diff --git a/oas_docs/output/kibana.serverless.yaml b/oas_docs/output/kibana.serverless.yaml index e400752a0fb3d..a7a8e400453e2 100644 --- a/oas_docs/output/kibana.serverless.yaml +++ b/oas_docs/output/kibana.serverless.yaml 
@@ -7379,16 +7379,61 @@ paths: operationId: EndpointGetActionsList parameters: - in: query - name: query - required: true + name: page + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Page' + - in: query + name: pageSize + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_PageSize' + - in: query + name: commands + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Commands' + - in: query + name: agentIds + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentIds' + - in: query + name: userIds + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_UserIds' + - in: query + name: startDate + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_StartDate' + - in: query + name: endDate + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndDate' + - in: query + name: agentTypes + required: false schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_GetEndpointActionListRouteQuery' + $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' + - in: query + name: withOutputs + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_WithOutputs' + - in: query + name: types + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Types' responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse' + $ref: '#/components/schemas/Security_Endpoint_Management_API_GetEndpointActionListResponse' description: OK summary: Get response actions tags: 
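Review bot: The new `agentTypes` query parameter in this hunk references `Security_Endpoint_Management_API_AgentTypes`, which this same diff defines as a single `type: string` enum, yet the schema's updated description reads "List of agent types to retrieve"; the same schema also backs the scalar `agent_type` request-body property, so one of the two uses is mis-described. Either give the query parameter an array schema (`type: array` with `items: $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes'`) or reword the shared description to the singular, e.g. `description: The agent type. Defaults to endpoint.`. The same mismatch appears in the matching kibana.yaml hunk. These files sit under oas_docs/output and look like bundled output, so the fix presumably belongs in the source spec they are generated from.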
@@ -7427,13 +7472,15 @@ paths: name: action_id required: true schema: + description: The ID of the action to retrieve. + example: fr518850-681a-4y60-aa98-e22640cae2b8 type: string responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse' + $ref: '#/components/schemas/Security_Endpoint_Management_API_GetEndpointActionResponse' description: OK summary: Get action details tags: @@ -7506,7 +7553,7 @@ paths: content: application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse' + $ref: '#/components/schemas/Security_Endpoint_Management_API_ExecuteRouteResponse' description: OK summary: Run a command tags: @@ -7527,7 +7574,7 @@ paths: content: application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse' + $ref: '#/components/schemas/Security_Endpoint_Management_API_GetFileRouteResponse' description: OK summary: Get a file tags: 
@@ -7540,15 +7587,53 @@ paths: requestBody: content: application/json; Elastic-Api-Version=2023-10-31: + examples: + multiple_endpoints: + summary: Isolates several hosts; includes a comment + value: + comment: Locked down, pending further investigation + endpoint_ids: + - 9972d10e-4b9e-41aa-a534-a85e2a28ea42 + - bc0e4f0c-3bca-4633-9fee-156c0b505d16 + - fa89271b-b9d4-43f2-a684-307cffddeb5a + single_endpoint: + summary: Isolates a single host with an endpoint_id value of ed518850-681a-4d60-bb98-e22640cae2a8 + value: + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + with_case_id: + summary: Isolates a single host with a case_id value of 1234 + value: + case_ids: + - 4976be38-c134-4554-bd5e-0fd89ce63667 + comment: Isolating as initial response + endpoint_ids: + - 1aa1f8fd-0fb0-4fe4-8c30-92068272d3f0 + - b30a11bf-1395-4707-b508-fbb45ef9793e schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_IsolateRouteRequestBody' + type: object + properties: + agent_type: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' + alert_ids: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AlertIds' + case_ids: + $ref: '#/components/schemas/Security_Endpoint_Management_API_CaseIds' + comment: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' + endpoint_ids: + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' + parameters: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' + required: + - endpoint_ids required: true responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse' + $ref: '#/components/schemas/Security_Endpoint_Management_API_IsolateRouteResponse' description: OK summary: Isolate an endpoint tags: 
@@ -7569,7 +7654,7 @@ paths: content: application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse' + $ref: '#/components/schemas/Security_Endpoint_Management_API_KillProcessRouteResponse' description: OK summary: Terminate a process tags: @@ -7590,7 +7675,7 @@ paths: content: application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse' + $ref: '#/components/schemas/Security_Endpoint_Management_API_GetProcessesRouteResponse' description: OK summary: Get running processes tags: @@ -7632,7 +7717,7 @@ paths: content: application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse' + $ref: '#/components/schemas/Security_Endpoint_Management_API_ScanRouteResponse' description: OK summary: Scan a file or directory tags: @@ -7668,7 +7753,7 @@ paths: content: application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse' + $ref: '#/components/schemas/Security_Endpoint_Management_API_SuspendProcessRouteResponse' description: OK summary: Suspend a process tags: 
@@ -7681,15 +7766,53 @@ paths: requestBody: content: application/json; Elastic-Api-Version=2023-10-31: + examples: + multipleHosts: + summary: 'Releases several hosts; includes a comment:' + value: + comment: Benign process identified, releasing group + endpoint_ids: + - 9972d10e-4b9e-41aa-a534-a85e2a28ea42 + - bc0e4f0c-3bca-4633-9fee-156c0b505d16 + - fa89271b-b9d4-43f2-a684-307cffddeb5a + singleHost: + summary: Releases a single host with an endpoint_id value of ed518850-681a-4d60-bb98-e22640cae2a8 + value: + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + withCaseId: + summary: Releases hosts with an associated case; includes a comment. + value: + case_ids: + - 4976be38-c134-4554-bd5e-0fd89ce63667 + comment: Remediation complete, restoring network + endpoint_ids: + - 1aa1f8fd-0fb0-4fe4-8c30-92068272d3f0 + - b30a11bf-1395-4707-b508-fbb45ef9793e schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_UnisolateRouteRequestBody' + type: object + properties: + agent_type: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' + alert_ids: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AlertIds' + case_ids: + $ref: '#/components/schemas/Security_Endpoint_Management_API_CaseIds' + comment: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' + endpoint_ids: + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' + parameters: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' + required: + - endpoint_ids required: true responses: '200': content: application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse' + $ref: '#/components/schemas/Security_Endpoint_Management_API_UnisolateRouteResponse' description: OK summary: Release an isolated endpoint tags: 
@@ -7701,7 +7824,7 @@ paths: operationId: EndpointUploadAction requestBody: content: - application/json; Elastic-Api-Version=2023-10-31: + multipart/form-data; Elastic-Api-Version=2023-10-31: schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_UploadRouteRequestBody' required: true @@ -7710,7 +7833,7 @@ paths: content: application/json; Elastic-Api-Version=2023-10-31: schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse' + $ref: '#/components/schemas/Security_Endpoint_Management_API_UploadRouteResponse' description: OK summary: Upload a file tags: @@ -49575,6 +49698,10 @@ components: description: Agent ID type: string Security_Endpoint_Management_API_AgentIds: + description: A list of agent IDs. Max of 50. + example: + - agent-id-1 + - agent-id-2 minLength: 1 oneOf: - items: @@ -49586,12 +49713,13 @@ components: - minLength: 1 type: string Security_Endpoint_Management_API_AgentTypes: - description: The host agent type (optional). Defaults to endpoint. + description: List of agent types to retrieve. Defaults to `endpoint`. enum: - endpoint - sentinel_one - crowdstrike - microsoft_defender_endpoint + example: endpoint type: string Security_Endpoint_Management_API_AlertIds: description: A list of alerts `id`s. @@ -49603,6 +49731,9 @@ components: type: array Security_Endpoint_Management_API_CaseIds: description: Case IDs to be updated (cannot contain empty strings) + example: + - case-id-1 + - case-id-2 items: minLength: 1 type: string 
@@ -49640,17 +49771,26 @@ components: minLength: 1 type: string Security_Endpoint_Management_API_Commands: + description: A list of response action command names. + example: + - isolate + - unisolate items: $ref: '#/components/schemas/Security_Endpoint_Management_API_Command' type: array Security_Endpoint_Management_API_Comment: description: Optional comment + example: This is a comment type: string Security_Endpoint_Management_API_EndDate: - description: End date + description: An end date in ISO format or Date Math format. + example: '2023-10-31T23:59:59.999Z' type: string Security_Endpoint_Management_API_EndpointIds: description: List of endpoint IDs (cannot contain empty strings) + example: + - endpoint-id-1 + - endpoint-id-2 items: minLength: 1 type: string @@ -49742,12 +49882,6 @@ components: revision: 2 type: object properties: {} - Security_Endpoint_Management_API_EntityId: - type: object - properties: - entity_id: - minLength: 1 - type: string Security_Endpoint_Management_API_ExecuteRouteRequestBody: allOf: - type: object 
@@ -49779,33 +49913,128 @@ components: - command required: - parameters - Security_Endpoint_Management_API_GetEndpointActionListRouteQuery: + example: + comment: Get list of all files + endpoint_ids: + - b3d6de74-36b0-4fa8-be46-c375bf1771bf + parameters: + command: ls -al + timeout: 600 + Security_Endpoint_Management_API_ExecuteRouteResponse: + example: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: endpoint + command: execute + comment: Get list of all files + createdBy: myuser + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: gke-endpoint-gke-clu-endpoint-node-po-e1a3ab89-4c4r + id: 9f934028-2300-4927-b531-b26376793dc4 + isCompleted: false + isExpired: false + outputs: {} + parameters: + command: ls -al + timeout: 600 + startedAt: '2023-07-28T18:43:27.362Z' + status: pending + wasSuccessful: false type: object - properties: - agentIds: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentIds' - agentTypes: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' - commands: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Commands' - endDate: - $ref: '#/components/schemas/Security_Endpoint_Management_API_EndDate' - page: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Page' - pageSize: - default: 10 - description: Number of items per page - maximum: 10000 - minimum: 1 - type: integer - startDate: - $ref: '#/components/schemas/Security_Endpoint_Management_API_StartDate' - types: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Types' - userIds: - $ref: '#/components/schemas/Security_Endpoint_Management_API_UserIds' - withOutputs: - $ref: '#/components/schemas/Security_Endpoint_Management_API_WithOutputs' + properties: {} + Security_Endpoint_Management_API_GetEndpointActionListResponse: + example: + data: + - agents: + - afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0 + 
agentType: endpoint + command: running-processes + completedAt: '2022-08-08T09:50:47.672Z' + createdBy: elastic + id: b3d6de74-36b0-4fa8-be46-c375bf1771bf + isCompleted: true + isExpired: false + startedAt: '2022-08-08T15:24:57.402Z' + wasSuccessful: true + - agents: + - afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0 + agentType: endpoint + command: isolate + completedAt: '2022-08-08T10:41:57.352Z' + createdBy: elastic + id: 43b4098b-8752-4fbb-a7a7-6df7c74d0ee3 + isCompleted: true + isExpired: false + startedAt: '2022-08-08T15:23:37.359Z' + wasSuccessful: true + - agents: + - afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0 + agentType: endpoint + command: kill-process + comment: bad process - taking up too much cpu + completedAt: '2022-08-08T09:44:50.952Z' + createdBy: elastic + id: 5bc92c86-b8e6-42dd-837f-12ad29e09caa + isCompleted: true + isExpired: false + startedAt: '2022-08-08T14:38:44.125Z' + wasSuccessful: true + - agents: + - afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0 + agentType: endpoint + command: unisolate + comment: Not a threat to the network + completedAt: '2022-08-08T09:40:47.398Z' + createdBy: elastic + id: 790d54e0-3aa3-4e5b-8255-3ce9d851246a + isCompleted: true + isExpired: false + startedAt: '2022-08-08T14:38:15.391Z' + wasSuccessful: true + elasticAgentIds: + - afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0 + endDate: now + page: 1 + pageSize: 10 + startDate: now-24h/h + total: 4 + type: object + properties: {} + Security_Endpoint_Management_API_GetEndpointActionResponse: + example: + data: + agents: + - afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0 + agentType: endpoint + command: running-processes + completedAt: '2022-08-08T09:50:47.672Z' + createdBy: elastic + id: b3d6de74-36b0-4fa8-be46-c375bf1771bf + isCompleted: true + isExpired: false + outputs: + afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0: + content: + entries: + - command: /opt/cmd1 + entity_id: fk2ym7bl3oiu3okjcik0xosc0i0m75x3eh49nu3uaqt4dqanjt + pid: '822' + user: Dexter + - command: /opt/cmd3/opt/cmd3/opt/cmd3/opt/cmd3 + entity_id: 
pwvz91m48wpj9j7ov9gtw8fp7u2rat4eu5ipte37hnhdcbi2pt + pid: '984' + user: Jada + type: json + startedAt: '2022-08-08T15:24:57.402Z' + wasSuccessful: true + type: object + properties: {} Security_Endpoint_Management_API_GetFileRouteRequestBody: allOf: - type: object @@ -49835,7 +50064,42 @@ components: - path required: - parameters + example: + comment: Get my file + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + path: /usr/my-file.txt + Security_Endpoint_Management_API_GetFileRouteResponse: + example: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: endpoint + command: get-file + createdBy: myuser + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: gke-endpoint-gke-clu-endpoint-node-po-e1a3ab89-4c4r + id: 27ba1b42-7cc6-4e53-86ce-675c876092b2 + isCompleted: false + isExpired: false + outputs: {} + parameters: + path: /usr/my-file.txt + startedAt: '2023-07-28T19:00:03.911Z' + status: pending + wasSuccessful: false + type: object + properties: {} Security_Endpoint_Management_API_GetProcessesRouteRequestBody: + example: + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 type: object properties: agent_type: 
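Review bot: Every new `*RouteResponse` schema in this hunk (ExecuteRouteResponse, GetEndpointActionListResponse, GetEndpointActionResponse) is declared as `type: object` with `properties: {}`, so the fields shown in its example (`data.agents`, `agentState`, `hosts`, `outputs`, `status`, `wasSuccessful`) are not part of the contract; validators and generated clients see an untyped object, which is no stronger than the SuccessResponse ref the commit replaces. Declaring at least the stable top-level fields under `properties` and listing `data` under `required` would let tooling check responses against the spec instead of against prose. The same pattern repeats in the later hunks that add GetFileRouteResponse, GetProcessesRouteResponse, IsolateRouteResponse, KillProcessRouteResponse, ScanRouteResponse, SuspendProcessRouteResponse, UnisolateRouteResponse and UploadRouteResponse.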
@@ -49852,6 +50116,30 @@ components: $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' required: - endpoint_ids + Security_Endpoint_Management_API_GetProcessesRouteResponse: + example: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentType: endpoint + command: running-processes + comment: '' + completedAt: '2022-07-29T19:09:44.961Z' + createdBy: myuser + errors: [] + id: 233db9ea-6733-4849-9226-5a7039c7161d + isCompleted: true + isExpired: false + outputs: + ed518850-681a-4d60-bb98-e22640cae2a8: + content: + key: value + type: json + parameters: {} + startedAt: '2022-07-29T19:08:49.126Z' + wasSuccessful: true + type: object + properties: {} Security_Endpoint_Management_API_HostPathScriptParameters: type: object properties: 
@@ -49883,23 +50171,32 @@ components: - unenrolled type: string type: array - Security_Endpoint_Management_API_IsolateRouteRequestBody: + Security_Endpoint_Management_API_IsolateRouteResponse: + example: + action: 233db9ea-6733-4849-9226-5a7039c7161d + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentType: endpoint + command: suspend-process + comment: suspend the process + completedAt: '2022-07-29T19:09:44.961Z' + createdBy: myuser + errors: [] + id: 233db9ea-6733-4849-9226-5a7039c7161d + isCompleted: true + isExpired: false + outputs: + ed518850-681a-4d60-bb98-e22640cae2a8: + content: + key: value + type: json + parameters: + entity_id: abc123 + startedAt: '2022-07-29T19:08:49.126Z' + wasSuccessful: true type: object - properties: - agent_type: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' - alert_ids: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AlertIds' - case_ids: - $ref: '#/components/schemas/Security_Endpoint_Management_API_CaseIds' - comment: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' - endpoint_ids: - $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' - parameters: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' - required: - - endpoint_ids + properties: {} Security_Endpoint_Management_API_KillProcessRouteRequestBody: allOf: - type: object 
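Review bot: The example added for `Security_Endpoint_Management_API_IsolateRouteResponse` shows `command: suspend-process`, `comment: suspend the process` and `parameters: entity_id: abc123`, which is the suspend-process payload copied over; an isolate response example should show `command: isolate` without process parameters, otherwise the published docs describe the wrong action shape. The top-level `action:` key in this example is also absent from every other `*RouteResponse` example in the diff, so it is unclear whether it belongs to the real response or is another artefact of the copy. The same copied payload appears in the `UnisolateRouteResponse` example in the later hunk.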
@@ -49922,16 +50219,60 @@ components: properties: parameters: oneOf: - - $ref: '#/components/schemas/Security_Endpoint_Management_API_Pid' - - $ref: '#/components/schemas/Security_Endpoint_Management_API_EntityId' + - type: object + properties: + pid: + description: The process ID (PID) of the process to terminate. + example: 123 + minimum: 1 + type: integer + - type: object + properties: + entity_id: + description: The entity ID of the process to terminate. + example: abc123 + minLength: 1 + type: string - type: object properties: process_name: - description: Valid for SentinelOne agent type only + description: The name of the process to terminate. Valid for SentinelOne agent type only. + example: Elastic minLength: 1 type: string required: - parameters + example: + comment: terminate the process + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + entity_id: abc123 + Security_Endpoint_Management_API_KillProcessRouteResponse: + example: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentType: endpoint + command: kill-process + comment: terminate the process + completedAt: '2022-07-29T19:09:44.961Z' + createdBy: myuser + errors: [] + id: 233db9ea-6733-4849-9226-5a7039c7161d + isCompleted: true + isExpired: false + outputs: + ed518850-681a-4d60-bb98-e22640cae2a8: + content: + key: value + type: json + parameters: + entity_id: abc123 + startedAt: '2022-07-29T19:08:49.126Z' + wasSuccessful: true + type: object + properties: {} Security_Endpoint_Management_API_Kuery: description: A KQL string. example: 'united.endpoint.host.os.name : ''Windows''' @@ -50152,12 +50493,6 @@ components: $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType' - additionalProperties: true type: object - Security_Endpoint_Management_API_Pid: - type: object - properties: - pid: - minimum: 1 - type: integer Security_Endpoint_Management_API_ProtectionUpdatesNoteResponse: type: object properties: 
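Review bot: The inlined `parameters` alternatives for KillProcessRouteRequestBody declare `pid`, `entity_id` and `process_name` as optional properties with no `required` list, so `oneOf` cannot discriminate between them: a body such as `{pid: 123}` satisfies all three alternatives (additional properties are allowed by default), and a strict validator rejects every request as matching more than one branch. Adding `required: [pid]`, `required: [entity_id]` and `required: [process_name]` to the respective alternatives makes the union well-formed. The removed `Pid`/`EntityId` schemas had the same gap, so this is carried over rather than introduced, but it is worth fixing while these lines are being rewritten; the suspend-process alternatives in the later hunk have the same shape.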
@@ -50215,11 +50550,45 @@ components: type: object properties: path: + description: The folder or file’s full path (including the file name). + example: /usr/my-file.txt type: string required: - path required: - parameters + example: + comment: Scan the file for malware + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + path: /usr/my-file.txt + Security_Endpoint_Management_API_ScanRouteResponse: + example: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: endpoint + command: scan + createdBy: myuser + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: gke-endpoint-gke-clu-endpoint-node-po-e1a3ab89-4c4r + id: 27ba1b42-7cc6-4e53-86ce-675c876092b2 + isCompleted: false + isExpired: false + outputs: {} + parameters: + path: /usr/my-file.txt + startedAt: '2023-07-28T19:00:03.911Z' + status: pending + wasSuccessful: false + type: object + properties: {} Security_Endpoint_Management_API_SortDirection: description: Determines the sort order. enum: @@ -50242,7 +50611,8 @@ components: example: enrolled_at type: string Security_Endpoint_Management_API_StartDate: - description: Start date + description: A start date in ISO 8601 format or Date Math format. + example: '2023-10-31T00:00:00.000Z' type: string Security_Endpoint_Management_API_SuccessResponse: type: object 
@@ -50269,10 +50639,53 @@ components: properties: parameters: oneOf: - - $ref: '#/components/schemas/Security_Endpoint_Management_API_Pid' - - $ref: '#/components/schemas/Security_Endpoint_Management_API_EntityId' + - type: object + properties: + pid: + description: The process ID (PID) of the process to suspend. + example: 123 + minimum: 1 + type: integer + - type: object + properties: + entity_id: + description: The entity ID of the process to suspend. + example: abc123 + minLength: 1 + type: string required: - parameters + example: + comment: suspend the process + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + entity_id: abc123 + Security_Endpoint_Management_API_SuspendProcessRouteResponse: + example: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentType: endpoint + command: suspend-process + comment: suspend the process + completedAt: '2022-07-29T19:09:44.961Z' + createdBy: myuser + errors: [] + id: 233db9ea-6733-4849-9226-5a7039c7161d + isCompleted: true + isExpired: false + outputs: + ed518850-681a-4d60-bb98-e22640cae2a8: + content: + key: value + type: json + parameters: + entity_id: abc123 + startedAt: '2022-07-29T19:08:49.126Z' + wasSuccessful: true + type: object + properties: {} Security_Endpoint_Management_API_Timeout: description: The maximum timeout value in milliseconds (optional) minimum: 1 
@@ -50285,28 +50698,40 @@ components: type: string Security_Endpoint_Management_API_Types: description: List of types of response actions + example: + - automated + - manual items: $ref: '#/components/schemas/Security_Endpoint_Management_API_Type' maxLength: 2 minLength: 1 type: array - Security_Endpoint_Management_API_UnisolateRouteRequestBody: + Security_Endpoint_Management_API_UnisolateRouteResponse: + example: + action: 233db9ea-6733-4849-9226-5a7039c7161d + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentType: endpoint + command: suspend-process + comment: suspend the process + completedAt: '2022-07-29T19:09:44.961Z' + createdBy: myuser + errors: [] + id: 233db9ea-6733-4849-9226-5a7039c7161d + isCompleted: true + isExpired: false + outputs: + ed518850-681a-4d60-bb98-e22640cae2a8: + content: + key: value + type: json + parameters: + entity_id: abc123 + startedAt: '2022-07-29T19:08:49.126Z' + wasSuccessful: true type: object - properties: - agent_type: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' - alert_ids: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AlertIds' - case_ids: - $ref: '#/components/schemas/Security_Endpoint_Management_API_CaseIds' - comment: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' - endpoint_ids: - $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' - parameters: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' - required: - - endpoint_ids + properties: {} Security_Endpoint_Management_API_UploadRouteRequestBody: allOf: - type: object @@ -50328,6 +50753,8 @@ components: - type: object properties: file: + description: The binary content of the file. + example: RWxhc3RpYw== format: binary type: string parameters: 
@@ -50335,12 +50762,51 @@ components: properties: overwrite: default: false + description: Overwrite the file on the host if it already exists. + example: false type: boolean required: - parameters - file + example: + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + file: RWxhc3RpYw== + parameters: {} + Security_Endpoint_Management_API_UploadRouteResponse: + example: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: endpoint + command: upload + createdBy: elastic + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: Host-5i6cuc8kdv + id: 9ff6aebc-2cb6-481e-8869-9b30036c9731 + isCompleted: false + isExpired: false + outputs: {} + parameters: + file_id: 10e4ce3d-4abb-4f93-a0cd-eaf63a489280 + file_name: fix-malware.sh + file_sha256: a0bed94220193ba4895c0aa5b4e7e293381d15765cb164ddf7be5cdd010ae42a + file_size: 69 + startedAt: '2023-07-03T15:07:22.837Z' + status: pending + wasSuccessful: false + type: object + properties: {} Security_Endpoint_Management_API_UserIds: - description: User IDs + description: A list of user IDs. + example: + - user-id-1 + - user-id-2 oneOf: - items: minLength: 1 @@ -50350,7 +50816,10 @@ components: - minLength: 1 type: string Security_Endpoint_Management_API_WithOutputs: - description: Shows detailed outputs for an action response + description: A list of action IDs that should include the complete output of the action. + example: + - action-id-1 + - action-id-2 oneOf: - items: minLength: 1 diff --git a/oas_docs/output/kibana.yaml b/oas_docs/output/kibana.yaml index 299299efc58c5..5075348ffd153 100644 --- a/oas_docs/output/kibana.yaml +++ b/oas_docs/output/kibana.yaml 
@@ -12858,16 +12858,61 @@ paths: operationId: EndpointGetActionsList parameters: - in: query - name: query - required: true + name: page + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Page' + - in: query + name: pageSize + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_PageSize' + - in: query + name: commands + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Commands' + - in: query + name: agentIds + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentIds' + - in: query + name: userIds + required: false schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_GetEndpointActionListRouteQuery' + $ref: '#/components/schemas/Security_Endpoint_Management_API_UserIds' + - in: query + name: startDate + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_StartDate' + - in: query + name: endDate + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndDate' + - in: query + name: agentTypes + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' + - in: query + name: withOutputs + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_WithOutputs' + - in: query + name: types + required: false + schema: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Types' responses: '200': content: application/json: schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse' + $ref: '#/components/schemas/Security_Endpoint_Management_API_GetEndpointActionListResponse' description: OK summary: Get response actions tags: 
@@ -12930,13 +12975,15 @@ paths: name: action_id required: true schema: + description: The ID of the action to retrieve. + example: fr518850-681a-4y60-aa98-e22640cae2b8 type: string responses: '200': content: application/json: schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse' + $ref: '#/components/schemas/Security_Endpoint_Management_API_GetEndpointActionResponse' description: OK summary: Get action details tags: @@ -13006,7 +13053,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse' + $ref: '#/components/schemas/Security_Endpoint_Management_API_ExecuteRouteResponse' description: OK summary: Run a command tags: @@ -13026,7 +13073,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse' + $ref: '#/components/schemas/Security_Endpoint_Management_API_GetFileRouteResponse' description: OK summary: Get a file tags: 
@@ -13038,15 +13085,53 @@ paths: requestBody: content: application/json: + examples: + multiple_endpoints: + summary: Isolates several hosts; includes a comment + value: + comment: Locked down, pending further investigation + endpoint_ids: + - 9972d10e-4b9e-41aa-a534-a85e2a28ea42 + - bc0e4f0c-3bca-4633-9fee-156c0b505d16 + - fa89271b-b9d4-43f2-a684-307cffddeb5a + single_endpoint: + summary: Isolates a single host with an endpoint_id value of ed518850-681a-4d60-bb98-e22640cae2a8 + value: + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + with_case_id: + summary: Isolates a single host with a case_id value of 1234 + value: + case_ids: + - 4976be38-c134-4554-bd5e-0fd89ce63667 + comment: Isolating as initial response + endpoint_ids: + - 1aa1f8fd-0fb0-4fe4-8c30-92068272d3f0 + - b30a11bf-1395-4707-b508-fbb45ef9793e schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_IsolateRouteRequestBody' + type: object + properties: + agent_type: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' + alert_ids: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AlertIds' + case_ids: + $ref: '#/components/schemas/Security_Endpoint_Management_API_CaseIds' + comment: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' + endpoint_ids: + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' + parameters: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' + required: + - endpoint_ids required: true responses: '200': content: application/json: schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse' + $ref: '#/components/schemas/Security_Endpoint_Management_API_IsolateRouteResponse' description: OK summary: Isolate an endpoint tags: 
@@ -13066,7 +13151,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse' + $ref: '#/components/schemas/Security_Endpoint_Management_API_KillProcessRouteResponse' description: OK summary: Terminate a process tags: @@ -13086,7 +13171,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse' + $ref: '#/components/schemas/Security_Endpoint_Management_API_GetProcessesRouteResponse' description: OK summary: Get running processes tags: @@ -13126,7 +13211,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse' + $ref: '#/components/schemas/Security_Endpoint_Management_API_ScanRouteResponse' description: OK summary: Scan a file or directory tags: @@ -13160,7 +13245,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse' + $ref: '#/components/schemas/Security_Endpoint_Management_API_SuspendProcessRouteResponse' description: OK summary: Suspend a process tags: 
@@ -13172,15 +13257,53 @@ paths: requestBody: content: application/json: + examples: + multipleHosts: + summary: 'Releases several hosts; includes a comment:' + value: + comment: Benign process identified, releasing group + endpoint_ids: + - 9972d10e-4b9e-41aa-a534-a85e2a28ea42 + - bc0e4f0c-3bca-4633-9fee-156c0b505d16 + - fa89271b-b9d4-43f2-a684-307cffddeb5a + singleHost: + summary: Releases a single host with an endpoint_id value of ed518850-681a-4d60-bb98-e22640cae2a8 + value: + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + withCaseId: + summary: Releases hosts with an associated case; includes a comment. + value: + case_ids: + - 4976be38-c134-4554-bd5e-0fd89ce63667 + comment: Remediation complete, restoring network + endpoint_ids: + - 1aa1f8fd-0fb0-4fe4-8c30-92068272d3f0 + - b30a11bf-1395-4707-b508-fbb45ef9793e schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_UnisolateRouteRequestBody' + type: object + properties: + agent_type: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' + alert_ids: + $ref: '#/components/schemas/Security_Endpoint_Management_API_AlertIds' + case_ids: + $ref: '#/components/schemas/Security_Endpoint_Management_API_CaseIds' + comment: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' + endpoint_ids: + $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' + parameters: + $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' + required: + - endpoint_ids required: true responses: '200': content: application/json: schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse' + $ref: '#/components/schemas/Security_Endpoint_Management_API_UnisolateRouteResponse' description: OK summary: Release an isolated endpoint tags: 
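Review bot: The `multipleHosts` summary carries a stray trailing colon, `'Releases several hosts; includes a comment:'`, and this endpoint names its examples in camelCase (`multipleHosts`, `singleHost`, `withCaseId`) while the isolate endpoint in the same file uses snake_case (`multiple_endpoints`, `single_endpoint`, `with_case_id`). Pick one convention and drop the colon, e.g. `multiple_hosts: summary: Releases several hosts; includes a comment`. The inlined request schema is identical field for field to the isolate one; if the generator allows it, a shared component would stop the two from diverging later.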
@@ -13191,7 +13314,7 @@ paths: operationId: EndpointUploadAction requestBody: content: - application/json: + multipart/form-data: schema: $ref: '#/components/schemas/Security_Endpoint_Management_API_UploadRouteRequestBody' required: true @@ -13200,7 +13323,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse' + $ref: '#/components/schemas/Security_Endpoint_Management_API_UploadRouteResponse' description: OK summary: Upload a file tags: @@ -38036,6 +38159,10 @@ components: description: Agent ID type: string Security_Endpoint_Management_API_AgentIds: + description: A list of agent IDs. Max of 50. + example: + - agent-id-1 + - agent-id-2 minLength: 1 oneOf: - items: @@ -38047,12 +38174,13 @@ components: - minLength: 1 type: string Security_Endpoint_Management_API_AgentTypes: - description: The host agent type (optional). Defaults to endpoint. + description: List of agent types to retrieve. Defaults to `endpoint`. enum: - endpoint - sentinel_one - crowdstrike - microsoft_defender_endpoint + example: endpoint type: string Security_Endpoint_Management_API_AlertIds: description: A list of alerts `id`s. @@ -38064,6 +38192,9 @@ components: type: array Security_Endpoint_Management_API_CaseIds: description: Case IDs to be updated (cannot contain empty strings) + example: + - case-id-1 + - case-id-2 items: minLength: 1 type: string 
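Review bot: The new `Security_Endpoint_Management_API_AgentIds` description says "Max of 50", but the schema beneath it only enforces `minLength: 1` on the `oneOf` branches; nothing expresses the upper bound, so generated validators and clients will happily send 51 IDs and the server-side limit (not visible in this diff) becomes the only guard. Add `maxItems: 50` to the array branch of the `oneOf` so the documented limit is machine-checkable. The example values `agent-id-1` / `agent-id-2` also do not follow the UUID form used by every other example in this diff.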
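Review bot: `Security_Endpoint_Management_API_AgentTypes` is now described as "List of agent types to retrieve", but its schema is a single `type: string` with an `enum`, and the same component is referenced as the scalar `agent_type` property of the isolate and unisolate request bodies earlier in this diff. Describe one value, e.g. `description: The agent type (optional). Defaults to endpoint.`; if the actions-list query genuinely accepts several, the query parameter needs its own array schema rather than this one. `Security_Endpoint_Management_API_CaseIds` gets examples `case-id-1` / `case-id-2` that do not match the UUID case ID used in the isolate examples above.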
@@ -38101,17 +38232,26 @@ components: minLength: 1 type: string Security_Endpoint_Management_API_Commands: + description: A list of response action command names. + example: + - isolate + - unisolate items: $ref: '#/components/schemas/Security_Endpoint_Management_API_Command' type: array Security_Endpoint_Management_API_Comment: description: Optional comment + example: This is a comment type: string Security_Endpoint_Management_API_EndDate: - description: End date + description: An end date in ISO format or Date Math format. + example: '2023-10-31T23:59:59.999Z' type: string Security_Endpoint_Management_API_EndpointIds: description: List of endpoint IDs (cannot contain empty strings) + example: + - endpoint-id-1 + - endpoint-id-2 items: minLength: 1 type: string @@ -38203,12 +38343,6 @@ components: revision: 2 type: object properties: {} - Security_Endpoint_Management_API_EntityId: - type: object - properties: - entity_id: - minLength: 1 - type: string Security_Endpoint_Management_API_ExecuteRouteRequestBody: allOf: - type: object 
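Review bot: `Security_Endpoint_Management_API_EndDate` now reads "An end date in ISO format or Date Math format" while `Security_Endpoint_Management_API_StartDate`, changed later in this diff, says "ISO 8601 format or Date Math format"; use the same wording in both, `description: An end date in ISO 8601 format or Date Math format.`. Neither description says what is used when the parameter is omitted; the list response example in this diff shows `now-24h/h` and `now`, which are presumably the defaults and would be worth stating here. Removing `Security_Endpoint_Management_API_EntityId` in the second hunk is fine given it is inlined in the kill/suspend schemas below.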
@@ -38240,33 +38374,128 @@ components: - command required: - parameters - Security_Endpoint_Management_API_GetEndpointActionListRouteQuery: + example: + comment: Get list of all files + endpoint_ids: + - b3d6de74-36b0-4fa8-be46-c375bf1771bf + parameters: + command: ls -al + timeout: 600 + Security_Endpoint_Management_API_ExecuteRouteResponse: + example: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: endpoint + command: execute + comment: Get list of all files + createdBy: myuser + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: gke-endpoint-gke-clu-endpoint-node-po-e1a3ab89-4c4r + id: 9f934028-2300-4927-b531-b26376793dc4 + isCompleted: false + isExpired: false + outputs: {} + parameters: + command: ls -al + timeout: 600 + startedAt: '2023-07-28T18:43:27.362Z' + status: pending + wasSuccessful: false type: object - properties: - agentIds: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentIds' - agentTypes: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' - commands: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Commands' - endDate: - $ref: '#/components/schemas/Security_Endpoint_Management_API_EndDate' - page: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Page' - pageSize: - default: 10 - description: Number of items per page - maximum: 10000 - minimum: 1 - type: integer - startDate: - $ref: '#/components/schemas/Security_Endpoint_Management_API_StartDate' - types: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Types' - userIds: - $ref: '#/components/schemas/Security_Endpoint_Management_API_UserIds' - withOutputs: - $ref: '#/components/schemas/Security_Endpoint_Management_API_WithOutputs' + properties: {} + Security_Endpoint_Management_API_GetEndpointActionListResponse: + example: + data: + - agents: + - afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0 + 
agentType: endpoint + command: running-processes + completedAt: '2022-08-08T09:50:47.672Z' + createdBy: elastic + id: b3d6de74-36b0-4fa8-be46-c375bf1771bf + isCompleted: true + isExpired: false + startedAt: '2022-08-08T15:24:57.402Z' + wasSuccessful: true + - agents: + - afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0 + agentType: endpoint + command: isolate + completedAt: '2022-08-08T10:41:57.352Z' + createdBy: elastic + id: 43b4098b-8752-4fbb-a7a7-6df7c74d0ee3 + isCompleted: true + isExpired: false + startedAt: '2022-08-08T15:23:37.359Z' + wasSuccessful: true + - agents: + - afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0 + agentType: endpoint + command: kill-process + comment: bad process - taking up too much cpu + completedAt: '2022-08-08T09:44:50.952Z' + createdBy: elastic + id: 5bc92c86-b8e6-42dd-837f-12ad29e09caa + isCompleted: true + isExpired: false + startedAt: '2022-08-08T14:38:44.125Z' + wasSuccessful: true + - agents: + - afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0 + agentType: endpoint + command: unisolate + comment: Not a threat to the network + completedAt: '2022-08-08T09:40:47.398Z' + createdBy: elastic + id: 790d54e0-3aa3-4e5b-8255-3ce9d851246a + isCompleted: true + isExpired: false + startedAt: '2022-08-08T14:38:15.391Z' + wasSuccessful: true + elasticAgentIds: + - afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0 + endDate: now + page: 1 + pageSize: 10 + startDate: now-24h/h + total: 4 + type: object + properties: {} + Security_Endpoint_Management_API_GetEndpointActionResponse: + example: + data: + agents: + - afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0 + agentType: endpoint + command: running-processes + completedAt: '2022-08-08T09:50:47.672Z' + createdBy: elastic + id: b3d6de74-36b0-4fa8-be46-c375bf1771bf + isCompleted: true + isExpired: false + outputs: + afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0: + content: + entries: + - command: /opt/cmd1 + entity_id: fk2ym7bl3oiu3okjcik0xosc0i0m75x3eh49nu3uaqt4dqanjt + pid: '822' + user: Dexter + - command: /opt/cmd3/opt/cmd3/opt/cmd3/opt/cmd3 + entity_id: 
pwvz91m48wpj9j7ov9gtw8fp7u2rat4eu5ipte37hnhdcbi2pt + pid: '984' + user: Jada + type: json + startedAt: '2022-08-08T15:24:57.402Z' + wasSuccessful: true + type: object + properties: {} Security_Endpoint_Management_API_GetFileRouteRequestBody: allOf: - type: object @@ -38296,7 +38525,42 @@ components: - path required: - parameters + example: + comment: Get my file + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + path: /usr/my-file.txt + Security_Endpoint_Management_API_GetFileRouteResponse: + example: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: endpoint + command: get-file + createdBy: myuser + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: gke-endpoint-gke-clu-endpoint-node-po-e1a3ab89-4c4r + id: 27ba1b42-7cc6-4e53-86ce-675c876092b2 + isCompleted: false + isExpired: false + outputs: {} + parameters: + path: /usr/my-file.txt + startedAt: '2023-07-28T19:00:03.911Z' + status: pending + wasSuccessful: false + type: object + properties: {} Security_Endpoint_Management_API_GetProcessesRouteRequestBody: + example: + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 type: object properties: agent_type: 
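Review bot: The inline `pageSize` with `minimum: 1`, `maximum: 10000` and `default: 10` is removed along with `GetEndpointActionListRouteQuery`, and the query now references `Security_Endpoint_Management_API_PageSize`, whose definition is not in this diff; please confirm that component still carries `maximum: 10000` and the default, because an unbounded page size on an actions search is a cheap way to load the cluster. The new `Security_Endpoint_Management_API_ExecuteRouteResponse` and `GetEndpointActionListResponse` are `type: object` with `properties: {}` and no `additionalProperties: true`, so the generated types carry no fields and the example is the whole contract. In that list example every entry's `completedAt` (e.g. `2022-08-08T09:50:47.672Z`) is earlier than its `startedAt` (`2022-08-08T15:24:57.402Z`), which reads as an action finishing before it started.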
@@ -38313,6 +38577,30 @@ components: $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' required: - endpoint_ids + Security_Endpoint_Management_API_GetProcessesRouteResponse: + example: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentType: endpoint + command: running-processes + comment: '' + completedAt: '2022-07-29T19:09:44.961Z' + createdBy: myuser + errors: [] + id: 233db9ea-6733-4849-9226-5a7039c7161d + isCompleted: true + isExpired: false + outputs: + ed518850-681a-4d60-bb98-e22640cae2a8: + content: + key: value + type: json + parameters: {} + startedAt: '2022-07-29T19:08:49.126Z' + wasSuccessful: true + type: object + properties: {} Security_Endpoint_Management_API_HostPathScriptParameters: type: object properties: 
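Review bot: The `Security_Endpoint_Management_API_GetProcessesRouteResponse` example shows `outputs.<agent>.content` as the placeholder `key: value`, while the `GetEndpointActionResponse` example earlier in this diff documents the real `running-processes` output as `entries` with `pid`, `entity_id`, `user` and `command`. Since the schema is `properties: {}`, this example is the only documentation of the payload, so use that shape here: `content: entries: - pid: '822' entity_id: ... user: Dexter command: /opt/cmd1`. The empty `comment: ''` and `parameters: {}` could be dropped to keep the example minimal.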
@@ -38344,23 +38632,32 @@ components: - unenrolled type: string type: array - Security_Endpoint_Management_API_IsolateRouteRequestBody: + Security_Endpoint_Management_API_IsolateRouteResponse: + example: + action: 233db9ea-6733-4849-9226-5a7039c7161d + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentType: endpoint + command: suspend-process + comment: suspend the process + completedAt: '2022-07-29T19:09:44.961Z' + createdBy: myuser + errors: [] + id: 233db9ea-6733-4849-9226-5a7039c7161d + isCompleted: true + isExpired: false + outputs: + ed518850-681a-4d60-bb98-e22640cae2a8: + content: + key: value + type: json + parameters: + entity_id: abc123 + startedAt: '2022-07-29T19:08:49.126Z' + wasSuccessful: true type: object - properties: - agent_type: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' - alert_ids: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AlertIds' - case_ids: - $ref: '#/components/schemas/Security_Endpoint_Management_API_CaseIds' - comment: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' - endpoint_ids: - $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' - parameters: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' - required: - - endpoint_ids + properties: {} Security_Endpoint_Management_API_KillProcessRouteRequestBody: allOf: - type: object 
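Review bot: The `Security_Endpoint_Management_API_IsolateRouteResponse` example is a copy of the suspend-process one: it shows `command: suspend-process`, `comment: suspend the process` and `parameters: entity_id: abc123` for an isolate call. Change it to `command: isolate`, a matching comment, and no `entity_id` parameter, since the isolate request schema in this diff takes none. The top-level `action: 233db9ea-...` key appears only in this and the unisolate example; if it is a real response field it deserves a sentence of description, otherwise remove it.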
@@ -38383,16 +38680,60 @@ components: properties: parameters: oneOf: - - $ref: '#/components/schemas/Security_Endpoint_Management_API_Pid' - - $ref: '#/components/schemas/Security_Endpoint_Management_API_EntityId' + - type: object + properties: + pid: + description: The process ID (PID) of the process to terminate. + example: 123 + minimum: 1 + type: integer + - type: object + properties: + entity_id: + description: The entity ID of the process to terminate. + example: abc123 + minLength: 1 + type: string - type: object properties: process_name: - description: Valid for SentinelOne agent type only + description: The name of the process to terminate. Valid for SentinelOne agent type only. + example: Elastic minLength: 1 type: string required: - parameters + example: + comment: terminate the process + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + entity_id: abc123 + Security_Endpoint_Management_API_KillProcessRouteResponse: + example: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentType: endpoint + command: kill-process + comment: terminate the process + completedAt: '2022-07-29T19:09:44.961Z' + createdBy: myuser + errors: [] + id: 233db9ea-6733-4849-9226-5a7039c7161d + isCompleted: true + isExpired: false + outputs: + ed518850-681a-4d60-bb98-e22640cae2a8: + content: + key: value + type: json + parameters: + entity_id: abc123 + startedAt: '2022-07-29T19:08:49.126Z' + wasSuccessful: true + type: object + properties: {} Security_Endpoint_Management_API_Kuery: description: A KQL string. example: 'united.endpoint.host.os.name : ''Windows''' @@ -38613,12 +38954,6 @@ components: $ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType' - additionalProperties: true type: object - Security_Endpoint_Management_API_Pid: - type: object - properties: - pid: - minimum: 1 - type: integer Security_Endpoint_Management_API_ProtectionUpdatesNoteResponse: type: object properties: 
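Review bot: The three `oneOf` alternatives for kill-process `parameters` (`pid`, `entity_id`, `process_name`) each declare only optional properties, so under JSON Schema semantics an object such as `{ "pid": 123 }` matches all three branches and `oneOf` fails, while `{}` is accepted by none. Add `required: [pid]`, `required: [entity_id]` and `required: [process_name]` to the respective alternatives so exactly one branch applies. The removed `Pid` / `EntityId` components had the same gap, so inlining them is a good moment to close it.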
@@ -38676,11 +39011,45 @@ components: type: object properties: path: + description: The folder or file’s full path (including the file name). + example: /usr/my-file.txt type: string required: - path required: - parameters + example: + comment: Scan the file for malware + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + path: /usr/my-file.txt + Security_Endpoint_Management_API_ScanRouteResponse: + example: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: endpoint + command: scan + createdBy: myuser + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: gke-endpoint-gke-clu-endpoint-node-po-e1a3ab89-4c4r + id: 27ba1b42-7cc6-4e53-86ce-675c876092b2 + isCompleted: false + isExpired: false + outputs: {} + parameters: + path: /usr/my-file.txt + startedAt: '2023-07-28T19:00:03.911Z' + status: pending + wasSuccessful: false + type: object + properties: {} Security_Endpoint_Management_API_SortDirection: description: Determines the sort order. enum: @@ -38703,7 +39072,8 @@ components: example: enrolled_at type: string Security_Endpoint_Management_API_StartDate: - description: Start date + description: A start date in ISO 8601 format or Date Math format. + example: '2023-10-31T00:00:00.000Z' type: string Security_Endpoint_Management_API_SuccessResponse: type: object 
@@ -38730,10 +39100,53 @@ components: properties: parameters: oneOf: - - $ref: '#/components/schemas/Security_Endpoint_Management_API_Pid' - - $ref: '#/components/schemas/Security_Endpoint_Management_API_EntityId' + - type: object + properties: + pid: + description: The process ID (PID) of the process to suspend. + example: 123 + minimum: 1 + type: integer + - type: object + properties: + entity_id: + description: The entity ID of the process to suspend. + example: abc123 + minLength: 1 + type: string required: - parameters + example: + comment: suspend the process + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + entity_id: abc123 + Security_Endpoint_Management_API_SuspendProcessRouteResponse: + example: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentType: endpoint + command: suspend-process + comment: suspend the process + completedAt: '2022-07-29T19:09:44.961Z' + createdBy: myuser + errors: [] + id: 233db9ea-6733-4849-9226-5a7039c7161d + isCompleted: true + isExpired: false + outputs: + ed518850-681a-4d60-bb98-e22640cae2a8: + content: + key: value + type: json + parameters: + entity_id: abc123 + startedAt: '2022-07-29T19:08:49.126Z' + wasSuccessful: true + type: object + properties: {} Security_Endpoint_Management_API_Timeout: description: The maximum timeout value in milliseconds (optional) minimum: 1 
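Review bot: As with kill-process, the two `oneOf` alternatives for suspend-process `parameters` have no `required` list, so `{ "pid": 123 }` satisfies both branches and fails `oneOf` under a strict validator. Add `required: [pid]` to the first alternative and `required: [entity_id]` to the second. The `SuspendProcessRouteResponse` example is consistent with the request example above it, which is the pattern the isolate and unisolate examples in this diff should follow as well.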
@@ -38746,28 +39159,40 @@ components: type: string Security_Endpoint_Management_API_Types: description: List of types of response actions + example: + - automated + - manual items: $ref: '#/components/schemas/Security_Endpoint_Management_API_Type' maxLength: 2 minLength: 1 type: array - Security_Endpoint_Management_API_UnisolateRouteRequestBody: + Security_Endpoint_Management_API_UnisolateRouteResponse: + example: + action: 233db9ea-6733-4849-9226-5a7039c7161d + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentType: endpoint + command: suspend-process + comment: suspend the process + completedAt: '2022-07-29T19:09:44.961Z' + createdBy: myuser + errors: [] + id: 233db9ea-6733-4849-9226-5a7039c7161d + isCompleted: true + isExpired: false + outputs: + ed518850-681a-4d60-bb98-e22640cae2a8: + content: + key: value + type: json + parameters: + entity_id: abc123 + startedAt: '2022-07-29T19:08:49.126Z' + wasSuccessful: true type: object - properties: - agent_type: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes' - alert_ids: - $ref: '#/components/schemas/Security_Endpoint_Management_API_AlertIds' - case_ids: - $ref: '#/components/schemas/Security_Endpoint_Management_API_CaseIds' - comment: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Comment' - endpoint_ids: - $ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds' - parameters: - $ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters' - required: - - endpoint_ids + properties: {} Security_Endpoint_Management_API_UploadRouteRequestBody: allOf: - type: object @@ -38789,6 +39214,8 @@ components: - type: object properties: file: + description: The binary content of the file. + example: RWxhc3RpYw== format: binary type: string parameters: 
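Review bot: `Security_Endpoint_Management_API_UnisolateRouteResponse` reuses the suspend-process example verbatim (`command: suspend-process`, `comment: suspend the process`, `parameters: entity_id: abc123`), which is wrong for a release call. Use `command: unisolate`, a release comment such as `comment: Remediation complete, restoring network`, and no `entity_id` parameter. The new `file` description "The binary content of the file." with `example: RWxhc3RpYw==` shows base64 text for a `format: binary` part; say in the description that the part is sent as raw bytes in multipart/form-data, or drop the example.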
@@ -38796,12 +39223,51 @@ components: properties: overwrite: default: false + description: Overwrite the file on the host if it already exists. + example: false type: boolean required: - parameters - file + example: + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + file: RWxhc3RpYw== + parameters: {} + Security_Endpoint_Management_API_UploadRouteResponse: + example: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: endpoint + command: upload + createdBy: elastic + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: Host-5i6cuc8kdv + id: 9ff6aebc-2cb6-481e-8869-9b30036c9731 + isCompleted: false + isExpired: false + outputs: {} + parameters: + file_id: 10e4ce3d-4abb-4f93-a0cd-eaf63a489280 + file_name: fix-malware.sh + file_sha256: a0bed94220193ba4895c0aa5b4e7e293381d15765cb164ddf7be5cdd010ae42a + file_size: 69 + startedAt: '2023-07-03T15:07:22.837Z' + status: pending + wasSuccessful: false + type: object + properties: {} Security_Endpoint_Management_API_UserIds: - description: User IDs + description: A list of user IDs. + example: + - user-id-1 + - user-id-2 oneOf: - items: minLength: 1 @@ -38811,7 +39277,10 @@ components: - minLength: 1 type: string Security_Endpoint_Management_API_WithOutputs: - description: Shows detailed outputs for an action response + description: A list of action IDs that should include the complete output of the action. + example: + - action-id-1 + - action-id-2 oneOf: - items: minLength: 1 diff --git a/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/details/details.gen.ts b/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/details/details.gen.ts index 1fa7d79e97feb..e8e3cdaefa3fb 100644 --- a/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/details/details.gen.ts 
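Review bot: The `UploadRouteRequestBody` example sends `file: RWxhc3RpYw==`, a base64 string, yet the endpoint is now `multipart/form-data` with `format: binary`; a client following the example literally would upload the encoded text rather than a file part. Either state that `file` is a raw multipart file part, or use `format: byte` if base64 is genuinely what the server expects. The `file_sha256` and `file_size` in the response example are what an operator would use to verify what landed on the host; a one-line description of where that hash is computed would help, if that is known (it is not visible here).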
+++ b/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/details/details.gen.ts @@ -16,7 +16,8 @@ import { z } from '@kbn/zod'; -import { SuccessResponse } from '../../model/schema/common.gen'; +export type GetEndpointActionResponse = z.infer; +export const GetEndpointActionResponse = z.object({}); export type EndpointGetActionsDetailsRequestParams = z.infer< typeof EndpointGetActionsDetailsRequestParams @@ -29,4 +30,4 @@ export type EndpointGetActionsDetailsRequestParamsInput = z.input< >; export type EndpointGetActionsDetailsResponse = z.infer; -export const EndpointGetActionsDetailsResponse = SuccessResponse; +export const EndpointGetActionsDetailsResponse = GetEndpointActionResponse; diff --git a/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/details/details.schema.yaml b/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/details/details.schema.yaml index 7cf2f808e06f8..36228bfe9bc81 100644 --- a/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/details/details.schema.yaml +++ b/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/details/details.schema.yaml 
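Review bot: `GetEndpointActionResponse = z.object({})` gives the response the type `{}` and, if the schema is ever used to `parse()` a payload, zod's default strip mode would drop every field of `data`. This file is generated, so the fix belongs in `details.schema.yaml`: add `additionalProperties: true` to `GetEndpointActionResponse`, the pattern already used elsewhere in this spec, so the generator emits a passthrough object, or better, describe the actual `data` properties. The `z.infer` shown without a type argument looks like a rendering artefact of the page rather than the source.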
@@ -16,12 +16,46 @@ paths: required: true schema: type: string + description: The ID of the action to retrieve. + example: 'fr518850-681a-4y60-aa98-e22640cae2b8' responses: '200': description: OK content: application/json: schema: - $ref: '../../model/schema/common.schema.yaml#/components/schemas/SuccessResponse' + $ref: '#/components/schemas/GetEndpointActionResponse' +components: + schemas: + GetEndpointActionResponse: + type: object + properties: { } + example: + data: + id: "b3d6de74-36b0-4fa8-be46-c375bf1771bf" + agents: + - "afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0" + agentType: "endpoint" + command: "running-processes" + startedAt: "2022-08-08T15:24:57.402Z" + completedAt: "2022-08-08T09:50:47.672Z" + createdBy: "elastic" + isCompleted: true + wasSuccessful: true + isExpired: false + outputs: + afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0: + type: "json" + content: + entries: + - pid: "822" + entity_id: "fk2ym7bl3oiu3okjcik0xosc0i0m75x3eh49nu3uaqt4dqanjt" + user: "Dexter" + command: "/opt/cmd1" + - pid: "984" + entity_id: "pwvz91m48wpj9j7ov9gtw8fp7u2rat4eu5ipte37hnhdcbi2pt" + user: "Jada" + command: "/opt/cmd3/opt/cmd3/opt/cmd3/opt/cmd3" + diff --git a/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/list/list.gen.ts b/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/list/list.gen.ts index 4eec6a2cb6479..8e2ffea437d71 100644 --- a/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/list/list.gen.ts +++ b/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/list/list.gen.ts 
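Review bot: The new `example: 'fr518850-681a-4y60-aa98-e22640cae2b8'` for the action ID parameter is not a valid UUID (`r` and `y` are not hex digits), while every action `id` in the response example is one; use the same value, `example: 'b3d6de74-36b0-4fa8-be46-c375bf1771bf'`. In the response example `completedAt: "2022-08-08T09:50:47.672Z"` precedes `startedAt: "2022-08-08T15:24:57.402Z"`, so the sample shows an action finishing before it started. `GetEndpointActionResponse` is `properties: { }` without `additionalProperties: true`, which leaves the generated type empty.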
@@ -17,42 +17,37 @@ import { z } from '@kbn/zod'; import { - SuccessResponse, - AgentIds, - AgentTypes, - Commands, Page, + PageSize, + Commands, + AgentIds, + UserIds, StartDate, EndDate, - UserIds, - Types, + AgentTypes, WithOutputs, + Types, } from '../../model/schema/common.gen'; -export type GetEndpointActionListRouteQuery = z.infer; -export const GetEndpointActionListRouteQuery = z.object({ - agentIds: AgentIds.optional(), - agentTypes: AgentTypes.optional(), - commands: Commands.optional(), +export type GetEndpointActionListResponse = z.infer; +export const GetEndpointActionListResponse = z.object({}); + +export type EndpointGetActionsListRequestQuery = z.infer; +export const EndpointGetActionsListRequestQuery = z.object({ page: Page.optional(), - /** - * Number of items per page - */ - pageSize: z.number().int().min(1).max(10000).optional().default(10), + pageSize: PageSize.optional(), + commands: Commands.optional(), + agentIds: AgentIds.optional(), + userIds: UserIds.optional(), startDate: StartDate.optional(), endDate: EndDate.optional(), - userIds: UserIds.optional(), - types: Types.optional(), + agentTypes: AgentTypes.optional(), withOutputs: WithOutputs.optional(), -}); - -export type EndpointGetActionsListRequestQuery = z.infer; -export const EndpointGetActionsListRequestQuery = z.object({ - query: GetEndpointActionListRouteQuery, + types: Types.optional(), }); export type EndpointGetActionsListRequestQueryInput = z.input< typeof EndpointGetActionsListRequestQuery >; export type EndpointGetActionsListResponse = z.infer; -export const EndpointGetActionsListResponse = SuccessResponse; +export const EndpointGetActionsListResponse = GetEndpointActionListResponse; diff --git a/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/list/list.schema.yaml b/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/list/list.schema.yaml index 8e7dcfd5412f4..ecd0445750a05 100644 
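Review bot: The generated query schema now has `pageSize: PageSize.optional()` in place of `z.number().int().min(1).max(10000).optional().default(10)`; `PageSize` comes from `common.gen`, which is not in this diff, so confirm it still carries `.min(1).max(10000)` and `.default(10)`, otherwise this route loses both its page-size cap and its default in one move. `GetEndpointActionListResponse = z.object({})` types the response as `{}`; the source of truth is `list.schema.yaml`, where `additionalProperties: true` (or real properties) would make the generator emit something usable.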
--- a/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/list/list.schema.yaml +++ b/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/list/list.schema.yaml 
@@ -11,44 +11,121 @@ paths: x-codegen-enabled: true x-labels: [ess, serverless] parameters: - - name: query + - name: page in: query - required: true + required: false schema: - $ref: '#/components/schemas/GetEndpointActionListRouteQuery' + $ref: '../../model/schema/common.schema.yaml#/components/schemas/Page' + - name: pageSize + in: query + required: false + schema: + $ref: '../../model/schema/common.schema.yaml#/components/schemas/PageSize' + - name: commands + in: query + required: false + schema: + $ref: '../../model/schema/common.schema.yaml#/components/schemas/Commands' + - name: agentIds + in: query + required: false + schema: + $ref: '../../model/schema/common.schema.yaml#/components/schemas/AgentIds' + - name: userIds + in: query + required: false + schema: + $ref: '../../model/schema/common.schema.yaml#/components/schemas/UserIds' + - name: startDate + in: query + required: false + schema: + $ref: '../../model/schema/common.schema.yaml#/components/schemas/StartDate' + - name: endDate + in: query + required: false + schema: + $ref: '../../model/schema/common.schema.yaml#/components/schemas/EndDate' + - name: agentTypes + in: query + required: false + schema: + $ref: '../../model/schema/common.schema.yaml#/components/schemas/AgentTypes' + - name: withOutputs + in: query + required: false + schema: + $ref: '../../model/schema/common.schema.yaml#/components/schemas/WithOutputs' + - name: types + in: query + required: false + schema: + $ref: '../../model/schema/common.schema.yaml#/components/schemas/Types' responses: '200': description: OK content: application/json: schema: - $ref: '../../model/schema/common.schema.yaml#/components/schemas/SuccessResponse' + $ref: '#/components/schemas/GetEndpointActionListResponse' components: schemas: - GetEndpointActionListRouteQuery: + GetEndpointActionListResponse: type: object - properties: - agentIds: - $ref: '../../model/schema/common.schema.yaml#/components/schemas/AgentIds' - agentTypes: - $ref: 
'../../model/schema/common.schema.yaml#/components/schemas/AgentTypes' - commands: - $ref: '../../model/schema/common.schema.yaml#/components/schemas/Commands' - page: - $ref: '../../model/schema/common.schema.yaml#/components/schemas/Page' - pageSize: - type: integer - default: 10 - minimum: 1 - maximum: 10000 - description: Number of items per page - startDate: - $ref: '../../model/schema/common.schema.yaml#/components/schemas/StartDate' - endDate: - $ref: '../../model/schema/common.schema.yaml#/components/schemas/EndDate' - userIds: - $ref: '../../model/schema/common.schema.yaml#/components/schemas/UserIds' - types: - $ref: '../../model/schema/common.schema.yaml#/components/schemas/Types' - withOutputs: - $ref: '../../model/schema/common.schema.yaml#/components/schemas/WithOutputs' + properties: { } + example: + page: 1 + pageSize: 10 + total: 4 + startDate: "now-24h/h" + endDate: "now" + elasticAgentIds: + - "afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0" + data: + - id: "b3d6de74-36b0-4fa8-be46-c375bf1771bf" + agents: + - "afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0" + command: "running-processes" + agentType: "endpoint" + startedAt: "2022-08-08T15:24:57.402Z" + isCompleted: true + completedAt: "2022-08-08T09:50:47.672Z" + wasSuccessful: true + isExpired: false + createdBy: "elastic" + - id: "43b4098b-8752-4fbb-a7a7-6df7c74d0ee3" + agents: + - "afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0" + command: "isolate" + agentType: "endpoint" + startedAt: "2022-08-08T15:23:37.359Z" + isCompleted: true + completedAt: "2022-08-08T10:41:57.352Z" + wasSuccessful: true + isExpired: false + createdBy: "elastic" + - id: "5bc92c86-b8e6-42dd-837f-12ad29e09caa" + agents: + - "afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0" + command: "kill-process" + agentType: "endpoint" + startedAt: "2022-08-08T14:38:44.125Z" + isCompleted: true + completedAt: "2022-08-08T09:44:50.952Z" + wasSuccessful: true + isExpired: false + createdBy: "elastic" + comment: "bad process - taking up too much cpu" + - id: 
"790d54e0-3aa3-4e5b-8255-3ce9d851246a" + agents: + - "afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0" + command: "unisolate" + agentType: "endpoint" + startedAt: "2022-08-08T14:38:15.391Z" + isCompleted: true + completedAt: "2022-08-08T09:40:47.398Z" + wasSuccessful: true + isExpired: false + createdBy: "elastic" + comment: "Not a threat to the network" + diff --git a/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/execute/execute.gen.ts b/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/execute/execute.gen.ts index 531236ea248bf..b9cf0db2b4ce9 100644 --- a/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/execute/execute.gen.ts +++ b/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/execute/execute.gen.ts @@ -16,12 +16,7 @@ import { z } from '@kbn/zod'; -import { - SuccessResponse, - BaseActionSchema, - Command, - Timeout, -} from '../../../model/schema/common.gen'; +import { BaseActionSchema, Command, Timeout } from '../../../model/schema/common.gen'; export type ExecuteRouteRequestBody = z.infer; export const ExecuteRouteRequestBody = BaseActionSchema.merge( @@ -33,6 +28,9 @@ export const ExecuteRouteRequestBody = BaseActionSchema.merge( }) ); +export type ExecuteRouteResponse = z.infer; +export const ExecuteRouteResponse = z.object({}); + export type EndpointExecuteActionRequestBody = z.infer; export const EndpointExecuteActionRequestBody = ExecuteRouteRequestBody; export type EndpointExecuteActionRequestBodyInput = z.input< @@ -40,4 +38,4 @@ export type EndpointExecuteActionRequestBodyInput = z.input< >; export type EndpointExecuteActionResponse = z.infer; -export const EndpointExecuteActionResponse = SuccessResponse; +export const EndpointExecuteActionResponse = ExecuteRouteResponse; 
diff --git a/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/execute/execute.schema.yaml b/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/execute/execute.schema.yaml index f2496687b8fb0..84e6fa32d1389 100644 --- a/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/execute/execute.schema.yaml +++ b/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/execute/execute.schema.yaml @@ -22,11 +22,18 @@ paths: content: application/json: schema: - $ref: '../../../model/schema/common.schema.yaml#/components/schemas/SuccessResponse' + $ref: '#/components/schemas/ExecuteRouteResponse' components: schemas: ExecuteRouteRequestBody: + example: + parameters: + command: "ls -al" + timeout: 600 + endpoint_ids: + - "b3d6de74-36b0-4fa8-be46-c375bf1771bf" + comment: "Get list of all files" allOf: - $ref: '../../../model/schema/common.schema.yaml#/components/schemas/BaseActionSchema' - type: object @@ -42,3 +49,31 @@ components: $ref: '../../../model/schema/common.schema.yaml#/components/schemas/Command' timeout: $ref: '../../../model/schema/common.schema.yaml#/components/schemas/Timeout' + ExecuteRouteResponse: + type: object + properties: { } + example: + data: + id: "9f934028-2300-4927-b531-b26376793dc4" + agents: + - "ed518850-681a-4d60-bb98-e22640cae2a8" + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: "gke-endpoint-gke-clu-endpoint-node-po-e1a3ab89-4c4r" + agentType: "endpoint" + command: "execute" + startedAt: "2023-07-28T18:43:27.362Z" + isCompleted: false + wasSuccessful: false + isExpired: false + status: "pending" + outputs: { } + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + createdBy: "myuser" + comment: "Get list of all files" + parameters: + command: "ls -al" + timeout: 600 
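Review bot: The `ExecuteRouteRequestBody` example uses `timeout: 600`, but the `Timeout` component it references is described in this spec as "The maximum timeout value in milliseconds", so the example reads as a 0.6 s window for `ls -al`. Either the example should be `timeout: 600000`, or the `Timeout` description has the unit wrong; please check which the endpoint implements (not visible here) and align the two. `ExecuteRouteResponse` is `properties: { }` without `additionalProperties: true`, leaving the generated type empty.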
diff --git a/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/get_file/get_file.gen.ts b/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/get_file/get_file.gen.ts index e094bde8649d2..920b0a46f5f5f 100644 --- a/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/get_file/get_file.gen.ts +++ b/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/get_file/get_file.gen.ts @@ -16,7 +16,7 @@ import { z } from '@kbn/zod'; -import { SuccessResponse, BaseActionSchema } from '../../../model/schema/common.gen'; +import { BaseActionSchema } from '../../../model/schema/common.gen'; export type GetFileRouteRequestBody = z.infer; export const GetFileRouteRequestBody = BaseActionSchema.merge( @@ -27,6 +27,9 @@ export const GetFileRouteRequestBody = BaseActionSchema.merge( }) ); +export type GetFileRouteResponse = z.infer; +export const GetFileRouteResponse = z.object({}); + export type EndpointGetFileActionRequestBody = z.infer; export const EndpointGetFileActionRequestBody = GetFileRouteRequestBody; export type EndpointGetFileActionRequestBodyInput = z.input< @@ -34,4 +37,4 @@ export type EndpointGetFileActionRequestBodyInput = z.input< >; export type EndpointGetFileActionResponse = z.infer; -export const EndpointGetFileActionResponse = SuccessResponse; +export const EndpointGetFileActionResponse = GetFileRouteResponse; diff --git a/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/get_file/get_file.schema.yaml b/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/get_file/get_file.schema.yaml index cc36b843110b8..5ed449e492aac 100644 --- a/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/get_file/get_file.schema.yaml 
+++ b/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/get_file/get_file.schema.yaml @@ -23,11 +23,17 @@ paths: content: application/json: schema: - $ref: '../../../model/schema/common.schema.yaml#/components/schemas/SuccessResponse' + $ref: '#/components/schemas/GetFileRouteResponse' components: schemas: GetFileRouteRequestBody: + example: + endpoint_ids: + - "ed518850-681a-4d60-bb98-e22640cae2a8" + parameters: + path: "/usr/my-file.txt" + comment: "Get my file" allOf: - $ref: '../../../model/schema/common.schema.yaml#/components/schemas/BaseActionSchema' - type: object @@ -41,4 +47,31 @@ components: properties: path: type: string + GetFileRouteResponse: + type: object + properties: { } + example: + data: + id: "27ba1b42-7cc6-4e53-86ce-675c876092b2" + agents: + - "ed518850-681a-4d60-bb98-e22640cae2a8" + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: "gke-endpoint-gke-clu-endpoint-node-po-e1a3ab89-4c4r" + agentType: "endpoint" + command: "get-file" + startedAt: "2023-07-28T19:00:03.911Z" + isCompleted: false + wasSuccessful: false + isExpired: false + status: "pending" + outputs: { } + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + createdBy: "myuser" + parameters: + path: "/usr/my-file.txt" + diff --git a/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/isolate/isolate.gen.ts b/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/isolate/isolate.gen.ts index 030ba1433fb7b..f14b103f84bd7 100644 --- a/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/isolate/isolate.gen.ts +++ b/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/isolate/isolate.gen.ts 
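Review bot: The `path` property of `GetFileRouteRequestBody` is left as a bare `type: string`, while the sibling scan schema in this same change documents its `path` with a description and example; get-file is the more sensitive of the two because the named file is pulled off the host and returned to the caller, so the contract deserves at least as much. Suggest adding under `path:` the lines `description: "The full (absolute) path of the file to retrieve from the host, including the file name."` and `example: "/usr/my-file.txt"`, matching the value already used in the request example. Whether relative paths are rejected server-side is not visible here and should be confirmed before the wording promises it.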
@@ -14,18 +14,18 @@ * version: 2023-10-31 */ -import type { z } from '@kbn/zod'; +import { z } from '@kbn/zod'; -import { SuccessResponse, BaseActionSchema } from '../../../model/schema/common.gen'; +import { BaseActionSchema } from '../../../model/schema/common.gen'; -export type IsolateRouteRequestBody = z.infer; -export const IsolateRouteRequestBody = BaseActionSchema; +export type IsolateRouteResponse = z.infer; +export const IsolateRouteResponse = z.object({}); export type EndpointIsolateActionRequestBody = z.infer; -export const EndpointIsolateActionRequestBody = IsolateRouteRequestBody; +export const EndpointIsolateActionRequestBody = BaseActionSchema; export type EndpointIsolateActionRequestBodyInput = z.input< typeof EndpointIsolateActionRequestBody >; export type EndpointIsolateActionResponse = z.infer; -export const EndpointIsolateActionResponse = SuccessResponse; +export const EndpointIsolateActionResponse = IsolateRouteResponse; diff --git a/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/isolate/isolate.schema.yaml b/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/isolate/isolate.schema.yaml index 396d8e3d54b1e..1dbbea5b5c430 100644 --- a/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/isolate/isolate.schema.yaml +++ b/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/isolate/isolate.schema.yaml 
@@ -15,16 +15,62 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/IsolateRouteRequestBody' + $ref: '../../../model/schema/common.schema.yaml#/components/schemas/BaseActionSchema' + examples: + single_endpoint: + summary: "Isolates a single host with an endpoint_id value of ed518850-681a-4d60-bb98-e22640cae2a8" + value: + endpoint_ids: + - "ed518850-681a-4d60-bb98-e22640cae2a8" + multiple_endpoints: + summary: "Isolates several hosts; includes a comment" + value: + endpoint_ids: + - "9972d10e-4b9e-41aa-a534-a85e2a28ea42" + - "bc0e4f0c-3bca-4633-9fee-156c0b505d16" + - "fa89271b-b9d4-43f2-a684-307cffddeb5a" + comment: "Locked down, pending further investigation" + with_case_id: + summary: "Isolates a single host with a case_id value of 1234" + value: + endpoint_ids: + - "1aa1f8fd-0fb0-4fe4-8c30-92068272d3f0" + - "b30a11bf-1395-4707-b508-fbb45ef9793e" + case_ids: + - "4976be38-c134-4554-bd5e-0fd89ce63667" + comment: "Isolating as initial response" responses: '200': description: OK content: application/json: schema: - $ref: '../../../model/schema/common.schema.yaml#/components/schemas/SuccessResponse' - + $ref: '#/components/schemas/IsolateRouteResponse' components: schemas: - IsolateRouteRequestBody: - $ref: '../../../model/schema/common.schema.yaml#/components/schemas/BaseActionSchema' + IsolateRouteResponse: + type: object + properties: { } + example: + action: "233db9ea-6733-4849-9226-5a7039c7161d" + data: + id: "233db9ea-6733-4849-9226-5a7039c7161d" + agents: + - "ed518850-681a-4d60-bb98-e22640cae2a8" + command: "suspend-process" + agentType: "endpoint" + isExpired: false + isCompleted: true + wasSuccessful: true + errors: [ ] + startedAt: "2022-07-29T19:08:49.126Z" + completedAt: "2022-07-29T19:09:44.961Z" + outputs: + ed518850-681a-4d60-bb98-e22640cae2a8: + type: "json" + content: + key: "value" + createdBy: "myuser" + comment: "suspend the process" + parameters: + entity_id: "abc123" 
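Review bot: The `IsolateRouteResponse` example describes a different action than this route — `command: "suspend-process"`, `comment: "suspend the process"` and `parameters: entity_id: "abc123"` look pasted from the suspend-process schema, so the rendered docs for the isolate endpoint will show a suspend-process response. It should read `command: "isolate"` with a matching comment such as `comment: "Locked down, pending further investigation"` and no `parameters` block, since the isolate request body (`BaseActionSchema`) takes none. The `with_case_id` request example's summary says `case_id value of 1234` while the value shown is `4976be38-…`; one of the two should change so they agree. Whether the top-level `action:` key shown here is still returned by the route is not verifiable from this diff and is worth confirming before documenting it.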
diff --git a/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/kill_process/kill_process.gen.ts b/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/kill_process/kill_process.gen.ts index 0f75653323bd2..cda61249e3f66 100644 --- a/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/kill_process/kill_process.gen.ts +++ b/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/kill_process/kill_process.gen.ts @@ -16,17 +16,27 @@ import { z } from '@kbn/zod'; -import { SuccessResponse, BaseActionSchema, Pid, EntityId } from '../../../model/schema/common.gen'; +import { BaseActionSchema } from '../../../model/schema/common.gen'; export type KillProcessRouteRequestBody = z.infer; export const KillProcessRouteRequestBody = BaseActionSchema.merge( z.object({ parameters: z.union([ - Pid, - EntityId, z.object({ /** - * Valid for SentinelOne agent type only + * The process ID (PID) of the process to terminate. + */ + pid: z.number().int().min(1).optional(), + }), + z.object({ + /** + * The entity ID of the process to terminate. + */ + entity_id: z.string().min(1).optional(), + }), + z.object({ + /** + * The name of the process to terminate. Valid for SentinelOne agent type only. */ process_name: z.string().min(1).optional(), }), @@ -34,6 +44,9 @@ export const KillProcessRouteRequestBody = BaseActionSchema.merge( }) ); +export type KillProcessRouteResponse = z.infer; +export const KillProcessRouteResponse = z.object({}); + export type EndpointKillProcessActionRequestBody = z.infer< typeof EndpointKillProcessActionRequestBody >; 
@@ -43,4 +56,4 @@ export type EndpointKillProcessActionRequestBodyInput = z.input< >; export type EndpointKillProcessActionResponse = z.infer; -export const EndpointKillProcessActionResponse = SuccessResponse; +export const EndpointKillProcessActionResponse = KillProcessRouteResponse; diff --git a/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/kill_process/kill_process.schema.yaml b/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/kill_process/kill_process.schema.yaml index fc0f68ef72bc6..ba314589cc4e7 100644 --- a/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/kill_process/kill_process.schema.yaml +++ b/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/kill_process/kill_process.schema.yaml @@ -22,11 +22,17 @@ paths: content: application/json: schema: - $ref: '../../../model/schema/common.schema.yaml#/components/schemas/SuccessResponse' + $ref: '#/components/schemas/KillProcessRouteResponse' components: schemas: KillProcessRouteRequestBody: + example: + endpoint_ids: + - "ed518850-681a-4d60-bb98-e22640cae2a8" + parameters: + entity_id: "abc123" + comment: "terminate the process" allOf: - $ref: '../../../model/schema/common.schema.yaml#/components/schemas/BaseActionSchema' - type: object 
@@ -35,11 +41,49 @@ components: properties: parameters: oneOf: - - $ref: "../../../model/schema/common.schema.yaml#/components/schemas/Pid" - - $ref: "../../../model/schema/common.schema.yaml#/components/schemas/EntityId" + - type: object + properties: + pid: + type: integer + description: "The process ID (PID) of the process to terminate." + example: 123 + minimum: 1 + - type: object + properties: + entity_id: + type: string + description: "The entity ID of the process to terminate." + example: "abc123" + minLength: 1 - type: object properties: process_name: type: string + description: "The name of the process to terminate. Valid for SentinelOne agent type only." + example: "Elastic" minLength: 1 - description: Valid for SentinelOne agent type only + KillProcessRouteResponse: + type: object + properties: { } + example: + data: + id: "233db9ea-6733-4849-9226-5a7039c7161d" + agents: + - "ed518850-681a-4d60-bb98-e22640cae2a8" + command: "kill-process" + agentType: "endpoint" + isExpired: false + isCompleted: true + wasSuccessful: true + errors: [ ] + startedAt: "2022-07-29T19:08:49.126Z" + completedAt: "2022-07-29T19:09:44.961Z" + outputs: + ed518850-681a-4d60-bb98-e22640cae2a8: + type: "json" + content: + key: "value" + createdBy: "myuser" + comment: "terminate the process" + parameters: + entity_id: "abc123" diff --git a/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/running_procs/running_procs.gen.ts b/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/running_procs/running_procs.gen.ts index 63e31a863e58e..1b590d73f0bec 100644 --- a/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/running_procs/running_procs.gen.ts +++ b/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/running_procs/running_procs.gen.ts 
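Review bot: Each of the three `oneOf` branches for `parameters` is an object whose single property is optional, so any object — `{}` as well as `{entity_id: "abc123"}` — matches every branch; under strict JSON Schema `oneOf` semantics that is an ambiguity failure, and the generated `z.union` in the kill_process.gen.ts hunk above (anyOf semantics, first match wins) would accept a kill-process request that names no target at all and, if ever used to parse, would reduce `{entity_id: "abc123"}` to `{}` because the first branch strips unknown keys. Add `required: [pid]`, `required: [entity_id]` and `required: [process_name]` to the respective branches so exactly one selector must be present and the generated fields become non-optional. The route's own request validator may already reject an empty selector, but that is not visible here, and the published contract should not be looser than it.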
@@ -14,13 +14,16 @@ * version: 2023-10-31 */ -import type { z } from '@kbn/zod'; +import { z } from '@kbn/zod'; -import { SuccessResponse, BaseActionSchema } from '../../../model/schema/common.gen'; +import { BaseActionSchema } from '../../../model/schema/common.gen'; export type GetProcessesRouteRequestBody = z.infer; export const GetProcessesRouteRequestBody = BaseActionSchema; +export type GetProcessesRouteResponse = z.infer; +export const GetProcessesRouteResponse = z.object({}); + export type EndpointGetProcessesActionRequestBody = z.infer< typeof EndpointGetProcessesActionRequestBody >; @@ -30,4 +33,4 @@ export type EndpointGetProcessesActionRequestBodyInput = z.input< >; export type EndpointGetProcessesActionResponse = z.infer; -export const EndpointGetProcessesActionResponse = SuccessResponse; +export const EndpointGetProcessesActionResponse = GetProcessesRouteResponse; diff --git a/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/running_procs/running_procs.schema.yaml b/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/running_procs/running_procs.schema.yaml index dc2735e04b50f..1eb69fc04018d 100644 --- a/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/running_procs/running_procs.schema.yaml +++ b/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/running_procs/running_procs.schema.yaml 
@@ -22,10 +22,37 @@ paths: content: application/json: schema: - $ref: '../../../model/schema/common.schema.yaml#/components/schemas/SuccessResponse' + $ref: '#/components/schemas/GetProcessesRouteResponse' components: schemas: GetProcessesRouteRequestBody: + example: + endpoint_ids: + - "ed518850-681a-4d60-bb98-e22640cae2a8" allOf: - $ref: '../../../model/schema/common.schema.yaml#/components/schemas/BaseActionSchema' + GetProcessesRouteResponse: + type: object + properties: { } + example: + data: + id: "233db9ea-6733-4849-9226-5a7039c7161d" + agents: + - "ed518850-681a-4d60-bb98-e22640cae2a8" + command: "running-processes" + agentType: "endpoint" + isExpired: false + isCompleted: true + wasSuccessful: true + errors: [ ] + startedAt: "2022-07-29T19:08:49.126Z" + completedAt: "2022-07-29T19:09:44.961Z" + outputs: + ed518850-681a-4d60-bb98-e22640cae2a8: + type: "json" + content: + key: "value" + createdBy: "myuser" + comment: "" + parameters: { } diff --git a/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/scan/scan.gen.ts b/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/scan/scan.gen.ts index 2d6f458e79994..0bb78c35fc1f1 100644 --- a/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/scan/scan.gen.ts +++ b/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/scan/scan.gen.ts 
@@ -16,20 +16,26 @@ import { z } from '@kbn/zod'; -import { SuccessResponse, BaseActionSchema } from '../../../model/schema/common.gen'; +import { BaseActionSchema } from '../../../model/schema/common.gen'; export type ScanRouteRequestBody = z.infer; export const ScanRouteRequestBody = BaseActionSchema.merge( z.object({ parameters: z.object({ + /** + * The folder or file’s full path (including the file name). + */ path: z.string(), }), }) ); +export type ScanRouteResponse = z.infer; +export const ScanRouteResponse = z.object({}); + export type EndpointScanActionRequestBody = z.infer; export const EndpointScanActionRequestBody = ScanRouteRequestBody; export type EndpointScanActionRequestBodyInput = z.input; export type EndpointScanActionResponse = z.infer; -export const EndpointScanActionResponse = SuccessResponse; +export const EndpointScanActionResponse = ScanRouteResponse; diff --git a/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/scan/scan.schema.yaml b/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/scan/scan.schema.yaml index 7ebf23a51ad7a..dc11a463319cd 100644 --- a/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/scan/scan.schema.yaml +++ b/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/scan/scan.schema.yaml @@ -22,11 +22,16 @@ paths: content: application/json: schema: - $ref: '../../../model/schema/common.schema.yaml#/components/schemas/SuccessResponse' - + $ref: '#/components/schemas/ScanRouteResponse' components: schemas: ScanRouteRequestBody: + example: + endpoint_ids: + - "ed518850-681a-4d60-bb98-e22640cae2a8" + parameters: + path: "/usr/my-file.txt" + comment: "Scan the file for malware" allOf: - $ref: '../../../model/schema/common.schema.yaml#/components/schemas/BaseActionSchema' - type: object 
@@ -40,4 +45,34 @@ components: properties: path: type: string + description: "The folder or file’s full path (including the file name)." + example: "/usr/my-file.txt" + ScanRouteResponse: + type: object + properties: { } + example: + data: + id: "27ba1b42-7cc6-4e53-86ce-675c876092b2" + agents: + - "ed518850-681a-4d60-bb98-e22640cae2a8" + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: "gke-endpoint-gke-clu-endpoint-node-po-e1a3ab89-4c4r" + agentType: "endpoint" + command: "scan" + startedAt: "2023-07-28T19:00:03.911Z" + isCompleted: false + wasSuccessful: false + isExpired: false + status: "pending" + outputs: { } + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + createdBy: "myuser" + parameters: + path: "/usr/my-file.txt" + + diff --git a/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/suspend_process/suspend_process.gen.ts b/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/suspend_process/suspend_process.gen.ts index ae737755e9880..12216e46bdf72 100644 --- a/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/suspend_process/suspend_process.gen.ts +++ b/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/suspend_process/suspend_process.gen.ts 
@@ -16,15 +16,31 @@ import { z } from '@kbn/zod'; -import { SuccessResponse, BaseActionSchema, Pid, EntityId } from '../../../model/schema/common.gen'; +import { BaseActionSchema } from '../../../model/schema/common.gen'; export type SuspendProcessRouteRequestBody = z.infer; export const SuspendProcessRouteRequestBody = BaseActionSchema.merge( z.object({ - parameters: z.union([Pid, EntityId]), + parameters: z.union([ + z.object({ + /** + * The process ID (PID) of the process to suspend. + */ + pid: z.number().int().min(1).optional(), + }), + z.object({ + /** + * The entity ID of the process to suspend. + */ + entity_id: z.string().min(1).optional(), + }), + ]), }) ); +export type SuspendProcessRouteResponse = z.infer; +export const SuspendProcessRouteResponse = z.object({}); + export type EndpointSuspendProcessActionRequestBody = z.infer< typeof EndpointSuspendProcessActionRequestBody >; @@ -36,4 +52,4 @@ export type EndpointSuspendProcessActionRequestBodyInput = z.input< export type EndpointSuspendProcessActionResponse = z.infer< typeof EndpointSuspendProcessActionResponse >; -export const EndpointSuspendProcessActionResponse = SuccessResponse; +export const EndpointSuspendProcessActionResponse = SuspendProcessRouteResponse; diff --git a/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/suspend_process/suspend_process.schema.yaml b/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/suspend_process/suspend_process.schema.yaml index bc1a38351df44..505b8424b6c2c 100644 --- a/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/suspend_process/suspend_process.schema.yaml +++ b/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/suspend_process/suspend_process.schema.yaml 
@@ -22,11 +22,17 @@ paths: content: application/json: schema: - $ref: '../../../model/schema/common.schema.yaml#/components/schemas/SuccessResponse' + $ref: '#/components/schemas/SuspendProcessRouteResponse' components: schemas: SuspendProcessRouteRequestBody: + example: + endpoint_ids: + - "ed518850-681a-4d60-bb98-e22640cae2a8" + parameters: + entity_id: "abc123" + comment: "suspend the process" allOf: - $ref: '../../../model/schema/common.schema.yaml#/components/schemas/BaseActionSchema' - type: object @@ -35,5 +41,42 @@ components: properties: parameters: oneOf: - - $ref: "../../../model/schema/common.schema.yaml#/components/schemas/Pid" - - $ref: "../../../model/schema/common.schema.yaml#/components/schemas/EntityId" + - type: object + properties: + pid: + type: integer + description: "The process ID (PID) of the process to suspend." + example: 123 + minimum: 1 + - type: object + properties: + entity_id: + type: string + description: "The entity ID of the process to suspend." + example: "abc123" + minLength: 1 + SuspendProcessRouteResponse: + type: object + properties: { } + example: + data: + id: "233db9ea-6733-4849-9226-5a7039c7161d" + agents: + - "ed518850-681a-4d60-bb98-e22640cae2a8" + command: "suspend-process" + agentType: "endpoint" + isExpired: false + isCompleted: true + wasSuccessful: true + errors: [ ] + startedAt: "2022-07-29T19:08:49.126Z" + completedAt: "2022-07-29T19:09:44.961Z" + outputs: + ed518850-681a-4d60-bb98-e22640cae2a8: + type: "json" + content: + key: "value" + createdBy: "myuser" + comment: "suspend the process" + parameters: + entity_id: "abc123" diff --git a/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/unisolate/unisolate.gen.ts b/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/unisolate/unisolate.gen.ts index 115ff4162e206..be1bc891a6680 100644 
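Review bot: The two `oneOf` branches for `parameters` each carry only an optional property, so `{}` and `{entity_id: "abc123"}` both satisfy both branches — ambiguous under strict `oneOf`, and in the generated `z.union` (suspend_process.gen.ts hunk above) the first branch accepts and strips an `entity_id`-only object. Adding `required: [pid]` to the first branch and `required: [entity_id]` to the second makes the selector mandatory and the generated Zod fields non-optional. Whether the route validator independently rejects an empty `parameters` is not visible in this diff.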
--- a/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/unisolate/unisolate.gen.ts +++ b/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/unisolate/unisolate.gen.ts @@ -14,18 +14,18 @@ * version: 2023-10-31 */ -import type { z } from '@kbn/zod'; +import { z } from '@kbn/zod'; -import { SuccessResponse, BaseActionSchema } from '../../../model/schema/common.gen'; +import { BaseActionSchema } from '../../../model/schema/common.gen'; -export type UnisolateRouteRequestBody = z.infer; -export const UnisolateRouteRequestBody = BaseActionSchema; +export type UnisolateRouteResponse = z.infer; +export const UnisolateRouteResponse = z.object({}); export type EndpointUnisolateActionRequestBody = z.infer; -export const EndpointUnisolateActionRequestBody = UnisolateRouteRequestBody; +export const EndpointUnisolateActionRequestBody = BaseActionSchema; export type EndpointUnisolateActionRequestBodyInput = z.input< typeof EndpointUnisolateActionRequestBody >; export type EndpointUnisolateActionResponse = z.infer; -export const EndpointUnisolateActionResponse = SuccessResponse; +export const EndpointUnisolateActionResponse = UnisolateRouteResponse; diff --git a/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/unisolate/unisolate.schema.yaml b/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/unisolate/unisolate.schema.yaml index 6f5d2087c556e..11662d00ce331 100644 --- a/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/unisolate/unisolate.schema.yaml +++ b/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/unisolate/unisolate.schema.yaml 
@@ -14,17 +14,63 @@ paths: required: true content: application/json: + examples: + singleHost: + summary: "Releases a single host with an endpoint_id value of ed518850-681a-4d60-bb98-e22640cae2a8" + value: + endpoint_ids: + - "ed518850-681a-4d60-bb98-e22640cae2a8" + multipleHosts: + summary: "Releases several hosts; includes a comment:" + value: + endpoint_ids: + - "9972d10e-4b9e-41aa-a534-a85e2a28ea42" + - "bc0e4f0c-3bca-4633-9fee-156c0b505d16" + - "fa89271b-b9d4-43f2-a684-307cffddeb5a" + comment: "Benign process identified, releasing group" + withCaseId: + summary: "Releases hosts with an associated case; includes a comment." + value: + endpoint_ids: + - "1aa1f8fd-0fb0-4fe4-8c30-92068272d3f0" + - "b30a11bf-1395-4707-b508-fbb45ef9793e" + case_ids: + - "4976be38-c134-4554-bd5e-0fd89ce63667" + comment: "Remediation complete, restoring network" schema: - $ref: '#/components/schemas/UnisolateRouteRequestBody' + $ref: '../../../model/schema/common.schema.yaml#/components/schemas/BaseActionSchema' responses: '200': description: OK content: application/json: schema: - $ref: '../../../model/schema/common.schema.yaml#/components/schemas/SuccessResponse' - + $ref: '#/components/schemas/UnisolateRouteResponse' components: schemas: - UnisolateRouteRequestBody: - $ref: '../../../model/schema/common.schema.yaml#/components/schemas/BaseActionSchema' + UnisolateRouteResponse: + type: object + properties: {} + example: + action: "233db9ea-6733-4849-9226-5a7039c7161d" + data: + id: "233db9ea-6733-4849-9226-5a7039c7161d" + agents: + - "ed518850-681a-4d60-bb98-e22640cae2a8" + command: "suspend-process" + agentType: "endpoint" + isExpired: false + isCompleted: true + wasSuccessful: true + errors: [ ] + startedAt: "2022-07-29T19:08:49.126Z" + completedAt: "2022-07-29T19:09:44.961Z" + outputs: + ed518850-681a-4d60-bb98-e22640cae2a8: + type: "json" + content: + key: "value" + createdBy: "myuser" + comment: "suspend the process" + parameters: + entity_id: "abc123" 
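Review bot: The `UnisolateRouteResponse` example is the suspend-process response pasted in: `command: "suspend-process"`, `comment: "suspend the process"` and `parameters: entity_id: "abc123"` do not belong to the release endpoint and will render as its documented output. Use `command: "unisolate"`, a comment consistent with the request examples such as `comment: "Remediation complete, restoring network"`, and drop `parameters`, which `BaseActionSchema` does not define. The top-level `action:` key appears only in the isolate and unisolate examples in this change; whether the route still emits it is not visible here and should be checked before it is documented.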
diff --git a/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/upload/upload.gen.ts b/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/upload/upload.gen.ts index fbce5717a6a22..adadf042652a0 100644 --- a/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/upload/upload.gen.ts +++ b/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/upload/upload.gen.ts @@ -16,21 +16,26 @@ import { z } from '@kbn/zod'; -import { SuccessResponse, BaseActionSchema } from '../../../model/schema/common.gen'; +import { BaseActionSchema } from '../../../model/schema/common.gen'; export type UploadRouteRequestBody = z.infer; export const UploadRouteRequestBody = BaseActionSchema.merge( z.object({ parameters: z.object({ + /** + * Overwrite the file on the host if it already exists. + */ overwrite: z.boolean().optional().default(false), }), + /** + * The binary content of the file. + */ file: z.string(), }) ); -export type EndpointUploadActionRequestBody = z.infer; -export const EndpointUploadActionRequestBody = UploadRouteRequestBody; -export type EndpointUploadActionRequestBodyInput = z.input; +export type UploadRouteResponse = z.infer; +export const UploadRouteResponse = z.object({}); export type EndpointUploadActionResponse = z.infer; -export const EndpointUploadActionResponse = SuccessResponse; +export const EndpointUploadActionResponse = UploadRouteResponse; diff --git a/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/upload/upload.schema.yaml b/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/upload/upload.schema.yaml index 512fc6c4d4613..900eeec3fbd4d 100644 --- a/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/upload/upload.schema.yaml 
+++ b/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/actions/response_actions/upload/upload.schema.yaml @@ -13,7 +13,7 @@ paths: requestBody: required: true content: - application/json: + multipart/form-data: schema: $ref: '#/components/schemas/UploadRouteRequestBody' responses: @@ -22,11 +22,16 @@ paths: content: application/json: schema: - $ref: '../../../model/schema/common.schema.yaml#/components/schemas/SuccessResponse' + $ref: '#/components/schemas/UploadRouteResponse' components: schemas: UploadRouteRequestBody: + example: + endpoint_ids: + - "ed518850-681a-4d60-bb98-e22640cae2a8" + file: "RWxhc3RpYw==" + parameters: { } allOf: - $ref: '../../../model/schema/common.schema.yaml#/components/schemas/BaseActionSchema' - type: object @@ -39,8 +44,41 @@ components: properties: overwrite: type: boolean + description: "Overwrite the file on the host if it already exists." + example: false default: false # File extends Blob - any binary data will be base-64 encoded file: type: string + description: "The binary content of the file." + example: "RWxhc3RpYw==" format: binary + UploadRouteResponse: + type: object + properties: { } + example: + data: + id: "9ff6aebc-2cb6-481e-8869-9b30036c9731" + agents: + - "ed518850-681a-4d60-bb98-e22640cae2a8" + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: "Host-5i6cuc8kdv" + command: "upload" + agentType: "endpoint" + startedAt: "2023-07-03T15:07:22.837Z" + isCompleted: false + wasSuccessful: false + isExpired: false + status: "pending" + outputs: { } + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + createdBy: "elastic" + parameters: + file_name: "fix-malware.sh" + file_id: "10e4ce3d-4abb-4f93-a0cd-eaf63a489280" + file_sha256: "a0bed94220193ba4895c0aa5b4e7e293381d15765cb164ddf7be5cdd010ae42a" + file_size: 69 
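Review bot: The request content type moves to `multipart/form-data` and `file` keeps `format: binary`, yet the new `example: "RWxhc3RpYw=="` (and the same value in the `UploadRouteRequestBody` example) is a base64 string, which contradicts the `description: "The binary content of the file."` added on the same property and the retained comment `# File extends Blob - any binary data will be base-64 encoded`. Pick one: if the multipart part carries raw bytes, drop the base64 example and the comment; if callers must base64-encode, say so in the description and use `format: byte`. The `file_sha256` and `file_size` fields in the response example are worth keeping, since they let an operator verify what actually landed on the host. Which encoding the route expects is not visible in this diff.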
diff --git a/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/model/schema/common.gen.ts b/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/model/schema/common.gen.ts index a30695af76bf4..c8df058537fc2 100644 --- a/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/model/schema/common.gen.ts +++ b/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/model/schema/common.gen.ts @@ -37,13 +37,13 @@ export type PageSize = z.infer; export const PageSize = z.number().int().min(1).max(100).default(10); /** - * Start date + * A start date in ISO 8601 format or Date Math format. */ export type StartDate = z.infer; export const StartDate = z.string(); /** - * End date + * An end date in ISO format or Date Math format. */ export type EndDate = z.infer; export const EndDate = z.string(); @@ -94,6 +94,9 @@ export const SortField = z.enum([ export type SortFieldEnum = typeof SortField.enum; export const SortFieldEnum = SortField.enum; +/** + * A list of agent IDs. Max of 50. + */ export type AgentIds = z.infer; export const AgentIds = z.union([z.array(z.string().min(1)).min(1).max(50), z.string().min(1)]); @@ -115,6 +118,9 @@ export const Command = z.enum([ export type CommandEnum = typeof Command.enum; export const CommandEnum = Command.enum; +/** + * A list of response action command names. + */ export type Commands = z.infer; export const Commands = z.array(Command); @@ -133,13 +139,13 @@ export type Statuses = z.infer; export const Statuses = z.array(Status); /** - * User IDs + * A list of user IDs. */ export type UserIds = z.infer; export const UserIds = z.union([z.array(z.string().min(1)).min(1), z.string().min(1)]); /** - * Shows detailed outputs for an action response + * A list of action IDs that should include the complete output of the action. */ export type WithOutputs = z.infer; export const WithOutputs = z.union([z.array(z.string().min(1)).min(1), z.string().min(1)]); 
@@ -183,7 +189,7 @@ export type Parameters = z.infer;
 export const Parameters = z.object({});
 /**
- * The host agent type (optional). Defaults to endpoint.
+ * List of agent types to retrieve. Defaults to `endpoint`.
 */
 export type AgentTypes = z.infer;
 export const AgentTypes = z.enum([
@@ -210,16 +216,6 @@ export const NoParametersRequestSchema = z.object({
 body: BaseActionSchema,
 });
-export type Pid = z.infer;
-export const Pid = z.object({
- pid: z.number().int().min(1).optional(),
-});
-
-export type EntityId = z.infer;
-export const EntityId = z.object({
- entity_id: z.string().min(1).optional(),
-});
-
 export type ProtectionUpdatesNoteResponse = z.infer;
 export const ProtectionUpdatesNoteResponse = z.object({
 note: z.string().optional(),
diff --git a/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/model/schema/common.schema.yaml b/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/model/schema/common.schema.yaml
index 457fa19f26478..324efce4960db 100644
--- a/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/model/schema/common.schema.yaml
+++ b/x-pack/solutions/security/plugins/security_solution/common/api/endpoint/model/schema/common.schema.yaml
@@ -25,10 +25,12 @@ components:
 example: 10
 StartDate:
 type: string
- description: Start date
+ description: A start date in ISO 8601 format or Date Math format.
+ example: "2023-10-31T00:00:00.000Z"
 EndDate:
 type: string
- description: End date
+ description: An end date in ISO format or Date Math format.
+ example: "2023-10-31T23:59:59.999Z"
 AgentId:
 type: string
 description: Agent ID
@@ -80,6 +82,8 @@ components:
 maxItems: 50
 - type: string
 minLength: 1
+ description: A list of agent IDs. Max of 50.
+ example: [ "agent-id-1", "agent-id-2" ]
 minLength: 1
 Command:
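Review bot: `StartDate` and `EndDate` are described inconsistently in the first common.schema.yaml hunk (`ISO 8601 format` versus `ISO format`), and the generated common.gen.ts in this diff carries the same mismatch; change the EndDate line to `description: An end date in ISO 8601 format or Date Math format.` and regenerate. Separately, the list route's `pageSize` query parameter in the bundled schemas now resolves to the shared `PageSize`, whose `example: 10` is the context line here and which common.gen.ts defines as `z.number().int().min(1).max(100).default(10)`, whereas the inline `GetEndpointActionListRouteQuery` the bundles drop allowed `maximum: 10000`. If the server-side query validation for that route was not tightened in the same change, the documented and the accepted upper bound now differ, which is worth confirming before the docs are published.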
@@ -99,6 +103,8 @@ components: Commands: type: array + description: A list of response action command names. + example: [ "isolate", "unisolate" ] items: $ref: '#/components/schemas/Command' @@ -130,7 +136,8 @@ components: minItems: 1 - type: string minLength: 1 - description: User IDs + description: A list of user IDs. + example: [ "user-id-1", "user-id-2" ] WithOutputs: oneOf: @@ -141,7 +148,8 @@ components: minItems: 1 - type: string minLength: 1 - description: Shows detailed outputs for an action response + description: A list of action IDs that should include the complete output of the action. + example: [ "action-id-1", "action-id-2" ] Type: type: string @@ -153,6 +161,7 @@ components: Types: type: array description: List of types of response actions + example: [ "automated", "manual" ] items: $ref: '#/components/schemas/Type' minLength: 1 @@ -160,27 +169,35 @@ components: EndpointIds: type: array + description: List of endpoint IDs (cannot contain empty strings) + example: [ "endpoint-id-1", "endpoint-id-2" ] items: type: string minLength: 1 minItems: 1 - description: List of endpoint IDs (cannot contain empty strings) + CaseIds: type: array + description: Case IDs to be updated (cannot contain empty strings) + example: [ "case-id-1", "case-id-2" ] items: type: string minLength: 1 minItems: 1 - description: Case IDs to be updated (cannot contain empty strings) + Comment: type: string description: Optional comment + example: "This is a comment" + Parameters: type: object description: Optional parameters object + AgentTypes: type: string - description: The host agent type (optional). Defaults to endpoint. + description: List of agent types to retrieve. Defaults to `endpoint`. + example: endpoint enum: - endpoint - sentinel_one 
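Review bot: `AgentTypes` in the last hunk is a single `type: string` enum, and the bundled schemas in this diff reuse it as the `agent_type` request property of isolate and unisolate, so the new `description: List of agent types to retrieve. Defaults to \`endpoint\`.` is wrong for both the type and the request-side use; `description: The agent type of the target host. Defaults to \`endpoint\`.` fits every use (the removed wording was closer). In the `Types` hunk, `minLength: 1` (and `maxLength: 2` in the bundled copy) are string keywords that validators ignore on `type: array`; the intent reads as `minItems: 1` / `maxItems: 2`, which would also make the new `example: [ "automated", "manual" ]` be checked against the right constraint. The docs bundles regenerate from this file, so both fixes belong here.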
@@ -214,20 +231,6 @@ components:
 body:
 $ref: '#/components/schemas/BaseActionSchema'
- Pid:
- type: object
- properties:
- pid:
- type: integer
- minimum: 1
-
- EntityId:
- type: object
- properties:
- entity_id:
- type: string
- minLength: 1
-
 ProtectionUpdatesNoteResponse:
 type: object
 properties:
diff --git a/x-pack/solutions/security/plugins/security_solution/common/api/quickstart_client.gen.ts b/x-pack/solutions/security/plugins/security_solution/common/api/quickstart_client.gen.ts
index 4eb74d3866876..4b04c8270c9ce 100644
--- a/x-pack/solutions/security/plugins/security_solution/common/api/quickstart_client.gen.ts
+++ b/x-pack/solutions/security/plugins/security_solution/common/api/quickstart_client.gen.ts
@@ -188,10 +188,7 @@ import type {
 EndpointUnisolateActionRequestBodyInput,
 EndpointUnisolateActionResponse,
 } from './endpoint/actions/response_actions/unisolate/unisolate.gen';
-import type {
- EndpointUploadActionRequestBodyInput,
- EndpointUploadActionResponse,
-} from './endpoint/actions/response_actions/upload/upload.gen';
+import type { EndpointUploadActionResponse } from './endpoint/actions/response_actions/upload/upload.gen';
 import type { EndpointGetActionsStateResponse } from './endpoint/actions/state/state.gen';
 import type {
 EndpointGetActionsStatusRequestQueryInput,
@@ -1182,7 +1179,7 @@ If a record already exists for the specified entity, that record is overwritten
 [ELASTIC_HTTP_VERSION_HEADER]: '2023-10-31',
 },
 method: 'POST',
- body: props.body,
+ body: props.attachment,
 })
 .catch(catchAxiosErrorFormatAndThrow);
 }
@@ -2509,7 +2506,7 @@ export interface EndpointUnisolateRedirectProps {
 body: EndpointUnisolateRedirectRequestBodyInput;
 }
 export interface EndpointUploadActionProps {
- body: EndpointUploadActionRequestBodyInput;
+ attachment: FormData;
 }
 export interface ExportRulesProps {
 query: ExportRulesRequestQueryInput;
diff --git a/x-pack/solutions/security/plugins/security_solution/docs/openapi/ess/security_solution_endpoint_management_api_2023_10_31.bundled.schema.yaml b/x-pack/solutions/security/plugins/security_solution/docs/openapi/ess/security_solution_endpoint_management_api_2023_10_31.bundled.schema.yaml index 8aa8f94ee796f..0fc0a4550ef27 100644 --- a/x-pack/solutions/security/plugins/security_solution/docs/openapi/ess/security_solution_endpoint_management_api_2023_10_31.bundled.schema.yaml +++ b/x-pack/solutions/security/plugins/security_solution/docs/openapi/ess/security_solution_endpoint_management_api_2023_10_31.bundled.schema.yaml @@ -17,16 +17,61 @@ paths: operationId: EndpointGetActionsList parameters: - in: query - name: query - required: true + name: page + required: false + schema: + $ref: '#/components/schemas/Page' + - in: query + name: pageSize + required: false schema: - $ref: '#/components/schemas/GetEndpointActionListRouteQuery' + $ref: '#/components/schemas/PageSize' + - in: query + name: commands + required: false + schema: + $ref: '#/components/schemas/Commands' + - in: query + name: agentIds + required: false + schema: + $ref: '#/components/schemas/AgentIds' + - in: query + name: userIds + required: false + schema: + $ref: '#/components/schemas/UserIds' + - in: query + name: startDate + required: false + schema: + $ref: '#/components/schemas/StartDate' + - in: query + name: endDate + required: false + schema: + $ref: '#/components/schemas/EndDate' + - in: query + name: agentTypes + required: false + schema: + $ref: '#/components/schemas/AgentTypes' + - in: query + name: withOutputs + required: false + schema: + $ref: '#/components/schemas/WithOutputs' + - in: query + name: types + required: false + schema: + $ref: '#/components/schemas/Types' responses: '200': content: application/json: schema: - $ref: '#/components/schemas/SuccessResponse' + $ref: '#/components/schemas/GetEndpointActionListResponse' description: OK summary: Get response actions tags: 
@@ -89,13 +134,15 @@ paths: name: action_id required: true schema: + description: The ID of the action to retrieve. + example: fr518850-681a-4y60-aa98-e22640cae2b8 type: string responses: '200': content: application/json: schema: - $ref: '#/components/schemas/SuccessResponse' + $ref: '#/components/schemas/GetEndpointActionResponse' description: OK summary: Get action details tags: @@ -165,7 +212,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/SuccessResponse' + $ref: '#/components/schemas/ExecuteRouteResponse' description: OK summary: Run a command tags: @@ -185,7 +232,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/SuccessResponse' + $ref: '#/components/schemas/GetFileRouteResponse' description: OK summary: Get a file tags: 
@@ -199,15 +246,55 @@ paths: requestBody: content: application/json: + examples: + multiple_endpoints: + summary: Isolates several hosts; includes a comment + value: + comment: 'Locked down, pending further investigation' + endpoint_ids: + - 9972d10e-4b9e-41aa-a534-a85e2a28ea42 + - bc0e4f0c-3bca-4633-9fee-156c0b505d16 + - fa89271b-b9d4-43f2-a684-307cffddeb5a + single_endpoint: + summary: >- + Isolates a single host with an endpoint_id value of + ed518850-681a-4d60-bb98-e22640cae2a8 + value: + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + with_case_id: + summary: Isolates a single host with a case_id value of 1234 + value: + case_ids: + - 4976be38-c134-4554-bd5e-0fd89ce63667 + comment: Isolating as initial response + endpoint_ids: + - 1aa1f8fd-0fb0-4fe4-8c30-92068272d3f0 + - b30a11bf-1395-4707-b508-fbb45ef9793e schema: - $ref: '#/components/schemas/IsolateRouteRequestBody' + type: object + properties: + agent_type: + $ref: '#/components/schemas/AgentTypes' + alert_ids: + $ref: '#/components/schemas/AlertIds' + case_ids: + $ref: '#/components/schemas/CaseIds' + comment: + $ref: '#/components/schemas/Comment' + endpoint_ids: + $ref: '#/components/schemas/EndpointIds' + parameters: + $ref: '#/components/schemas/Parameters' + required: + - endpoint_ids required: true responses: '200': content: application/json: schema: - $ref: '#/components/schemas/SuccessResponse' + $ref: '#/components/schemas/IsolateRouteResponse' description: OK summary: Isolate an endpoint tags: @@ -227,7 +314,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/SuccessResponse' + $ref: '#/components/schemas/KillProcessRouteResponse' description: OK summary: Terminate a process tags: @@ -247,7 +334,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/SuccessResponse' + $ref: '#/components/schemas/GetProcessesRouteResponse' description: OK summary: Get running processes tags: 
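Review bot: The `with_case_id` example in the isolate hunk has a summary that says `case_id value of 1234` while its `case_ids` value is `4976be38-c134-4554-bd5e-0fd89ce63667`; the summary should describe the value shown, e.g. `summary: Isolates two hosts and attaches the action to an existing case`. The example names also differ in style between isolate (`multiple_endpoints`, `single_endpoint`, `with_case_id`) and the unisolate hunk below (`multipleHosts`, `singleHost`, `withCaseId`); one convention should be used for both. The serverless bundle later in this diff repeats the same examples, and since these files are bundler output the fix belongs in the source isolate/unisolate schema files, which are not part of this diff.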
@@ -287,7 +374,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/SuccessResponse' + $ref: '#/components/schemas/ScanRouteResponse' description: OK summary: Scan a file or directory tags: @@ -323,7 +410,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/SuccessResponse' + $ref: '#/components/schemas/SuspendProcessRouteResponse' description: OK summary: Suspend a process tags: @@ -335,15 +422,55 @@ paths: requestBody: content: application/json: + examples: + multipleHosts: + summary: 'Releases several hosts; includes a comment:' + value: + comment: 'Benign process identified, releasing group' + endpoint_ids: + - 9972d10e-4b9e-41aa-a534-a85e2a28ea42 + - bc0e4f0c-3bca-4633-9fee-156c0b505d16 + - fa89271b-b9d4-43f2-a684-307cffddeb5a + singleHost: + summary: >- + Releases a single host with an endpoint_id value of + ed518850-681a-4d60-bb98-e22640cae2a8 + value: + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + withCaseId: + summary: Releases hosts with an associated case; includes a comment. + value: + case_ids: + - 4976be38-c134-4554-bd5e-0fd89ce63667 + comment: 'Remediation complete, restoring network' + endpoint_ids: + - 1aa1f8fd-0fb0-4fe4-8c30-92068272d3f0 + - b30a11bf-1395-4707-b508-fbb45ef9793e schema: - $ref: '#/components/schemas/UnisolateRouteRequestBody' + type: object + properties: + agent_type: + $ref: '#/components/schemas/AgentTypes' + alert_ids: + $ref: '#/components/schemas/AlertIds' + case_ids: + $ref: '#/components/schemas/CaseIds' + comment: + $ref: '#/components/schemas/Comment' + endpoint_ids: + $ref: '#/components/schemas/EndpointIds' + parameters: + $ref: '#/components/schemas/Parameters' + required: + - endpoint_ids required: true responses: '200': content: application/json: schema: - $ref: '#/components/schemas/SuccessResponse' + $ref: '#/components/schemas/UnisolateRouteResponse' description: OK summary: Release an isolated endpoint tags: 
@@ -354,7 +481,7 @@ paths: operationId: EndpointUploadAction requestBody: content: - application/json: + multipart/form-data: schema: $ref: '#/components/schemas/UploadRouteRequestBody' required: true @@ -363,7 +490,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/SuccessResponse' + $ref: '#/components/schemas/UploadRouteResponse' description: OK summary: Upload a file tags: @@ -729,6 +856,10 @@ components: description: Agent ID type: string AgentIds: + description: A list of agent IDs. Max of 50. + example: + - agent-id-1 + - agent-id-2 minLength: 1 oneOf: - items: @@ -740,12 +871,13 @@ components: - minLength: 1 type: string AgentTypes: - description: The host agent type (optional). Defaults to endpoint. + description: List of agent types to retrieve. Defaults to `endpoint`. enum: - endpoint - sentinel_one - crowdstrike - microsoft_defender_endpoint + example: endpoint type: string AlertIds: description: A list of alerts `id`s. @@ -757,6 +889,9 @@ components: type: array CaseIds: description: Case IDs to be updated (cannot contain empty strings) + example: + - case-id-1 + - case-id-2 items: minLength: 1 type: string @@ -794,17 +929,26 @@ components: minLength: 1 type: string Commands: + description: A list of response action command names. + example: + - isolate + - unisolate items: $ref: '#/components/schemas/Command' type: array Comment: description: Optional comment + example: This is a comment type: string EndDate: - description: End date + description: An end date in ISO format or Date Math format. + example: '2023-10-31T23:59:59.999Z' type: string EndpointIds: description: List of endpoint IDs (cannot contain empty strings) + example: + - endpoint-id-1 + - endpoint-id-2 items: minLength: 1 type: string @@ -898,12 +1042,6 @@ components: revision: 2 type: object properties: {} - EntityId: - type: object - properties: - entity_id: - minLength: 1 - type: string ExecuteRouteRequestBody: allOf: - type: object 
@@ -935,33 +1073,128 @@ components: - command required: - parameters - GetEndpointActionListRouteQuery: + example: + comment: Get list of all files + endpoint_ids: + - b3d6de74-36b0-4fa8-be46-c375bf1771bf + parameters: + command: ls -al + timeout: 600 + ExecuteRouteResponse: + example: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: endpoint + command: execute + comment: Get list of all files + createdBy: myuser + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: gke-endpoint-gke-clu-endpoint-node-po-e1a3ab89-4c4r + id: 9f934028-2300-4927-b531-b26376793dc4 + isCompleted: false + isExpired: false + outputs: {} + parameters: + command: ls -al + timeout: 600 + startedAt: '2023-07-28T18:43:27.362Z' + status: pending + wasSuccessful: false type: object - properties: - agentIds: - $ref: '#/components/schemas/AgentIds' - agentTypes: - $ref: '#/components/schemas/AgentTypes' - commands: - $ref: '#/components/schemas/Commands' - endDate: - $ref: '#/components/schemas/EndDate' - page: - $ref: '#/components/schemas/Page' - pageSize: - default: 10 - description: Number of items per page - maximum: 10000 - minimum: 1 - type: integer - startDate: - $ref: '#/components/schemas/StartDate' - types: - $ref: '#/components/schemas/Types' - userIds: - $ref: '#/components/schemas/UserIds' - withOutputs: - $ref: '#/components/schemas/WithOutputs' + properties: {} + GetEndpointActionListResponse: + example: + data: + - agents: + - afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0 + agentType: endpoint + command: running-processes + completedAt: '2022-08-08T09:50:47.672Z' + createdBy: elastic + id: b3d6de74-36b0-4fa8-be46-c375bf1771bf + isCompleted: true + isExpired: false + startedAt: '2022-08-08T15:24:57.402Z' + wasSuccessful: true + - agents: + - afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0 + agentType: endpoint + command: isolate + completedAt: '2022-08-08T10:41:57.352Z' + 
createdBy: elastic + id: 43b4098b-8752-4fbb-a7a7-6df7c74d0ee3 + isCompleted: true + isExpired: false + startedAt: '2022-08-08T15:23:37.359Z' + wasSuccessful: true + - agents: + - afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0 + agentType: endpoint + command: kill-process + comment: bad process - taking up too much cpu + completedAt: '2022-08-08T09:44:50.952Z' + createdBy: elastic + id: 5bc92c86-b8e6-42dd-837f-12ad29e09caa + isCompleted: true + isExpired: false + startedAt: '2022-08-08T14:38:44.125Z' + wasSuccessful: true + - agents: + - afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0 + agentType: endpoint + command: unisolate + comment: Not a threat to the network + completedAt: '2022-08-08T09:40:47.398Z' + createdBy: elastic + id: 790d54e0-3aa3-4e5b-8255-3ce9d851246a + isCompleted: true + isExpired: false + startedAt: '2022-08-08T14:38:15.391Z' + wasSuccessful: true + elasticAgentIds: + - afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0 + endDate: now + page: 1 + pageSize: 10 + startDate: now-24h/h + total: 4 + type: object + properties: {} + GetEndpointActionResponse: + example: + data: + agents: + - afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0 + agentType: endpoint + command: running-processes + completedAt: '2022-08-08T09:50:47.672Z' + createdBy: elastic + id: b3d6de74-36b0-4fa8-be46-c375bf1771bf + isCompleted: true + isExpired: false + outputs: + afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0: + content: + entries: + - command: /opt/cmd1 + entity_id: fk2ym7bl3oiu3okjcik0xosc0i0m75x3eh49nu3uaqt4dqanjt + pid: '822' + user: Dexter + - command: /opt/cmd3/opt/cmd3/opt/cmd3/opt/cmd3 + entity_id: pwvz91m48wpj9j7ov9gtw8fp7u2rat4eu5ipte37hnhdcbi2pt + pid: '984' + user: Jada + type: json + startedAt: '2022-08-08T15:24:57.402Z' + wasSuccessful: true + type: object + properties: {} GetFileRouteRequestBody: allOf: - type: object 
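Review bot: The `GetEndpointActionResponse` example renders process IDs as strings (`pid: '822'`, `pid: '984'`) while the kill-process and suspend-process request schemas in this diff declare `pid` as `type: integer` with `minimum: 1`; if the running-processes output really reports `pid` as a number, the example should use `pid: 822` so readers do not infer a string type. More generally, every new `*Response` schema in this hunk (`ExecuteRouteResponse`, `GetEndpointActionListResponse`, `GetEndpointActionResponse`) is `type: object` with `properties: {}`, so the example is the only contract and the generated response types presumably end up as empty objects; declaring at least the stable top-level fields the examples share (`id`, `command`, `agentType`, `isCompleted`, `wasSuccessful`, `startedAt`) would give the types some substance. This file is bundler output, so the change belongs in the source response schema files.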
@@ -991,7 +1224,42 @@ components: - path required: - parameters + example: + comment: Get my file + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + path: /usr/my-file.txt + GetFileRouteResponse: + example: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: endpoint + command: get-file + createdBy: myuser + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: gke-endpoint-gke-clu-endpoint-node-po-e1a3ab89-4c4r + id: 27ba1b42-7cc6-4e53-86ce-675c876092b2 + isCompleted: false + isExpired: false + outputs: {} + parameters: + path: /usr/my-file.txt + startedAt: '2023-07-28T19:00:03.911Z' + status: pending + wasSuccessful: false + type: object + properties: {} GetProcessesRouteRequestBody: + example: + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 type: object properties: agent_type: @@ -1008,6 +1276,30 @@ components: $ref: '#/components/schemas/Parameters' required: - endpoint_ids + GetProcessesRouteResponse: + example: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentType: endpoint + command: running-processes + comment: '' + completedAt: '2022-07-29T19:09:44.961Z' + createdBy: myuser + errors: [] + id: 233db9ea-6733-4849-9226-5a7039c7161d + isCompleted: true + isExpired: false + outputs: + ed518850-681a-4d60-bb98-e22640cae2a8: + content: + key: value + type: json + parameters: {} + startedAt: '2022-07-29T19:08:49.126Z' + wasSuccessful: true + type: object + properties: {} HostPathScriptParameters: type: object properties: 
@@ -1039,23 +1331,32 @@ components: - unenrolled type: string type: array - IsolateRouteRequestBody: + IsolateRouteResponse: + example: + action: 233db9ea-6733-4849-9226-5a7039c7161d + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentType: endpoint + command: suspend-process + comment: suspend the process + completedAt: '2022-07-29T19:09:44.961Z' + createdBy: myuser + errors: [] + id: 233db9ea-6733-4849-9226-5a7039c7161d + isCompleted: true + isExpired: false + outputs: + ed518850-681a-4d60-bb98-e22640cae2a8: + content: + key: value + type: json + parameters: + entity_id: abc123 + startedAt: '2022-07-29T19:08:49.126Z' + wasSuccessful: true type: object - properties: - agent_type: - $ref: '#/components/schemas/AgentTypes' - alert_ids: - $ref: '#/components/schemas/AlertIds' - case_ids: - $ref: '#/components/schemas/CaseIds' - comment: - $ref: '#/components/schemas/Comment' - endpoint_ids: - $ref: '#/components/schemas/EndpointIds' - parameters: - $ref: '#/components/schemas/Parameters' - required: - - endpoint_ids + properties: {} KillProcessRouteRequestBody: allOf: - type: object 
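Review bot: The `IsolateRouteResponse` example is a copy of the suspend-process response, not an isolate one: it shows `command: suspend-process`, `comment: suspend the process` and `parameters: entity_id: abc123`, and it adds a top-level `action:` key that none of the other response examples have. For this schema the example should read `command: isolate` with no `entity_id` parameter and, unless the isolate route really returns an extra `action` field, without that key. `UnisolateRouteResponse` further down in this diff carries the identical copied example and needs the same correction in its source schema file.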
@@ -1078,16 +1379,62 @@ components: properties: parameters: oneOf: - - $ref: '#/components/schemas/Pid' - - $ref: '#/components/schemas/EntityId' + - type: object + properties: + pid: + description: The process ID (PID) of the process to terminate. + example: 123 + minimum: 1 + type: integer + - type: object + properties: + entity_id: + description: The entity ID of the process to terminate. + example: abc123 + minLength: 1 + type: string - type: object properties: process_name: - description: Valid for SentinelOne agent type only + description: >- + The name of the process to terminate. Valid for + SentinelOne agent type only. + example: Elastic minLength: 1 type: string required: - parameters + example: + comment: terminate the process + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + entity_id: abc123 + KillProcessRouteResponse: + example: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentType: endpoint + command: kill-process + comment: terminate the process + completedAt: '2022-07-29T19:09:44.961Z' + createdBy: myuser + errors: [] + id: 233db9ea-6733-4849-9226-5a7039c7161d + isCompleted: true + isExpired: false + outputs: + ed518850-681a-4d60-bb98-e22640cae2a8: + content: + key: value + type: json + parameters: + entity_id: abc123 + startedAt: '2022-07-29T19:08:49.126Z' + wasSuccessful: true + type: object + properties: {} Kuery: description: A KQL string. example: 'united.endpoint.host.os.name : ''Windows''' @@ -1314,12 +1661,6 @@ components: $ref: '#/components/schemas/PendingActionDataType' - additionalProperties: true type: object - Pid: - type: object - properties: - pid: - minimum: 1 - type: integer ProtectionUpdatesNoteResponse: type: object properties: 
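Review bot: In the inlined `parameters` `oneOf` of `KillProcessRouteRequestBody`, each branch declares only optional properties (`pid`, `entity_id`, `process_name` with no `required` list), so an empty `parameters: {}` matches all three branches and a strict validator rejects it as an ambiguous `oneOf` rather than as a missing process selector, while a lenient one accepts a kill request that names no process; the same holds for the two branches of `SuspendProcessRouteRequestBody` later in this diff. Adding `required: [pid]`, `required: [entity_id]` and `required: [process_name]` to the respective branches makes the documented contract reject the empty object and selects exactly one branch for valid input. This file is bundler output, so the change belongs in the kill-process and suspend-process source schemas, which are not part of this diff.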
@@ -1379,11 +1720,45 @@ components: type: object properties: path: + description: The folder or file’s full path (including the file name). + example: /usr/my-file.txt type: string required: - path required: - parameters + example: + comment: Scan the file for malware + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + path: /usr/my-file.txt + ScanRouteResponse: + example: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: endpoint + command: scan + createdBy: myuser + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: gke-endpoint-gke-clu-endpoint-node-po-e1a3ab89-4c4r + id: 27ba1b42-7cc6-4e53-86ce-675c876092b2 + isCompleted: false + isExpired: false + outputs: {} + parameters: + path: /usr/my-file.txt + startedAt: '2023-07-28T19:00:03.911Z' + status: pending + wasSuccessful: false + type: object + properties: {} SortDirection: description: Determines the sort order. enum: @@ -1406,7 +1781,8 @@ components: example: enrolled_at type: string StartDate: - description: Start date + description: A start date in ISO 8601 format or Date Math format. + example: '2023-10-31T00:00:00.000Z' type: string SuccessResponse: type: object 
@@ -1433,10 +1809,53 @@ components: properties: parameters: oneOf: - - $ref: '#/components/schemas/Pid' - - $ref: '#/components/schemas/EntityId' + - type: object + properties: + pid: + description: The process ID (PID) of the process to suspend. + example: 123 + minimum: 1 + type: integer + - type: object + properties: + entity_id: + description: The entity ID of the process to suspend. + example: abc123 + minLength: 1 + type: string required: - parameters + example: + comment: suspend the process + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + entity_id: abc123 + SuspendProcessRouteResponse: + example: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentType: endpoint + command: suspend-process + comment: suspend the process + completedAt: '2022-07-29T19:09:44.961Z' + createdBy: myuser + errors: [] + id: 233db9ea-6733-4849-9226-5a7039c7161d + isCompleted: true + isExpired: false + outputs: + ed518850-681a-4d60-bb98-e22640cae2a8: + content: + key: value + type: json + parameters: + entity_id: abc123 + startedAt: '2022-07-29T19:08:49.126Z' + wasSuccessful: true + type: object + properties: {} Timeout: description: The maximum timeout value in milliseconds (optional) minimum: 1 
@@ -1449,28 +1868,40 @@ components: type: string Types: description: List of types of response actions + example: + - automated + - manual items: $ref: '#/components/schemas/Type' maxLength: 2 minLength: 1 type: array - UnisolateRouteRequestBody: + UnisolateRouteResponse: + example: + action: 233db9ea-6733-4849-9226-5a7039c7161d + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentType: endpoint + command: suspend-process + comment: suspend the process + completedAt: '2022-07-29T19:09:44.961Z' + createdBy: myuser + errors: [] + id: 233db9ea-6733-4849-9226-5a7039c7161d + isCompleted: true + isExpired: false + outputs: + ed518850-681a-4d60-bb98-e22640cae2a8: + content: + key: value + type: json + parameters: + entity_id: abc123 + startedAt: '2022-07-29T19:08:49.126Z' + wasSuccessful: true type: object - properties: - agent_type: - $ref: '#/components/schemas/AgentTypes' - alert_ids: - $ref: '#/components/schemas/AlertIds' - case_ids: - $ref: '#/components/schemas/CaseIds' - comment: - $ref: '#/components/schemas/Comment' - endpoint_ids: - $ref: '#/components/schemas/EndpointIds' - parameters: - $ref: '#/components/schemas/Parameters' - required: - - endpoint_ids + properties: {} UploadRouteRequestBody: allOf: - type: object @@ -1492,6 +1923,8 @@ components: - type: object properties: file: + description: The binary content of the file. + example: RWxhc3RpYw== format: binary type: string parameters: 
@@ -1499,12 +1932,51 @@ components: properties: overwrite: default: false + description: Overwrite the file on the host if it already exists. + example: false type: boolean required: - parameters - file + example: + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + file: RWxhc3RpYw== + parameters: {} + UploadRouteResponse: + example: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: endpoint + command: upload + createdBy: elastic + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: Host-5i6cuc8kdv + id: 9ff6aebc-2cb6-481e-8869-9b30036c9731 + isCompleted: false + isExpired: false + outputs: {} + parameters: + file_id: 10e4ce3d-4abb-4f93-a0cd-eaf63a489280 + file_name: fix-malware.sh + file_sha256: a0bed94220193ba4895c0aa5b4e7e293381d15765cb164ddf7be5cdd010ae42a + file_size: 69 + startedAt: '2023-07-03T15:07:22.837Z' + status: pending + wasSuccessful: false + type: object + properties: {} UserIds: - description: User IDs + description: A list of user IDs. + example: + - user-id-1 + - user-id-2 oneOf: - items: minLength: 1 @@ -1514,7 +1986,12 @@ components: - minLength: 1 type: string WithOutputs: - description: Shows detailed outputs for an action response + description: >- + A list of action IDs that should include the complete output of the + action. + example: + - action-id-1 + - action-id-2 oneOf: - items: minLength: 1 diff --git a/x-pack/solutions/security/plugins/security_solution/docs/openapi/serverless/security_solution_endpoint_management_api_2023_10_31.bundled.schema.yaml b/x-pack/solutions/security/plugins/security_solution/docs/openapi/serverless/security_solution_endpoint_management_api_2023_10_31.bundled.schema.yaml index 255aee2e87c04..7bf111fdcf1ab 100644 --- a/x-pack/solutions/security/plugins/security_solution/docs/openapi/serverless/security_solution_endpoint_management_api_2023_10_31.bundled.schema.yaml 
+++ b/x-pack/solutions/security/plugins/security_solution/docs/openapi/serverless/security_solution_endpoint_management_api_2023_10_31.bundled.schema.yaml @@ -17,16 +17,61 @@ paths: operationId: EndpointGetActionsList parameters: - in: query - name: query - required: true + name: page + required: false + schema: + $ref: '#/components/schemas/Page' + - in: query + name: pageSize + required: false + schema: + $ref: '#/components/schemas/PageSize' + - in: query + name: commands + required: false + schema: + $ref: '#/components/schemas/Commands' + - in: query + name: agentIds + required: false + schema: + $ref: '#/components/schemas/AgentIds' + - in: query + name: userIds + required: false + schema: + $ref: '#/components/schemas/UserIds' + - in: query + name: startDate + required: false + schema: + $ref: '#/components/schemas/StartDate' + - in: query + name: endDate + required: false + schema: + $ref: '#/components/schemas/EndDate' + - in: query + name: agentTypes + required: false + schema: + $ref: '#/components/schemas/AgentTypes' + - in: query + name: withOutputs + required: false + schema: + $ref: '#/components/schemas/WithOutputs' + - in: query + name: types + required: false schema: - $ref: '#/components/schemas/GetEndpointActionListRouteQuery' + $ref: '#/components/schemas/Types' responses: '200': content: application/json: schema: - $ref: '#/components/schemas/SuccessResponse' + $ref: '#/components/schemas/GetEndpointActionListResponse' description: OK summary: Get response actions tags: @@ -89,13 +134,15 @@ paths: name: action_id required: true schema: + description: The ID of the action to retrieve. + example: fr518850-681a-4y60-aa98-e22640cae2b8 type: string responses: '200': content: application/json: schema: - $ref: '#/components/schemas/SuccessResponse' + $ref: '#/components/schemas/GetEndpointActionResponse' description: OK summary: Get action details tags: 
@@ -165,7 +212,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/SuccessResponse' + $ref: '#/components/schemas/ExecuteRouteResponse' description: OK summary: Run a command tags: @@ -185,7 +232,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/SuccessResponse' + $ref: '#/components/schemas/GetFileRouteResponse' description: OK summary: Get a file tags: @@ -199,15 +246,55 @@ paths: requestBody: content: application/json: + examples: + multiple_endpoints: + summary: Isolates several hosts; includes a comment + value: + comment: 'Locked down, pending further investigation' + endpoint_ids: + - 9972d10e-4b9e-41aa-a534-a85e2a28ea42 + - bc0e4f0c-3bca-4633-9fee-156c0b505d16 + - fa89271b-b9d4-43f2-a684-307cffddeb5a + single_endpoint: + summary: >- + Isolates a single host with an endpoint_id value of + ed518850-681a-4d60-bb98-e22640cae2a8 + value: + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + with_case_id: + summary: Isolates a single host with a case_id value of 1234 + value: + case_ids: + - 4976be38-c134-4554-bd5e-0fd89ce63667 + comment: Isolating as initial response + endpoint_ids: + - 1aa1f8fd-0fb0-4fe4-8c30-92068272d3f0 + - b30a11bf-1395-4707-b508-fbb45ef9793e schema: - $ref: '#/components/schemas/IsolateRouteRequestBody' + type: object + properties: + agent_type: + $ref: '#/components/schemas/AgentTypes' + alert_ids: + $ref: '#/components/schemas/AlertIds' + case_ids: + $ref: '#/components/schemas/CaseIds' + comment: + $ref: '#/components/schemas/Comment' + endpoint_ids: + $ref: '#/components/schemas/EndpointIds' + parameters: + $ref: '#/components/schemas/Parameters' + required: + - endpoint_ids required: true responses: '200': content: application/json: schema: - $ref: '#/components/schemas/SuccessResponse' + $ref: '#/components/schemas/IsolateRouteResponse' description: OK summary: Isolate an endpoint tags: 
@@ -227,7 +314,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/SuccessResponse' + $ref: '#/components/schemas/KillProcessRouteResponse' description: OK summary: Terminate a process tags: @@ -247,7 +334,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/SuccessResponse' + $ref: '#/components/schemas/GetProcessesRouteResponse' description: OK summary: Get running processes tags: @@ -287,7 +374,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/SuccessResponse' + $ref: '#/components/schemas/ScanRouteResponse' description: OK summary: Scan a file or directory tags: @@ -323,7 +410,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/SuccessResponse' + $ref: '#/components/schemas/SuspendProcessRouteResponse' description: OK summary: Suspend a process tags: 
@@ -335,15 +422,55 @@ paths: requestBody: content: application/json: + examples: + multipleHosts: + summary: 'Releases several hosts; includes a comment:' + value: + comment: 'Benign process identified, releasing group' + endpoint_ids: + - 9972d10e-4b9e-41aa-a534-a85e2a28ea42 + - bc0e4f0c-3bca-4633-9fee-156c0b505d16 + - fa89271b-b9d4-43f2-a684-307cffddeb5a + singleHost: + summary: >- + Releases a single host with an endpoint_id value of + ed518850-681a-4d60-bb98-e22640cae2a8 + value: + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + withCaseId: + summary: Releases hosts with an associated case; includes a comment. + value: + case_ids: + - 4976be38-c134-4554-bd5e-0fd89ce63667 + comment: 'Remediation complete, restoring network' + endpoint_ids: + - 1aa1f8fd-0fb0-4fe4-8c30-92068272d3f0 + - b30a11bf-1395-4707-b508-fbb45ef9793e schema: - $ref: '#/components/schemas/UnisolateRouteRequestBody' + type: object + properties: + agent_type: + $ref: '#/components/schemas/AgentTypes' + alert_ids: + $ref: '#/components/schemas/AlertIds' + case_ids: + $ref: '#/components/schemas/CaseIds' + comment: + $ref: '#/components/schemas/Comment' + endpoint_ids: + $ref: '#/components/schemas/EndpointIds' + parameters: + $ref: '#/components/schemas/Parameters' + required: + - endpoint_ids required: true responses: '200': content: application/json: schema: - $ref: '#/components/schemas/SuccessResponse' + $ref: '#/components/schemas/UnisolateRouteResponse' description: OK summary: Release an isolated endpoint tags: @@ -354,7 +481,7 @@ paths: operationId: EndpointUploadAction requestBody: content: - application/json: + multipart/form-data: schema: $ref: '#/components/schemas/UploadRouteRequestBody' required: true @@ -363,7 +490,7 @@ paths: content: application/json: schema: - $ref: '#/components/schemas/SuccessResponse' + $ref: '#/components/schemas/UploadRouteResponse' description: OK summary: Upload a file tags: 
@@ -629,6 +756,10 @@ components: description: Agent ID type: string AgentIds: + description: A list of agent IDs. Max of 50. + example: + - agent-id-1 + - agent-id-2 minLength: 1 oneOf: - items: @@ -640,12 +771,13 @@ components: - minLength: 1 type: string AgentTypes: - description: The host agent type (optional). Defaults to endpoint. + description: List of agent types to retrieve. Defaults to `endpoint`. enum: - endpoint - sentinel_one - crowdstrike - microsoft_defender_endpoint + example: endpoint type: string AlertIds: description: A list of alerts `id`s. @@ -657,6 +789,9 @@ components: type: array CaseIds: description: Case IDs to be updated (cannot contain empty strings) + example: + - case-id-1 + - case-id-2 items: minLength: 1 type: string @@ -694,17 +829,26 @@ components: minLength: 1 type: string Commands: + description: A list of response action command names. + example: + - isolate + - unisolate items: $ref: '#/components/schemas/Command' type: array Comment: description: Optional comment + example: This is a comment type: string EndDate: - description: End date + description: An end date in ISO format or Date Math format. + example: '2023-10-31T23:59:59.999Z' type: string EndpointIds: description: List of endpoint IDs (cannot contain empty strings) + example: + - endpoint-id-1 + - endpoint-id-2 items: minLength: 1 type: string @@ -798,12 +942,6 @@ components: revision: 2 type: object properties: {} - EntityId: - type: object - properties: - entity_id: - minLength: 1 - type: string ExecuteRouteRequestBody: allOf: - type: object 
@@ -835,33 +973,128 @@ components: - command required: - parameters - GetEndpointActionListRouteQuery: + example: + comment: Get list of all files + endpoint_ids: + - b3d6de74-36b0-4fa8-be46-c375bf1771bf + parameters: + command: ls -al + timeout: 600 + ExecuteRouteResponse: + example: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: endpoint + command: execute + comment: Get list of all files + createdBy: myuser + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: gke-endpoint-gke-clu-endpoint-node-po-e1a3ab89-4c4r + id: 9f934028-2300-4927-b531-b26376793dc4 + isCompleted: false + isExpired: false + outputs: {} + parameters: + command: ls -al + timeout: 600 + startedAt: '2023-07-28T18:43:27.362Z' + status: pending + wasSuccessful: false type: object - properties: - agentIds: - $ref: '#/components/schemas/AgentIds' - agentTypes: - $ref: '#/components/schemas/AgentTypes' - commands: - $ref: '#/components/schemas/Commands' - endDate: - $ref: '#/components/schemas/EndDate' - page: - $ref: '#/components/schemas/Page' - pageSize: - default: 10 - description: Number of items per page - maximum: 10000 - minimum: 1 - type: integer - startDate: - $ref: '#/components/schemas/StartDate' - types: - $ref: '#/components/schemas/Types' - userIds: - $ref: '#/components/schemas/UserIds' - withOutputs: - $ref: '#/components/schemas/WithOutputs' + properties: {} + GetEndpointActionListResponse: + example: + data: + - agents: + - afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0 + agentType: endpoint + command: running-processes + completedAt: '2022-08-08T09:50:47.672Z' + createdBy: elastic + id: b3d6de74-36b0-4fa8-be46-c375bf1771bf + isCompleted: true + isExpired: false + startedAt: '2022-08-08T15:24:57.402Z' + wasSuccessful: true + - agents: + - afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0 + agentType: endpoint + command: isolate + completedAt: '2022-08-08T10:41:57.352Z' + 
createdBy: elastic + id: 43b4098b-8752-4fbb-a7a7-6df7c74d0ee3 + isCompleted: true + isExpired: false + startedAt: '2022-08-08T15:23:37.359Z' + wasSuccessful: true + - agents: + - afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0 + agentType: endpoint + command: kill-process + comment: bad process - taking up too much cpu + completedAt: '2022-08-08T09:44:50.952Z' + createdBy: elastic + id: 5bc92c86-b8e6-42dd-837f-12ad29e09caa + isCompleted: true + isExpired: false + startedAt: '2022-08-08T14:38:44.125Z' + wasSuccessful: true + - agents: + - afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0 + agentType: endpoint + command: unisolate + comment: Not a threat to the network + completedAt: '2022-08-08T09:40:47.398Z' + createdBy: elastic + id: 790d54e0-3aa3-4e5b-8255-3ce9d851246a + isCompleted: true + isExpired: false + startedAt: '2022-08-08T14:38:15.391Z' + wasSuccessful: true + elasticAgentIds: + - afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0 + endDate: now + page: 1 + pageSize: 10 + startDate: now-24h/h + total: 4 + type: object + properties: {} + GetEndpointActionResponse: + example: + data: + agents: + - afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0 + agentType: endpoint + command: running-processes + completedAt: '2022-08-08T09:50:47.672Z' + createdBy: elastic + id: b3d6de74-36b0-4fa8-be46-c375bf1771bf + isCompleted: true + isExpired: false + outputs: + afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0: + content: + entries: + - command: /opt/cmd1 + entity_id: fk2ym7bl3oiu3okjcik0xosc0i0m75x3eh49nu3uaqt4dqanjt + pid: '822' + user: Dexter + - command: /opt/cmd3/opt/cmd3/opt/cmd3/opt/cmd3 + entity_id: pwvz91m48wpj9j7ov9gtw8fp7u2rat4eu5ipte37hnhdcbi2pt + pid: '984' + user: Jada + type: json + startedAt: '2022-08-08T15:24:57.402Z' + wasSuccessful: true + type: object + properties: {} GetFileRouteRequestBody: allOf: - type: object 
@@ -891,7 +1124,42 @@ components: - path required: - parameters + example: + comment: Get my file + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + path: /usr/my-file.txt + GetFileRouteResponse: + example: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: endpoint + command: get-file + createdBy: myuser + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: gke-endpoint-gke-clu-endpoint-node-po-e1a3ab89-4c4r + id: 27ba1b42-7cc6-4e53-86ce-675c876092b2 + isCompleted: false + isExpired: false + outputs: {} + parameters: + path: /usr/my-file.txt + startedAt: '2023-07-28T19:00:03.911Z' + status: pending + wasSuccessful: false + type: object + properties: {} GetProcessesRouteRequestBody: + example: + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 type: object properties: agent_type: @@ -908,6 +1176,30 @@ components: $ref: '#/components/schemas/Parameters' required: - endpoint_ids + GetProcessesRouteResponse: + example: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentType: endpoint + command: running-processes + comment: '' + completedAt: '2022-07-29T19:09:44.961Z' + createdBy: myuser + errors: [] + id: 233db9ea-6733-4849-9226-5a7039c7161d + isCompleted: true + isExpired: false + outputs: + ed518850-681a-4d60-bb98-e22640cae2a8: + content: + key: value + type: json + parameters: {} + startedAt: '2022-07-29T19:08:49.126Z' + wasSuccessful: true + type: object + properties: {} HostPathScriptParameters: type: object properties: 
@@ -939,23 +1231,32 @@ components: - unenrolled type: string type: array - IsolateRouteRequestBody: + IsolateRouteResponse: + example: + action: 233db9ea-6733-4849-9226-5a7039c7161d + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentType: endpoint + command: suspend-process + comment: suspend the process + completedAt: '2022-07-29T19:09:44.961Z' + createdBy: myuser + errors: [] + id: 233db9ea-6733-4849-9226-5a7039c7161d + isCompleted: true + isExpired: false + outputs: + ed518850-681a-4d60-bb98-e22640cae2a8: + content: + key: value + type: json + parameters: + entity_id: abc123 + startedAt: '2022-07-29T19:08:49.126Z' + wasSuccessful: true type: object - properties: - agent_type: - $ref: '#/components/schemas/AgentTypes' - alert_ids: - $ref: '#/components/schemas/AlertIds' - case_ids: - $ref: '#/components/schemas/CaseIds' - comment: - $ref: '#/components/schemas/Comment' - endpoint_ids: - $ref: '#/components/schemas/EndpointIds' - parameters: - $ref: '#/components/schemas/Parameters' - required: - - endpoint_ids + properties: {} KillProcessRouteRequestBody: allOf: - type: object 
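Review bot: The example added under `IsolateRouteResponse` does not describe an isolate action: it shows `command: suspend-process`, `comment: suspend the process` and `parameters: entity_id: abc123`, which appear to be copied from the SuspendProcessRouteResponse example. The same copy appears in the `UnisolateRouteResponse` example in hunk -1349,+1768. Both examples should use `command: isolate` / `command: unisolate`, drop the `entity_id` parameter (isolate takes no process parameters per the request body inlined in hunk -199,+246), and reuse a comment from the request examples such as `Locked down, pending further investigation`. This bundled file is generated, so the change belongs in the source schema.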
@@ -978,16 +1279,62 @@ components: properties: parameters: oneOf: - - $ref: '#/components/schemas/Pid' - - $ref: '#/components/schemas/EntityId' + - type: object + properties: + pid: + description: The process ID (PID) of the process to terminate. + example: 123 + minimum: 1 + type: integer + - type: object + properties: + entity_id: + description: The entity ID of the process to terminate. + example: abc123 + minLength: 1 + type: string - type: object properties: process_name: - description: Valid for SentinelOne agent type only + description: >- + The name of the process to terminate. Valid for + SentinelOne agent type only. + example: Elastic minLength: 1 type: string required: - parameters + example: + comment: terminate the process + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + entity_id: abc123 + KillProcessRouteResponse: + example: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentType: endpoint + command: kill-process + comment: terminate the process + completedAt: '2022-07-29T19:09:44.961Z' + createdBy: myuser + errors: [] + id: 233db9ea-6733-4849-9226-5a7039c7161d + isCompleted: true + isExpired: false + outputs: + ed518850-681a-4d60-bb98-e22640cae2a8: + content: + key: value + type: json + parameters: + entity_id: abc123 + startedAt: '2022-07-29T19:08:49.126Z' + wasSuccessful: true + type: object + properties: {} Kuery: description: A KQL string. example: 'united.endpoint.host.os.name : ''Windows''' @@ -1214,12 +1561,6 @@ components: $ref: '#/components/schemas/PendingActionDataType' - additionalProperties: true type: object - Pid: - type: object - properties: - pid: - minimum: 1 - type: integer ProtectionUpdatesNoteResponse: type: object properties: 
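Review bot: The three inlined `parameters` alternatives for KillProcessRouteRequestBody (`pid`, `entity_id`, `process_name`) carry no `required` list and no `additionalProperties: false`, so every object — including `{}` and `{pid: 123}` — satisfies all three branches, and a strict `oneOf` validator or code generator would reject or mis-type every payload. The removed `Pid`/`EntityId` components had the same shape, so this is carried over rather than introduced, but inlining is the moment to fix it: add `required: [pid]`, `required: [entity_id]` and `required: [process_name]` to the respective branches. The same applies to the two inlined branches of SuspendProcessRouteRequestBody in hunk -1333,+1709. Whether the server-side request validation enforces this independently cannot be seen from this file.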
@@ -1279,11 +1620,45 @@ components: type: object properties: path: + description: The folder or file’s full path (including the file name). + example: /usr/my-file.txt type: string required: - path required: - parameters + example: + comment: Scan the file for malware + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + path: /usr/my-file.txt + ScanRouteResponse: + example: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: endpoint + command: scan + createdBy: myuser + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: gke-endpoint-gke-clu-endpoint-node-po-e1a3ab89-4c4r + id: 27ba1b42-7cc6-4e53-86ce-675c876092b2 + isCompleted: false + isExpired: false + outputs: {} + parameters: + path: /usr/my-file.txt + startedAt: '2023-07-28T19:00:03.911Z' + status: pending + wasSuccessful: false + type: object + properties: {} SortDirection: description: Determines the sort order. enum: @@ -1306,7 +1681,8 @@ components: example: enrolled_at type: string StartDate: - description: Start date + description: A start date in ISO 8601 format or Date Math format. + example: '2023-10-31T00:00:00.000Z' type: string SuccessResponse: type: object 
@@ -1333,10 +1709,53 @@ components: properties: parameters: oneOf: - - $ref: '#/components/schemas/Pid' - - $ref: '#/components/schemas/EntityId' + - type: object + properties: + pid: + description: The process ID (PID) of the process to suspend. + example: 123 + minimum: 1 + type: integer + - type: object + properties: + entity_id: + description: The entity ID of the process to suspend. + example: abc123 + minLength: 1 + type: string required: - parameters + example: + comment: suspend the process + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + parameters: + entity_id: abc123 + SuspendProcessRouteResponse: + example: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentType: endpoint + command: suspend-process + comment: suspend the process + completedAt: '2022-07-29T19:09:44.961Z' + createdBy: myuser + errors: [] + id: 233db9ea-6733-4849-9226-5a7039c7161d + isCompleted: true + isExpired: false + outputs: + ed518850-681a-4d60-bb98-e22640cae2a8: + content: + key: value + type: json + parameters: + entity_id: abc123 + startedAt: '2022-07-29T19:08:49.126Z' + wasSuccessful: true + type: object + properties: {} Timeout: description: The maximum timeout value in milliseconds (optional) minimum: 1 
@@ -1349,28 +1768,40 @@ components: type: string Types: description: List of types of response actions + example: + - automated + - manual items: $ref: '#/components/schemas/Type' maxLength: 2 minLength: 1 type: array - UnisolateRouteRequestBody: + UnisolateRouteResponse: + example: + action: 233db9ea-6733-4849-9226-5a7039c7161d + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentType: endpoint + command: suspend-process + comment: suspend the process + completedAt: '2022-07-29T19:09:44.961Z' + createdBy: myuser + errors: [] + id: 233db9ea-6733-4849-9226-5a7039c7161d + isCompleted: true + isExpired: false + outputs: + ed518850-681a-4d60-bb98-e22640cae2a8: + content: + key: value + type: json + parameters: + entity_id: abc123 + startedAt: '2022-07-29T19:08:49.126Z' + wasSuccessful: true type: object - properties: - agent_type: - $ref: '#/components/schemas/AgentTypes' - alert_ids: - $ref: '#/components/schemas/AlertIds' - case_ids: - $ref: '#/components/schemas/CaseIds' - comment: - $ref: '#/components/schemas/Comment' - endpoint_ids: - $ref: '#/components/schemas/EndpointIds' - parameters: - $ref: '#/components/schemas/Parameters' - required: - - endpoint_ids + properties: {} UploadRouteRequestBody: allOf: - type: object @@ -1392,6 +1823,8 @@ components: - type: object properties: file: + description: The binary content of the file. + example: RWxhc3RpYw== format: binary type: string parameters: 
@@ -1399,12 +1832,51 @@ components: properties: overwrite: default: false + description: Overwrite the file on the host if it already exists. + example: false type: boolean required: - parameters - file + example: + endpoint_ids: + - ed518850-681a-4d60-bb98-e22640cae2a8 + file: RWxhc3RpYw== + parameters: {} + UploadRouteResponse: + example: + data: + agents: + - ed518850-681a-4d60-bb98-e22640cae2a8 + agentState: + ed518850-681a-4d60-bb98-e22640cae2a8: + isCompleted: false + wasSuccessful: false + agentType: endpoint + command: upload + createdBy: elastic + hosts: + ed518850-681a-4d60-bb98-e22640cae2a8: + name: Host-5i6cuc8kdv + id: 9ff6aebc-2cb6-481e-8869-9b30036c9731 + isCompleted: false + isExpired: false + outputs: {} + parameters: + file_id: 10e4ce3d-4abb-4f93-a0cd-eaf63a489280 + file_name: fix-malware.sh + file_sha256: a0bed94220193ba4895c0aa5b4e7e293381d15765cb164ddf7be5cdd010ae42a + file_size: 69 + startedAt: '2023-07-03T15:07:22.837Z' + status: pending + wasSuccessful: false + type: object + properties: {} UserIds: - description: User IDs + description: A list of user IDs. + example: + - user-id-1 + - user-id-2 oneOf: - items: minLength: 1 @@ -1414,7 +1886,12 @@ components: - minLength: 1 type: string WithOutputs: - description: Shows detailed outputs for an action response + description: >- + A list of action IDs that should include the complete output of the + action. + example: + - action-id-1 + - action-id-2 oneOf: - items: minLength: 1 diff --git a/x-pack/test/api_integration/services/security_solution_api.gen.ts b/x-pack/test/api_integration/services/security_solution_api.gen.ts index df2ccd52b0ec3..c02f12b3812c8 100644 --- a/x-pack/test/api_integration/services/security_solution_api.gen.ts +++ b/x-pack/test/api_integration/services/security_solution_api.gen.ts 
@@ -66,7 +66,6 @@ import { EndpointScanActionRequestBodyInput } from '@kbn/security-solution-plugi import { EndpointSuspendProcessActionRequestBodyInput } from '@kbn/security-solution-plugin/common/api/endpoint/actions/response_actions/suspend_process/suspend_process.gen'; import { EndpointUnisolateActionRequestBodyInput } from '@kbn/security-solution-plugin/common/api/endpoint/actions/response_actions/unisolate/unisolate.gen'; import { EndpointUnisolateRedirectRequestBodyInput } from '@kbn/security-solution-plugin/common/api/endpoint/actions/response_actions/unisolate/deprecated_unisolate.gen'; -import { EndpointUploadActionRequestBodyInput } from '@kbn/security-solution-plugin/common/api/endpoint/actions/response_actions/upload/upload.gen'; import { ExportRulesRequestQueryInput, ExportRulesRequestBodyInput, @@ -750,13 +749,12 @@ If a record already exists for the specified entity, that record is overwritten /** * Upload a file to an endpoint. */ - endpointUploadAction(props: EndpointUploadActionProps, kibanaSpace: string = 'default') { + endpointUploadAction(kibanaSpace: string = 'default') { return supertest .post(routeWithNamespace('/api/endpoint/action/upload', kibanaSpace)) .set('kbn-xsrf', 'true') .set(ELASTIC_HTTP_VERSION_HEADER, '2023-10-31') - .set(X_ELASTIC_INTERNAL_ORIGIN_REQUEST, 'kibana') - .send(props.body as object); + .set(X_ELASTIC_INTERNAL_ORIGIN_REQUEST, 'kibana'); }, entityStoreGetPrivileges(kibanaSpace: string = 'default') { return supertest @@ -1799,9 +1797,6 @@ export interface EndpointUnisolateActionProps { export interface EndpointUnisolateRedirectProps { body: EndpointUnisolateRedirectRequestBodyInput; } -export interface EndpointUploadActionProps { - body: EndpointUploadActionRequestBodyInput; -} export interface ExportRulesProps { query: ExportRulesRequestQueryInput; body: ExportRulesRequestBodyInput;
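Review bot: `endpointUploadAction` no longer accepts a `props` argument and drops the `.send(props.body as object)` call, so the generated helper can no longer submit the upload payload, yet its TSDoc still reads `Upload a file to an endpoint.`; this looks like a side effect of the request body switching to `multipart/form-data` in the bundled schema (hunk -354,+481), which the generator apparently does not emit a typed body for. Callers will now have to add `.attach('file', …)` / `.field('endpoint_ids', …)` on the returned supertest request themselves, and nothing in the generated code or docs says so. Suggested TSDoc: `Upload a file to an endpoint. The body is multipart/form-data and is not typed by this helper; attach `file` and the form fields on the returned request.` The underlying fix belongs in the generator (multipart bodies) rather than this `.gen.ts` output.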