAt: '2022-08-08T15:23:37.359Z' + wasSuccessful: true + - agents: + - afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0 + agentType: endpoint + command: kill-process + comment: bad process - taking up too much cpu + completedAt: '2022-08-08T09:44:50.952Z' + createdBy: elastic + id: 5bc92c86-b8e6-42dd-837f-12ad29e09caa + isCompleted: true + isExpired: false + startedAt: '2022-08-08T14:38:44.125Z' + wasSuccessful: true + - agents: + - afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0 + agentType: endpoint + command: unisolate + comment: Not a threat to the network + completedAt: '2022-08-08T09:40:47.398Z' + createdBy: elastic + id: 790d54e0-3aa3-4e5b-8255-3ce9d851246a + isCompleted: true + isExpired: false + startedAt: '2022-08-08T14:38:15.391Z' + wasSuccessful: true + elasticAgentIds: + - afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0 + endDate: now + page: 1 + pageSize: 10 + startDate: now-24h/h + total: 4 + type: object + properties: {} + Security_Endpoint_Management_API_GetEndpointActionResponse: + example: + data: + agents: + - afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0 + agentType: endpoint + command: running-processes + completedAt: '2022-08-08T09:50:47.672Z' + createdBy: elastic + id: b3d6de74-36b0-4fa8-be46-c375bf1771bf + isCompleted: true + isExpired: false + outputs: + afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0: + content: + entries: + - command: /opt/cmd1 + entity_id: fk2ym7bl3oiu3okjcik0xosc0i0m75x3eh49nu3uaqt4dqanjt + pid: '822' + user: Dexter + - command: /opt/cmd3/opt/cmd3/opt/cmd3/opt/cmd3 + entity_id: 
pwvz91m48wpj9j7ov9gtw8fp7u2rat4eu5ipte37hnhdcbi2pt + pid: '984' + user: Jada + type: json + startedAt: '2022-08-08T15:24:57.402Z' + wasSuccessful: true + type: object + properties: {} Security_Endpoint_Management_API_GetFileRouteRequestBody: allOf: - type: object @@ -52007,7 +52236,42 @@ components: - path required: - parameters + example: + comment: Get my file + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + path: /usr/my-file.txt + Security_Endpoint_Management_API_GetFileRouteResponse: + example: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: endpoint + command: get-file + createdBy: myuser + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: gke-endpoint-gke-clu-endpoint-node-po-e1a3ab89-4c4r + id: 27ba1b42-7cc6-4e53-86ce-675c876092b2 + isCompleted: false + isExpired: false + outputs: {} + parameters: + path: /usr/my-file.txt + startedAt: '2023-07-28T19:00:03.911Z' + status: pending + wasSuccessful: false + type: object + properties: {} Security_Endpoint_Management_API_GetProcessesRouteRequestBody: + example: + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 type: object properties: agent_type: 
@@ -52024,6 +52288,30 @@ components: $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' required: - endpoint_ids + Security_Endpoint_Management_API_GetProcessesRouteResponse: + example: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentType: endpoint + command: running-processes + comment: '' + completedAt: '2022-07-29T19:09:44.961Z' + createdBy: myuser + errors: [] + id: 233db9ea-6733-4849-9226-5a7039c7161d + isCompleted: true + isExpired: false + outputs: + ed518850-681a-4d60-bb98-e22640cae2a8: + content: + key: value + type: json + parameters: {} + startedAt: '2022-07-29T19:08:49.126Z' + wasSuccessful: true + type: object + properties: {} Security_Endpoint_Management_API_HostPathScriptParameters: type: object properties: 
@@ -52055,23 +52343,32 @@ components: - unenrolled type: string type: array - Security_Endpoint_Management_API_IsolateRouteRequestBody: + Security_Endpoint_Management_API_IsolateRouteResponse: + example: + action: 233db9ea-6733-4849-9226-5a7039c7161d + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentType: endpoint + command: suspend-process + comment: suspend the process + completedAt: '2022-07-29T19:09:44.961Z' + createdBy: myuser + errors: [] + id: 233db9ea-6733-4849-9226-5a7039c7161d + isCompleted: true + isExpired: false + outputs: + ed518850-681a-4d60-bb98-e22640cae2a8: + content: + key: value + type: json + parameters: + entity_id: abc123 + startedAt: '2022-07-29T19:08:49.126Z' + wasSuccessful: true type: object - properties: - agent_type: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' - alert_ids: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AlertIds' - case_ids: - $ref: '#/components/schemas/Security_Endpoint_Management_API_CaseIds' - comment: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' - endpoint_ids: - $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' - parameters: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' - required: - - endpoint_ids + properties: {} Security_Endpoint_Management_API_KillProcessRouteRequestBody: allOf: - type: object 
@@ -52094,16 +52391,60 @@ components: properties: parameters: oneOf: - - $ref: '#/components/schemas/Security_Endpoint_Management_API_Pid' - - $ref: '#/components/schemas/Security_Endpoint_Management_API_EntityId' + - type: object + properties: + pid: + description: The process ID (PID) of the process to terminate. + example: 123 + minimum: 1 + type: integer + - type: object + properties: + entity_id: + description: The entity ID of the process to terminate. + example: abc123 + minLength: 1 + type: string - type: object properties: process_name: - description: Valid for SentinelOne agent type only + description: The name of the process to terminate. Valid for SentinelOne agent type only. + example: Elastic minLength: 1 type: string required: - parameters + example: + comment: terminate the process + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + entity_id: abc123 + Security_Endpoint_Management_API_KillProcessRouteResponse: + example: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentType: endpoint + command: kill-process + comment: terminate the process + completedAt: '2022-07-29T19:09:44.961Z' + createdBy: myuser + errors: [] + id: 233db9ea-6733-4849-9226-5a7039c7161d + isCompleted: true + isExpired: false + outputs: + ed518850-681a-4d60-bb98-e22640cae2a8: + content: + key: value + type: json + parameters: + entity_id: abc123 + startedAt: '2022-07-29T19:08:49.126Z' + wasSuccessful: true + type: object + properties: {} Security_Endpoint_Management_API_Kuery: description: A KQL string. example: 'united.endpoint.host.os.name : ''Windows''' @@ -52324,12 +52665,6 @@ components: $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType' - additionalProperties: true type: object - Security_Endpoint_Management_API_Pid: - type: object - properties: - pid: - minimum: 1 - type: integer Security_Endpoint_Management_API_ProtectionUpdatesNoteResponse: type: object properties: 
@@ -52387,11 +52722,45 @@ components: type: object properties: path: + description: The folder or file’s full path (including the file name). + example: /usr/my-file.txt type: string required: - path required: - parameters + example: + comment: Scan the file for malware + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + path: /usr/my-file.txt + Security_Endpoint_Management_API_ScanRouteResponse: + example: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: endpoint + command: scan + createdBy: myuser + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: gke-endpoint-gke-clu-endpoint-node-po-e1a3ab89-4c4r + id: 27ba1b42-7cc6-4e53-86ce-675c876092b2 + isCompleted: false + isExpired: false + outputs: {} + parameters: + path: /usr/my-file.txt + startedAt: '2023-07-28T19:00:03.911Z' + status: pending + wasSuccessful: false + type: object + properties: {} Security_Endpoint_Management_API_SortDirection: description: Determines the sort order. enum: @@ -52414,7 +52783,8 @@ components: example: enrolled_at type: string Security_Endpoint_Management_API_StartDate: - description: Start date + description: A start date in ISO 8601 format or Date Math format. + example: '2023-10-31T00:00:00.000Z' type: string Security_Endpoint_Management_API_SuccessResponse: type: object 
@@ -52441,10 +52811,53 @@ components: properties: parameters: oneOf: - - $ref: '#/components/schemas/Security_Endpoint_Management_API_Pid' - - $ref: '#/components/schemas/Security_Endpoint_Management_API_EntityId' + - type: object + properties: + pid: + description: The process ID (PID) of the process to suspend. + example: 123 + minimum: 1 + type: integer + - type: object + properties: + entity_id: + description: The entity ID of the process to suspend. + example: abc123 + minLength: 1 + type: string required: - parameters + example: + comment: suspend the process + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + entity_id: abc123 + Security_Endpoint_Management_API_SuspendProcessRouteResponse: + example: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentType: endpoint + command: suspend-process + comment: suspend the process + completedAt: '2022-07-29T19:09:44.961Z' + createdBy: myuser + errors: [] + id: 233db9ea-6733-4849-9226-5a7039c7161d + isCompleted: true + isExpired: false + outputs: + ed518850-681a-4d60-bb98-e22640cae2a8: + content: + key: value + type: json + parameters: + entity_id: abc123 + startedAt: '2022-07-29T19:08:49.126Z' + wasSuccessful: true + type: object + properties: {} Security_Endpoint_Management_API_Timeout: description: The maximum timeout value in milliseconds (optional) minimum: 1 
@@ -52457,28 +52870,40 @@ components: type: string Security_Endpoint_Management_API_Types: description: List of types of response actions + example: + - automated + - manual items: $ref: '#/components/schemas/Security_Endpoint_Management_API_Type' maxLength: 2 minLength: 1 type: array - Security_Endpoint_Management_API_UnisolateRouteRequestBody: + Security_Endpoint_Management_API_UnisolateRouteResponse: + example: + action: 233db9ea-6733-4849-9226-5a7039c7161d + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentType: endpoint + command: suspend-process + comment: suspend the process + completedAt: '2022-07-29T19:09:44.961Z' + createdBy: myuser + errors: [] + id: 233db9ea-6733-4849-9226-5a7039c7161d + isCompleted: true + isExpired: false + outputs: + ed518850-681a-4d60-bb98-e22640cae2a8: + content: + key: value + type: json + parameters: + entity_id: abc123 + startedAt: '2022-07-29T19:08:49.126Z' + wasSuccessful: true type: object - properties: - agent_type: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' - alert_ids: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AlertIds' - case_ids: - $ref: '#/components/schemas/Security_Endpoint_Management_API_CaseIds' - comment: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' - endpoint_ids: - $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' - parameters: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' - required: - - endpoint_ids + properties: {} Security_Endpoint_Management_API_UploadRouteRequestBody: allOf: - type: object @@ -52500,6 +52925,8 @@ components: - type: object properties: file: + description: The binary content of the file. + example: RWxhc3RpYw== format: binary type: string parameters: 
@@ -52507,12 +52934,51 @@ components: properties: overwrite: default: false + description: Overwrite the file on the host if it already exists. + example: false type: boolean required: - parameters - file + example: + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + file: RWxhc3RpYw== + parameters: {} + Security_Endpoint_Management_API_UploadRouteResponse: + example: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: endpoint + command: upload + createdBy: elastic + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: Host-5i6cuc8kdv + id: 9ff6aebc-2cb6-481e-8869-9b30036c9731 + isCompleted: false + isExpired: false + outputs: {} + parameters: + file_id: 10e4ce3d-4abb-4f93-a0cd-eaf63a489280 + file_name: fix-malware.sh + file_sha256: a0bed94220193ba4895c0aa5b4e7e293381d15765cb164ddf7be5cdd010ae42a + file_size: 69 + startedAt: '2023-07-03T15:07:22.837Z' + status: pending + wasSuccessful: false + type: object + properties: {} Security_Endpoint_Management_API_UserIds: - description: User IDs + description: A list of user IDs. + example: + - user-id-1 + - user-id-2 oneOf: - items: minLength: 1 @@ -52522,7 +52988,10 @@ components: - minLength: 1 type: string Security_Endpoint_Management_API_WithOutputs: - description: Shows detailed outputs for an action response + description: A list of action IDs that should include the complete output of the action. + example: + - action-id-1 + - action-id-2 oneOf: - items: minLength: 1 diff --git a/oas_docs/output/kibana.yaml b/oas_docs/output/kibana.yaml index 53140ba997244..445efda44d4f9 100644 --- a/oas_docs/output/kibana.yaml +++ b/oas_docs/output/kibana.yaml 
@@ -11757,16 +11757,61 @@ paths: operationId: EndpointGetActionsList parameters: - in: query - name: query - required: true + name: page + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Page' + - in: query + name: pageSize + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_PageSize' + - in: query + name: commands + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Commands' + - in: query + name: agentIds + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentIds' + - in: query + name: userIds + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_UserIds' + - in: query + name: startDate + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_StartDate' + - in: query + name: endDate + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndDate' + - in: query + name: agentTypes + required: false schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_GetEndpointActionListRouteQuery' + $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' + - in: query + name: withOutputs + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_WithOutputs' + - in: query + name: types + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Types' responses: '200': content: application/json: schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse' + $ref: '#/components/schemas/Security_Endpoint_Management_API_GetEndpointActionListResponse' description: OK summary: Get response actions tags: 
@@ -11803,13 +11848,15 @@ paths: name: action_id required: true schema: + description: The ID of the action to retrieve. + example: fr518850-681a-4y60-aa98-e22640cae2b8 type: string responses: '200': content: application/json: schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse' + $ref: '#/components/schemas/Security_Endpoint_Management_API_GetEndpointActionResponse' description: OK summary: Get action details tags: @@ -11879,7 +11926,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse' + $ref: '#/components/schemas/Security_Endpoint_Management_API_ExecuteRouteResponse' description: OK summary: Run a command tags: @@ -11899,7 +11946,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse' + $ref: '#/components/schemas/Security_Endpoint_Management_API_GetFileRouteResponse' description: OK summary: Get a file tags: 
@@ -11911,15 +11958,53 @@ paths: requestBody: content: application/json: + examples: + multiple_endpoints: + summary: Isolates several hosts; includes a comment + value: + comment: Locked down, pending further investigation + endpoint_ids: + - 9972d10e-4b9e-41aa-a534-a85e2a28ea42 + - bc0e4f0c-3bca-4633-9fee-156c0b505d16 + - fa89271b-b9d4-43f2-a684-307cffddeb5a + single_endpoint: + summary: Isolates a single host with an endpoint_id value of ed518850-681a-4d60-bb98-e22640cae2a8 + value: + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + with_case_id: + summary: Isolates a single host with a case_id value of 1234 + value: + case_ids: + - 4976be38-c134-4554-bd5e-0fd89ce63667 + comment: Isolating as initial response + endpoint_ids: + - 1aa1f8fd-0fb0-4fe4-8c30-92068272d3f0 + - b30a11bf-1395-4707-b508-fbb45ef9793e schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_IsolateRouteRequestBody' + type: object + properties: + agent_type: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' + alert_ids: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AlertIds' + case_ids: + $ref: '#/components/schemas/Security_Endpoint_Management_API_CaseIds' + comment: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' + endpoint_ids: + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' + parameters: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' + required: + - endpoint_ids required: true responses: '200': content: application/json: schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse' + $ref: '#/components/schemas/Security_Endpoint_Management_API_IsolateRouteResponse' description: OK summary: Isolate an endpoint tags: 
@@ -11939,7 +12024,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse' + $ref: '#/components/schemas/Security_Endpoint_Management_API_KillProcessRouteResponse' description: OK summary: Terminate a process tags: @@ -11959,7 +12044,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse' + $ref: '#/components/schemas/Security_Endpoint_Management_API_GetProcessesRouteResponse' description: OK summary: Get running processes tags: @@ -11999,7 +12084,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse' + $ref: '#/components/schemas/Security_Endpoint_Management_API_ScanRouteResponse' description: OK summary: Scan a file or directory tags: @@ -12033,7 +12118,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse' + $ref: '#/components/schemas/Security_Endpoint_Management_API_SuspendProcessRouteResponse' description: OK summary: Suspend a process tags: 
@@ -12045,15 +12130,53 @@ paths: requestBody: content: application/json: + examples: + multipleHosts: + summary: 'Releases several hosts; includes a comment:' + value: + comment: Benign process identified, releasing group + endpoint_ids: + - 9972d10e-4b9e-41aa-a534-a85e2a28ea42 + - bc0e4f0c-3bca-4633-9fee-156c0b505d16 + - fa89271b-b9d4-43f2-a684-307cffddeb5a + singleHost: + summary: Releases a single host with an endpoint_id value of ed518850-681a-4d60-bb98-e22640cae2a8 + value: + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + withCaseId: + summary: Releases hosts with an associated case; includes a comment. + value: + case_ids: + - 4976be38-c134-4554-bd5e-0fd89ce63667 + comment: Remediation complete, restoring network + endpoint_ids: + - 1aa1f8fd-0fb0-4fe4-8c30-92068272d3f0 + - b30a11bf-1395-4707-b508-fbb45ef9793e schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_UnisolateRouteRequestBody' + type: object + properties: + agent_type: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' + alert_ids: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AlertIds' + case_ids: + $ref: '#/components/schemas/Security_Endpoint_Management_API_CaseIds' + comment: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' + endpoint_ids: + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' + parameters: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' + required: + - endpoint_ids required: true responses: '200': content: application/json: schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse' + $ref: '#/components/schemas/Security_Endpoint_Management_API_UnisolateRouteResponse' description: OK summary: Release an isolated endpoint tags: 
@@ -12064,7 +12187,7 @@ paths: operationId: EndpointUploadAction requestBody: content: - application/json: + multipart/form-data: schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_UploadRouteRequestBody' required: true @@ -12073,7 +12196,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse' + $ref: '#/components/schemas/Security_Endpoint_Management_API_UploadRouteResponse' description: OK summary: Upload a file tags: @@ -58514,6 +58637,10 @@ components: description: Agent ID type: string Security_Endpoint_Management_API_AgentIds: + description: A list of agent IDs. Max of 50. + example: + - agent-id-1 + - agent-id-2 minLength: 1 oneOf: - items: @@ -58525,12 +58652,13 @@ components: - minLength: 1 type: string Security_Endpoint_Management_API_AgentTypes: - description: The host agent type (optional). Defaults to endpoint. + description: List of agent types to retrieve. Defaults to `endpoint`. enum: - endpoint - sentinel_one - crowdstrike - microsoft_defender_endpoint + example: endpoint type: string Security_Endpoint_Management_API_AlertIds: description: A list of alerts `id`s. @@ -58542,6 +58670,9 @@ components: type: array Security_Endpoint_Management_API_CaseIds: description: Case IDs to be updated (cannot contain empty strings) + example: + - case-id-1 + - case-id-2 items: minLength: 1 type: string 
@@ -58579,17 +58710,26 @@ components: minLength: 1 type: string Security_Endpoint_Management_API_Commands: + description: A list of response action command names. + example: + - isolate + - unisolate items: $ref: '#/components/schemas/Security_Endpoint_Management_API_Command' type: array Security_Endpoint_Management_API_Comment: description: Optional comment + example: This is a comment type: string Security_Endpoint_Management_API_EndDate: - description: End date + description: An end date in ISO format or Date Math format. + example: '2023-10-31T23:59:59.999Z' type: string Security_Endpoint_Management_API_EndpointIds: description: List of endpoint IDs (cannot contain empty strings) + example: + - endpoint-id-1 + - endpoint-id-2 items: minLength: 1 type: string @@ -58681,12 +58821,6 @@ components: revision: 2 type: object properties: {} - Security_Endpoint_Management_API_EntityId: - type: object - properties: - entity_id: - minLength: 1 - type: string Security_Endpoint_Management_API_ExecuteRouteRequestBody: allOf: - type: object 
@@ -58718,33 +58852,128 @@ components: - command required: - parameters - Security_Endpoint_Management_API_GetEndpointActionListRouteQuery: + example: + comment: Get list of all files + endpoint_ids: + - b3d6de74-36b0-4fa8-be46-c375bf1771bf + parameters: + command: ls -al + timeout: 600 + Security_Endpoint_Management_API_ExecuteRouteResponse: + example: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: endpoint + command: execute + comment: Get list of all files + createdBy: myuser + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: gke-endpoint-gke-clu-endpoint-node-po-e1a3ab89-4c4r + id: 9f934028-2300-4927-b531-b26376793dc4 + isCompleted: false + isExpired: false + outputs: {} + parameters: + command: ls -al + timeout: 600 + startedAt: '2023-07-28T18:43:27.362Z' + status: pending + wasSuccessful: false type: object - properties: - agentIds: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentIds' - agentTypes: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' - commands: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Commands' - endDate: - $ref: '#/components/schemas/Security_Endpoint_Management_API_EndDate' - page: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Page' - pageSize: - default: 10 - description: Number of items per page - maximum: 10000 - minimum: 1 - type: integer - startDate: - $ref: '#/components/schemas/Security_Endpoint_Management_API_StartDate' - types: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Types' - userIds: - $ref: '#/components/schemas/Security_Endpoint_Management_API_UserIds' - withOutputs: - $ref: '#/components/schemas/Security_Endpoint_Management_API_WithOutputs' + properties: {} + Security_Endpoint_Management_API_GetEndpointActionListResponse: + example: + data: + - agents: + - afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0 + 
agentType: endpoint + command: running-processes + completedAt: '2022-08-08T09:50:47.672Z' + createdBy: elastic + id: b3d6de74-36b0-4fa8-be46-c375bf1771bf + isCompleted: true + isExpired: false + startedAt: '2022-08-08T15:24:57.402Z' + wasSuccessful: true + - agents: + - afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0 + agentType: endpoint + command: isolate + completedAt: '2022-08-08T10:41:57.352Z' + createdBy: elastic + id: 43b4098b-8752-4fbb-a7a7-6df7c74d0ee3 + isCompleted: true + isExpired: false + startedAt: '2022-08-08T15:23:37.359Z' + wasSuccessful: true + - agents: + - afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0 + agentType: endpoint + command: kill-process + comment: bad process - taking up too much cpu + completedAt: '2022-08-08T09:44:50.952Z' + createdBy: elastic + id: 5bc92c86-b8e6-42dd-837f-12ad29e09caa + isCompleted: true + isExpired: false + startedAt: '2022-08-08T14:38:44.125Z' + wasSuccessful: true + - agents: + - afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0 + agentType: endpoint + command: unisolate + comment: Not a threat to the network + completedAt: '2022-08-08T09:40:47.398Z' + createdBy: elastic + id: 790d54e0-3aa3-4e5b-8255-3ce9d851246a + isCompleted: true + isExpired: false + startedAt: '2022-08-08T14:38:15.391Z' + wasSuccessful: true + elasticAgentIds: + - afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0 + endDate: now + page: 1 + pageSize: 10 + startDate: now-24h/h + total: 4 + type: object + properties: {} + Security_Endpoint_Management_API_GetEndpointActionResponse: + example: + data: + agents: + - afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0 + agentType: endpoint + command: running-processes + completedAt: '2022-08-08T09:50:47.672Z' + createdBy: elastic + id: b3d6de74-36b0-4fa8-be46-c375bf1771bf + isCompleted: true + isExpired: false + outputs: + afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0: + content: + entries: + - command: /opt/cmd1 + entity_id: fk2ym7bl3oiu3okjcik0xosc0i0m75x3eh49nu3uaqt4dqanjt + pid: '822' + user: Dexter + - command: /opt/cmd3/opt/cmd3/opt/cmd3/opt/cmd3 + entity_id: 
pwvz91m48wpj9j7ov9gtw8fp7u2rat4eu5ipte37hnhdcbi2pt + pid: '984' + user: Jada + type: json + startedAt: '2022-08-08T15:24:57.402Z' + wasSuccessful: true + type: object + properties: {} Security_Endpoint_Management_API_GetFileRouteRequestBody: allOf: - type: object @@ -58774,7 +59003,42 @@ components: - path required: - parameters + example: + comment: Get my file + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + path: /usr/my-file.txt + Security_Endpoint_Management_API_GetFileRouteResponse: + example: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: endpoint + command: get-file + createdBy: myuser + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: gke-endpoint-gke-clu-endpoint-node-po-e1a3ab89-4c4r + id: 27ba1b42-7cc6-4e53-86ce-675c876092b2 + isCompleted: false + isExpired: false + outputs: {} + parameters: + path: /usr/my-file.txt + startedAt: '2023-07-28T19:00:03.911Z' + status: pending + wasSuccessful: false + type: object + properties: {} Security_Endpoint_Management_API_GetProcessesRouteRequestBody: + example: + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 type: object properties: agent_type: 
@@ -58791,6 +59055,30 @@ components: $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' required: - endpoint_ids + Security_Endpoint_Management_API_GetProcessesRouteResponse: + example: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentType: endpoint + command: running-processes + comment: '' + completedAt: '2022-07-29T19:09:44.961Z' + createdBy: myuser + errors: [] + id: 233db9ea-6733-4849-9226-5a7039c7161d + isCompleted: true + isExpired: false + outputs: + ed518850-681a-4d60-bb98-e22640cae2a8: + content: + key: value + type: json + parameters: {} + startedAt: '2022-07-29T19:08:49.126Z' + wasSuccessful: true + type: object + properties: {} Security_Endpoint_Management_API_HostPathScriptParameters: type: object properties: 
@@ -58822,23 +59110,32 @@ components: - unenrolled type: string type: array - Security_Endpoint_Management_API_IsolateRouteRequestBody: + Security_Endpoint_Management_API_IsolateRouteResponse: + example: + action: 233db9ea-6733-4849-9226-5a7039c7161d + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentType: endpoint + command: suspend-process + comment: suspend the process + completedAt: '2022-07-29T19:09:44.961Z' + createdBy: myuser + errors: [] + id: 233db9ea-6733-4849-9226-5a7039c7161d + isCompleted: true + isExpired: false + outputs: + ed518850-681a-4d60-bb98-e22640cae2a8: + content: + key: value + type: json + parameters: + entity_id: abc123 + startedAt: '2022-07-29T19:08:49.126Z' + wasSuccessful: true type: object - properties: - agent_type: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' - alert_ids: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AlertIds' - case_ids: - $ref: '#/components/schemas/Security_Endpoint_Management_API_CaseIds' - comment: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' - endpoint_ids: - $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' - parameters: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' - required: - - endpoint_ids + properties: {} Security_Endpoint_Management_API_KillProcessRouteRequestBody: allOf: - type: object 
@@ -58861,16 +59158,60 @@ components: properties: parameters: oneOf: - - $ref: '#/components/schemas/Security_Endpoint_Management_API_Pid' - - $ref: '#/components/schemas/Security_Endpoint_Management_API_EntityId' + - type: object + properties: + pid: + description: The process ID (PID) of the process to terminate. + example: 123 + minimum: 1 + type: integer + - type: object + properties: + entity_id: + description: The entity ID of the process to terminate. + example: abc123 + minLength: 1 + type: string - type: object properties: process_name: - description: Valid for SentinelOne agent type only + description: The name of the process to terminate. Valid for SentinelOne agent type only. + example: Elastic minLength: 1 type: string required: - parameters + example: + comment: terminate the process + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + entity_id: abc123 + Security_Endpoint_Management_API_KillProcessRouteResponse: + example: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentType: endpoint + command: kill-process + comment: terminate the process + completedAt: '2022-07-29T19:09:44.961Z' + createdBy: myuser + errors: [] + id: 233db9ea-6733-4849-9226-5a7039c7161d + isCompleted: true + isExpired: false + outputs: + ed518850-681a-4d60-bb98-e22640cae2a8: + content: + key: value + type: json + parameters: + entity_id: abc123 + startedAt: '2022-07-29T19:08:49.126Z' + wasSuccessful: true + type: object + properties: {} Security_Endpoint_Management_API_Kuery: description: A KQL string. example: 'united.endpoint.host.os.name : ''Windows''' @@ -59091,12 +59432,6 @@ components: $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType' - additionalProperties: true type: object - Security_Endpoint_Management_API_Pid: - type: object - properties: - pid: - minimum: 1 - type: integer Security_Endpoint_Management_API_ProtectionUpdatesNoteResponse: type: object properties: 
@@ -59154,11 +59489,45 @@ components: type: object properties: path: + description: The folder or file’s full path (including the file name). + example: /usr/my-file.txt type: string required: - path required: - parameters + example: + comment: Scan the file for malware + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + path: /usr/my-file.txt + Security_Endpoint_Management_API_ScanRouteResponse: + example: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: endpoint + command: scan + createdBy: myuser + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: gke-endpoint-gke-clu-endpoint-node-po-e1a3ab89-4c4r + id: 27ba1b42-7cc6-4e53-86ce-675c876092b2 + isCompleted: false + isExpired: false + outputs: {} + parameters: + path: /usr/my-file.txt + startedAt: '2023-07-28T19:00:03.911Z' + status: pending + wasSuccessful: false + type: object + properties: {} Security_Endpoint_Management_API_SortDirection: description: Determines the sort order. enum: @@ -59181,7 +59550,8 @@ components: example: enrolled_at type: string Security_Endpoint_Management_API_StartDate: - description: Start date + description: A start date in ISO 8601 format or Date Math format. + example: '2023-10-31T00:00:00.000Z' type: string Security_Endpoint_Management_API_SuccessResponse: type: object 
@@ -59208,10 +59578,53 @@ components: properties: parameters: oneOf: - - $ref: '#/components/schemas/Security_Endpoint_Management_API_Pid' - - $ref: '#/components/schemas/Security_Endpoint_Management_API_EntityId' + - type: object + properties: + pid: + description: The process ID (PID) of the process to suspend. + example: 123 + minimum: 1 + type: integer + - type: object + properties: + entity_id: + description: The entity ID of the process to suspend. + example: abc123 + minLength: 1 + type: string required: - parameters + example: + comment: suspend the process + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + entity_id: abc123 + Security_Endpoint_Management_API_SuspendProcessRouteResponse: + example: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentType: endpoint + command: suspend-process + comment: suspend the process + completedAt: '2022-07-29T19:09:44.961Z' + createdBy: myuser + errors: [] + id: 233db9ea-6733-4849-9226-5a7039c7161d + isCompleted: true + isExpired: false + outputs: + ed518850-681a-4d60-bb98-e22640cae2a8: + content: + key: value + type: json + parameters: + entity_id: abc123 + startedAt: '2022-07-29T19:08:49.126Z' + wasSuccessful: true + type: object + properties: {} Security_Endpoint_Management_API_Timeout: description: The maximum timeout value in milliseconds (optional) minimum: 1 
@@ -59224,28 +59637,40 @@ components: type: string Security_Endpoint_Management_API_Types: description: List of types of response actions + example: + - automated + - manual items: $ref: '#/components/schemas/Security_Endpoint_Management_API_Type' maxLength: 2 minLength: 1 type: array - Security_Endpoint_Management_API_UnisolateRouteRequestBody: + Security_Endpoint_Management_API_UnisolateRouteResponse: + example: + action: 233db9ea-6733-4849-9226-5a7039c7161d + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentType: endpoint + command: suspend-process + comment: suspend the process + completedAt: '2022-07-29T19:09:44.961Z' + createdBy: myuser + errors: [] + id: 233db9ea-6733-4849-9226-5a7039c7161d + isCompleted: true + isExpired: false + outputs: + ed518850-681a-4d60-bb98-e22640cae2a8: + content: + key: value + type: json + parameters: + entity_id: abc123 + startedAt: '2022-07-29T19:08:49.126Z' + wasSuccessful: true type: object - properties: - agent_type: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' - alert_ids: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AlertIds' - case_ids: - $ref: '#/components/schemas/Security_Endpoint_Management_API_CaseIds' - comment: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' - endpoint_ids: - $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' - parameters: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' - required: - - endpoint_ids + properties: {} Security_Endpoint_Management_API_UploadRouteRequestBody: allOf: - type: object @@ -59267,6 +59692,8 @@ components: - type: object properties: file: + description: The binary content of the file. + example: RWxhc3RpYw== format: binary type: string parameters: 
@@ -59274,12 +59701,51 @@ components: properties: overwrite: default: false + description: Overwrite the file on the host if it already exists. + example: false type: boolean required: - parameters - file + example: + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + file: RWxhc3RpYw== + parameters: {} + Security_Endpoint_Management_API_UploadRouteResponse: + example: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: endpoint + command: upload + createdBy: elastic + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: Host-5i6cuc8kdv + id: 9ff6aebc-2cb6-481e-8869-9b30036c9731 + isCompleted: false + isExpired: false + outputs: {} + parameters: + file_id: 10e4ce3d-4abb-4f93-a0cd-eaf63a489280 + file_name: fix-malware.sh + file_sha256: a0bed94220193ba4895c0aa5b4e7e293381d15765cb164ddf7be5cdd010ae42a + file_size: 69 + startedAt: '2023-07-03T15:07:22.837Z' + status: pending + wasSuccessful: false + type: object + properties: {} Security_Endpoint_Management_API_UserIds: - description: User IDs + description: A list of user IDs. + example: + - user-id-1 + - user-id-2 oneOf: - items: minLength: 1 @@ -59289,7 +59755,10 @@ components: - minLength: 1 type: string Security_Endpoint_Management_API_WithOutputs: - description: Shows detailed outputs for an action response + description: A list of action IDs that should include the complete output of the action. + example: + - action-id-1 + - action-id-2 oneOf: - items: minLength: 1 diff --git a/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/details/details.gen.ts b/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/details/details.gen.ts index 1fa7d79e97feb..e8e3cdaefa3fb 100644 --- a/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/details/details.gen.ts 
+++ b/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/details/details.gen.ts @@ -16,7 +16,8 @@ import { z } from '@kbn/zod'; -import { SuccessResponse } from '../../model/schema/common.gen'; +export type GetEndpointActionResponse = z.infer; +export const GetEndpointActionResponse = z.object({}); export type EndpointGetActionsDetailsRequestParams = z.infer< typeof EndpointGetActionsDetailsRequestParams @@ -29,4 +30,4 @@ export type EndpointGetActionsDetailsRequestParamsInput = z.input< >; export type EndpointGetActionsDetailsResponse = z.infer; -export const EndpointGetActionsDetailsResponse = SuccessResponse; +export const EndpointGetActionsDetailsResponse = GetEndpointActionResponse; diff --git a/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/details/details.schema.yaml b/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/details/details.schema.yaml index 7cf2f808e06f8..36228bfe9bc81 100644 --- a/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/details/details.schema.yaml +++ b/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/details/details.schema.yaml 
@@ -16,12 +16,46 @@ paths: required: true schema: type: string + description: The ID of the action to retrieve. + example: 'fr518850-681a-4y60-aa98-e22640cae2b8' responses: '200': description: OK content: application/json: schema: - $ref: '../../model/schema/common.schema.yaml#/components/schemas/SuccessResponse' + $ref: '#/components/schemas/GetEndpointActionResponse' +components: + schemas: + GetEndpointActionResponse: + type: object + properties: { } + example: + data: + id: "b3d6de74-36b0-4fa8-be46-c375bf1771bf" + agents: + - "afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0" + agentType: "endpoint" + command: "running-processes" + startedAt: "2022-08-08T15:24:57.402Z" + completedAt: "2022-08-08T09:50:47.672Z" + createdBy: "elastic" + isCompleted: true + wasSuccessful: true + isExpired: false + outputs: + afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0: + type: "json" + content: + entries: + - pid: "822" + entity_id: "fk2ym7bl3oiu3okjcik0xosc0i0m75x3eh49nu3uaqt4dqanjt" + user: "Dexter" + command: "/opt/cmd1" + - pid: "984" + entity_id: "pwvz91m48wpj9j7ov9gtw8fp7u2rat4eu5ipte37hnhdcbi2pt" + user: "Jada" + command: "/opt/cmd3/opt/cmd3/opt/cmd3/opt/cmd3" + diff --git a/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/list/list.gen.ts b/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/list/list.gen.ts index 4eec6a2cb6479..8e2ffea437d71 100644 --- a/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/list/list.gen.ts +++ b/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/list/list.gen.ts 
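Review bot: The `example` added to the `action_id` path parameter, `'fr518850-681a-4y60-aa98-e22640cae2b8'`, is not a valid UUID (`r` and `y` are not hex digits), while every other ID example in this change is a real UUID; reuse one of those, e.g. `example: 'b3d6de74-36b0-4fa8-be46-c375bf1771bf'`, which also matches `data.id` in the response example just below it. The new `GetEndpointActionResponse` is `type: object` with `properties: { }`, so the 200 response is documented only by its example and the generated `GetEndpointActionResponse = z.object({})` infers `{}`; if any code ever parses a response with that schema, zod's default unknown-key stripping would discard every field, so either list the stable `data` fields shown in the example or add a comment that the schema is intentionally left open. In the example, `completedAt: "2022-08-08T09:50:47.672Z"` precedes `startedAt: "2022-08-08T15:24:57.402Z"`, documenting an action that finished before it started; swapping the two values fixes that.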
@@ -17,42 +17,37 @@ import { z } from '@kbn/zod'; import { - SuccessResponse, - AgentIds, - AgentTypes, - Commands, Page, + PageSize, + Commands, + AgentIds, + UserIds, StartDate, EndDate, - UserIds, - Types, + AgentTypes, WithOutputs, + Types, } from '../../model/schema/common.gen'; -export type GetEndpointActionListRouteQuery = z.infer; -export const GetEndpointActionListRouteQuery = z.object({ - agentIds: AgentIds.optional(), - agentTypes: AgentTypes.optional(), - commands: Commands.optional(), +export type GetEndpointActionListResponse = z.infer; +export const GetEndpointActionListResponse = z.object({}); + +export type EndpointGetActionsListRequestQuery = z.infer; +export const EndpointGetActionsListRequestQuery = z.object({ page: Page.optional(), - /** - * Number of items per page - */ - pageSize: z.number().int().min(1).max(10000).optional().default(10), + pageSize: PageSize.optional(), + commands: Commands.optional(), + agentIds: AgentIds.optional(), + userIds: UserIds.optional(), startDate: StartDate.optional(), endDate: EndDate.optional(), - userIds: UserIds.optional(), - types: Types.optional(), + agentTypes: AgentTypes.optional(), withOutputs: WithOutputs.optional(), -}); - -export type EndpointGetActionsListRequestQuery = z.infer; -export const EndpointGetActionsListRequestQuery = z.object({ - query: GetEndpointActionListRouteQuery, + types: Types.optional(), }); export type EndpointGetActionsListRequestQueryInput = z.input< typeof EndpointGetActionsListRequestQuery >; export type EndpointGetActionsListResponse = z.infer; -export const EndpointGetActionsListResponse = SuccessResponse; +export const EndpointGetActionsListResponse = GetEndpointActionListResponse; diff --git a/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/list/list.schema.yaml b/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/list/list.schema.yaml index 8e7dcfd5412f4..ecd0445750a05 100644 
--- a/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/list/list.schema.yaml +++ b/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/list/list.schema.yaml 
@@ -11,44 +11,121 @@ paths: x-codegen-enabled: true x-labels: [ess, serverless] parameters: - - name: query + - name: page in: query - required: true + required: false schema: - $ref: '#/components/schemas/GetEndpointActionListRouteQuery' + $ref: '../../model/schema/common.schema.yaml#/components/schemas/Page' + - name: pageSize + in: query + required: false + schema: + $ref: '../../model/schema/common.schema.yaml#/components/schemas/PageSize' + - name: commands + in: query + required: false + schema: + $ref: '../../model/schema/common.schema.yaml#/components/schemas/Commands' + - name: agentIds + in: query + required: false + schema: + $ref: '../../model/schema/common.schema.yaml#/components/schemas/AgentIds' + - name: userIds + in: query + required: false + schema: + $ref: '../../model/schema/common.schema.yaml#/components/schemas/UserIds' + - name: startDate + in: query + required: false + schema: + $ref: '../../model/schema/common.schema.yaml#/components/schemas/StartDate' + - name: endDate + in: query + required: false + schema: + $ref: '../../model/schema/common.schema.yaml#/components/schemas/EndDate' + - name: agentTypes + in: query + required: false + schema: + $ref: '../../model/schema/common.schema.yaml#/components/schemas/AgentTypes' + - name: withOutputs + in: query + required: false + schema: + $ref: '../../model/schema/common.schema.yaml#/components/schemas/WithOutputs' + - name: types + in: query + required: false + schema: + $ref: '../../model/schema/common.schema.yaml#/components/schemas/Types' responses: '200': description: OK content: application/json: schema: - $ref: '../../model/schema/common.schema.yaml#/components/schemas/SuccessResponse' + $ref: '#/components/schemas/GetEndpointActionListResponse' components: schemas: - GetEndpointActionListRouteQuery: + GetEndpointActionListResponse: type: object - properties: - agentIds: - $ref: '../../model/schema/common.schema.yaml#/components/schemas/AgentIds' - agentTypes: - $ref: 
'../../model/schema/common.schema.yaml#/components/schemas/AgentTypes' - commands: - $ref: '../../model/schema/common.schema.yaml#/components/schemas/Commands' - page: - $ref: '../../model/schema/common.schema.yaml#/components/schemas/Page' - pageSize: - type: integer - default: 10 - minimum: 1 - maximum: 10000 - description: Number of items per page - startDate: - $ref: '../../model/schema/common.schema.yaml#/components/schemas/StartDate' - endDate: - $ref: '../../model/schema/common.schema.yaml#/components/schemas/EndDate' - userIds: - $ref: '../../model/schema/common.schema.yaml#/components/schemas/UserIds' - types: - $ref: '../../model/schema/common.schema.yaml#/components/schemas/Types' - withOutputs: - $ref: '../../model/schema/common.schema.yaml#/components/schemas/WithOutputs' + properties: { } + example: + page: 1 + pageSize: 10 + total: 4 + startDate: "now-24h/h" + endDate: "now" + elasticAgentIds: + - "afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0" + data: + - id: "b3d6de74-36b0-4fa8-be46-c375bf1771bf" + agents: + - "afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0" + command: "running-processes" + agentType: "endpoint" + startedAt: "2022-08-08T15:24:57.402Z" + isCompleted: true + completedAt: "2022-08-08T09:50:47.672Z" + wasSuccessful: true + isExpired: false + createdBy: "elastic" + - id: "43b4098b-8752-4fbb-a7a7-6df7c74d0ee3" + agents: + - "afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0" + command: "isolate" + agentType: "endpoint" + startedAt: "2022-08-08T15:23:37.359Z" + isCompleted: true + completedAt: "2022-08-08T10:41:57.352Z" + wasSuccessful: true + isExpired: false + createdBy: "elastic" + - id: "5bc92c86-b8e6-42dd-837f-12ad29e09caa" + agents: + - "afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0" + command: "kill-process" + agentType: "endpoint" + startedAt: "2022-08-08T14:38:44.125Z" + isCompleted: true + completedAt: "2022-08-08T09:44:50.952Z" + wasSuccessful: true + isExpired: false + createdBy: "elastic" + comment: "bad process - taking up too much cpu" + - id: 
"790d54e0-3aa3-4e5b-8255-3ce9d851246a" + agents: + - "afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0" + command: "unisolate" + agentType: "endpoint" + startedAt: "2022-08-08T14:38:15.391Z" + isCompleted: true + completedAt: "2022-08-08T09:40:47.398Z" + wasSuccessful: true + isExpired: false + createdBy: "elastic" + comment: "Not a threat to the network" + diff --git a/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/execute/execute.gen.ts b/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/execute/execute.gen.ts index 531236ea248bf..b9cf0db2b4ce9 100644 --- a/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/execute/execute.gen.ts +++ b/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/execute/execute.gen.ts @@ -16,12 +16,7 @@ import { z } from '@kbn/zod'; -import { - SuccessResponse, - BaseActionSchema, - Command, - Timeout, -} from '../../../model/schema/common.gen'; +import { BaseActionSchema, Command, Timeout } from '../../../model/schema/common.gen'; export type ExecuteRouteRequestBody = z.infer; export const ExecuteRouteRequestBody = BaseActionSchema.merge( @@ -33,6 +28,9 @@ export const ExecuteRouteRequestBody = BaseActionSchema.merge( }) ); +export type ExecuteRouteResponse = z.infer; +export const ExecuteRouteResponse = z.object({}); + export type EndpointExecuteActionRequestBody = z.infer; export const EndpointExecuteActionRequestBody = ExecuteRouteRequestBody; export type EndpointExecuteActionRequestBodyInput = z.input< @@ -40,4 +38,4 @@ export type EndpointExecuteActionRequestBodyInput = z.input< >; export type EndpointExecuteActionResponse = z.infer; -export const EndpointExecuteActionResponse = SuccessResponse; +export const EndpointExecuteActionResponse = ExecuteRouteResponse; 
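Review bot: `pageSize` loses its inline `minimum: 1`, `maximum: 10000` and `default: 10` and now references the shared `PageSize` schema in common.schema.yaml, which is not part of this diff; confirm that schema still carries the 10000 cap and the default, because an action-list query with an unbounded page size is a cheap way to force very large result sets out of Elasticsearch and Kibana. The hunk also replaces the single required `query` object parameter with ten optional top-level query parameters, which changes the generated `EndpointGetActionsListRequestQuery` shape; presumably the flat shape is what the route always accepted and the old spec was wrong, but that is worth a sentence in the PR description so reviewers don't look for a handler change. In the response example every entry has `completedAt` (09:xx) earlier than `startedAt` (14:xx/15:xx); swapping the pairs, e.g. `startedAt: "2022-08-08T09:50:47.672Z"` / `completedAt: "2022-08-08T15:24:57.402Z"`, avoids documenting actions that finished before they started.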
diff --git a/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/execute/execute.schema.yaml b/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/execute/execute.schema.yaml index f2496687b8fb0..84e6fa32d1389 100644 --- a/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/execute/execute.schema.yaml +++ b/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/execute/execute.schema.yaml @@ -22,11 +22,18 @@ paths: content: application/json: schema: - $ref: '../../../model/schema/common.schema.yaml#/components/schemas/SuccessResponse' + $ref: '#/components/schemas/ExecuteRouteResponse' components: schemas: ExecuteRouteRequestBody: + example: + parameters: + command: "ls -al" + timeout: 600 + endpoint_ids: + - "b3d6de74-36b0-4fa8-be46-c375bf1771bf" + comment: "Get list of all files" allOf: - $ref: '../../../model/schema/common.schema.yaml#/components/schemas/BaseActionSchema' - type: object @@ -42,3 +49,31 @@ components: $ref: '../../../model/schema/common.schema.yaml#/components/schemas/Command' timeout: $ref: '../../../model/schema/common.schema.yaml#/components/schemas/Timeout' + ExecuteRouteResponse: + type: object + properties: { } + example: + data: + id: "9f934028-2300-4927-b531-b26376793dc4" + agents: + - "ed518850-681a-4d60-bb98-e22640cae2a8" + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: "gke-endpoint-gke-clu-endpoint-node-po-e1a3ab89-4c4r" + agentType: "endpoint" + command: "execute" + startedAt: "2023-07-28T18:43:27.362Z" + isCompleted: false + wasSuccessful: false + isExpired: false + status: "pending" + outputs: { } + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + createdBy: "myuser" + comment: "Get list of all files" + parameters: + command: "ls -al" + timeout: 600 
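Review bot: The `ExecuteRouteRequestBody` example uses `timeout: 600`, but the shared `Timeout` schema (visible in the generated serverless output elsewhere in this diff) documents the value as milliseconds, so the example requests a 0.6 s window for `ls -al`; either use a value that reads as milliseconds, e.g. `timeout: 600000`, or correct the unit in the `Timeout` description if seconds is what the route actually accepts. `ExecuteRouteResponse` is declared `type: object` with `properties: { }`, so the generated `ExecuteRouteResponse = z.object({})` carries no field information and `status`, `outputs` and `agentState` exist only in the example; listing those fields, or a comment stating the schema is intentionally open, would make the contract checkable. Since this route runs an arbitrary command on the host and the example response shows `status: "pending"` with `outputs: { }`, a sentence in the `command` description noting that output is not returned inline but retrieved later (presumably through the action details endpoint) would save readers a wrong assumption.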
diff --git a/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/get_file/get_file.gen.ts b/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/get_file/get_file.gen.ts index e094bde8649d2..920b0a46f5f5f 100644 --- a/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/get_file/get_file.gen.ts +++ b/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/get_file/get_file.gen.ts @@ -16,7 +16,7 @@ import { z } from '@kbn/zod'; -import { SuccessResponse, BaseActionSchema } from '../../../model/schema/common.gen'; +import { BaseActionSchema } from '../../../model/schema/common.gen'; export type GetFileRouteRequestBody = z.infer; export const GetFileRouteRequestBody = BaseActionSchema.merge( @@ -27,6 +27,9 @@ export const GetFileRouteRequestBody = BaseActionSchema.merge( }) ); +export type GetFileRouteResponse = z.infer; +export const GetFileRouteResponse = z.object({}); + export type EndpointGetFileActionRequestBody = z.infer; export const EndpointGetFileActionRequestBody = GetFileRouteRequestBody; export type EndpointGetFileActionRequestBodyInput = z.input< @@ -34,4 +37,4 @@ export type EndpointGetFileActionRequestBodyInput = z.input< >; export type EndpointGetFileActionResponse = z.infer; -export const EndpointGetFileActionResponse = SuccessResponse; +export const EndpointGetFileActionResponse = GetFileRouteResponse; diff --git a/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/get_file/get_file.schema.yaml b/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/get_file/get_file.schema.yaml index cc36b843110b8..5ed449e492aac 100644 --- a/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/get_file/get_file.schema.yaml 
+++ b/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/get_file/get_file.schema.yaml @@ -23,11 +23,17 @@ paths: content: application/json: schema: - $ref: '../../../model/schema/common.schema.yaml#/components/schemas/SuccessResponse' + $ref: '#/components/schemas/GetFileRouteResponse' components: schemas: GetFileRouteRequestBody: + example: + endpoint_ids: + - "ed518850-681a-4d60-bb98-e22640cae2a8" + parameters: + path: "/usr/my-file.txt" + comment: "Get my file" allOf: - $ref: '../../../model/schema/common.schema.yaml#/components/schemas/BaseActionSchema' - type: object @@ -41,4 +47,31 @@ components: properties: path: type: string + GetFileRouteResponse: + type: object + properties: { } + example: + data: + id: "27ba1b42-7cc6-4e53-86ce-675c876092b2" + agents: + - "ed518850-681a-4d60-bb98-e22640cae2a8" + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: "gke-endpoint-gke-clu-endpoint-node-po-e1a3ab89-4c4r" + agentType: "endpoint" + command: "get-file" + startedAt: "2023-07-28T19:00:03.911Z" + isCompleted: false + wasSuccessful: false + isExpired: false + status: "pending" + outputs: { } + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + createdBy: "myuser" + parameters: + path: "/usr/my-file.txt" + diff --git a/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/isolate/isolate.gen.ts b/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/isolate/isolate.gen.ts index 030ba1433fb7b..f14b103f84bd7 100644 --- a/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/isolate/isolate.gen.ts +++ b/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/isolate/isolate.gen.ts 
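Review bot: `parameters.path` in `GetFileRouteRequestBody` is still a bare `type: string` with no `description` or `example`, while the sibling scan route in this same change documents its `path` as the folder or file's full path including the file name; add `description: The full path of the file to retrieve from the host (including the file name).` and `example: "/usr/my-file.txt"` next to `type: string`. `GetFileRouteResponse` is `type: object` with `properties: { }`, so the generated zod type is `{}` and the `status`, `outputs` and `agentState` fields appear only in the example; if the shape is stable enough to document, list the fields, otherwise a comment that the schema is intentionally open would help the next editor. The request example also has `comment` after `parameters`, unlike the other request-body examples in this change (`endpoint_ids`, `comment`, `parameters`); matching their key order makes the docs easier to scan.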
@@ -14,18 +14,18 @@ * version: 2023-10-31 */ -import type { z } from '@kbn/zod'; +import { z } from '@kbn/zod'; -import { SuccessResponse, BaseActionSchema } from '../../../model/schema/common.gen'; +import { BaseActionSchema } from '../../../model/schema/common.gen'; -export type IsolateRouteRequestBody = z.infer; -export const IsolateRouteRequestBody = BaseActionSchema; +export type IsolateRouteResponse = z.infer; +export const IsolateRouteResponse = z.object({}); export type EndpointIsolateActionRequestBody = z.infer; -export const EndpointIsolateActionRequestBody = IsolateRouteRequestBody; +export const EndpointIsolateActionRequestBody = BaseActionSchema; export type EndpointIsolateActionRequestBodyInput = z.input< typeof EndpointIsolateActionRequestBody >; export type EndpointIsolateActionResponse = z.infer; -export const EndpointIsolateActionResponse = SuccessResponse; +export const EndpointIsolateActionResponse = IsolateRouteResponse; diff --git a/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/isolate/isolate.schema.yaml b/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/isolate/isolate.schema.yaml index 396d8e3d54b1e..1dbbea5b5c430 100644 --- a/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/isolate/isolate.schema.yaml +++ b/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/isolate/isolate.schema.yaml 
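Review bot: The exported `IsolateRouteRequestBody` type and schema are removed from isolate.gen.ts (and `UnisolateRouteRequestBody` from unisolate.gen.ts) without any importer being updated in this commit, so anything outside it that imports those names will stop compiling; a repository-wide check, or keeping `export const IsolateRouteRequestBody = BaseActionSchema;` as a deprecated alias, would avoid a surprise. The change from `import type { z }` to `import { z }` is correct now that `z.object({})` is evaluated at runtime.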
@@ -15,16 +15,62 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/IsolateRouteRequestBody' + $ref: '../../../model/schema/common.schema.yaml#/components/schemas/BaseActionSchema' + examples: + single_endpoint: + summary: "Isolates a single host with an endpoint_id value of ed518850-681a-4d60-bb98-e22640cae2a8" + value: + endpoint_ids: + - "ed518850-681a-4d60-bb98-e22640cae2a8" + multiple_endpoints: + summary: "Isolates several hosts; includes a comment" + value: + endpoint_ids: + - "9972d10e-4b9e-41aa-a534-a85e2a28ea42" + - "bc0e4f0c-3bca-4633-9fee-156c0b505d16" + - "fa89271b-b9d4-43f2-a684-307cffddeb5a" + comment: "Locked down, pending further investigation" + with_case_id: + summary: "Isolates a single host with a case_id value of 1234" + value: + endpoint_ids: + - "1aa1f8fd-0fb0-4fe4-8c30-92068272d3f0" + - "b30a11bf-1395-4707-b508-fbb45ef9793e" + case_ids: + - "4976be38-c134-4554-bd5e-0fd89ce63667" + comment: "Isolating as initial response" responses: '200': description: OK content: application/json: schema: - $ref: '../../../model/schema/common.schema.yaml#/components/schemas/SuccessResponse' - + $ref: '#/components/schemas/IsolateRouteResponse' components: schemas: - IsolateRouteRequestBody: - $ref: '../../../model/schema/common.schema.yaml#/components/schemas/BaseActionSchema' + IsolateRouteResponse: + type: object + properties: { } + example: + action: "233db9ea-6733-4849-9226-5a7039c7161d" + data: + id: "233db9ea-6733-4849-9226-5a7039c7161d" + agents: + - "ed518850-681a-4d60-bb98-e22640cae2a8" + command: "suspend-process" + agentType: "endpoint" + isExpired: false + isCompleted: true + wasSuccessful: true + errors: [ ] + startedAt: "2022-07-29T19:08:49.126Z" + completedAt: "2022-07-29T19:09:44.961Z" + outputs: + ed518850-681a-4d60-bb98-e22640cae2a8: + type: "json" + content: + key: "value" + createdBy: "myuser" + comment: "suspend the process" + parameters: + entity_id: "abc123" 
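Review bot: The `IsolateRouteResponse` example describes a different action: `command: "suspend-process"`, `comment: "suspend the process"` and `parameters: entity_id: "abc123"` are copied from the suspend-process response, whereas an isolate action would show `command: "isolate"` and no process parameters. The same copied example appears under `UnisolateRouteResponse` in unisolate.schema.yaml. In the request examples, `with_case_id` is summarised as "Isolates a single host with a case_id value of 1234" while its value lists two endpoint_ids and `case_ids: ["4976be38-…"]`; the summary should match the value it annotates. The isolate/unisolate examples also carry a top-level `action` key that the get_file, scan and upload examples omit — presumably one of the two shapes is stale, which is worth confirming against the actual route output.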
diff --git a/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/kill_process/kill_process.gen.ts b/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/kill_process/kill_process.gen.ts index 0f75653323bd2..cda61249e3f66 100644 --- a/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/kill_process/kill_process.gen.ts +++ b/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/kill_process/kill_process.gen.ts @@ -16,17 +16,27 @@ import { z } from '@kbn/zod'; -import { SuccessResponse, BaseActionSchema, Pid, EntityId } from '../../../model/schema/common.gen'; +import { BaseActionSchema } from '../../../model/schema/common.gen'; export type KillProcessRouteRequestBody = z.infer; export const KillProcessRouteRequestBody = BaseActionSchema.merge( z.object({ parameters: z.union([ - Pid, - EntityId, z.object({ /** - * Valid for SentinelOne agent type only + * The process ID (PID) of the process to terminate. + */ + pid: z.number().int().min(1).optional(), + }), + z.object({ + /** + * The entity ID of the process to terminate. + */ + entity_id: z.string().min(1).optional(), + }), + z.object({ + /** + * The name of the process to terminate. Valid for SentinelOne agent type only. */ process_name: z.string().min(1).optional(), }), @@ -34,6 +44,9 @@ export const KillProcessRouteRequestBody = BaseActionSchema.merge( }) ); +export type KillProcessRouteResponse = z.infer; +export const KillProcessRouteResponse = z.object({}); + export type EndpointKillProcessActionRequestBody = z.infer< typeof EndpointKillProcessActionRequestBody >; 
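Review bot: Each branch of the inlined `parameters` union (`pid`, `entity_id`, `process_name`) is an object with a single optional key in default strip mode, so `{}` and any object satisfy the first branch; if this schema is ever used to `parse` a request body rather than only to type it, `{ entity_id: "abc123" }` matches the `pid` branch first and comes out as `{}`, silently discarding the identifier. The same shape is inlined into suspend_process.gen.ts, and the YAML `oneOf` in kill_process.schema.yaml and suspend_process.schema.yaml has the mirror-image weakness: with no `required` and no `additionalProperties: false`, every input matches all alternatives, which `oneOf` rejects. Adding `required: [pid]` (and likewise for the other keys) to each alternative makes them exclusive, and the generator would then emit non-optional zod fields. This behaviour is inherited from the removed `Pid`/`EntityId` schemas — the commit only inlines it — so it can be a follow-up; note that the `KillProcessRouteRequestBody` declaration continues past this hunk.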
@@ -43,4 +56,4 @@ export type EndpointKillProcessActionRequestBodyInput = z.input< >; export type EndpointKillProcessActionResponse = z.infer; -export const EndpointKillProcessActionResponse = SuccessResponse; +export const EndpointKillProcessActionResponse = KillProcessRouteResponse; diff --git a/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/kill_process/kill_process.schema.yaml b/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/kill_process/kill_process.schema.yaml index fc0f68ef72bc6..ba314589cc4e7 100644 --- a/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/kill_process/kill_process.schema.yaml +++ b/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/kill_process/kill_process.schema.yaml @@ -22,11 +22,17 @@ paths: content: application/json: schema: - $ref: '../../../model/schema/common.schema.yaml#/components/schemas/SuccessResponse' + $ref: '#/components/schemas/KillProcessRouteResponse' components: schemas: KillProcessRouteRequestBody: + example: + endpoint_ids: + - "ed518850-681a-4d60-bb98-e22640cae2a8" + parameters: + entity_id: "abc123" + comment: "terminate the process" allOf: - $ref: '../../../model/schema/common.schema.yaml#/components/schemas/BaseActionSchema' - type: object 
@@ -35,11 +41,49 @@ components: properties: parameters: oneOf: - - $ref: "../../../model/schema/common.schema.yaml#/components/schemas/Pid" - - $ref: "../../../model/schema/common.schema.yaml#/components/schemas/EntityId" + - type: object + properties: + pid: + type: integer + description: "The process ID (PID) of the process to terminate." + example: 123 + minimum: 1 + - type: object + properties: + entity_id: + type: string + description: "The entity ID of the process to terminate." + example: "abc123" + minLength: 1 - type: object properties: process_name: type: string + description: "The name of the process to terminate. Valid for SentinelOne agent type only." + example: "Elastic" minLength: 1 - description: Valid for SentinelOne agent type only + KillProcessRouteResponse: + type: object + properties: { } + example: + data: + id: "233db9ea-6733-4849-9226-5a7039c7161d" + agents: + - "ed518850-681a-4d60-bb98-e22640cae2a8" + command: "kill-process" + agentType: "endpoint" + isExpired: false + isCompleted: true + wasSuccessful: true + errors: [ ] + startedAt: "2022-07-29T19:08:49.126Z" + completedAt: "2022-07-29T19:09:44.961Z" + outputs: + ed518850-681a-4d60-bb98-e22640cae2a8: + type: "json" + content: + key: "value" + createdBy: "myuser" + comment: "terminate the process" + parameters: + entity_id: "abc123" diff --git a/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/running_procs/running_procs.gen.ts b/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/running_procs/running_procs.gen.ts index 63e31a863e58e..1b590d73f0bec 100644 --- a/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/running_procs/running_procs.gen.ts +++ b/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/running_procs/running_procs.gen.ts 
@@ -14,13 +14,16 @@ * version: 2023-10-31 */ -import type { z } from '@kbn/zod'; +import { z } from '@kbn/zod'; -import { SuccessResponse, BaseActionSchema } from '../../../model/schema/common.gen'; +import { BaseActionSchema } from '../../../model/schema/common.gen'; export type GetProcessesRouteRequestBody = z.infer; export const GetProcessesRouteRequestBody = BaseActionSchema; +export type GetProcessesRouteResponse = z.infer; +export const GetProcessesRouteResponse = z.object({}); + export type EndpointGetProcessesActionRequestBody = z.infer< typeof EndpointGetProcessesActionRequestBody >; @@ -30,4 +33,4 @@ export type EndpointGetProcessesActionRequestBodyInput = z.input< >; export type EndpointGetProcessesActionResponse = z.infer; -export const EndpointGetProcessesActionResponse = SuccessResponse; +export const EndpointGetProcessesActionResponse = GetProcessesRouteResponse; diff --git a/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/running_procs/running_procs.schema.yaml b/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/running_procs/running_procs.schema.yaml index dc2735e04b50f..1eb69fc04018d 100644 --- a/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/running_procs/running_procs.schema.yaml +++ b/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/running_procs/running_procs.schema.yaml 
@@ -22,10 +22,37 @@ paths: content: application/json: schema: - $ref: '../../../model/schema/common.schema.yaml#/components/schemas/SuccessResponse' + $ref: '#/components/schemas/GetProcessesRouteResponse' components: schemas: GetProcessesRouteRequestBody: + example: + endpoint_ids: + - "ed518850-681a-4d60-bb98-e22640cae2a8" allOf: - $ref: '../../../model/schema/common.schema.yaml#/components/schemas/BaseActionSchema' + GetProcessesRouteResponse: + type: object + properties: { } + example: + data: + id: "233db9ea-6733-4849-9226-5a7039c7161d" + agents: + - "ed518850-681a-4d60-bb98-e22640cae2a8" + command: "running-processes" + agentType: "endpoint" + isExpired: false + isCompleted: true + wasSuccessful: true + errors: [ ] + startedAt: "2022-07-29T19:08:49.126Z" + completedAt: "2022-07-29T19:09:44.961Z" + outputs: + ed518850-681a-4d60-bb98-e22640cae2a8: + type: "json" + content: + key: "value" + createdBy: "myuser" + comment: "" + parameters: { } diff --git a/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/scan/scan.gen.ts b/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/scan/scan.gen.ts index 2d6f458e79994..0bb78c35fc1f1 100644 --- a/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/scan/scan.gen.ts +++ b/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/scan/scan.gen.ts 
@@ -16,20 +16,26 @@ import { z } from '@kbn/zod'; -import { SuccessResponse, BaseActionSchema } from '../../../model/schema/common.gen'; +import { BaseActionSchema } from '../../../model/schema/common.gen'; export type ScanRouteRequestBody = z.infer; export const ScanRouteRequestBody = BaseActionSchema.merge( z.object({ parameters: z.object({ + /** + * The folder or file’s full path (including the file name). + */ path: z.string(), }), }) ); +export type ScanRouteResponse = z.infer; +export const ScanRouteResponse = z.object({}); + export type EndpointScanActionRequestBody = z.infer; export const EndpointScanActionRequestBody = ScanRouteRequestBody; export type EndpointScanActionRequestBodyInput = z.input; export type EndpointScanActionResponse = z.infer; -export const EndpointScanActionResponse = SuccessResponse; +export const EndpointScanActionResponse = ScanRouteResponse; diff --git a/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/scan/scan.schema.yaml b/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/scan/scan.schema.yaml index 7ebf23a51ad7a..dc11a463319cd 100644 --- a/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/scan/scan.schema.yaml +++ b/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/scan/scan.schema.yaml @@ -22,11 +22,16 @@ paths: content: application/json: schema: - $ref: '../../../model/schema/common.schema.yaml#/components/schemas/SuccessResponse' - + $ref: '#/components/schemas/ScanRouteResponse' components: schemas: ScanRouteRequestBody: + example: + endpoint_ids: + - "ed518850-681a-4d60-bb98-e22640cae2a8" + parameters: + path: "/usr/my-file.txt" + comment: "Scan the file for malware" allOf: - $ref: '../../../model/schema/common.schema.yaml#/components/schemas/BaseActionSchema' - type: object 
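Review bot: The new docstring `The folder or file’s full path (including the file name).` uses a typographic apostrophe (U+2019) instead of ASCII `'`; since the `.gen.ts` comment is emitted from the `description` in scan.schema.yaml, fix it at the source (`The folder or file's full path (including the file name).`) so the non-ASCII character does not propagate into generated code and published docs.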
@@ -40,4 +45,34 @@ components: properties: path: type: string + description: "The folder or file’s full path (including the file name)." + example: "/usr/my-file.txt" + ScanRouteResponse: + type: object + properties: { } + example: + data: + id: "27ba1b42-7cc6-4e53-86ce-675c876092b2" + agents: + - "ed518850-681a-4d60-bb98-e22640cae2a8" + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: "gke-endpoint-gke-clu-endpoint-node-po-e1a3ab89-4c4r" + agentType: "endpoint" + command: "scan" + startedAt: "2023-07-28T19:00:03.911Z" + isCompleted: false + wasSuccessful: false + isExpired: false + status: "pending" + outputs: { } + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + createdBy: "myuser" + parameters: + path: "/usr/my-file.txt" + + diff --git a/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/suspend_process/suspend_process.gen.ts b/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/suspend_process/suspend_process.gen.ts index ae737755e9880..12216e46bdf72 100644 --- a/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/suspend_process/suspend_process.gen.ts +++ b/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/suspend_process/suspend_process.gen.ts 
@@ -16,15 +16,31 @@ import { z } from '@kbn/zod'; -import { SuccessResponse, BaseActionSchema, Pid, EntityId } from '../../../model/schema/common.gen'; +import { BaseActionSchema } from '../../../model/schema/common.gen'; export type SuspendProcessRouteRequestBody = z.infer; export const SuspendProcessRouteRequestBody = BaseActionSchema.merge( z.object({ - parameters: z.union([Pid, EntityId]), + parameters: z.union([ + z.object({ + /** + * The process ID (PID) of the process to suspend. + */ + pid: z.number().int().min(1).optional(), + }), + z.object({ + /** + * The entity ID of the process to suspend. + */ + entity_id: z.string().min(1).optional(), + }), + ]), }) ); +export type SuspendProcessRouteResponse = z.infer; +export const SuspendProcessRouteResponse = z.object({}); + export type EndpointSuspendProcessActionRequestBody = z.infer< typeof EndpointSuspendProcessActionRequestBody >; @@ -36,4 +52,4 @@ export type EndpointSuspendProcessActionRequestBodyInput = z.input< export type EndpointSuspendProcessActionResponse = z.infer< typeof EndpointSuspendProcessActionResponse >; -export const EndpointSuspendProcessActionResponse = SuccessResponse; +export const EndpointSuspendProcessActionResponse = SuspendProcessRouteResponse; diff --git a/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/suspend_process/suspend_process.schema.yaml b/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/suspend_process/suspend_process.schema.yaml index bc1a38351df44..505b8424b6c2c 100644 --- a/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/suspend_process/suspend_process.schema.yaml +++ b/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/suspend_process/suspend_process.schema.yaml 
@@ -22,11 +22,17 @@ paths: content: application/json: schema: - $ref: '../../../model/schema/common.schema.yaml#/components/schemas/SuccessResponse' + $ref: '#/components/schemas/SuspendProcessRouteResponse' components: schemas: SuspendProcessRouteRequestBody: + example: + endpoint_ids: + - "ed518850-681a-4d60-bb98-e22640cae2a8" + parameters: + entity_id: "abc123" + comment: "suspend the process" allOf: - $ref: '../../../model/schema/common.schema.yaml#/components/schemas/BaseActionSchema' - type: object @@ -35,5 +41,42 @@ components: properties: parameters: oneOf: - - $ref: "../../../model/schema/common.schema.yaml#/components/schemas/Pid" - - $ref: "../../../model/schema/common.schema.yaml#/components/schemas/EntityId" + - type: object + properties: + pid: + type: integer + description: "The process ID (PID) of the process to suspend." + example: 123 + minimum: 1 + - type: object + properties: + entity_id: + type: string + description: "The entity ID of the process to suspend." + example: "abc123" + minLength: 1 + SuspendProcessRouteResponse: + type: object + properties: { } + example: + data: + id: "233db9ea-6733-4849-9226-5a7039c7161d" + agents: + - "ed518850-681a-4d60-bb98-e22640cae2a8" + command: "suspend-process" + agentType: "endpoint" + isExpired: false + isCompleted: true + wasSuccessful: true + errors: [ ] + startedAt: "2022-07-29T19:08:49.126Z" + completedAt: "2022-07-29T19:09:44.961Z" + outputs: + ed518850-681a-4d60-bb98-e22640cae2a8: + type: "json" + content: + key: "value" + createdBy: "myuser" + comment: "suspend the process" + parameters: + entity_id: "abc123" diff --git a/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/unisolate/unisolate.gen.ts b/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/unisolate/unisolate.gen.ts index 115ff4162e206..be1bc891a6680 100644 
--- a/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/unisolate/unisolate.gen.ts +++ b/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/unisolate/unisolate.gen.ts @@ -14,18 +14,18 @@ * version: 2023-10-31 */ -import type { z } from '@kbn/zod'; +import { z } from '@kbn/zod'; -import { SuccessResponse, BaseActionSchema } from '../../../model/schema/common.gen'; +import { BaseActionSchema } from '../../../model/schema/common.gen'; -export type UnisolateRouteRequestBody = z.infer; -export const UnisolateRouteRequestBody = BaseActionSchema; +export type UnisolateRouteResponse = z.infer; +export const UnisolateRouteResponse = z.object({}); export type EndpointUnisolateActionRequestBody = z.infer; -export const EndpointUnisolateActionRequestBody = UnisolateRouteRequestBody; +export const EndpointUnisolateActionRequestBody = BaseActionSchema; export type EndpointUnisolateActionRequestBodyInput = z.input< typeof EndpointUnisolateActionRequestBody >; export type EndpointUnisolateActionResponse = z.infer; -export const EndpointUnisolateActionResponse = SuccessResponse; +export const EndpointUnisolateActionResponse = UnisolateRouteResponse; diff --git a/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/unisolate/unisolate.schema.yaml b/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/unisolate/unisolate.schema.yaml index 6f5d2087c556e..11662d00ce331 100644 --- a/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/unisolate/unisolate.schema.yaml +++ b/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/unisolate/unisolate.schema.yaml 
@@ -14,17 +14,63 @@ paths: required: true content: application/json: + examples: + singleHost: + summary: "Releases a single host with an endpoint_id value of ed518850-681a-4d60-bb98-e22640cae2a8" + value: + endpoint_ids: + - "ed518850-681a-4d60-bb98-e22640cae2a8" + multipleHosts: + summary: "Releases several hosts; includes a comment:" + value: + endpoint_ids: + - "9972d10e-4b9e-41aa-a534-a85e2a28ea42" + - "bc0e4f0c-3bca-4633-9fee-156c0b505d16" + - "fa89271b-b9d4-43f2-a684-307cffddeb5a" + comment: "Benign process identified, releasing group" + withCaseId: + summary: "Releases hosts with an associated case; includes a comment." + value: + endpoint_ids: + - "1aa1f8fd-0fb0-4fe4-8c30-92068272d3f0" + - "b30a11bf-1395-4707-b508-fbb45ef9793e" + case_ids: + - "4976be38-c134-4554-bd5e-0fd89ce63667" + comment: "Remediation complete, restoring network" schema: - $ref: '#/components/schemas/UnisolateRouteRequestBody' + $ref: '../../../model/schema/common.schema.yaml#/components/schemas/BaseActionSchema' responses: '200': description: OK content: application/json: schema: - $ref: '../../../model/schema/common.schema.yaml#/components/schemas/SuccessResponse' - + $ref: '#/components/schemas/UnisolateRouteResponse' components: schemas: - UnisolateRouteRequestBody: - $ref: '../../../model/schema/common.schema.yaml#/components/schemas/BaseActionSchema' + UnisolateRouteResponse: + type: object + properties: {} + example: + action: "233db9ea-6733-4849-9226-5a7039c7161d" + data: + id: "233db9ea-6733-4849-9226-5a7039c7161d" + agents: + - "ed518850-681a-4d60-bb98-e22640cae2a8" + command: "suspend-process" + agentType: "endpoint" + isExpired: false + isCompleted: true + wasSuccessful: true + errors: [ ] + startedAt: "2022-07-29T19:08:49.126Z" + completedAt: "2022-07-29T19:09:44.961Z" + outputs: + ed518850-681a-4d60-bb98-e22640cae2a8: + type: "json" + content: + key: "value" + createdBy: "myuser" + comment: "suspend the process" + parameters: + entity_id: "abc123" 
diff --git a/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/upload/upload.gen.ts b/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/upload/upload.gen.ts index fbce5717a6a22..adadf042652a0 100644 --- a/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/upload/upload.gen.ts +++ b/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/upload/upload.gen.ts @@ -16,21 +16,26 @@ import { z } from '@kbn/zod'; -import { SuccessResponse, BaseActionSchema } from '../../../model/schema/common.gen'; +import { BaseActionSchema } from '../../../model/schema/common.gen'; export type UploadRouteRequestBody = z.infer; export const UploadRouteRequestBody = BaseActionSchema.merge( z.object({ parameters: z.object({ + /** + * Overwrite the file on the host if it already exists. + */ overwrite: z.boolean().optional().default(false), }), + /** + * The binary content of the file. + */ file: z.string(), }) ); -export type EndpointUploadActionRequestBody = z.infer; -export const EndpointUploadActionRequestBody = UploadRouteRequestBody; -export type EndpointUploadActionRequestBodyInput = z.input; +export type UploadRouteResponse = z.infer; +export const UploadRouteResponse = z.object({}); export type EndpointUploadActionResponse = z.infer; -export const EndpointUploadActionResponse = SuccessResponse; +export const EndpointUploadActionResponse = UploadRouteResponse; diff --git a/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/upload/upload.schema.yaml b/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/upload/upload.schema.yaml index 512fc6c4d4613..900eeec3fbd4d 100644 --- a/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/upload/upload.schema.yaml 
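Review bot: `EndpointUploadActionRequestBody` and `EndpointUploadActionRequestBodyInput` are dropped from the exports while `UploadRouteRequestBody` stays, so any importer of the `Endpoint*` names other than quickstart_client.gen.ts (updated in this commit) will fail to compile; worth a repository-wide check before merging. With the route now documented as `multipart/form-data`, `file: z.string()` with the docstring `The binary content of the file.` no longer describes what is sent — the part is a binary file, not a JSON string — so this schema is effectively documentation-only, and a comment such as `// documentation schema: the route accepts multipart/form-data, not JSON` would stop the next reader from using it to validate a request.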
+++ b/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/upload/upload.schema.yaml @@ -13,7 +13,7 @@ paths: requestBody: required: true content: - application/json: + multipart/form-data: schema: $ref: '#/components/schemas/UploadRouteRequestBody' responses: @@ -22,11 +22,16 @@ paths: content: application/json: schema: - $ref: '../../../model/schema/common.schema.yaml#/components/schemas/SuccessResponse' + $ref: '#/components/schemas/UploadRouteResponse' components: schemas: UploadRouteRequestBody: + example: + endpoint_ids: + - "ed518850-681a-4d60-bb98-e22640cae2a8" + file: "RWxhc3RpYw==" + parameters: { } allOf: - $ref: '../../../model/schema/common.schema.yaml#/components/schemas/BaseActionSchema' - type: object @@ -39,8 +44,41 @@ components: properties: overwrite: type: boolean + description: "Overwrite the file on the host if it already exists." + example: false default: false # File extends Blob - any binary data will be base-64 encoded file: type: string + description: "The binary content of the file." + example: "RWxhc3RpYw==" format: binary + UploadRouteResponse: + type: object + properties: { } + example: + data: + id: "9ff6aebc-2cb6-481e-8869-9b30036c9731" + agents: + - "ed518850-681a-4d60-bb98-e22640cae2a8" + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: "Host-5i6cuc8kdv" + command: "upload" + agentType: "endpoint" + startedAt: "2023-07-03T15:07:22.837Z" + isCompleted: false + wasSuccessful: false + isExpired: false + status: "pending" + outputs: { } + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + createdBy: "elastic" + parameters: + file_name: "fix-malware.sh" + file_id: "10e4ce3d-4abb-4f93-a0cd-eaf63a489280" + file_sha256: "a0bed94220193ba4895c0aa5b4e7e293381d15765cb164ddf7be5cdd010ae42a" + file_size: 69 
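Review bot: Switching the request body to `multipart/form-data` while keeping a schema that contains the array `endpoint_ids` and the object `parameters` leaves the field serialization unspecified; form parts are strings, so an `encoding:` block (for example `parameters: { contentType: application/json }`) or a description of how nested values are encoded is needed for generated clients to build a request the route accepts. The comment `# File extends Blob - any binary data will be base-64 encoded` and the example `file: "RWxhc3RpYw=="` now sit beside `format: binary` inside a multipart body, which is contradictory — presumably the base64 example is a leftover from the JSON transport. If `file_size` in the response example is in bytes, saying so in a description would help consumers reconcile it with `file_sha256`.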
diff --git a/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/model/schema/common.gen.ts b/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/model/schema/common.gen.ts index a30695af76bf4..c8df058537fc2 100644 --- a/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/model/schema/common.gen.ts +++ b/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/model/schema/common.gen.ts @@ -37,13 +37,13 @@ export type PageSize = z.infer; export const PageSize = z.number().int().min(1).max(100).default(10); /** - * Start date + * A start date in ISO 8601 format or Date Math format. */ export type StartDate = z.infer; export const StartDate = z.string(); /** - * End date + * An end date in ISO format or Date Math format. */ export type EndDate = z.infer; export const EndDate = z.string(); @@ -94,6 +94,9 @@ export const SortField = z.enum([ export type SortFieldEnum = typeof SortField.enum; export const SortFieldEnum = SortField.enum; +/** + * A list of agent IDs. Max of 50. + */ export type AgentIds = z.infer; export const AgentIds = z.union([z.array(z.string().min(1)).min(1).max(50), z.string().min(1)]); @@ -115,6 +118,9 @@ export const Command = z.enum([ export type CommandEnum = typeof Command.enum; export const CommandEnum = Command.enum; +/** + * A list of response action command names. + */ export type Commands = z.infer; export const Commands = z.array(Command); @@ -133,13 +139,13 @@ export type Statuses = z.infer; export const Statuses = z.array(Status); /** - * User IDs + * A list of user IDs. */ export type UserIds = z.infer; export const UserIds = z.union([z.array(z.string().min(1)).min(1), z.string().min(1)]); /** - * Shows detailed outputs for an action response + * A list of action IDs that should include the complete output of the action. */ export type WithOutputs = z.infer; export const WithOutputs = z.union([z.array(z.string().min(1)).min(1), z.string().min(1)]); 
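Review bot: `EndDate` is documented as `An end date in ISO format or Date Math format.` while `StartDate` says `ISO 8601 format`; align them (`An end date in ISO 8601 format or Date Math format.`), and since both comments are generated from common.schema.yaml the fix belongs in the `description` there. `AgentIds` states `Max of 50.`, which is true only for the array branch of the union — the single-string branch has no cap — so `A list of agent IDs (max 50), or a single agent ID.` would be more accurate.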
@@ -183,7 +189,7 @@ export type Parameters = z.infer; export const Parameters = z.object({}); /** - * The host agent type (optional). Defaults to endpoint. + * List of agent types to retrieve. Defaults to `endpoint`. */ export type AgentTypes = z.infer; export const AgentTypes = z.enum([ @@ -210,16 +216,6 @@ export const NoParametersRequestSchema = z.object({ body: BaseActionSchema, }); -export type Pid = z.infer; -export const Pid = z.object({ - pid: z.number().int().min(1).optional(), -}); - -export type EntityId = z.infer; -export const EntityId = z.object({ - entity_id: z.string().min(1).optional(), -}); - export type ProtectionUpdatesNoteResponse = z.infer; export const ProtectionUpdatesNoteResponse = z.object({ note: z.string().optional(), diff --git a/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/model/schema/common.schema.yaml b/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/model/schema/common.schema.yaml index 457fa19f26478..324efce4960db 100644 --- a/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/model/schema/common.schema.yaml +++ b/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/model/schema/common.schema.yaml @@ -25,10 +25,12 @@ components: example: 10 StartDate: type: string - description: Start date + description: A start date in ISO 8601 format or Date Math format. + example: "2023-10-31T00:00:00.000Z" EndDate: type: string - description: End date + description: An end date in ISO format or Date Math format. + example: "2023-10-31T23:59:59.999Z" AgentId: type: string description: Agent ID @@ -80,6 +82,8 @@ components: maxItems: 50 - type: string minLength: 1 + description: A list of agent IDs. Max of 50. + example: [ "agent-id-1", "agent-id-2" ] minLength: 1 Command: 
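Review bot: `AgentTypes` is now described as "List of agent types to retrieve. Defaults to `endpoint`." but the schema is `z.enum([...])` — a single string, not a list — and common.schema.yaml likewise declares `type: string` with an `enum`; either the description should read `The agent type to retrieve` or the schema should become an array of the enum. The "Defaults to endpoint" claim is not backed by a `default` in either the zod schema or the YAML, so it is presumably a route-handler behaviour; if so, say "the route defaults to endpoint when omitted" rather than implying a schema default. Removing `Pid` and `EntityId` is consistent with their inlining in kill_process/suspend_process, but any other importer outside this commit will break; worth a grep before merge.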
@@ -99,6 +103,8 @@ components: Commands: type: array + description: A list of response action command names. + example: [ "isolate", "unisolate" ] items: $ref: '#/components/schemas/Command' @@ -130,7 +136,8 @@ components: minItems: 1 - type: string minLength: 1 - description: User IDs + description: A list of user IDs. + example: [ "user-id-1", "user-id-2" ] WithOutputs: oneOf: @@ -141,7 +148,8 @@ components: minItems: 1 - type: string minLength: 1 - description: Shows detailed outputs for an action response + description: A list of action IDs that should include the complete output of the action. + example: [ "action-id-1", "action-id-2" ] Type: type: string @@ -153,6 +161,7 @@ components: Types: type: array description: List of types of response actions + example: [ "automated", "manual" ] items: $ref: '#/components/schemas/Type' minLength: 1 @@ -160,27 +169,35 @@ components: EndpointIds: type: array + description: List of endpoint IDs (cannot contain empty strings) + example: [ "endpoint-id-1", "endpoint-id-2" ] items: type: string minLength: 1 minItems: 1 - description: List of endpoint IDs (cannot contain empty strings) + CaseIds: type: array + description: Case IDs to be updated (cannot contain empty strings) + example: [ "case-id-1", "case-id-2" ] items: type: string minLength: 1 minItems: 1 - description: Case IDs to be updated (cannot contain empty strings) + Comment: type: string description: Optional comment + example: "This is a comment" + Parameters: type: object description: Optional parameters object + AgentTypes: type: string - description: The host agent type (optional). Defaults to endpoint. + description: List of agent types to retrieve. Defaults to `endpoint`. + example: endpoint enum: - endpoint - sentinel_one 
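Review bot: `Types` gains `example: [ "automated", "manual" ]` but still carries `minLength: 1` on an array type; `minLength` applies to strings and is silently ignored by validators, so the intended constraint is `minItems: 1`. The same `minLength: 1` sits at the `oneOf` level of `AgentIds` in the hunk above, where it applies to neither branch. Whether `automated` and `manual` are members of the `Type` enum is not visible here — worth confirming so the example validates against its schema.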
@@ -214,20 +231,6 @@ components: body: $ref: '#/components/schemas/BaseActionSchema' - Pid: - type: object - properties: - pid: - type: integer - minimum: 1 - - EntityId: - type: object - properties: - entity_id: - type: string - minLength: 1 - ProtectionUpdatesNoteResponse: type: object properties: diff --git a/x-pack/solutions/security/plugins/security_solution/common/api/quickstart_client.gen.ts b/x-pack/solutions/security/plugins/security_solution/common/api/quickstart_client.gen.ts index 67e4ca160e32d..647175f45e5c5 100644 --- a/x-pack/solutions/security/plugins/security_solution/common/api/quickstart_client.gen.ts +++ b/x-pack/solutions/security/plugins/security_solution/common/api/quickstart_client.gen.ts @@ -180,10 +180,7 @@ import type { EndpointUnisolateActionRequestBodyInput, EndpointUnisolateActionResponse, } from './endpoint/actions/response_actions/unisolate/unisolate.gen'; -import type { - EndpointUploadActionRequestBodyInput, - EndpointUploadActionResponse, -} from './endpoint/actions/response_actions/upload/upload.gen'; +import type { EndpointUploadActionResponse } from './endpoint/actions/response_actions/upload/upload.gen'; import type { EndpointGetActionsStateResponse } from './endpoint/actions/state/state.gen'; import type { EndpointGetActionsStatusRequestQueryInput, @@ -1126,7 +1123,7 @@ If a record already exists for the specified entity, that record is overwritten [ELASTIC_HTTP_VERSION_HEADER]: '2023-10-31', }, method: 'POST', - body: props.body, + body: props.attachment, }) .catch(catchAxiosErrorFormatAndThrow); } @@ -2433,7 +2430,7 @@ export interface EndpointUnisolateActionProps { body: EndpointUnisolateActionRequestBodyInput; } export interface EndpointUploadActionProps { - body: EndpointUploadActionRequestBodyInput; + attachment: FormData; } export interface ExportRulesProps { query: ExportRulesRequestQueryInput; 
diff --git a/x-pack/solutions/security/plugins/security_solution/docs/openapi/ess/security_solution_endpoint_management_api_2023_10_31.bundled.schema.yaml b/x-pack/solutions/security/plugins/security_solution/docs/openapi/ess/security_solution_endpoint_management_api_2023_10_31.bundled.schema.yaml index ddf92f9b0dec3..a69547c512a83 100644 --- a/x-pack/solutions/security/plugins/security_solution/docs/openapi/ess/security_solution_endpoint_management_api_2023_10_31.bundled.schema.yaml +++ b/x-pack/solutions/security/plugins/security_solution/docs/openapi/ess/security_solution_endpoint_management_api_2023_10_31.bundled.schema.yaml @@ -17,16 +17,61 @@ paths: operationId: EndpointGetActionsList parameters: - in: query - name: query - required: true + name: page + required: false + schema: + $ref: '#/components/schemas/Page' + - in: query + name: pageSize + required: false schema: - $ref: '#/components/schemas/GetEndpointActionListRouteQuery' + $ref: '#/components/schemas/PageSize' + - in: query + name: commands + required: false + schema: + $ref: '#/components/schemas/Commands' + - in: query + name: agentIds + required: false + schema: + $ref: '#/components/schemas/AgentIds' + - in: query + name: userIds + required: false + schema: + $ref: '#/components/schemas/UserIds' + - in: query + name: startDate + required: false + schema: + $ref: '#/components/schemas/StartDate' + - in: query + name: endDate + required: false + schema: + $ref: '#/components/schemas/EndDate' + - in: query + name: agentTypes + required: false + schema: + $ref: '#/components/schemas/AgentTypes' + - in: query + name: withOutputs + required: false + schema: + $ref: '#/components/schemas/WithOutputs' + - in: query + name: types + required: false + schema: + $ref: '#/components/schemas/Types' responses: '200': content: application/json: schema: - $ref: '#/components/schemas/SuccessResponse' + $ref: '#/components/schemas/GetEndpointActionListResponse' description: OK summary: Get response actions tags: 
@@ -63,13 +108,15 @@ paths: name: action_id required: true schema: + description: The ID of the action to retrieve. + example: fr518850-681a-4y60-aa98-e22640cae2b8 type: string responses: '200': content: application/json: schema: - $ref: '#/components/schemas/SuccessResponse' + $ref: '#/components/schemas/GetEndpointActionResponse' description: OK summary: Get action details tags: @@ -139,7 +186,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/SuccessResponse' + $ref: '#/components/schemas/ExecuteRouteResponse' description: OK summary: Run a command tags: @@ -159,7 +206,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/SuccessResponse' + $ref: '#/components/schemas/GetFileRouteResponse' description: OK summary: Get a file tags: 
@@ -173,15 +220,55 @@ paths: requestBody: content: application/json: + examples: + multiple_endpoints: + summary: Isolates several hosts; includes a comment + value: + comment: Locked down, pending further investigation + endpoint_ids: + - 9972d10e-4b9e-41aa-a534-a85e2a28ea42 + - bc0e4f0c-3bca-4633-9fee-156c0b505d16 + - fa89271b-b9d4-43f2-a684-307cffddeb5a + single_endpoint: + summary: >- + Isolates a single host with an endpoint_id value of + ed518850-681a-4d60-bb98-e22640cae2a8 + value: + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + with_case_id: + summary: Isolates a single host with a case_id value of 1234 + value: + case_ids: + - 4976be38-c134-4554-bd5e-0fd89ce63667 + comment: Isolating as initial response + endpoint_ids: + - 1aa1f8fd-0fb0-4fe4-8c30-92068272d3f0 + - b30a11bf-1395-4707-b508-fbb45ef9793e schema: - $ref: '#/components/schemas/IsolateRouteRequestBody' + type: object + properties: + agent_type: + $ref: '#/components/schemas/AgentTypes' + alert_ids: + $ref: '#/components/schemas/AlertIds' + case_ids: + $ref: '#/components/schemas/CaseIds' + comment: + $ref: '#/components/schemas/Comment' + endpoint_ids: + $ref: '#/components/schemas/EndpointIds' + parameters: + $ref: '#/components/schemas/Parameters' + required: + - endpoint_ids required: true responses: '200': content: application/json: schema: - $ref: '#/components/schemas/SuccessResponse' + $ref: '#/components/schemas/IsolateRouteResponse' description: OK summary: Isolate an endpoint tags: @@ -201,7 +288,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/SuccessResponse' + $ref: '#/components/schemas/KillProcessRouteResponse' description: OK summary: Terminate a process tags: @@ -221,7 +308,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/SuccessResponse' + $ref: '#/components/schemas/GetProcessesRouteResponse' description: OK summary: Get running processes tags: 
@@ -261,7 +348,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/SuccessResponse' + $ref: '#/components/schemas/ScanRouteResponse' description: OK summary: Scan a file or directory tags: @@ -297,7 +384,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/SuccessResponse' + $ref: '#/components/schemas/SuspendProcessRouteResponse' description: OK summary: Suspend a process tags: @@ -309,15 +396,55 @@ paths: requestBody: content: application/json: + examples: + multipleHosts: + summary: 'Releases several hosts; includes a comment:' + value: + comment: Benign process identified, releasing group + endpoint_ids: + - 9972d10e-4b9e-41aa-a534-a85e2a28ea42 + - bc0e4f0c-3bca-4633-9fee-156c0b505d16 + - fa89271b-b9d4-43f2-a684-307cffddeb5a + singleHost: + summary: >- + Releases a single host with an endpoint_id value of + ed518850-681a-4d60-bb98-e22640cae2a8 + value: + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + withCaseId: + summary: Releases hosts with an associated case; includes a comment. + value: + case_ids: + - 4976be38-c134-4554-bd5e-0fd89ce63667 + comment: Remediation complete, restoring network + endpoint_ids: + - 1aa1f8fd-0fb0-4fe4-8c30-92068272d3f0 + - b30a11bf-1395-4707-b508-fbb45ef9793e schema: - $ref: '#/components/schemas/UnisolateRouteRequestBody' + type: object + properties: + agent_type: + $ref: '#/components/schemas/AgentTypes' + alert_ids: + $ref: '#/components/schemas/AlertIds' + case_ids: + $ref: '#/components/schemas/CaseIds' + comment: + $ref: '#/components/schemas/Comment' + endpoint_ids: + $ref: '#/components/schemas/EndpointIds' + parameters: + $ref: '#/components/schemas/Parameters' + required: + - endpoint_ids required: true responses: '200': content: application/json: schema: - $ref: '#/components/schemas/SuccessResponse' + $ref: '#/components/schemas/UnisolateRouteResponse' description: OK summary: Release an isolated endpoint tags: 
@@ -328,7 +455,7 @@ paths: operationId: EndpointUploadAction requestBody: content: - application/json: + multipart/form-data: schema: $ref: '#/components/schemas/UploadRouteRequestBody' required: true @@ -337,7 +464,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/SuccessResponse' + $ref: '#/components/schemas/UploadRouteResponse' description: OK summary: Upload a file tags: @@ -515,6 +642,10 @@ components: description: Agent ID type: string AgentIds: + description: A list of agent IDs. Max of 50. + example: + - agent-id-1 + - agent-id-2 minLength: 1 oneOf: - items: @@ -526,12 +657,13 @@ components: - minLength: 1 type: string AgentTypes: - description: The host agent type (optional). Defaults to endpoint. + description: List of agent types to retrieve. Defaults to `endpoint`. enum: - endpoint - sentinel_one - crowdstrike - microsoft_defender_endpoint + example: endpoint type: string AlertIds: description: A list of alerts `id`s. @@ -543,6 +675,9 @@ components: type: array CaseIds: description: Case IDs to be updated (cannot contain empty strings) + example: + - case-id-1 + - case-id-2 items: minLength: 1 type: string @@ -580,17 +715,26 @@ components: minLength: 1 type: string Commands: + description: A list of response action command names. + example: + - isolate + - unisolate items: $ref: '#/components/schemas/Command' type: array Comment: description: Optional comment + example: This is a comment type: string EndDate: - description: End date + description: An end date in ISO format or Date Math format. + example: '2023-10-31T23:59:59.999Z' type: string EndpointIds: description: List of endpoint IDs (cannot contain empty strings) + example: + - endpoint-id-1 + - endpoint-id-2 items: minLength: 1 type: string @@ -684,12 +828,6 @@ components: revision: 2 type: object properties: {} - EntityId: - type: object - properties: - entity_id: - minLength: 1 - type: string ExecuteRouteRequestBody: allOf: - type: object 
@@ -721,33 +859,128 @@ components: - command required: - parameters - GetEndpointActionListRouteQuery: + example: + comment: Get list of all files + endpoint_ids: + - b3d6de74-36b0-4fa8-be46-c375bf1771bf + parameters: + command: ls -al + timeout: 600 + ExecuteRouteResponse: + example: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: endpoint + command: execute + comment: Get list of all files + createdBy: myuser + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: gke-endpoint-gke-clu-endpoint-node-po-e1a3ab89-4c4r + id: 9f934028-2300-4927-b531-b26376793dc4 + isCompleted: false + isExpired: false + outputs: {} + parameters: + command: ls -al + timeout: 600 + startedAt: '2023-07-28T18:43:27.362Z' + status: pending + wasSuccessful: false type: object - properties: - agentIds: - $ref: '#/components/schemas/AgentIds' - agentTypes: - $ref: '#/components/schemas/AgentTypes' - commands: - $ref: '#/components/schemas/Commands' - endDate: - $ref: '#/components/schemas/EndDate' - page: - $ref: '#/components/schemas/Page' - pageSize: - default: 10 - description: Number of items per page - maximum: 10000 - minimum: 1 - type: integer - startDate: - $ref: '#/components/schemas/StartDate' - types: - $ref: '#/components/schemas/Types' - userIds: - $ref: '#/components/schemas/UserIds' - withOutputs: - $ref: '#/components/schemas/WithOutputs' + properties: {} + GetEndpointActionListResponse: + example: + data: + - agents: + - afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0 + agentType: endpoint + command: running-processes + completedAt: '2022-08-08T09:50:47.672Z' + createdBy: elastic + id: b3d6de74-36b0-4fa8-be46-c375bf1771bf + isCompleted: true + isExpired: false + startedAt: '2022-08-08T15:24:57.402Z' + wasSuccessful: true + - agents: + - afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0 + agentType: endpoint + command: isolate + completedAt: '2022-08-08T10:41:57.352Z' + 
createdBy: elastic + id: 43b4098b-8752-4fbb-a7a7-6df7c74d0ee3 + isCompleted: true + isExpired: false + startedAt: '2022-08-08T15:23:37.359Z' + wasSuccessful: true + - agents: + - afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0 + agentType: endpoint + command: kill-process + comment: bad process - taking up too much cpu + completedAt: '2022-08-08T09:44:50.952Z' + createdBy: elastic + id: 5bc92c86-b8e6-42dd-837f-12ad29e09caa + isCompleted: true + isExpired: false + startedAt: '2022-08-08T14:38:44.125Z' + wasSuccessful: true + - agents: + - afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0 + agentType: endpoint + command: unisolate + comment: Not a threat to the network + completedAt: '2022-08-08T09:40:47.398Z' + createdBy: elastic + id: 790d54e0-3aa3-4e5b-8255-3ce9d851246a + isCompleted: true + isExpired: false + startedAt: '2022-08-08T14:38:15.391Z' + wasSuccessful: true + elasticAgentIds: + - afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0 + endDate: now + page: 1 + pageSize: 10 + startDate: now-24h/h + total: 4 + type: object + properties: {} + GetEndpointActionResponse: + example: + data: + agents: + - afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0 + agentType: endpoint + command: running-processes + completedAt: '2022-08-08T09:50:47.672Z' + createdBy: elastic + id: b3d6de74-36b0-4fa8-be46-c375bf1771bf + isCompleted: true + isExpired: false + outputs: + afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0: + content: + entries: + - command: /opt/cmd1 + entity_id: fk2ym7bl3oiu3okjcik0xosc0i0m75x3eh49nu3uaqt4dqanjt + pid: '822' + user: Dexter + - command: /opt/cmd3/opt/cmd3/opt/cmd3/opt/cmd3 + entity_id: pwvz91m48wpj9j7ov9gtw8fp7u2rat4eu5ipte37hnhdcbi2pt + pid: '984' + user: Jada + type: json + startedAt: '2022-08-08T15:24:57.402Z' + wasSuccessful: true + type: object + properties: {} GetFileRouteRequestBody: allOf: - type: object 
@@ -777,7 +1010,42 @@ components: - path required: - parameters + example: + comment: Get my file + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + path: /usr/my-file.txt + GetFileRouteResponse: + example: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: endpoint + command: get-file + createdBy: myuser + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: gke-endpoint-gke-clu-endpoint-node-po-e1a3ab89-4c4r + id: 27ba1b42-7cc6-4e53-86ce-675c876092b2 + isCompleted: false + isExpired: false + outputs: {} + parameters: + path: /usr/my-file.txt + startedAt: '2023-07-28T19:00:03.911Z' + status: pending + wasSuccessful: false + type: object + properties: {} GetProcessesRouteRequestBody: + example: + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 type: object properties: agent_type: @@ -794,6 +1062,30 @@ components: $ref: '#/components/schemas/Parameters' required: - endpoint_ids + GetProcessesRouteResponse: + example: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentType: endpoint + command: running-processes + comment: '' + completedAt: '2022-07-29T19:09:44.961Z' + createdBy: myuser + errors: [] + id: 233db9ea-6733-4849-9226-5a7039c7161d + isCompleted: true + isExpired: false + outputs: + ed518850-681a-4d60-bb98-e22640cae2a8: + content: + key: value + type: json + parameters: {} + startedAt: '2022-07-29T19:08:49.126Z' + wasSuccessful: true + type: object + properties: {} HostPathScriptParameters: type: object properties: 
@@ -825,23 +1117,32 @@ components: - unenrolled type: string type: array - IsolateRouteRequestBody: + IsolateRouteResponse: + example: + action: 233db9ea-6733-4849-9226-5a7039c7161d + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentType: endpoint + command: suspend-process + comment: suspend the process + completedAt: '2022-07-29T19:09:44.961Z' + createdBy: myuser + errors: [] + id: 233db9ea-6733-4849-9226-5a7039c7161d + isCompleted: true + isExpired: false + outputs: + ed518850-681a-4d60-bb98-e22640cae2a8: + content: + key: value + type: json + parameters: + entity_id: abc123 + startedAt: '2022-07-29T19:08:49.126Z' + wasSuccessful: true type: object - properties: - agent_type: - $ref: '#/components/schemas/AgentTypes' - alert_ids: - $ref: '#/components/schemas/AlertIds' - case_ids: - $ref: '#/components/schemas/CaseIds' - comment: - $ref: '#/components/schemas/Comment' - endpoint_ids: - $ref: '#/components/schemas/EndpointIds' - parameters: - $ref: '#/components/schemas/Parameters' - required: - - endpoint_ids + properties: {} KillProcessRouteRequestBody: allOf: - type: object 
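Review bot: The IsolateRouteResponse example added in this hunk is a copy of the suspend-process response (`command: suspend-process`, `comment: suspend the process`, `parameters: entity_id: abc123`), so a reader of the isolate endpoint documentation sees an action record that this route does not produce; the UnisolateRouteResponse example in the `@@ -1235,28 +1654,40 @@` hunk carries the same copied content. An accurate example would use `command: isolate` (and `unisolate` for the release route), a matching comment, and no `entity_id` parameter. As these bundled files appear to be build output, the correction belongs in the source spec they are generated from.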
@@ -864,16 +1165,62 @@ components: properties: parameters: oneOf: - - $ref: '#/components/schemas/Pid' - - $ref: '#/components/schemas/EntityId' + - type: object + properties: + pid: + description: The process ID (PID) of the process to terminate. + example: 123 + minimum: 1 + type: integer + - type: object + properties: + entity_id: + description: The entity ID of the process to terminate. + example: abc123 + minLength: 1 + type: string - type: object properties: process_name: - description: Valid for SentinelOne agent type only + description: >- + The name of the process to terminate. Valid for + SentinelOne agent type only. + example: Elastic minLength: 1 type: string required: - parameters + example: + comment: terminate the process + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + entity_id: abc123 + KillProcessRouteResponse: + example: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentType: endpoint + command: kill-process + comment: terminate the process + completedAt: '2022-07-29T19:09:44.961Z' + createdBy: myuser + errors: [] + id: 233db9ea-6733-4849-9226-5a7039c7161d + isCompleted: true + isExpired: false + outputs: + ed518850-681a-4d60-bb98-e22640cae2a8: + content: + key: value + type: json + parameters: + entity_id: abc123 + startedAt: '2022-07-29T19:08:49.126Z' + wasSuccessful: true + type: object + properties: {} Kuery: description: A KQL string. example: 'united.endpoint.host.os.name : ''Windows''' @@ -1100,12 +1447,6 @@ components: $ref: '#/components/schemas/PendingActionDataType' - additionalProperties: true type: object - Pid: - type: object - properties: - pid: - minimum: 1 - type: integer ProtectionUpdatesNoteResponse: type: object properties: 
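Review bot: The inlined `parameters` alternatives in KillProcessRouteRequestBody are `oneOf` branches whose only property is optional and which do not restrict additional properties, so a body such as `{"pid": 123}` satisfies every branch and `{}` satisfies all of them too; under exactly-one `oneOf` semantics a strict validator rejects every input, while a lenient one would accept an empty `parameters` for a process-termination request (whether the runtime zod schema enforces more is not visible here). Adding `required: [pid]`, `required: [entity_id]` and `required: [process_name]` to the respective branches makes the alternatives mutually exclusive; the same shape appears in SuspendProcessRouteRequestBody in the `@@ -1219,10 +1595,53 @@` hunk. The removed Pid and EntityId components lacked the `required` keys as well, so this is pre-existing, but inlining them is the natural point to fix it, and since these are bundled outputs the change belongs in the source spec.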
@@ -1165,11 +1506,45 @@ components: type: object properties: path: + description: The folder or file’s full path (including the file name). + example: /usr/my-file.txt type: string required: - path required: - parameters + example: + comment: Scan the file for malware + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + path: /usr/my-file.txt + ScanRouteResponse: + example: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: endpoint + command: scan + createdBy: myuser + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: gke-endpoint-gke-clu-endpoint-node-po-e1a3ab89-4c4r + id: 27ba1b42-7cc6-4e53-86ce-675c876092b2 + isCompleted: false + isExpired: false + outputs: {} + parameters: + path: /usr/my-file.txt + startedAt: '2023-07-28T19:00:03.911Z' + status: pending + wasSuccessful: false + type: object + properties: {} SortDirection: description: Determines the sort order. enum: @@ -1192,7 +1567,8 @@ components: example: enrolled_at type: string StartDate: - description: Start date + description: A start date in ISO 8601 format or Date Math format. + example: '2023-10-31T00:00:00.000Z' type: string SuccessResponse: type: object 
@@ -1219,10 +1595,53 @@ components: properties: parameters: oneOf: - - $ref: '#/components/schemas/Pid' - - $ref: '#/components/schemas/EntityId' + - type: object + properties: + pid: + description: The process ID (PID) of the process to suspend. + example: 123 + minimum: 1 + type: integer + - type: object + properties: + entity_id: + description: The entity ID of the process to suspend. + example: abc123 + minLength: 1 + type: string required: - parameters + example: + comment: suspend the process + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + entity_id: abc123 + SuspendProcessRouteResponse: + example: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentType: endpoint + command: suspend-process + comment: suspend the process + completedAt: '2022-07-29T19:09:44.961Z' + createdBy: myuser + errors: [] + id: 233db9ea-6733-4849-9226-5a7039c7161d + isCompleted: true + isExpired: false + outputs: + ed518850-681a-4d60-bb98-e22640cae2a8: + content: + key: value + type: json + parameters: + entity_id: abc123 + startedAt: '2022-07-29T19:08:49.126Z' + wasSuccessful: true + type: object + properties: {} Timeout: description: The maximum timeout value in milliseconds (optional) minimum: 1 
@@ -1235,28 +1654,40 @@ components: type: string Types: description: List of types of response actions + example: + - automated + - manual items: $ref: '#/components/schemas/Type' maxLength: 2 minLength: 1 type: array - UnisolateRouteRequestBody: + UnisolateRouteResponse: + example: + action: 233db9ea-6733-4849-9226-5a7039c7161d + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentType: endpoint + command: suspend-process + comment: suspend the process + completedAt: '2022-07-29T19:09:44.961Z' + createdBy: myuser + errors: [] + id: 233db9ea-6733-4849-9226-5a7039c7161d + isCompleted: true + isExpired: false + outputs: + ed518850-681a-4d60-bb98-e22640cae2a8: + content: + key: value + type: json + parameters: + entity_id: abc123 + startedAt: '2022-07-29T19:08:49.126Z' + wasSuccessful: true type: object - properties: - agent_type: - $ref: '#/components/schemas/AgentTypes' - alert_ids: - $ref: '#/components/schemas/AlertIds' - case_ids: - $ref: '#/components/schemas/CaseIds' - comment: - $ref: '#/components/schemas/Comment' - endpoint_ids: - $ref: '#/components/schemas/EndpointIds' - parameters: - $ref: '#/components/schemas/Parameters' - required: - - endpoint_ids + properties: {} UploadRouteRequestBody: allOf: - type: object @@ -1278,6 +1709,8 @@ components: - type: object properties: file: + description: The binary content of the file. + example: RWxhc3RpYw== format: binary type: string parameters: 
@@ -1285,12 +1718,51 @@ components: properties: overwrite: default: false + description: Overwrite the file on the host if it already exists. + example: false type: boolean required: - parameters - file + example: + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + file: RWxhc3RpYw== + parameters: {} + UploadRouteResponse: + example: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: endpoint + command: upload + createdBy: elastic + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: Host-5i6cuc8kdv + id: 9ff6aebc-2cb6-481e-8869-9b30036c9731 + isCompleted: false + isExpired: false + outputs: {} + parameters: + file_id: 10e4ce3d-4abb-4f93-a0cd-eaf63a489280 + file_name: fix-malware.sh + file_sha256: a0bed94220193ba4895c0aa5b4e7e293381d15765cb164ddf7be5cdd010ae42a + file_size: 69 + startedAt: '2023-07-03T15:07:22.837Z' + status: pending + wasSuccessful: false + type: object + properties: {} UserIds: - description: User IDs + description: A list of user IDs. + example: + - user-id-1 + - user-id-2 oneOf: - items: minLength: 1 @@ -1300,7 +1772,12 @@ components: - minLength: 1 type: string WithOutputs: - description: Shows detailed outputs for an action response + description: >- + A list of action IDs that should include the complete output of the + action. + example: + - action-id-1 + - action-id-2 oneOf: - items: minLength: 1 diff --git a/x-pack/solutions/security/plugins/security_solution/docs/openapi/serverless/security_solution_endpoint_management_api_2023_10_31.bundled.schema.yaml b/x-pack/solutions/security/plugins/security_solution/docs/openapi/serverless/security_solution_endpoint_management_api_2023_10_31.bundled.schema.yaml index da3bc79dd1ecd..615f61f86970a 100644 --- a/x-pack/solutions/security/plugins/security_solution/docs/openapi/serverless/security_solution_endpoint_management_api_2023_10_31.bundled.schema.yaml 
+++ b/x-pack/solutions/security/plugins/security_solution/docs/openapi/serverless/security_solution_endpoint_management_api_2023_10_31.bundled.schema.yaml @@ -17,16 +17,61 @@ paths: operationId: EndpointGetActionsList parameters: - in: query - name: query - required: true + name: page + required: false + schema: + $ref: '#/components/schemas/Page' + - in: query + name: pageSize + required: false schema: - $ref: '#/components/schemas/GetEndpointActionListRouteQuery' + $ref: '#/components/schemas/PageSize' + - in: query + name: commands + required: false + schema: + $ref: '#/components/schemas/Commands' + - in: query + name: agentIds + required: false + schema: + $ref: '#/components/schemas/AgentIds' + - in: query + name: userIds + required: false + schema: + $ref: '#/components/schemas/UserIds' + - in: query + name: startDate + required: false + schema: + $ref: '#/components/schemas/StartDate' + - in: query + name: endDate + required: false + schema: + $ref: '#/components/schemas/EndDate' + - in: query + name: agentTypes + required: false + schema: + $ref: '#/components/schemas/AgentTypes' + - in: query + name: withOutputs + required: false + schema: + $ref: '#/components/schemas/WithOutputs' + - in: query + name: types + required: false + schema: + $ref: '#/components/schemas/Types' responses: '200': content: application/json: schema: - $ref: '#/components/schemas/SuccessResponse' + $ref: '#/components/schemas/GetEndpointActionListResponse' description: OK summary: Get response actions tags: @@ -63,13 +108,15 @@ paths: name: action_id required: true schema: + description: The ID of the action to retrieve. + example: fr518850-681a-4y60-aa98-e22640cae2b8 type: string responses: '200': content: application/json: schema: - $ref: '#/components/schemas/SuccessResponse' + $ref: '#/components/schemas/GetEndpointActionResponse' description: OK summary: Get action details tags: 
@@ -139,7 +186,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/SuccessResponse' + $ref: '#/components/schemas/ExecuteRouteResponse' description: OK summary: Run a command tags: @@ -159,7 +206,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/SuccessResponse' + $ref: '#/components/schemas/GetFileRouteResponse' description: OK summary: Get a file tags: @@ -173,15 +220,55 @@ paths: requestBody: content: application/json: + examples: + multiple_endpoints: + summary: Isolates several hosts; includes a comment + value: + comment: Locked down, pending further investigation + endpoint_ids: + - 9972d10e-4b9e-41aa-a534-a85e2a28ea42 + - bc0e4f0c-3bca-4633-9fee-156c0b505d16 + - fa89271b-b9d4-43f2-a684-307cffddeb5a + single_endpoint: + summary: >- + Isolates a single host with an endpoint_id value of + ed518850-681a-4d60-bb98-e22640cae2a8 + value: + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + with_case_id: + summary: Isolates a single host with a case_id value of 1234 + value: + case_ids: + - 4976be38-c134-4554-bd5e-0fd89ce63667 + comment: Isolating as initial response + endpoint_ids: + - 1aa1f8fd-0fb0-4fe4-8c30-92068272d3f0 + - b30a11bf-1395-4707-b508-fbb45ef9793e schema: - $ref: '#/components/schemas/IsolateRouteRequestBody' + type: object + properties: + agent_type: + $ref: '#/components/schemas/AgentTypes' + alert_ids: + $ref: '#/components/schemas/AlertIds' + case_ids: + $ref: '#/components/schemas/CaseIds' + comment: + $ref: '#/components/schemas/Comment' + endpoint_ids: + $ref: '#/components/schemas/EndpointIds' + parameters: + $ref: '#/components/schemas/Parameters' + required: + - endpoint_ids required: true responses: '200': content: application/json: schema: - $ref: '#/components/schemas/SuccessResponse' + $ref: '#/components/schemas/IsolateRouteResponse' description: OK summary: Isolate an endpoint tags: 
@@ -201,7 +288,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/SuccessResponse' + $ref: '#/components/schemas/KillProcessRouteResponse' description: OK summary: Terminate a process tags: @@ -221,7 +308,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/SuccessResponse' + $ref: '#/components/schemas/GetProcessesRouteResponse' description: OK summary: Get running processes tags: @@ -261,7 +348,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/SuccessResponse' + $ref: '#/components/schemas/ScanRouteResponse' description: OK summary: Scan a file or directory tags: @@ -297,7 +384,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/SuccessResponse' + $ref: '#/components/schemas/SuspendProcessRouteResponse' description: OK summary: Suspend a process tags: 
@@ -309,15 +396,55 @@ paths: requestBody: content: application/json: + examples: + multipleHosts: + summary: 'Releases several hosts; includes a comment:' + value: + comment: Benign process identified, releasing group + endpoint_ids: + - 9972d10e-4b9e-41aa-a534-a85e2a28ea42 + - bc0e4f0c-3bca-4633-9fee-156c0b505d16 + - fa89271b-b9d4-43f2-a684-307cffddeb5a + singleHost: + summary: >- + Releases a single host with an endpoint_id value of + ed518850-681a-4d60-bb98-e22640cae2a8 + value: + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + withCaseId: + summary: Releases hosts with an associated case; includes a comment. + value: + case_ids: + - 4976be38-c134-4554-bd5e-0fd89ce63667 + comment: Remediation complete, restoring network + endpoint_ids: + - 1aa1f8fd-0fb0-4fe4-8c30-92068272d3f0 + - b30a11bf-1395-4707-b508-fbb45ef9793e schema: - $ref: '#/components/schemas/UnisolateRouteRequestBody' + type: object + properties: + agent_type: + $ref: '#/components/schemas/AgentTypes' + alert_ids: + $ref: '#/components/schemas/AlertIds' + case_ids: + $ref: '#/components/schemas/CaseIds' + comment: + $ref: '#/components/schemas/Comment' + endpoint_ids: + $ref: '#/components/schemas/EndpointIds' + parameters: + $ref: '#/components/schemas/Parameters' + required: + - endpoint_ids required: true responses: '200': content: application/json: schema: - $ref: '#/components/schemas/SuccessResponse' + $ref: '#/components/schemas/UnisolateRouteResponse' description: OK summary: Release an isolated endpoint tags: @@ -328,7 +455,7 @@ paths: operationId: EndpointUploadAction requestBody: content: - application/json: + multipart/form-data: schema: $ref: '#/components/schemas/UploadRouteRequestBody' required: true @@ -337,7 +464,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/SuccessResponse' + $ref: '#/components/schemas/UploadRouteResponse' description: OK summary: Upload a file tags: 
@@ -515,6 +642,10 @@ components: description: Agent ID type: string AgentIds: + description: A list of agent IDs. Max of 50. + example: + - agent-id-1 + - agent-id-2 minLength: 1 oneOf: - items: @@ -526,12 +657,13 @@ components: - minLength: 1 type: string AgentTypes: - description: The host agent type (optional). Defaults to endpoint. + description: List of agent types to retrieve. Defaults to `endpoint`. enum: - endpoint - sentinel_one - crowdstrike - microsoft_defender_endpoint + example: endpoint type: string AlertIds: description: A list of alerts `id`s. @@ -543,6 +675,9 @@ components: type: array CaseIds: description: Case IDs to be updated (cannot contain empty strings) + example: + - case-id-1 + - case-id-2 items: minLength: 1 type: string @@ -580,17 +715,26 @@ components: minLength: 1 type: string Commands: + description: A list of response action command names. + example: + - isolate + - unisolate items: $ref: '#/components/schemas/Command' type: array Comment: description: Optional comment + example: This is a comment type: string EndDate: - description: End date + description: An end date in ISO format or Date Math format. + example: '2023-10-31T23:59:59.999Z' type: string EndpointIds: description: List of endpoint IDs (cannot contain empty strings) + example: + - endpoint-id-1 + - endpoint-id-2 items: minLength: 1 type: string @@ -684,12 +828,6 @@ components: revision: 2 type: object properties: {} - EntityId: - type: object - properties: - entity_id: - minLength: 1 - type: string ExecuteRouteRequestBody: allOf: - type: object 
@@ -721,33 +859,128 @@ components: - command required: - parameters - GetEndpointActionListRouteQuery: + example: + comment: Get list of all files + endpoint_ids: + - b3d6de74-36b0-4fa8-be46-c375bf1771bf + parameters: + command: ls -al + timeout: 600 + ExecuteRouteResponse: + example: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: endpoint + command: execute + comment: Get list of all files + createdBy: myuser + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: gke-endpoint-gke-clu-endpoint-node-po-e1a3ab89-4c4r + id: 9f934028-2300-4927-b531-b26376793dc4 + isCompleted: false + isExpired: false + outputs: {} + parameters: + command: ls -al + timeout: 600 + startedAt: '2023-07-28T18:43:27.362Z' + status: pending + wasSuccessful: false type: object - properties: - agentIds: - $ref: '#/components/schemas/AgentIds' - agentTypes: - $ref: '#/components/schemas/AgentTypes' - commands: - $ref: '#/components/schemas/Commands' - endDate: - $ref: '#/components/schemas/EndDate' - page: - $ref: '#/components/schemas/Page' - pageSize: - default: 10 - description: Number of items per page - maximum: 10000 - minimum: 1 - type: integer - startDate: - $ref: '#/components/schemas/StartDate' - types: - $ref: '#/components/schemas/Types' - userIds: - $ref: '#/components/schemas/UserIds' - withOutputs: - $ref: '#/components/schemas/WithOutputs' + properties: {} + GetEndpointActionListResponse: + example: + data: + - agents: + - afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0 + agentType: endpoint + command: running-processes + completedAt: '2022-08-08T09:50:47.672Z' + createdBy: elastic + id: b3d6de74-36b0-4fa8-be46-c375bf1771bf + isCompleted: true + isExpired: false + startedAt: '2022-08-08T15:24:57.402Z' + wasSuccessful: true + - agents: + - afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0 + agentType: endpoint + command: isolate + completedAt: '2022-08-08T10:41:57.352Z' + 
createdBy: elastic + id: 43b4098b-8752-4fbb-a7a7-6df7c74d0ee3 + isCompleted: true + isExpired: false + startedAt: '2022-08-08T15:23:37.359Z' + wasSuccessful: true + - agents: + - afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0 + agentType: endpoint + command: kill-process + comment: bad process - taking up too much cpu + completedAt: '2022-08-08T09:44:50.952Z' + createdBy: elastic + id: 5bc92c86-b8e6-42dd-837f-12ad29e09caa + isCompleted: true + isExpired: false + startedAt: '2022-08-08T14:38:44.125Z' + wasSuccessful: true + - agents: + - afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0 + agentType: endpoint + command: unisolate + comment: Not a threat to the network + completedAt: '2022-08-08T09:40:47.398Z' + createdBy: elastic + id: 790d54e0-3aa3-4e5b-8255-3ce9d851246a + isCompleted: true + isExpired: false + startedAt: '2022-08-08T14:38:15.391Z' + wasSuccessful: true + elasticAgentIds: + - afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0 + endDate: now + page: 1 + pageSize: 10 + startDate: now-24h/h + total: 4 + type: object + properties: {} + GetEndpointActionResponse: + example: + data: + agents: + - afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0 + agentType: endpoint + command: running-processes + completedAt: '2022-08-08T09:50:47.672Z' + createdBy: elastic + id: b3d6de74-36b0-4fa8-be46-c375bf1771bf + isCompleted: true + isExpired: false + outputs: + afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0: + content: + entries: + - command: /opt/cmd1 + entity_id: fk2ym7bl3oiu3okjcik0xosc0i0m75x3eh49nu3uaqt4dqanjt + pid: '822' + user: Dexter + - command: /opt/cmd3/opt/cmd3/opt/cmd3/opt/cmd3 + entity_id: pwvz91m48wpj9j7ov9gtw8fp7u2rat4eu5ipte37hnhdcbi2pt + pid: '984' + user: Jada + type: json + startedAt: '2022-08-08T15:24:57.402Z' + wasSuccessful: true + type: object + properties: {} GetFileRouteRequestBody: allOf: - type: object 
@@ -777,7 +1010,42 @@ components: - path required: - parameters + example: + comment: Get my file + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + path: /usr/my-file.txt + GetFileRouteResponse: + example: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: endpoint + command: get-file + createdBy: myuser + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: gke-endpoint-gke-clu-endpoint-node-po-e1a3ab89-4c4r + id: 27ba1b42-7cc6-4e53-86ce-675c876092b2 + isCompleted: false + isExpired: false + outputs: {} + parameters: + path: /usr/my-file.txt + startedAt: '2023-07-28T19:00:03.911Z' + status: pending + wasSuccessful: false + type: object + properties: {} GetProcessesRouteRequestBody: + example: + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 type: object properties: agent_type: @@ -794,6 +1062,30 @@ components: $ref: '#/components/schemas/Parameters' required: - endpoint_ids + GetProcessesRouteResponse: + example: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentType: endpoint + command: running-processes + comment: '' + completedAt: '2022-07-29T19:09:44.961Z' + createdBy: myuser + errors: [] + id: 233db9ea-6733-4849-9226-5a7039c7161d + isCompleted: true + isExpired: false + outputs: + ed518850-681a-4d60-bb98-e22640cae2a8: + content: + key: value + type: json + parameters: {} + startedAt: '2022-07-29T19:08:49.126Z' + wasSuccessful: true + type: object + properties: {} HostPathScriptParameters: type: object properties: 
@@ -825,23 +1117,32 @@ components: - unenrolled type: string type: array - IsolateRouteRequestBody: + IsolateRouteResponse: + example: + action: 233db9ea-6733-4849-9226-5a7039c7161d + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentType: endpoint + command: suspend-process + comment: suspend the process + completedAt: '2022-07-29T19:09:44.961Z' + createdBy: myuser + errors: [] + id: 233db9ea-6733-4849-9226-5a7039c7161d + isCompleted: true + isExpired: false + outputs: + ed518850-681a-4d60-bb98-e22640cae2a8: + content: + key: value + type: json + parameters: + entity_id: abc123 + startedAt: '2022-07-29T19:08:49.126Z' + wasSuccessful: true type: object - properties: - agent_type: - $ref: '#/components/schemas/AgentTypes' - alert_ids: - $ref: '#/components/schemas/AlertIds' - case_ids: - $ref: '#/components/schemas/CaseIds' - comment: - $ref: '#/components/schemas/Comment' - endpoint_ids: - $ref: '#/components/schemas/EndpointIds' - parameters: - $ref: '#/components/schemas/Parameters' - required: - - endpoint_ids + properties: {} KillProcessRouteRequestBody: allOf: - type: object 
@@ -864,16 +1165,62 @@ components: properties: parameters: oneOf: - - $ref: '#/components/schemas/Pid' - - $ref: '#/components/schemas/EntityId' + - type: object + properties: + pid: + description: The process ID (PID) of the process to terminate. + example: 123 + minimum: 1 + type: integer + - type: object + properties: + entity_id: + description: The entity ID of the process to terminate. + example: abc123 + minLength: 1 + type: string - type: object properties: process_name: - description: Valid for SentinelOne agent type only + description: >- + The name of the process to terminate. Valid for + SentinelOne agent type only. + example: Elastic minLength: 1 type: string required: - parameters + example: + comment: terminate the process + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + entity_id: abc123 + KillProcessRouteResponse: + example: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentType: endpoint + command: kill-process + comment: terminate the process + completedAt: '2022-07-29T19:09:44.961Z' + createdBy: myuser + errors: [] + id: 233db9ea-6733-4849-9226-5a7039c7161d + isCompleted: true + isExpired: false + outputs: + ed518850-681a-4d60-bb98-e22640cae2a8: + content: + key: value + type: json + parameters: + entity_id: abc123 + startedAt: '2022-07-29T19:08:49.126Z' + wasSuccessful: true + type: object + properties: {} Kuery: description: A KQL string. example: 'united.endpoint.host.os.name : ''Windows''' @@ -1100,12 +1447,6 @@ components: $ref: '#/components/schemas/PendingActionDataType' - additionalProperties: true type: object - Pid: - type: object - properties: - pid: - minimum: 1 - type: integer ProtectionUpdatesNoteResponse: type: object properties: 
@@ -1165,11 +1506,45 @@ components: type: object properties: path: + description: The folder or file’s full path (including the file name). + example: /usr/my-file.txt type: string required: - path required: - parameters + example: + comment: Scan the file for malware + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + path: /usr/my-file.txt + ScanRouteResponse: + example: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: endpoint + command: scan + createdBy: myuser + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: gke-endpoint-gke-clu-endpoint-node-po-e1a3ab89-4c4r + id: 27ba1b42-7cc6-4e53-86ce-675c876092b2 + isCompleted: false + isExpired: false + outputs: {} + parameters: + path: /usr/my-file.txt + startedAt: '2023-07-28T19:00:03.911Z' + status: pending + wasSuccessful: false + type: object + properties: {} SortDirection: description: Determines the sort order. enum: @@ -1192,7 +1567,8 @@ components: example: enrolled_at type: string StartDate: - description: Start date + description: A start date in ISO 8601 format or Date Math format. + example: '2023-10-31T00:00:00.000Z' type: string SuccessResponse: type: object 
@@ -1219,10 +1595,53 @@ components: properties: parameters: oneOf: - - $ref: '#/components/schemas/Pid' - - $ref: '#/components/schemas/EntityId' + - type: object + properties: + pid: + description: The process ID (PID) of the process to suspend. + example: 123 + minimum: 1 + type: integer + - type: object + properties: + entity_id: + description: The entity ID of the process to suspend. + example: abc123 + minLength: 1 + type: string required: - parameters + example: + comment: suspend the process + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + entity_id: abc123 + SuspendProcessRouteResponse: + example: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentType: endpoint + command: suspend-process + comment: suspend the process + completedAt: '2022-07-29T19:09:44.961Z' + createdBy: myuser + errors: [] + id: 233db9ea-6733-4849-9226-5a7039c7161d + isCompleted: true + isExpired: false + outputs: + ed518850-681a-4d60-bb98-e22640cae2a8: + content: + key: value + type: json + parameters: + entity_id: abc123 + startedAt: '2022-07-29T19:08:49.126Z' + wasSuccessful: true + type: object + properties: {} Timeout: description: The maximum timeout value in milliseconds (optional) minimum: 1 
@@ -1235,28 +1654,40 @@ components: type: string Types: description: List of types of response actions + example: + - automated + - manual items: $ref: '#/components/schemas/Type' maxLength: 2 minLength: 1 type: array - UnisolateRouteRequestBody: + UnisolateRouteResponse: + example: + action: 233db9ea-6733-4849-9226-5a7039c7161d + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentType: endpoint + command: suspend-process + comment: suspend the process + completedAt: '2022-07-29T19:09:44.961Z' + createdBy: myuser + errors: [] + id: 233db9ea-6733-4849-9226-5a7039c7161d + isCompleted: true + isExpired: false + outputs: + ed518850-681a-4d60-bb98-e22640cae2a8: + content: + key: value + type: json + parameters: + entity_id: abc123 + startedAt: '2022-07-29T19:08:49.126Z' + wasSuccessful: true type: object - properties: - agent_type: - $ref: '#/components/schemas/AgentTypes' - alert_ids: - $ref: '#/components/schemas/AlertIds' - case_ids: - $ref: '#/components/schemas/CaseIds' - comment: - $ref: '#/components/schemas/Comment' - endpoint_ids: - $ref: '#/components/schemas/EndpointIds' - parameters: - $ref: '#/components/schemas/Parameters' - required: - - endpoint_ids + properties: {} UploadRouteRequestBody: allOf: - type: object @@ -1278,6 +1709,8 @@ components: - type: object properties: file: + description: The binary content of the file. + example: RWxhc3RpYw== format: binary type: string parameters: 
@@ -1285,12 +1718,51 @@ components: properties: overwrite: default: false + description: Overwrite the file on the host if it already exists. + example: false type: boolean required: - parameters - file + example: + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + file: RWxhc3RpYw== + parameters: {} + UploadRouteResponse: + example: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: endpoint + command: upload + createdBy: elastic + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: Host-5i6cuc8kdv + id: 9ff6aebc-2cb6-481e-8869-9b30036c9731 + isCompleted: false + isExpired: false + outputs: {} + parameters: + file_id: 10e4ce3d-4abb-4f93-a0cd-eaf63a489280 + file_name: fix-malware.sh + file_sha256: a0bed94220193ba4895c0aa5b4e7e293381d15765cb164ddf7be5cdd010ae42a + file_size: 69 + startedAt: '2023-07-03T15:07:22.837Z' + status: pending + wasSuccessful: false + type: object + properties: {} UserIds: - description: User IDs + description: A list of user IDs. + example: + - user-id-1 + - user-id-2 oneOf: - items: minLength: 1 @@ -1300,7 +1772,12 @@ components: - minLength: 1 type: string WithOutputs: - description: Shows detailed outputs for an action response + description: >- + A list of action IDs that should include the complete output of the + action. + example: + - action-id-1 + - action-id-2 oneOf: - items: minLength: 1 diff --git a/x-pack/test/api_integration/services/security_solution_api.gen.ts b/x-pack/test/api_integration/services/security_solution_api.gen.ts index 6cdf64afab48f..5cf1dd8c5bc93 100644 --- a/x-pack/test/api_integration/services/security_solution_api.gen.ts +++ b/x-pack/test/api_integration/services/security_solution_api.gen.ts 
@@ -64,7 +64,6 @@ import { EndpointKillProcessActionRequestBodyInput } from '@kbn/security-solutio import { EndpointScanActionRequestBodyInput } from '@kbn/security-solution-plugin/common/api/endpoint/actions/response_actions/scan/scan.gen'; import { EndpointSuspendProcessActionRequestBodyInput } from '@kbn/security-solution-plugin/common/api/endpoint/actions/response_actions/suspend_process/suspend_process.gen'; import { EndpointUnisolateActionRequestBodyInput } from '@kbn/security-solution-plugin/common/api/endpoint/actions/response_actions/unisolate/unisolate.gen'; -import { EndpointUploadActionRequestBodyInput } from '@kbn/security-solution-plugin/common/api/endpoint/actions/response_actions/upload/upload.gen'; import { ExportRulesRequestQueryInput, ExportRulesRequestBodyInput, @@ -716,13 +715,12 @@ If a record already exists for the specified entity, that record is overwritten /** * Upload a file to an endpoint. */ - endpointUploadAction(props: EndpointUploadActionProps, kibanaSpace: string = 'default') { + endpointUploadAction(kibanaSpace: string = 'default') { return supertest .post(routeWithNamespace('/api/endpoint/action/upload', kibanaSpace)) .set('kbn-xsrf', 'true') .set(ELASTIC_HTTP_VERSION_HEADER, '2023-10-31') - .set(X_ELASTIC_INTERNAL_ORIGIN_REQUEST, 'kibana') - .send(props.body as object); + .set(X_ELASTIC_INTERNAL_ORIGIN_REQUEST, 'kibana'); }, entityStoreGetPrivileges(kibanaSpace: string = 'default') { return supertest @@ -1751,9 +1749,6 @@ export interface EndpointSuspendProcessActionProps { export interface EndpointUnisolateActionProps { body: EndpointUnisolateActionRequestBodyInput; } -export interface EndpointUploadActionProps { - body: EndpointUploadActionRequestBodyInput; -} export interface ExportRulesProps { query: ExportRulesRequestQueryInput; body: ExportRulesRequestBodyInput;