[EDR Workflows] OpenApi Missing Content - Response Actions (#212510)

## For reviewers:
Only `*.schema.yml` files were edited (excluding
`*.bundled.schema.yml`). Rest of the changes comes from auto generation
and can be ignored.

## Description

Part of DW team effort - elastic/security-team#11804

This PR aligns the property/schema descriptions and examples in
AsciiDocs with OpenAPI schemas. The primary goal of this PR was not to
extend or enhance the documentation but to migrate from one system to
another.

Ascii docs -
https://www.elastic.co/guide/en/security/8.17/management-api-overview.html
OpenApi generated docs -
https://www.elastic.co/docs/api/doc/kibana/operation/operation-endpointgetactionslist

Changes:

Copied missing property descriptions from AsciiDoc to OpenApi properties
Copied existing AsciiDoc examples for both requests and responses
Fixed a faulty query object in some GET requests - in OpenApi it was
defined as a single object rather than as individual query parameters.

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Co-authored-by: Paul Tavares <56442535+paul-tavares@users.noreply.github.com>
Co-authored-by: natasha-moore-elastic <137783811+natasha-moore-elastic@users.noreply.github.com>
This commit is contained in:
Konrad Szwarc 2025-02-28 17:44:00 +01:00 committed by GitHub
parent 5c0db3ed0d
commit 2700a2a951
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
30 changed files with 2938 additions and 557 deletions


@ -9572,16 +9572,61 @@ paths:
operationId: EndpointGetActionsList
parameters:
- in: query
name: query
required: true
name: page
required: false
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_GetEndpointActionListRouteQuery'
$ref: '#/components/schemas/Security_Endpoint_Management_API_Page'
- in: query
name: pageSize
required: false
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_PageSize'
- in: query
name: commands
required: false
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_Commands'
- in: query
name: agentIds
required: false
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_AgentIds'
- in: query
name: userIds
required: false
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_UserIds'
- in: query
name: startDate
required: false
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_StartDate'
- in: query
name: endDate
required: false
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_EndDate'
- in: query
name: agentTypes
required: false
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes'
- in: query
name: withOutputs
required: false
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_WithOutputs'
- in: query
name: types
required: false
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_Types'
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse'
$ref: '#/components/schemas/Security_Endpoint_Management_API_GetEndpointActionListResponse'
description: OK
summary: Get response actions
tags:
@ -9620,13 +9665,15 @@ paths:
name: action_id
required: true
schema:
description: The ID of the action to retrieve.
example: fr518850-681a-4y60-aa98-e22640cae2b8
type: string
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse'
$ref: '#/components/schemas/Security_Endpoint_Management_API_GetEndpointActionResponse'
description: OK
summary: Get action details
tags:
@ -9699,7 +9746,7 @@ paths:
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse'
$ref: '#/components/schemas/Security_Endpoint_Management_API_ExecuteRouteResponse'
description: OK
summary: Run a command
tags:
@ -9720,7 +9767,7 @@ paths:
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse'
$ref: '#/components/schemas/Security_Endpoint_Management_API_GetFileRouteResponse'
description: OK
summary: Get a file
tags:
@ -9733,15 +9780,53 @@ paths:
requestBody:
content:
application/json:
examples:
multiple_endpoints:
summary: Isolates several hosts; includes a comment
value:
comment: Locked down, pending further investigation
endpoint_ids:
- 9972d10e-4b9e-41aa-a534-a85e2a28ea42
- bc0e4f0c-3bca-4633-9fee-156c0b505d16
- fa89271b-b9d4-43f2-a684-307cffddeb5a
single_endpoint:
summary: Isolates a single host with an endpoint_id value of ed518850-681a-4d60-bb98-e22640cae2a8
value:
endpoint_ids:
- ed518850-681a-4d60-bb98-e22640cae2a8
with_case_id:
summary: Isolates a single host with a case_id value of 1234
value:
case_ids:
- 4976be38-c134-4554-bd5e-0fd89ce63667
comment: Isolating as initial response
endpoint_ids:
- 1aa1f8fd-0fb0-4fe4-8c30-92068272d3f0
- b30a11bf-1395-4707-b508-fbb45ef9793e
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_IsolateRouteRequestBody'
type: object
properties:
agent_type:
$ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes'
alert_ids:
$ref: '#/components/schemas/Security_Endpoint_Management_API_AlertIds'
case_ids:
$ref: '#/components/schemas/Security_Endpoint_Management_API_CaseIds'
comment:
$ref: '#/components/schemas/Security_Endpoint_Management_API_Comment'
endpoint_ids:
$ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds'
parameters:
$ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters'
required:
- endpoint_ids
required: true
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse'
$ref: '#/components/schemas/Security_Endpoint_Management_API_IsolateRouteResponse'
description: OK
summary: Isolate an endpoint
tags:
@ -9762,7 +9847,7 @@ paths:
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse'
$ref: '#/components/schemas/Security_Endpoint_Management_API_KillProcessRouteResponse'
description: OK
summary: Terminate a process
tags:
@ -9783,7 +9868,7 @@ paths:
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse'
$ref: '#/components/schemas/Security_Endpoint_Management_API_GetProcessesRouteResponse'
description: OK
summary: Get running processes
tags:
@ -9825,7 +9910,7 @@ paths:
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse'
$ref: '#/components/schemas/Security_Endpoint_Management_API_ScanRouteResponse'
description: OK
summary: Scan a file or directory
tags:
@ -9861,7 +9946,7 @@ paths:
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse'
$ref: '#/components/schemas/Security_Endpoint_Management_API_SuspendProcessRouteResponse'
description: OK
summary: Suspend a process
tags:
@ -9874,15 +9959,53 @@ paths:
requestBody:
content:
application/json:
examples:
multipleHosts:
summary: 'Releases several hosts; includes a comment:'
value:
comment: Benign process identified, releasing group
endpoint_ids:
- 9972d10e-4b9e-41aa-a534-a85e2a28ea42
- bc0e4f0c-3bca-4633-9fee-156c0b505d16
- fa89271b-b9d4-43f2-a684-307cffddeb5a
singleHost:
summary: Releases a single host with an endpoint_id value of ed518850-681a-4d60-bb98-e22640cae2a8
value:
endpoint_ids:
- ed518850-681a-4d60-bb98-e22640cae2a8
withCaseId:
summary: Releases hosts with an associated case; includes a comment.
value:
case_ids:
- 4976be38-c134-4554-bd5e-0fd89ce63667
comment: Remediation complete, restoring network
endpoint_ids:
- 1aa1f8fd-0fb0-4fe4-8c30-92068272d3f0
- b30a11bf-1395-4707-b508-fbb45ef9793e
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_UnisolateRouteRequestBody'
type: object
properties:
agent_type:
$ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes'
alert_ids:
$ref: '#/components/schemas/Security_Endpoint_Management_API_AlertIds'
case_ids:
$ref: '#/components/schemas/Security_Endpoint_Management_API_CaseIds'
comment:
$ref: '#/components/schemas/Security_Endpoint_Management_API_Comment'
endpoint_ids:
$ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds'
parameters:
$ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters'
required:
- endpoint_ids
required: true
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse'
$ref: '#/components/schemas/Security_Endpoint_Management_API_UnisolateRouteResponse'
description: OK
summary: Release an isolated endpoint
tags:
@ -9894,7 +10017,7 @@ paths:
operationId: EndpointUploadAction
requestBody:
content:
application/json:
multipart/form-data:
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_UploadRouteRequestBody'
required: true
@ -9903,7 +10026,7 @@ paths:
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse'
$ref: '#/components/schemas/Security_Endpoint_Management_API_UploadRouteResponse'
description: OK
summary: Upload a file
tags:
@ -51747,6 +51870,10 @@ components:
description: Agent ID
type: string
Security_Endpoint_Management_API_AgentIds:
description: A list of agent IDs. Max of 50.
example:
- agent-id-1
- agent-id-2
minLength: 1
oneOf:
- items:
@ -51758,12 +51885,13 @@ components:
- minLength: 1
type: string
Security_Endpoint_Management_API_AgentTypes:
description: The host agent type (optional). Defaults to endpoint.
description: List of agent types to retrieve. Defaults to `endpoint`.
enum:
- endpoint
- sentinel_one
- crowdstrike
- microsoft_defender_endpoint
example: endpoint
type: string
Security_Endpoint_Management_API_AlertIds:
description: A list of alerts `id`s.
@ -51775,6 +51903,9 @@ components:
type: array
Security_Endpoint_Management_API_CaseIds:
description: Case IDs to be updated (cannot contain empty strings)
example:
- case-id-1
- case-id-2
items:
minLength: 1
type: string
@ -51812,17 +51943,26 @@ components:
minLength: 1
type: string
Security_Endpoint_Management_API_Commands:
description: A list of response action command names.
example:
- isolate
- unisolate
items:
$ref: '#/components/schemas/Security_Endpoint_Management_API_Command'
type: array
Security_Endpoint_Management_API_Comment:
description: Optional comment
example: This is a comment
type: string
Security_Endpoint_Management_API_EndDate:
description: End date
description: An end date in ISO format or Date Math format.
example: '2023-10-31T23:59:59.999Z'
type: string
Security_Endpoint_Management_API_EndpointIds:
description: List of endpoint IDs (cannot contain empty strings)
example:
- endpoint-id-1
- endpoint-id-2
items:
minLength: 1
type: string
@ -51914,12 +52054,6 @@ components:
revision: 2
type: object
properties: {}
Security_Endpoint_Management_API_EntityId:
type: object
properties:
entity_id:
minLength: 1
type: string
Security_Endpoint_Management_API_ExecuteRouteRequestBody:
allOf:
- type: object
@ -51951,33 +52085,128 @@ components:
- command
required:
- parameters
Security_Endpoint_Management_API_GetEndpointActionListRouteQuery:
example:
comment: Get list of all files
endpoint_ids:
- b3d6de74-36b0-4fa8-be46-c375bf1771bf
parameters:
command: ls -al
timeout: 600
Security_Endpoint_Management_API_ExecuteRouteResponse:
example:
data:
agents:
- ed518850-681a-4d60-bb98-e22640cae2a8
agentState:
ed518850-681a-4d60-bb98-e22640cae2a8:
isCompleted: false
wasSuccessful: false
agentType: endpoint
command: execute
comment: Get list of all files
createdBy: myuser
hosts:
ed518850-681a-4d60-bb98-e22640cae2a8:
name: gke-endpoint-gke-clu-endpoint-node-po-e1a3ab89-4c4r
id: 9f934028-2300-4927-b531-b26376793dc4
isCompleted: false
isExpired: false
outputs: {}
parameters:
command: ls -al
timeout: 600
startedAt: '2023-07-28T18:43:27.362Z'
status: pending
wasSuccessful: false
type: object
properties:
agentIds:
$ref: '#/components/schemas/Security_Endpoint_Management_API_AgentIds'
agentTypes:
$ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes'
commands:
$ref: '#/components/schemas/Security_Endpoint_Management_API_Commands'
endDate:
$ref: '#/components/schemas/Security_Endpoint_Management_API_EndDate'
page:
$ref: '#/components/schemas/Security_Endpoint_Management_API_Page'
pageSize:
default: 10
description: Number of items per page
maximum: 10000
minimum: 1
type: integer
startDate:
$ref: '#/components/schemas/Security_Endpoint_Management_API_StartDate'
types:
$ref: '#/components/schemas/Security_Endpoint_Management_API_Types'
userIds:
$ref: '#/components/schemas/Security_Endpoint_Management_API_UserIds'
withOutputs:
$ref: '#/components/schemas/Security_Endpoint_Management_API_WithOutputs'
properties: {}
Security_Endpoint_Management_API_GetEndpointActionListResponse:
example:
data:
- agents:
- afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0
agentType: endpoint
command: running-processes
completedAt: '2022-08-08T09:50:47.672Z'
createdBy: elastic
id: b3d6de74-36b0-4fa8-be46-c375bf1771bf
isCompleted: true
isExpired: false
startedAt: '2022-08-08T15:24:57.402Z'
wasSuccessful: true
- agents:
- afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0
agentType: endpoint
command: isolate
completedAt: '2022-08-08T10:41:57.352Z'
createdBy: elastic
id: 43b4098b-8752-4fbb-a7a7-6df7c74d0ee3
isCompleted: true
isExpired: false
startedAt: '2022-08-08T15:23:37.359Z'
wasSuccessful: true
- agents:
- afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0
agentType: endpoint
command: kill-process
comment: bad process - taking up too much cpu
completedAt: '2022-08-08T09:44:50.952Z'
createdBy: elastic
id: 5bc92c86-b8e6-42dd-837f-12ad29e09caa
isCompleted: true
isExpired: false
startedAt: '2022-08-08T14:38:44.125Z'
wasSuccessful: true
- agents:
- afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0
agentType: endpoint
command: unisolate
comment: Not a threat to the network
completedAt: '2022-08-08T09:40:47.398Z'
createdBy: elastic
id: 790d54e0-3aa3-4e5b-8255-3ce9d851246a
isCompleted: true
isExpired: false
startedAt: '2022-08-08T14:38:15.391Z'
wasSuccessful: true
elasticAgentIds:
- afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0
endDate: now
page: 1
pageSize: 10
startDate: now-24h/h
total: 4
type: object
properties: {}
Security_Endpoint_Management_API_GetEndpointActionResponse:
example:
data:
agents:
- afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0
agentType: endpoint
command: running-processes
completedAt: '2022-08-08T09:50:47.672Z'
createdBy: elastic
id: b3d6de74-36b0-4fa8-be46-c375bf1771bf
isCompleted: true
isExpired: false
outputs:
afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0:
content:
entries:
- command: /opt/cmd1
entity_id: fk2ym7bl3oiu3okjcik0xosc0i0m75x3eh49nu3uaqt4dqanjt
pid: '822'
user: Dexter
- command: /opt/cmd3/opt/cmd3/opt/cmd3/opt/cmd3
entity_id: pwvz91m48wpj9j7ov9gtw8fp7u2rat4eu5ipte37hnhdcbi2pt
pid: '984'
user: Jada
type: json
startedAt: '2022-08-08T15:24:57.402Z'
wasSuccessful: true
type: object
properties: {}
Security_Endpoint_Management_API_GetFileRouteRequestBody:
allOf:
- type: object
@ -52007,7 +52236,42 @@ components:
- path
required:
- parameters
example:
comment: Get my file
endpoint_ids:
- ed518850-681a-4d60-bb98-e22640cae2a8
parameters:
path: /usr/my-file.txt
Security_Endpoint_Management_API_GetFileRouteResponse:
example:
data:
agents:
- ed518850-681a-4d60-bb98-e22640cae2a8
agentState:
ed518850-681a-4d60-bb98-e22640cae2a8:
isCompleted: false
wasSuccessful: false
agentType: endpoint
command: get-file
createdBy: myuser
hosts:
ed518850-681a-4d60-bb98-e22640cae2a8:
name: gke-endpoint-gke-clu-endpoint-node-po-e1a3ab89-4c4r
id: 27ba1b42-7cc6-4e53-86ce-675c876092b2
isCompleted: false
isExpired: false
outputs: {}
parameters:
path: /usr/my-file.txt
startedAt: '2023-07-28T19:00:03.911Z'
status: pending
wasSuccessful: false
type: object
properties: {}
Security_Endpoint_Management_API_GetProcessesRouteRequestBody:
example:
endpoint_ids:
- ed518850-681a-4d60-bb98-e22640cae2a8
type: object
properties:
agent_type:
@ -52024,6 +52288,30 @@ components:
$ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters'
required:
- endpoint_ids
Security_Endpoint_Management_API_GetProcessesRouteResponse:
example:
data:
agents:
- ed518850-681a-4d60-bb98-e22640cae2a8
agentType: endpoint
command: running-processes
comment: ''
completedAt: '2022-07-29T19:09:44.961Z'
createdBy: myuser
errors: []
id: 233db9ea-6733-4849-9226-5a7039c7161d
isCompleted: true
isExpired: false
outputs:
ed518850-681a-4d60-bb98-e22640cae2a8:
content:
key: value
type: json
parameters: {}
startedAt: '2022-07-29T19:08:49.126Z'
wasSuccessful: true
type: object
properties: {}
Security_Endpoint_Management_API_HostPathScriptParameters:
type: object
properties:
@ -52055,23 +52343,32 @@ components:
- unenrolled
type: string
type: array
Security_Endpoint_Management_API_IsolateRouteRequestBody:
Security_Endpoint_Management_API_IsolateRouteResponse:
example:
action: 233db9ea-6733-4849-9226-5a7039c7161d
data:
agents:
- ed518850-681a-4d60-bb98-e22640cae2a8
agentType: endpoint
command: suspend-process
comment: suspend the process
completedAt: '2022-07-29T19:09:44.961Z'
createdBy: myuser
errors: []
id: 233db9ea-6733-4849-9226-5a7039c7161d
isCompleted: true
isExpired: false
outputs:
ed518850-681a-4d60-bb98-e22640cae2a8:
content:
key: value
type: json
parameters:
entity_id: abc123
startedAt: '2022-07-29T19:08:49.126Z'
wasSuccessful: true
type: object
properties:
agent_type:
$ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes'
alert_ids:
$ref: '#/components/schemas/Security_Endpoint_Management_API_AlertIds'
case_ids:
$ref: '#/components/schemas/Security_Endpoint_Management_API_CaseIds'
comment:
$ref: '#/components/schemas/Security_Endpoint_Management_API_Comment'
endpoint_ids:
$ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds'
parameters:
$ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters'
required:
- endpoint_ids
properties: {}
Security_Endpoint_Management_API_KillProcessRouteRequestBody:
allOf:
- type: object
@ -52094,16 +52391,60 @@ components:
properties:
parameters:
oneOf:
- $ref: '#/components/schemas/Security_Endpoint_Management_API_Pid'
- $ref: '#/components/schemas/Security_Endpoint_Management_API_EntityId'
- type: object
properties:
pid:
description: The process ID (PID) of the process to terminate.
example: 123
minimum: 1
type: integer
- type: object
properties:
entity_id:
description: The entity ID of the process to terminate.
example: abc123
minLength: 1
type: string
- type: object
properties:
process_name:
description: Valid for SentinelOne agent type only
description: The name of the process to terminate. Valid for SentinelOne agent type only.
example: Elastic
minLength: 1
type: string
required:
- parameters
example:
comment: terminate the process
endpoint_ids:
- ed518850-681a-4d60-bb98-e22640cae2a8
parameters:
entity_id: abc123
Security_Endpoint_Management_API_KillProcessRouteResponse:
example:
data:
agents:
- ed518850-681a-4d60-bb98-e22640cae2a8
agentType: endpoint
command: kill-process
comment: terminate the process
completedAt: '2022-07-29T19:09:44.961Z'
createdBy: myuser
errors: []
id: 233db9ea-6733-4849-9226-5a7039c7161d
isCompleted: true
isExpired: false
outputs:
ed518850-681a-4d60-bb98-e22640cae2a8:
content:
key: value
type: json
parameters:
entity_id: abc123
startedAt: '2022-07-29T19:08:49.126Z'
wasSuccessful: true
type: object
properties: {}
Security_Endpoint_Management_API_Kuery:
description: A KQL string.
example: 'united.endpoint.host.os.name : ''Windows'''
@ -52324,12 +52665,6 @@ components:
$ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType'
- additionalProperties: true
type: object
Security_Endpoint_Management_API_Pid:
type: object
properties:
pid:
minimum: 1
type: integer
Security_Endpoint_Management_API_ProtectionUpdatesNoteResponse:
type: object
properties:
@ -52387,11 +52722,45 @@ components:
type: object
properties:
path:
description: The folder or files full path (including the file name).
example: /usr/my-file.txt
type: string
required:
- path
required:
- parameters
example:
comment: Scan the file for malware
endpoint_ids:
- ed518850-681a-4d60-bb98-e22640cae2a8
parameters:
path: /usr/my-file.txt
Security_Endpoint_Management_API_ScanRouteResponse:
example:
data:
agents:
- ed518850-681a-4d60-bb98-e22640cae2a8
agentState:
ed518850-681a-4d60-bb98-e22640cae2a8:
isCompleted: false
wasSuccessful: false
agentType: endpoint
command: scan
createdBy: myuser
hosts:
ed518850-681a-4d60-bb98-e22640cae2a8:
name: gke-endpoint-gke-clu-endpoint-node-po-e1a3ab89-4c4r
id: 27ba1b42-7cc6-4e53-86ce-675c876092b2
isCompleted: false
isExpired: false
outputs: {}
parameters:
path: /usr/my-file.txt
startedAt: '2023-07-28T19:00:03.911Z'
status: pending
wasSuccessful: false
type: object
properties: {}
Security_Endpoint_Management_API_SortDirection:
description: Determines the sort order.
enum:
@ -52414,7 +52783,8 @@ components:
example: enrolled_at
type: string
Security_Endpoint_Management_API_StartDate:
description: Start date
description: A start date in ISO 8601 format or Date Math format.
example: '2023-10-31T00:00:00.000Z'
type: string
Security_Endpoint_Management_API_SuccessResponse:
type: object
@ -52441,10 +52811,53 @@ components:
properties:
parameters:
oneOf:
- $ref: '#/components/schemas/Security_Endpoint_Management_API_Pid'
- $ref: '#/components/schemas/Security_Endpoint_Management_API_EntityId'
- type: object
properties:
pid:
description: The process ID (PID) of the process to suspend.
example: 123
minimum: 1
type: integer
- type: object
properties:
entity_id:
description: The entity ID of the process to suspend.
example: abc123
minLength: 1
type: string
required:
- parameters
example:
comment: suspend the process
endpoint_ids:
- ed518850-681a-4d60-bb98-e22640cae2a8
parameters:
entity_id: abc123
Security_Endpoint_Management_API_SuspendProcessRouteResponse:
example:
data:
agents:
- ed518850-681a-4d60-bb98-e22640cae2a8
agentType: endpoint
command: suspend-process
comment: suspend the process
completedAt: '2022-07-29T19:09:44.961Z'
createdBy: myuser
errors: []
id: 233db9ea-6733-4849-9226-5a7039c7161d
isCompleted: true
isExpired: false
outputs:
ed518850-681a-4d60-bb98-e22640cae2a8:
content:
key: value
type: json
parameters:
entity_id: abc123
startedAt: '2022-07-29T19:08:49.126Z'
wasSuccessful: true
type: object
properties: {}
Security_Endpoint_Management_API_Timeout:
description: The maximum timeout value in milliseconds (optional)
minimum: 1
@ -52457,28 +52870,40 @@ components:
type: string
Security_Endpoint_Management_API_Types:
description: List of types of response actions
example:
- automated
- manual
items:
$ref: '#/components/schemas/Security_Endpoint_Management_API_Type'
maxLength: 2
minLength: 1
type: array
Security_Endpoint_Management_API_UnisolateRouteRequestBody:
Security_Endpoint_Management_API_UnisolateRouteResponse:
example:
action: 233db9ea-6733-4849-9226-5a7039c7161d
data:
agents:
- ed518850-681a-4d60-bb98-e22640cae2a8
agentType: endpoint
command: suspend-process
comment: suspend the process
completedAt: '2022-07-29T19:09:44.961Z'
createdBy: myuser
errors: []
id: 233db9ea-6733-4849-9226-5a7039c7161d
isCompleted: true
isExpired: false
outputs:
ed518850-681a-4d60-bb98-e22640cae2a8:
content:
key: value
type: json
parameters:
entity_id: abc123
startedAt: '2022-07-29T19:08:49.126Z'
wasSuccessful: true
type: object
properties:
agent_type:
$ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes'
alert_ids:
$ref: '#/components/schemas/Security_Endpoint_Management_API_AlertIds'
case_ids:
$ref: '#/components/schemas/Security_Endpoint_Management_API_CaseIds'
comment:
$ref: '#/components/schemas/Security_Endpoint_Management_API_Comment'
endpoint_ids:
$ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds'
parameters:
$ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters'
required:
- endpoint_ids
properties: {}
Security_Endpoint_Management_API_UploadRouteRequestBody:
allOf:
- type: object
@ -52500,6 +52925,8 @@ components:
- type: object
properties:
file:
description: The binary content of the file.
example: RWxhc3RpYw==
format: binary
type: string
parameters:
@ -52507,12 +52934,51 @@ components:
properties:
overwrite:
default: false
description: Overwrite the file on the host if it already exists.
example: false
type: boolean
required:
- parameters
- file
example:
endpoint_ids:
- ed518850-681a-4d60-bb98-e22640cae2a8
file: RWxhc3RpYw==
parameters: {}
Security_Endpoint_Management_API_UploadRouteResponse:
example:
data:
agents:
- ed518850-681a-4d60-bb98-e22640cae2a8
agentState:
ed518850-681a-4d60-bb98-e22640cae2a8:
isCompleted: false
wasSuccessful: false
agentType: endpoint
command: upload
createdBy: elastic
hosts:
ed518850-681a-4d60-bb98-e22640cae2a8:
name: Host-5i6cuc8kdv
id: 9ff6aebc-2cb6-481e-8869-9b30036c9731
isCompleted: false
isExpired: false
outputs: {}
parameters:
file_id: 10e4ce3d-4abb-4f93-a0cd-eaf63a489280
file_name: fix-malware.sh
file_sha256: a0bed94220193ba4895c0aa5b4e7e293381d15765cb164ddf7be5cdd010ae42a
file_size: 69
startedAt: '2023-07-03T15:07:22.837Z'
status: pending
wasSuccessful: false
type: object
properties: {}
Security_Endpoint_Management_API_UserIds:
description: User IDs
description: A list of user IDs.
example:
- user-id-1
- user-id-2
oneOf:
- items:
minLength: 1
@ -52522,7 +52988,10 @@ components:
- minLength: 1
type: string
Security_Endpoint_Management_API_WithOutputs:
description: Shows detailed outputs for an action response
description: A list of action IDs that should include the complete output of the action.
example:
- action-id-1
- action-id-2
oneOf:
- items:
minLength: 1


@ -11757,16 +11757,61 @@ paths:
operationId: EndpointGetActionsList
parameters:
- in: query
name: query
required: true
name: page
required: false
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_GetEndpointActionListRouteQuery'
$ref: '#/components/schemas/Security_Endpoint_Management_API_Page'
- in: query
name: pageSize
required: false
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_PageSize'
- in: query
name: commands
required: false
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_Commands'
- in: query
name: agentIds
required: false
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_AgentIds'
- in: query
name: userIds
required: false
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_UserIds'
- in: query
name: startDate
required: false
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_StartDate'
- in: query
name: endDate
required: false
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_EndDate'
- in: query
name: agentTypes
required: false
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes'
- in: query
name: withOutputs
required: false
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_WithOutputs'
- in: query
name: types
required: false
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_Types'
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse'
$ref: '#/components/schemas/Security_Endpoint_Management_API_GetEndpointActionListResponse'
description: OK
summary: Get response actions
tags:
@ -11803,13 +11848,15 @@ paths:
name: action_id
required: true
schema:
description: The ID of the action to retrieve.
example: fr518850-681a-4y60-aa98-e22640cae2b8
type: string
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse'
$ref: '#/components/schemas/Security_Endpoint_Management_API_GetEndpointActionResponse'
description: OK
summary: Get action details
tags:
@ -11879,7 +11926,7 @@ paths:
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse'
$ref: '#/components/schemas/Security_Endpoint_Management_API_ExecuteRouteResponse'
description: OK
summary: Run a command
tags:
@ -11899,7 +11946,7 @@ paths:
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse'
$ref: '#/components/schemas/Security_Endpoint_Management_API_GetFileRouteResponse'
description: OK
summary: Get a file
tags:
@ -11911,15 +11958,53 @@ paths:
requestBody:
content:
application/json:
examples:
multiple_endpoints:
summary: Isolates several hosts; includes a comment
value:
comment: Locked down, pending further investigation
endpoint_ids:
- 9972d10e-4b9e-41aa-a534-a85e2a28ea42
- bc0e4f0c-3bca-4633-9fee-156c0b505d16
- fa89271b-b9d4-43f2-a684-307cffddeb5a
single_endpoint:
summary: Isolates a single host with an endpoint_id value of ed518850-681a-4d60-bb98-e22640cae2a8
value:
endpoint_ids:
- ed518850-681a-4d60-bb98-e22640cae2a8
with_case_id:
summary: Isolates a single host with a case_id value of 1234
value:
case_ids:
- 4976be38-c134-4554-bd5e-0fd89ce63667
comment: Isolating as initial response
endpoint_ids:
- 1aa1f8fd-0fb0-4fe4-8c30-92068272d3f0
- b30a11bf-1395-4707-b508-fbb45ef9793e
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_IsolateRouteRequestBody'
type: object
properties:
agent_type:
$ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes'
alert_ids:
$ref: '#/components/schemas/Security_Endpoint_Management_API_AlertIds'
case_ids:
$ref: '#/components/schemas/Security_Endpoint_Management_API_CaseIds'
comment:
$ref: '#/components/schemas/Security_Endpoint_Management_API_Comment'
endpoint_ids:
$ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds'
parameters:
$ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters'
required:
- endpoint_ids
required: true
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse'
$ref: '#/components/schemas/Security_Endpoint_Management_API_IsolateRouteResponse'
description: OK
summary: Isolate an endpoint
tags:
@ -11939,7 +12024,7 @@ paths:
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse'
$ref: '#/components/schemas/Security_Endpoint_Management_API_KillProcessRouteResponse'
description: OK
summary: Terminate a process
tags:
@ -11959,7 +12044,7 @@ paths:
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse'
$ref: '#/components/schemas/Security_Endpoint_Management_API_GetProcessesRouteResponse'
description: OK
summary: Get running processes
tags:
@ -11999,7 +12084,7 @@ paths:
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse'
$ref: '#/components/schemas/Security_Endpoint_Management_API_ScanRouteResponse'
description: OK
summary: Scan a file or directory
tags:
@ -12033,7 +12118,7 @@ paths:
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse'
$ref: '#/components/schemas/Security_Endpoint_Management_API_SuspendProcessRouteResponse'
description: OK
summary: Suspend a process
tags:
@ -12045,15 +12130,53 @@ paths:
requestBody:
content:
application/json:
examples:
multipleHosts:
summary: 'Releases several hosts; includes a comment:'
value:
comment: Benign process identified, releasing group
endpoint_ids:
- 9972d10e-4b9e-41aa-a534-a85e2a28ea42
- bc0e4f0c-3bca-4633-9fee-156c0b505d16
- fa89271b-b9d4-43f2-a684-307cffddeb5a
singleHost:
summary: Releases a single host with an endpoint_id value of ed518850-681a-4d60-bb98-e22640cae2a8
value:
endpoint_ids:
- ed518850-681a-4d60-bb98-e22640cae2a8
withCaseId:
summary: Releases hosts with an associated case; includes a comment.
value:
case_ids:
- 4976be38-c134-4554-bd5e-0fd89ce63667
comment: Remediation complete, restoring network
endpoint_ids:
- 1aa1f8fd-0fb0-4fe4-8c30-92068272d3f0
- b30a11bf-1395-4707-b508-fbb45ef9793e
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_UnisolateRouteRequestBody'
type: object
properties:
agent_type:
$ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes'
alert_ids:
$ref: '#/components/schemas/Security_Endpoint_Management_API_AlertIds'
case_ids:
$ref: '#/components/schemas/Security_Endpoint_Management_API_CaseIds'
comment:
$ref: '#/components/schemas/Security_Endpoint_Management_API_Comment'
endpoint_ids:
$ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds'
parameters:
$ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters'
required:
- endpoint_ids
required: true
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse'
$ref: '#/components/schemas/Security_Endpoint_Management_API_UnisolateRouteResponse'
description: OK
summary: Release an isolated endpoint
tags:
@ -12064,7 +12187,7 @@ paths:
operationId: EndpointUploadAction
requestBody:
content:
application/json:
multipart/form-data:
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_UploadRouteRequestBody'
required: true
@ -12073,7 +12196,7 @@ paths:
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse'
$ref: '#/components/schemas/Security_Endpoint_Management_API_UploadRouteResponse'
description: OK
summary: Upload a file
tags:
@ -58514,6 +58637,10 @@ components:
description: Agent ID
type: string
Security_Endpoint_Management_API_AgentIds:
description: A list of agent IDs. Max of 50.
example:
- agent-id-1
- agent-id-2
minLength: 1
oneOf:
- items:
@ -58525,12 +58652,13 @@ components:
- minLength: 1
type: string
Security_Endpoint_Management_API_AgentTypes:
description: The host agent type (optional). Defaults to endpoint.
description: List of agent types to retrieve. Defaults to `endpoint`.
enum:
- endpoint
- sentinel_one
- crowdstrike
- microsoft_defender_endpoint
example: endpoint
type: string
Security_Endpoint_Management_API_AlertIds:
description: A list of alerts `id`s.
@ -58542,6 +58670,9 @@ components:
type: array
Security_Endpoint_Management_API_CaseIds:
description: Case IDs to be updated (cannot contain empty strings)
example:
- case-id-1
- case-id-2
items:
minLength: 1
type: string
@ -58579,17 +58710,26 @@ components:
minLength: 1
type: string
Security_Endpoint_Management_API_Commands:
description: A list of response action command names.
example:
- isolate
- unisolate
items:
$ref: '#/components/schemas/Security_Endpoint_Management_API_Command'
type: array
Security_Endpoint_Management_API_Comment:
description: Optional comment
example: This is a comment
type: string
Security_Endpoint_Management_API_EndDate:
description: End date
description: An end date in ISO format or Date Math format.
example: '2023-10-31T23:59:59.999Z'
type: string
Security_Endpoint_Management_API_EndpointIds:
description: List of endpoint IDs (cannot contain empty strings)
example:
- endpoint-id-1
- endpoint-id-2
items:
minLength: 1
type: string
@ -58681,12 +58821,6 @@ components:
revision: 2
type: object
properties: {}
Security_Endpoint_Management_API_EntityId:
type: object
properties:
entity_id:
minLength: 1
type: string
Security_Endpoint_Management_API_ExecuteRouteRequestBody:
allOf:
- type: object
@ -58718,33 +58852,128 @@ components:
- command
required:
- parameters
Security_Endpoint_Management_API_GetEndpointActionListRouteQuery:
example:
comment: Get list of all files
endpoint_ids:
- b3d6de74-36b0-4fa8-be46-c375bf1771bf
parameters:
command: ls -al
timeout: 600
Security_Endpoint_Management_API_ExecuteRouteResponse:
example:
data:
agents:
- ed518850-681a-4d60-bb98-e22640cae2a8
agentState:
ed518850-681a-4d60-bb98-e22640cae2a8:
isCompleted: false
wasSuccessful: false
agentType: endpoint
command: execute
comment: Get list of all files
createdBy: myuser
hosts:
ed518850-681a-4d60-bb98-e22640cae2a8:
name: gke-endpoint-gke-clu-endpoint-node-po-e1a3ab89-4c4r
id: 9f934028-2300-4927-b531-b26376793dc4
isCompleted: false
isExpired: false
outputs: {}
parameters:
command: ls -al
timeout: 600
startedAt: '2023-07-28T18:43:27.362Z'
status: pending
wasSuccessful: false
type: object
properties:
agentIds:
$ref: '#/components/schemas/Security_Endpoint_Management_API_AgentIds'
agentTypes:
$ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes'
commands:
$ref: '#/components/schemas/Security_Endpoint_Management_API_Commands'
endDate:
$ref: '#/components/schemas/Security_Endpoint_Management_API_EndDate'
page:
$ref: '#/components/schemas/Security_Endpoint_Management_API_Page'
pageSize:
default: 10
description: Number of items per page
maximum: 10000
minimum: 1
type: integer
startDate:
$ref: '#/components/schemas/Security_Endpoint_Management_API_StartDate'
types:
$ref: '#/components/schemas/Security_Endpoint_Management_API_Types'
userIds:
$ref: '#/components/schemas/Security_Endpoint_Management_API_UserIds'
withOutputs:
$ref: '#/components/schemas/Security_Endpoint_Management_API_WithOutputs'
properties: {}
Security_Endpoint_Management_API_GetEndpointActionListResponse:
example:
data:
- agents:
- afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0
agentType: endpoint
command: running-processes
completedAt: '2022-08-08T09:50:47.672Z'
createdBy: elastic
id: b3d6de74-36b0-4fa8-be46-c375bf1771bf
isCompleted: true
isExpired: false
startedAt: '2022-08-08T15:24:57.402Z'
wasSuccessful: true
- agents:
- afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0
agentType: endpoint
command: isolate
completedAt: '2022-08-08T10:41:57.352Z'
createdBy: elastic
id: 43b4098b-8752-4fbb-a7a7-6df7c74d0ee3
isCompleted: true
isExpired: false
startedAt: '2022-08-08T15:23:37.359Z'
wasSuccessful: true
- agents:
- afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0
agentType: endpoint
command: kill-process
comment: bad process - taking up too much cpu
completedAt: '2022-08-08T09:44:50.952Z'
createdBy: elastic
id: 5bc92c86-b8e6-42dd-837f-12ad29e09caa
isCompleted: true
isExpired: false
startedAt: '2022-08-08T14:38:44.125Z'
wasSuccessful: true
- agents:
- afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0
agentType: endpoint
command: unisolate
comment: Not a threat to the network
completedAt: '2022-08-08T09:40:47.398Z'
createdBy: elastic
id: 790d54e0-3aa3-4e5b-8255-3ce9d851246a
isCompleted: true
isExpired: false
startedAt: '2022-08-08T14:38:15.391Z'
wasSuccessful: true
elasticAgentIds:
- afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0
endDate: now
page: 1
pageSize: 10
startDate: now-24h/h
total: 4
type: object
properties: {}
Security_Endpoint_Management_API_GetEndpointActionResponse:
example:
data:
agents:
- afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0
agentType: endpoint
command: running-processes
completedAt: '2022-08-08T09:50:47.672Z'
createdBy: elastic
id: b3d6de74-36b0-4fa8-be46-c375bf1771bf
isCompleted: true
isExpired: false
outputs:
afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0:
content:
entries:
- command: /opt/cmd1
entity_id: fk2ym7bl3oiu3okjcik0xosc0i0m75x3eh49nu3uaqt4dqanjt
pid: '822'
user: Dexter
- command: /opt/cmd3/opt/cmd3/opt/cmd3/opt/cmd3
entity_id: pwvz91m48wpj9j7ov9gtw8fp7u2rat4eu5ipte37hnhdcbi2pt
pid: '984'
user: Jada
type: json
startedAt: '2022-08-08T15:24:57.402Z'
wasSuccessful: true
type: object
properties: {}
Security_Endpoint_Management_API_GetFileRouteRequestBody:
allOf:
- type: object
@ -58774,7 +59003,42 @@ components:
- path
required:
- parameters
example:
comment: Get my file
endpoint_ids:
- ed518850-681a-4d60-bb98-e22640cae2a8
parameters:
path: /usr/my-file.txt
Security_Endpoint_Management_API_GetFileRouteResponse:
example:
data:
agents:
- ed518850-681a-4d60-bb98-e22640cae2a8
agentState:
ed518850-681a-4d60-bb98-e22640cae2a8:
isCompleted: false
wasSuccessful: false
agentType: endpoint
command: get-file
createdBy: myuser
hosts:
ed518850-681a-4d60-bb98-e22640cae2a8:
name: gke-endpoint-gke-clu-endpoint-node-po-e1a3ab89-4c4r
id: 27ba1b42-7cc6-4e53-86ce-675c876092b2
isCompleted: false
isExpired: false
outputs: {}
parameters:
path: /usr/my-file.txt
startedAt: '2023-07-28T19:00:03.911Z'
status: pending
wasSuccessful: false
type: object
properties: {}
Security_Endpoint_Management_API_GetProcessesRouteRequestBody:
example:
endpoint_ids:
- ed518850-681a-4d60-bb98-e22640cae2a8
type: object
properties:
agent_type:
@ -58791,6 +59055,30 @@ components:
$ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters'
required:
- endpoint_ids
Security_Endpoint_Management_API_GetProcessesRouteResponse:
example:
data:
agents:
- ed518850-681a-4d60-bb98-e22640cae2a8
agentType: endpoint
command: running-processes
comment: ''
completedAt: '2022-07-29T19:09:44.961Z'
createdBy: myuser
errors: []
id: 233db9ea-6733-4849-9226-5a7039c7161d
isCompleted: true
isExpired: false
outputs:
ed518850-681a-4d60-bb98-e22640cae2a8:
content:
key: value
type: json
parameters: {}
startedAt: '2022-07-29T19:08:49.126Z'
wasSuccessful: true
type: object
properties: {}
Security_Endpoint_Management_API_HostPathScriptParameters:
type: object
properties:
@ -58822,23 +59110,32 @@ components:
- unenrolled
type: string
type: array
Security_Endpoint_Management_API_IsolateRouteRequestBody:
Security_Endpoint_Management_API_IsolateRouteResponse:
example:
action: 233db9ea-6733-4849-9226-5a7039c7161d
data:
agents:
- ed518850-681a-4d60-bb98-e22640cae2a8
agentType: endpoint
command: suspend-process
comment: suspend the process
completedAt: '2022-07-29T19:09:44.961Z'
createdBy: myuser
errors: []
id: 233db9ea-6733-4849-9226-5a7039c7161d
isCompleted: true
isExpired: false
outputs:
ed518850-681a-4d60-bb98-e22640cae2a8:
content:
key: value
type: json
parameters:
entity_id: abc123
startedAt: '2022-07-29T19:08:49.126Z'
wasSuccessful: true
type: object
properties:
agent_type:
$ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes'
alert_ids:
$ref: '#/components/schemas/Security_Endpoint_Management_API_AlertIds'
case_ids:
$ref: '#/components/schemas/Security_Endpoint_Management_API_CaseIds'
comment:
$ref: '#/components/schemas/Security_Endpoint_Management_API_Comment'
endpoint_ids:
$ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds'
parameters:
$ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters'
required:
- endpoint_ids
properties: {}
Security_Endpoint_Management_API_KillProcessRouteRequestBody:
allOf:
- type: object
@ -58861,16 +59158,60 @@ components:
properties:
parameters:
oneOf:
- $ref: '#/components/schemas/Security_Endpoint_Management_API_Pid'
- $ref: '#/components/schemas/Security_Endpoint_Management_API_EntityId'
- type: object
properties:
pid:
description: The process ID (PID) of the process to terminate.
example: 123
minimum: 1
type: integer
- type: object
properties:
entity_id:
description: The entity ID of the process to terminate.
example: abc123
minLength: 1
type: string
- type: object
properties:
process_name:
description: Valid for SentinelOne agent type only
description: The name of the process to terminate. Valid for SentinelOne agent type only.
example: Elastic
minLength: 1
type: string
required:
- parameters
example:
comment: terminate the process
endpoint_ids:
- ed518850-681a-4d60-bb98-e22640cae2a8
parameters:
entity_id: abc123
Security_Endpoint_Management_API_KillProcessRouteResponse:
example:
data:
agents:
- ed518850-681a-4d60-bb98-e22640cae2a8
agentType: endpoint
command: kill-process
comment: terminate the process
completedAt: '2022-07-29T19:09:44.961Z'
createdBy: myuser
errors: []
id: 233db9ea-6733-4849-9226-5a7039c7161d
isCompleted: true
isExpired: false
outputs:
ed518850-681a-4d60-bb98-e22640cae2a8:
content:
key: value
type: json
parameters:
entity_id: abc123
startedAt: '2022-07-29T19:08:49.126Z'
wasSuccessful: true
type: object
properties: {}
Security_Endpoint_Management_API_Kuery:
description: A KQL string.
example: 'united.endpoint.host.os.name : ''Windows'''
@ -59091,12 +59432,6 @@ components:
$ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType'
- additionalProperties: true
type: object
Security_Endpoint_Management_API_Pid:
type: object
properties:
pid:
minimum: 1
type: integer
Security_Endpoint_Management_API_ProtectionUpdatesNoteResponse:
type: object
properties:
@ -59154,11 +59489,45 @@ components:
type: object
properties:
path:
description: The folder or files full path (including the file name).
example: /usr/my-file.txt
type: string
required:
- path
required:
- parameters
example:
comment: Scan the file for malware
endpoint_ids:
- ed518850-681a-4d60-bb98-e22640cae2a8
parameters:
path: /usr/my-file.txt
Security_Endpoint_Management_API_ScanRouteResponse:
example:
data:
agents:
- ed518850-681a-4d60-bb98-e22640cae2a8
agentState:
ed518850-681a-4d60-bb98-e22640cae2a8:
isCompleted: false
wasSuccessful: false
agentType: endpoint
command: scan
createdBy: myuser
hosts:
ed518850-681a-4d60-bb98-e22640cae2a8:
name: gke-endpoint-gke-clu-endpoint-node-po-e1a3ab89-4c4r
id: 27ba1b42-7cc6-4e53-86ce-675c876092b2
isCompleted: false
isExpired: false
outputs: {}
parameters:
path: /usr/my-file.txt
startedAt: '2023-07-28T19:00:03.911Z'
status: pending
wasSuccessful: false
type: object
properties: {}
Security_Endpoint_Management_API_SortDirection:
description: Determines the sort order.
enum:
@ -59181,7 +59550,8 @@ components:
example: enrolled_at
type: string
Security_Endpoint_Management_API_StartDate:
description: Start date
description: A start date in ISO 8601 format or Date Math format.
example: '2023-10-31T00:00:00.000Z'
type: string
Security_Endpoint_Management_API_SuccessResponse:
type: object
@ -59208,10 +59578,53 @@ components:
properties:
parameters:
oneOf:
- $ref: '#/components/schemas/Security_Endpoint_Management_API_Pid'
- $ref: '#/components/schemas/Security_Endpoint_Management_API_EntityId'
- type: object
properties:
pid:
description: The process ID (PID) of the process to suspend.
example: 123
minimum: 1
type: integer
- type: object
properties:
entity_id:
description: The entity ID of the process to suspend.
example: abc123
minLength: 1
type: string
required:
- parameters
example:
comment: suspend the process
endpoint_ids:
- ed518850-681a-4d60-bb98-e22640cae2a8
parameters:
entity_id: abc123
Security_Endpoint_Management_API_SuspendProcessRouteResponse:
example:
data:
agents:
- ed518850-681a-4d60-bb98-e22640cae2a8
agentType: endpoint
command: suspend-process
comment: suspend the process
completedAt: '2022-07-29T19:09:44.961Z'
createdBy: myuser
errors: []
id: 233db9ea-6733-4849-9226-5a7039c7161d
isCompleted: true
isExpired: false
outputs:
ed518850-681a-4d60-bb98-e22640cae2a8:
content:
key: value
type: json
parameters:
entity_id: abc123
startedAt: '2022-07-29T19:08:49.126Z'
wasSuccessful: true
type: object
properties: {}
Security_Endpoint_Management_API_Timeout:
description: The maximum timeout value in milliseconds (optional)
minimum: 1
@ -59224,28 +59637,40 @@ components:
type: string
Security_Endpoint_Management_API_Types:
description: List of types of response actions
example:
- automated
- manual
items:
$ref: '#/components/schemas/Security_Endpoint_Management_API_Type'
maxLength: 2
minLength: 1
type: array
Security_Endpoint_Management_API_UnisolateRouteRequestBody:
Security_Endpoint_Management_API_UnisolateRouteResponse:
example:
action: 233db9ea-6733-4849-9226-5a7039c7161d
data:
agents:
- ed518850-681a-4d60-bb98-e22640cae2a8
agentType: endpoint
command: suspend-process
comment: suspend the process
completedAt: '2022-07-29T19:09:44.961Z'
createdBy: myuser
errors: []
id: 233db9ea-6733-4849-9226-5a7039c7161d
isCompleted: true
isExpired: false
outputs:
ed518850-681a-4d60-bb98-e22640cae2a8:
content:
key: value
type: json
parameters:
entity_id: abc123
startedAt: '2022-07-29T19:08:49.126Z'
wasSuccessful: true
type: object
properties:
agent_type:
$ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes'
alert_ids:
$ref: '#/components/schemas/Security_Endpoint_Management_API_AlertIds'
case_ids:
$ref: '#/components/schemas/Security_Endpoint_Management_API_CaseIds'
comment:
$ref: '#/components/schemas/Security_Endpoint_Management_API_Comment'
endpoint_ids:
$ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds'
parameters:
$ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters'
required:
- endpoint_ids
properties: {}
Security_Endpoint_Management_API_UploadRouteRequestBody:
allOf:
- type: object
@ -59267,6 +59692,8 @@ components:
- type: object
properties:
file:
description: The binary content of the file.
example: RWxhc3RpYw==
format: binary
type: string
parameters:
@ -59274,12 +59701,51 @@ components:
properties:
overwrite:
default: false
description: Overwrite the file on the host if it already exists.
example: false
type: boolean
required:
- parameters
- file
example:
endpoint_ids:
- ed518850-681a-4d60-bb98-e22640cae2a8
file: RWxhc3RpYw==
parameters: {}
Security_Endpoint_Management_API_UploadRouteResponse:
example:
data:
agents:
- ed518850-681a-4d60-bb98-e22640cae2a8
agentState:
ed518850-681a-4d60-bb98-e22640cae2a8:
isCompleted: false
wasSuccessful: false
agentType: endpoint
command: upload
createdBy: elastic
hosts:
ed518850-681a-4d60-bb98-e22640cae2a8:
name: Host-5i6cuc8kdv
id: 9ff6aebc-2cb6-481e-8869-9b30036c9731
isCompleted: false
isExpired: false
outputs: {}
parameters:
file_id: 10e4ce3d-4abb-4f93-a0cd-eaf63a489280
file_name: fix-malware.sh
file_sha256: a0bed94220193ba4895c0aa5b4e7e293381d15765cb164ddf7be5cdd010ae42a
file_size: 69
startedAt: '2023-07-03T15:07:22.837Z'
status: pending
wasSuccessful: false
type: object
properties: {}
Security_Endpoint_Management_API_UserIds:
description: User IDs
description: A list of user IDs.
example:
- user-id-1
- user-id-2
oneOf:
- items:
minLength: 1
@ -59289,7 +59755,10 @@ components:
- minLength: 1
type: string
Security_Endpoint_Management_API_WithOutputs:
description: Shows detailed outputs for an action response
description: A list of action IDs that should include the complete output of the action.
example:
- action-id-1
- action-id-2
oneOf:
- items:
minLength: 1


@ -16,7 +16,8 @@
import { z } from '@kbn/zod';
import { SuccessResponse } from '../../model/schema/common.gen';
export type GetEndpointActionResponse = z.infer<typeof GetEndpointActionResponse>;
export const GetEndpointActionResponse = z.object({});
export type EndpointGetActionsDetailsRequestParams = z.infer<
typeof EndpointGetActionsDetailsRequestParams
@ -29,4 +30,4 @@ export type EndpointGetActionsDetailsRequestParamsInput = z.input<
>;
export type EndpointGetActionsDetailsResponse = z.infer<typeof EndpointGetActionsDetailsResponse>;
export const EndpointGetActionsDetailsResponse = SuccessResponse;
export const EndpointGetActionsDetailsResponse = GetEndpointActionResponse;


@ -16,12 +16,46 @@ paths:
required: true
schema:
type: string
description: The ID of the action to retrieve.
example: 'fr518850-681a-4y60-aa98-e22640cae2b8'
responses:
'200':
description: OK
content:
application/json:
schema:
$ref: '../../model/schema/common.schema.yaml#/components/schemas/SuccessResponse'
$ref: '#/components/schemas/GetEndpointActionResponse'
components:
schemas:
GetEndpointActionResponse:
type: object
properties: { }
example:
data:
id: "b3d6de74-36b0-4fa8-be46-c375bf1771bf"
agents:
- "afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0"
agentType: "endpoint"
command: "running-processes"
startedAt: "2022-08-08T15:24:57.402Z"
completedAt: "2022-08-08T09:50:47.672Z"
createdBy: "elastic"
isCompleted: true
wasSuccessful: true
isExpired: false
outputs:
afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0:
type: "json"
content:
entries:
- pid: "822"
entity_id: "fk2ym7bl3oiu3okjcik0xosc0i0m75x3eh49nu3uaqt4dqanjt"
user: "Dexter"
command: "/opt/cmd1"
- pid: "984"
entity_id: "pwvz91m48wpj9j7ov9gtw8fp7u2rat4eu5ipte37hnhdcbi2pt"
user: "Jada"
command: "/opt/cmd3/opt/cmd3/opt/cmd3/opt/cmd3"
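Review bot: `GetEndpointActionResponse` is declared as `type: object` with `properties: { }`, so the generated schema is `z.object({})` and none of the fields the example documents (`data.id`, `agents`, `command`, `outputs`, …) is typed or validated for consumers of the generated types; the same empty-object pattern is used for `GetEndpointActionListResponse`, `ExecuteRouteResponse`, `GetFileRouteResponse` and `IsolateRouteResponse` in the later sections. If leaving the shape unspecified is intentional for this migration, a `description: Response shape is not yet formally specified; see example.` on each of them would make that explicit rather than reading as an empty response. Separately, the `example` for the action id path parameter, `'fr518850-681a-4y60-aa98-e22640cae2b8'`, is not a valid UUID (`r` and `y` are not hex digits); every other example on this page uses real UUIDs, so reusing the id from the response example below, `example: 'b3d6de74-36b0-4fa8-be46-c375bf1771bf'`, keeps the request and response examples consistent.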


@ -17,42 +17,37 @@
import { z } from '@kbn/zod';
import {
SuccessResponse,
AgentIds,
AgentTypes,
Commands,
Page,
PageSize,
Commands,
AgentIds,
UserIds,
StartDate,
EndDate,
UserIds,
Types,
AgentTypes,
WithOutputs,
Types,
} from '../../model/schema/common.gen';
export type GetEndpointActionListRouteQuery = z.infer<typeof GetEndpointActionListRouteQuery>;
export const GetEndpointActionListRouteQuery = z.object({
agentIds: AgentIds.optional(),
agentTypes: AgentTypes.optional(),
commands: Commands.optional(),
page: Page.optional(),
/**
* Number of items per page
*/
pageSize: z.number().int().min(1).max(10000).optional().default(10),
startDate: StartDate.optional(),
endDate: EndDate.optional(),
userIds: UserIds.optional(),
types: Types.optional(),
withOutputs: WithOutputs.optional(),
});
export type GetEndpointActionListResponse = z.infer<typeof GetEndpointActionListResponse>;
export const GetEndpointActionListResponse = z.object({});
export type EndpointGetActionsListRequestQuery = z.infer<typeof EndpointGetActionsListRequestQuery>;
export const EndpointGetActionsListRequestQuery = z.object({
query: GetEndpointActionListRouteQuery,
page: Page.optional(),
pageSize: PageSize.optional(),
commands: Commands.optional(),
agentIds: AgentIds.optional(),
userIds: UserIds.optional(),
startDate: StartDate.optional(),
endDate: EndDate.optional(),
agentTypes: AgentTypes.optional(),
withOutputs: WithOutputs.optional(),
types: Types.optional(),
});
export type EndpointGetActionsListRequestQueryInput = z.input<
typeof EndpointGetActionsListRequestQuery
>;
export type EndpointGetActionsListResponse = z.infer<typeof EndpointGetActionsListResponse>;
export const EndpointGetActionsListResponse = SuccessResponse;
export const EndpointGetActionsListResponse = GetEndpointActionListResponse;


@ -11,44 +11,121 @@ paths:
x-codegen-enabled: true
x-labels: [ess, serverless]
parameters:
- name: query
- name: page
in: query
required: true
required: false
schema:
$ref: '#/components/schemas/GetEndpointActionListRouteQuery'
$ref: '../../model/schema/common.schema.yaml#/components/schemas/Page'
- name: pageSize
in: query
required: false
schema:
$ref: '../../model/schema/common.schema.yaml#/components/schemas/PageSize'
- name: commands
in: query
required: false
schema:
$ref: '../../model/schema/common.schema.yaml#/components/schemas/Commands'
- name: agentIds
in: query
required: false
schema:
$ref: '../../model/schema/common.schema.yaml#/components/schemas/AgentIds'
- name: userIds
in: query
required: false
schema:
$ref: '../../model/schema/common.schema.yaml#/components/schemas/UserIds'
- name: startDate
in: query
required: false
schema:
$ref: '../../model/schema/common.schema.yaml#/components/schemas/StartDate'
- name: endDate
in: query
required: false
schema:
$ref: '../../model/schema/common.schema.yaml#/components/schemas/EndDate'
- name: agentTypes
in: query
required: false
schema:
$ref: '../../model/schema/common.schema.yaml#/components/schemas/AgentTypes'
- name: withOutputs
in: query
required: false
schema:
$ref: '../../model/schema/common.schema.yaml#/components/schemas/WithOutputs'
- name: types
in: query
required: false
schema:
$ref: '../../model/schema/common.schema.yaml#/components/schemas/Types'
responses:
'200':
description: OK
content:
application/json:
schema:
$ref: '../../model/schema/common.schema.yaml#/components/schemas/SuccessResponse'
$ref: '#/components/schemas/GetEndpointActionListResponse'
components:
schemas:
GetEndpointActionListRouteQuery:
GetEndpointActionListResponse:
type: object
properties:
agentIds:
$ref: '../../model/schema/common.schema.yaml#/components/schemas/AgentIds'
agentTypes:
$ref: '../../model/schema/common.schema.yaml#/components/schemas/AgentTypes'
commands:
$ref: '../../model/schema/common.schema.yaml#/components/schemas/Commands'
page:
$ref: '../../model/schema/common.schema.yaml#/components/schemas/Page'
pageSize:
type: integer
default: 10
minimum: 1
maximum: 10000
description: Number of items per page
startDate:
$ref: '../../model/schema/common.schema.yaml#/components/schemas/StartDate'
endDate:
$ref: '../../model/schema/common.schema.yaml#/components/schemas/EndDate'
userIds:
$ref: '../../model/schema/common.schema.yaml#/components/schemas/UserIds'
types:
$ref: '../../model/schema/common.schema.yaml#/components/schemas/Types'
withOutputs:
$ref: '../../model/schema/common.schema.yaml#/components/schemas/WithOutputs'
properties: { }
example:
page: 1
pageSize: 10
total: 4
startDate: "now-24h/h"
endDate: "now"
elasticAgentIds:
- "afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0"
data:
- id: "b3d6de74-36b0-4fa8-be46-c375bf1771bf"
agents:
- "afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0"
command: "running-processes"
agentType: "endpoint"
startedAt: "2022-08-08T15:24:57.402Z"
isCompleted: true
completedAt: "2022-08-08T09:50:47.672Z"
wasSuccessful: true
isExpired: false
createdBy: "elastic"
- id: "43b4098b-8752-4fbb-a7a7-6df7c74d0ee3"
agents:
- "afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0"
command: "isolate"
agentType: "endpoint"
startedAt: "2022-08-08T15:23:37.359Z"
isCompleted: true
completedAt: "2022-08-08T10:41:57.352Z"
wasSuccessful: true
isExpired: false
createdBy: "elastic"
- id: "5bc92c86-b8e6-42dd-837f-12ad29e09caa"
agents:
- "afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0"
command: "kill-process"
agentType: "endpoint"
startedAt: "2022-08-08T14:38:44.125Z"
isCompleted: true
completedAt: "2022-08-08T09:44:50.952Z"
wasSuccessful: true
isExpired: false
createdBy: "elastic"
comment: "bad process - taking up too much cpu"
- id: "790d54e0-3aa3-4e5b-8255-3ce9d851246a"
agents:
- "afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0"
command: "unisolate"
agentType: "endpoint"
startedAt: "2022-08-08T14:38:15.391Z"
isCompleted: true
completedAt: "2022-08-08T09:40:47.398Z"
wasSuccessful: true
isExpired: false
createdBy: "elastic"
comment: "Not a threat to the network"
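Review bot: The `pageSize` query parameter now refs the common `PageSize` schema, while the inline definition it replaces (removed with `GetEndpointActionListRouteQuery` further down) carried `default: 10`, `minimum: 1` and `maximum: 10000`; the common schema's constraints are not visible in this section, so confirm it documents the same default and upper bound, otherwise the generated docs silently lose the page-size cap. The array-valued parameters (`commands`, `agentIds`, `userIds`, `agentTypes`, `withOutputs`, `types`) declare no `style`/`explode`, so the generated docs will show OpenAPI's default serialization (`commands=isolate&commands=unisolate`); if the route also accepts a single string or comma-separated values, stating that in the parameter `description` would save readers a round trip.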


@ -16,12 +16,7 @@
import { z } from '@kbn/zod';
import {
SuccessResponse,
BaseActionSchema,
Command,
Timeout,
} from '../../../model/schema/common.gen';
import { BaseActionSchema, Command, Timeout } from '../../../model/schema/common.gen';
export type ExecuteRouteRequestBody = z.infer<typeof ExecuteRouteRequestBody>;
export const ExecuteRouteRequestBody = BaseActionSchema.merge(
@ -33,6 +28,9 @@ export const ExecuteRouteRequestBody = BaseActionSchema.merge(
})
);
export type ExecuteRouteResponse = z.infer<typeof ExecuteRouteResponse>;
export const ExecuteRouteResponse = z.object({});
export type EndpointExecuteActionRequestBody = z.infer<typeof EndpointExecuteActionRequestBody>;
export const EndpointExecuteActionRequestBody = ExecuteRouteRequestBody;
export type EndpointExecuteActionRequestBodyInput = z.input<
@ -40,4 +38,4 @@ export type EndpointExecuteActionRequestBodyInput = z.input<
>;
export type EndpointExecuteActionResponse = z.infer<typeof EndpointExecuteActionResponse>;
export const EndpointExecuteActionResponse = SuccessResponse;
export const EndpointExecuteActionResponse = ExecuteRouteResponse;


@ -22,11 +22,18 @@ paths:
content:
application/json:
schema:
$ref: '../../../model/schema/common.schema.yaml#/components/schemas/SuccessResponse'
$ref: '#/components/schemas/ExecuteRouteResponse'
components:
schemas:
ExecuteRouteRequestBody:
example:
parameters:
command: "ls -al"
timeout: 600
endpoint_ids:
- "b3d6de74-36b0-4fa8-be46-c375bf1771bf"
comment: "Get list of all files"
allOf:
- $ref: '../../../model/schema/common.schema.yaml#/components/schemas/BaseActionSchema'
- type: object
@ -42,3 +49,31 @@ components:
$ref: '../../../model/schema/common.schema.yaml#/components/schemas/Command'
timeout:
$ref: '../../../model/schema/common.schema.yaml#/components/schemas/Timeout'
ExecuteRouteResponse:
type: object
properties: { }
example:
data:
id: "9f934028-2300-4927-b531-b26376793dc4"
agents:
- "ed518850-681a-4d60-bb98-e22640cae2a8"
hosts:
ed518850-681a-4d60-bb98-e22640cae2a8:
name: "gke-endpoint-gke-clu-endpoint-node-po-e1a3ab89-4c4r"
agentType: "endpoint"
command: "execute"
startedAt: "2023-07-28T18:43:27.362Z"
isCompleted: false
wasSuccessful: false
isExpired: false
status: "pending"
outputs: { }
agentState:
ed518850-681a-4d60-bb98-e22640cae2a8:
isCompleted: false
wasSuccessful: false
createdBy: "myuser"
comment: "Get list of all files"
parameters:
command: "ls -al"
timeout: 600
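Review bot: The request and response examples both use `timeout: 600`, which reads as 600 milliseconds given the `Timeout` schema's description ("The maximum timeout value in milliseconds") shown in the bundled file above; that is a very short limit for an `ls -al` on a remote host and a reader copying the example may get a timed-out action. If the AsciiDoc example meant seconds, the example should become `timeout: 600000`; if 600 ms is genuinely intended, the `Timeout` description is the thing to re-check. Worth confirming against the route's actual unit before the docs are published.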


@ -16,7 +16,7 @@
import { z } from '@kbn/zod';
import { SuccessResponse, BaseActionSchema } from '../../../model/schema/common.gen';
import { BaseActionSchema } from '../../../model/schema/common.gen';
export type GetFileRouteRequestBody = z.infer<typeof GetFileRouteRequestBody>;
export const GetFileRouteRequestBody = BaseActionSchema.merge(
@ -27,6 +27,9 @@ export const GetFileRouteRequestBody = BaseActionSchema.merge(
})
);
export type GetFileRouteResponse = z.infer<typeof GetFileRouteResponse>;
export const GetFileRouteResponse = z.object({});
export type EndpointGetFileActionRequestBody = z.infer<typeof EndpointGetFileActionRequestBody>;
export const EndpointGetFileActionRequestBody = GetFileRouteRequestBody;
export type EndpointGetFileActionRequestBodyInput = z.input<
@ -34,4 +37,4 @@ export type EndpointGetFileActionRequestBodyInput = z.input<
>;
export type EndpointGetFileActionResponse = z.infer<typeof EndpointGetFileActionResponse>;
export const EndpointGetFileActionResponse = SuccessResponse;
export const EndpointGetFileActionResponse = GetFileRouteResponse;


@ -23,11 +23,17 @@ paths:
content:
application/json:
schema:
$ref: '../../../model/schema/common.schema.yaml#/components/schemas/SuccessResponse'
$ref: '#/components/schemas/GetFileRouteResponse'
components:
schemas:
GetFileRouteRequestBody:
example:
endpoint_ids:
- "ed518850-681a-4d60-bb98-e22640cae2a8"
parameters:
path: "/usr/my-file.txt"
comment: "Get my file"
allOf:
- $ref: '../../../model/schema/common.schema.yaml#/components/schemas/BaseActionSchema'
- type: object
@ -41,4 +47,31 @@ components:
properties:
path:
type: string
GetFileRouteResponse:
type: object
properties: { }
example:
data:
id: "27ba1b42-7cc6-4e53-86ce-675c876092b2"
agents:
- "ed518850-681a-4d60-bb98-e22640cae2a8"
hosts:
ed518850-681a-4d60-bb98-e22640cae2a8:
name: "gke-endpoint-gke-clu-endpoint-node-po-e1a3ab89-4c4r"
agentType: "endpoint"
command: "get-file"
startedAt: "2023-07-28T19:00:03.911Z"
isCompleted: false
wasSuccessful: false
isExpired: false
status: "pending"
outputs: { }
agentState:
ed518850-681a-4d60-bb98-e22640cae2a8:
isCompleted: false
wasSuccessful: false
createdBy: "myuser"
parameters:
path: "/usr/my-file.txt"
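Review bot: The `path` property of `GetFileRouteRequestBody` (the unchanged `path: type: string` context at the end of this section) still has no `description` or `example`, while the sibling scan route's `path` now documents "The folder or files full path (including the file name)"; for parity add `description: The full path of the file to retrieve, including the file name.` and `example: /usr/my-file.txt` under it. The new `GetFileRouteResponse` example also omits `comment` even though the request example sets `comment: "Get my file"` and the execute response example echoes its request comment; it is unclear from here whether that omission is deliberate.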


@ -14,18 +14,18 @@
* version: 2023-10-31
*/
import type { z } from '@kbn/zod';
import { z } from '@kbn/zod';
import { SuccessResponse, BaseActionSchema } from '../../../model/schema/common.gen';
import { BaseActionSchema } from '../../../model/schema/common.gen';
export type IsolateRouteRequestBody = z.infer<typeof IsolateRouteRequestBody>;
export const IsolateRouteRequestBody = BaseActionSchema;
export type IsolateRouteResponse = z.infer<typeof IsolateRouteResponse>;
export const IsolateRouteResponse = z.object({});
export type EndpointIsolateActionRequestBody = z.infer<typeof EndpointIsolateActionRequestBody>;
export const EndpointIsolateActionRequestBody = IsolateRouteRequestBody;
export const EndpointIsolateActionRequestBody = BaseActionSchema;
export type EndpointIsolateActionRequestBodyInput = z.input<
typeof EndpointIsolateActionRequestBody
>;
export type EndpointIsolateActionResponse = z.infer<typeof EndpointIsolateActionResponse>;
export const EndpointIsolateActionResponse = SuccessResponse;
export const EndpointIsolateActionResponse = IsolateRouteResponse;


@ -15,16 +15,62 @@ paths:
content:
application/json:
schema:
$ref: '#/components/schemas/IsolateRouteRequestBody'
$ref: '../../../model/schema/common.schema.yaml#/components/schemas/BaseActionSchema'
examples:
single_endpoint:
summary: "Isolates a single host with an endpoint_id value of ed518850-681a-4d60-bb98-e22640cae2a8"
value:
endpoint_ids:
- "ed518850-681a-4d60-bb98-e22640cae2a8"
multiple_endpoints:
summary: "Isolates several hosts; includes a comment"
value:
endpoint_ids:
- "9972d10e-4b9e-41aa-a534-a85e2a28ea42"
- "bc0e4f0c-3bca-4633-9fee-156c0b505d16"
- "fa89271b-b9d4-43f2-a684-307cffddeb5a"
comment: "Locked down, pending further investigation"
with_case_id:
summary: "Isolates a single host with a case_id value of 1234"
value:
endpoint_ids:
- "1aa1f8fd-0fb0-4fe4-8c30-92068272d3f0"
- "b30a11bf-1395-4707-b508-fbb45ef9793e"
case_ids:
- "4976be38-c134-4554-bd5e-0fd89ce63667"
comment: "Isolating as initial response"
responses:
'200':
description: OK
content:
application/json:
schema:
$ref: '../../../model/schema/common.schema.yaml#/components/schemas/SuccessResponse'
$ref: '#/components/schemas/IsolateRouteResponse'
components:
schemas:
IsolateRouteRequestBody:
$ref: '../../../model/schema/common.schema.yaml#/components/schemas/BaseActionSchema'
IsolateRouteResponse:
type: object
properties: { }
example:
action: "233db9ea-6733-4849-9226-5a7039c7161d"
data:
id: "233db9ea-6733-4849-9226-5a7039c7161d"
agents:
- "ed518850-681a-4d60-bb98-e22640cae2a8"
command: "suspend-process"
agentType: "endpoint"
isExpired: false
isCompleted: true
wasSuccessful: true
errors: [ ]
startedAt: "2022-07-29T19:08:49.126Z"
completedAt: "2022-07-29T19:09:44.961Z"
outputs:
ed518850-681a-4d60-bb98-e22640cae2a8:
type: "json"
content:
key: "value"
createdBy: "myuser"
comment: "suspend the process"
parameters:
entity_id: "abc123"
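Review bot: The `IsolateRouteResponse` example does not describe an isolate action: it shows `command: "suspend-process"`, `comment: "suspend the process"` and `parameters: entity_id: "abc123"`, which read as copied from the suspend-process schema, and these examples are what the published API reference renders. I would change them to `command: "isolate"`, `comment: "Locked down, pending further investigation"` and drop the `parameters` block, since the request examples above show isolate taking no parameters. Whether the leading `action:` key belongs in the response (the kill-process, suspend-process, scan and get-processes examples in this PR omit it) should be confirmed against the route handler. The `with_case_id` summary also says "a single host with a case_id value of 1234" while its value lists two `endpoint_ids` and a UUID `case_ids` entry; `summary: "Isolates two hosts and attaches the action to a case; includes a comment"` would match the body.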


@ -16,17 +16,27 @@
import { z } from '@kbn/zod';
import { SuccessResponse, BaseActionSchema, Pid, EntityId } from '../../../model/schema/common.gen';
import { BaseActionSchema } from '../../../model/schema/common.gen';
export type KillProcessRouteRequestBody = z.infer<typeof KillProcessRouteRequestBody>;
export const KillProcessRouteRequestBody = BaseActionSchema.merge(
z.object({
parameters: z.union([
Pid,
EntityId,
z.object({
/**
* Valid for SentinelOne agent type only
* The process ID (PID) of the process to terminate.
*/
pid: z.number().int().min(1).optional(),
}),
z.object({
/**
* The entity ID of the process to terminate.
*/
entity_id: z.string().min(1).optional(),
}),
z.object({
/**
* The name of the process to terminate. Valid for SentinelOne agent type only.
*/
process_name: z.string().min(1).optional(),
}),
@ -34,6 +44,9 @@ export const KillProcessRouteRequestBody = BaseActionSchema.merge(
})
);
export type KillProcessRouteResponse = z.infer<typeof KillProcessRouteResponse>;
export const KillProcessRouteResponse = z.object({});
export type EndpointKillProcessActionRequestBody = z.infer<
typeof EndpointKillProcessActionRequestBody
>;
@ -43,4 +56,4 @@ export type EndpointKillProcessActionRequestBodyInput = z.input<
>;
export type EndpointKillProcessActionResponse = z.infer<typeof EndpointKillProcessActionResponse>;
export const EndpointKillProcessActionResponse = SuccessResponse;
export const EndpointKillProcessActionResponse = KillProcessRouteResponse;


@ -22,11 +22,17 @@ paths:
content:
application/json:
schema:
$ref: '../../../model/schema/common.schema.yaml#/components/schemas/SuccessResponse'
$ref: '#/components/schemas/KillProcessRouteResponse'
components:
schemas:
KillProcessRouteRequestBody:
example:
endpoint_ids:
- "ed518850-681a-4d60-bb98-e22640cae2a8"
parameters:
entity_id: "abc123"
comment: "terminate the process"
allOf:
- $ref: '../../../model/schema/common.schema.yaml#/components/schemas/BaseActionSchema'
- type: object
@ -35,11 +41,49 @@ components:
properties:
parameters:
oneOf:
- $ref: "../../../model/schema/common.schema.yaml#/components/schemas/Pid"
- $ref: "../../../model/schema/common.schema.yaml#/components/schemas/EntityId"
- type: object
properties:
pid:
type: integer
description: "The process ID (PID) of the process to terminate."
example: 123
minimum: 1
- type: object
properties:
entity_id:
type: string
description: "The entity ID of the process to terminate."
example: "abc123"
minLength: 1
- type: object
properties:
process_name:
type: string
description: "The name of the process to terminate. Valid for SentinelOne agent type only."
example: "Elastic"
minLength: 1
description: Valid for SentinelOne agent type only
KillProcessRouteResponse:
type: object
properties: { }
example:
data:
id: "233db9ea-6733-4849-9226-5a7039c7161d"
agents:
- "ed518850-681a-4d60-bb98-e22640cae2a8"
command: "kill-process"
agentType: "endpoint"
isExpired: false
isCompleted: true
wasSuccessful: true
errors: [ ]
startedAt: "2022-07-29T19:08:49.126Z"
completedAt: "2022-07-29T19:09:44.961Z"
outputs:
ed518850-681a-4d60-bb98-e22640cae2a8:
type: "json"
content:
key: "value"
createdBy: "myuser"
comment: "terminate the process"
parameters:
entity_id: "abc123"
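Review bot: The `description: Valid for SentinelOne agent type only` left after the `oneOf` list under `parameters` is misleading: the `pid` and `entity_id` descriptions in this hunk carry no such caveat, and the regenerated zod in this PR now renders that text into the doc comment of `pid` ("Valid for SentinelOne agent type only / The process ID (PID) of the process to terminate."). Since `process_name` already states the SentinelOne restriction in its own description, I would delete that parameters-level `description` line. Separately, each `oneOf` branch has only optional properties and no `additionalProperties: false`, so a body such as `{ "pid": 123 }` matches all three branches and a strict OpenAPI validator would reject it as not matching exactly one; adding `required: [pid]`, `required: [entity_id]` and `required: [process_name]` to the respective branches (or using `anyOf`, which is what the generated `z.union` enforces) makes the schema consistent with the runtime.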


@ -14,13 +14,16 @@
* version: 2023-10-31
*/
import type { z } from '@kbn/zod';
import { z } from '@kbn/zod';
import { SuccessResponse, BaseActionSchema } from '../../../model/schema/common.gen';
import { BaseActionSchema } from '../../../model/schema/common.gen';
export type GetProcessesRouteRequestBody = z.infer<typeof GetProcessesRouteRequestBody>;
export const GetProcessesRouteRequestBody = BaseActionSchema;
export type GetProcessesRouteResponse = z.infer<typeof GetProcessesRouteResponse>;
export const GetProcessesRouteResponse = z.object({});
export type EndpointGetProcessesActionRequestBody = z.infer<
typeof EndpointGetProcessesActionRequestBody
>;
@ -30,4 +33,4 @@ export type EndpointGetProcessesActionRequestBodyInput = z.input<
>;
export type EndpointGetProcessesActionResponse = z.infer<typeof EndpointGetProcessesActionResponse>;
export const EndpointGetProcessesActionResponse = SuccessResponse;
export const EndpointGetProcessesActionResponse = GetProcessesRouteResponse;


@ -22,10 +22,37 @@ paths:
content:
application/json:
schema:
$ref: '../../../model/schema/common.schema.yaml#/components/schemas/SuccessResponse'
$ref: '#/components/schemas/GetProcessesRouteResponse'
components:
schemas:
GetProcessesRouteRequestBody:
example:
endpoint_ids:
- "ed518850-681a-4d60-bb98-e22640cae2a8"
allOf:
- $ref: '../../../model/schema/common.schema.yaml#/components/schemas/BaseActionSchema'
GetProcessesRouteResponse:
type: object
properties: { }
example:
data:
id: "233db9ea-6733-4849-9226-5a7039c7161d"
agents:
- "ed518850-681a-4d60-bb98-e22640cae2a8"
command: "running-processes"
agentType: "endpoint"
isExpired: false
isCompleted: true
wasSuccessful: true
errors: [ ]
startedAt: "2022-07-29T19:08:49.126Z"
completedAt: "2022-07-29T19:09:44.961Z"
outputs:
ed518850-681a-4d60-bb98-e22640cae2a8:
type: "json"
content:
key: "value"
createdBy: "myuser"
comment: ""
parameters: { }
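Review bot: `GetProcessesRouteResponse` is declared `type: object` with `properties: { }`, so the only information the generated docs and the regenerated `GetProcessesRouteResponse = z.object({})` convey is the example; none of the fields it shows (`data.id`, `data.agents`, `data.outputs`, `data.isCompleted`, …) is typed or described. The example's `outputs` content `key: "value"` is also a placeholder and presumably not what a running-processes action actually returns. If typing the action-details object is out of scope for this migration, I would at least add `description: "Details of the running-processes action; see the example for the shape of `data`."` so readers know the example is the authoritative shape, and either omit `outputs` from the example or show a representative entry.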


@ -16,20 +16,26 @@
import { z } from '@kbn/zod';
import { SuccessResponse, BaseActionSchema } from '../../../model/schema/common.gen';
import { BaseActionSchema } from '../../../model/schema/common.gen';
export type ScanRouteRequestBody = z.infer<typeof ScanRouteRequestBody>;
export const ScanRouteRequestBody = BaseActionSchema.merge(
z.object({
parameters: z.object({
/**
* The folder or files full path (including the file name).
*/
path: z.string(),
}),
})
);
export type ScanRouteResponse = z.infer<typeof ScanRouteResponse>;
export const ScanRouteResponse = z.object({});
export type EndpointScanActionRequestBody = z.infer<typeof EndpointScanActionRequestBody>;
export const EndpointScanActionRequestBody = ScanRouteRequestBody;
export type EndpointScanActionRequestBodyInput = z.input<typeof EndpointScanActionRequestBody>;
export type EndpointScanActionResponse = z.infer<typeof EndpointScanActionResponse>;
export const EndpointScanActionResponse = SuccessResponse;
export const EndpointScanActionResponse = ScanRouteResponse;


@ -22,11 +22,16 @@ paths:
content:
application/json:
schema:
$ref: '../../../model/schema/common.schema.yaml#/components/schemas/SuccessResponse'
$ref: '#/components/schemas/ScanRouteResponse'
components:
schemas:
ScanRouteRequestBody:
example:
endpoint_ids:
- "ed518850-681a-4d60-bb98-e22640cae2a8"
parameters:
path: "/usr/my-file.txt"
comment: "Scan the file for malware"
allOf:
- $ref: '../../../model/schema/common.schema.yaml#/components/schemas/BaseActionSchema'
- type: object
@ -40,4 +45,34 @@ components:
properties:
path:
type: string
description: "The folder or files full path (including the file name)."
example: "/usr/my-file.txt"
ScanRouteResponse:
type: object
properties: { }
example:
data:
id: "27ba1b42-7cc6-4e53-86ce-675c876092b2"
agents:
- "ed518850-681a-4d60-bb98-e22640cae2a8"
hosts:
ed518850-681a-4d60-bb98-e22640cae2a8:
name: "gke-endpoint-gke-clu-endpoint-node-po-e1a3ab89-4c4r"
agentType: "endpoint"
command: "scan"
startedAt: "2023-07-28T19:00:03.911Z"
isCompleted: false
wasSuccessful: false
isExpired: false
status: "pending"
outputs: { }
agentState:
ed518850-681a-4d60-bb98-e22640cae2a8:
isCompleted: false
wasSuccessful: false
createdBy: "myuser"
parameters:
path: "/usr/my-file.txt"
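Review bot: `parameters.path` is declared `type: string` with no `minLength`, so `path: ""` passes schema validation (the regenerated zod is `path: z.string()`); unless the route handler validates the path separately, add `minLength: 1` under `path:` next to the new `description` and `example`, matching the `minLength: 1` used for `entity_id`, `EndpointIds` and `CaseIds` elsewhere in this PR. The description would also read better as `description: "The full path of the folder or file to scan (including the file name)."`.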


@ -16,15 +16,31 @@
import { z } from '@kbn/zod';
import { SuccessResponse, BaseActionSchema, Pid, EntityId } from '../../../model/schema/common.gen';
import { BaseActionSchema } from '../../../model/schema/common.gen';
export type SuspendProcessRouteRequestBody = z.infer<typeof SuspendProcessRouteRequestBody>;
export const SuspendProcessRouteRequestBody = BaseActionSchema.merge(
z.object({
parameters: z.union([Pid, EntityId]),
parameters: z.union([
z.object({
/**
* The process ID (PID) of the process to suspend.
*/
pid: z.number().int().min(1).optional(),
}),
z.object({
/**
* The entity ID of the process to suspend.
*/
entity_id: z.string().min(1).optional(),
}),
]),
})
);
export type SuspendProcessRouteResponse = z.infer<typeof SuspendProcessRouteResponse>;
export const SuspendProcessRouteResponse = z.object({});
export type EndpointSuspendProcessActionRequestBody = z.infer<
typeof EndpointSuspendProcessActionRequestBody
>;
@ -36,4 +52,4 @@ export type EndpointSuspendProcessActionRequestBodyInput = z.input<
export type EndpointSuspendProcessActionResponse = z.infer<
typeof EndpointSuspendProcessActionResponse
>;
export const EndpointSuspendProcessActionResponse = SuccessResponse;
export const EndpointSuspendProcessActionResponse = SuspendProcessRouteResponse;


@ -22,11 +22,17 @@ paths:
content:
application/json:
schema:
$ref: '../../../model/schema/common.schema.yaml#/components/schemas/SuccessResponse'
$ref: '#/components/schemas/SuspendProcessRouteResponse'
components:
schemas:
SuspendProcessRouteRequestBody:
example:
endpoint_ids:
- "ed518850-681a-4d60-bb98-e22640cae2a8"
parameters:
entity_id: "abc123"
comment: "suspend the process"
allOf:
- $ref: '../../../model/schema/common.schema.yaml#/components/schemas/BaseActionSchema'
- type: object
@ -35,5 +41,42 @@ components:
properties:
parameters:
oneOf:
- $ref: "../../../model/schema/common.schema.yaml#/components/schemas/Pid"
- $ref: "../../../model/schema/common.schema.yaml#/components/schemas/EntityId"
- type: object
properties:
pid:
type: integer
description: "The process ID (PID) of the process to suspend."
example: 123
minimum: 1
- type: object
properties:
entity_id:
type: string
description: "The entity ID of the process to suspend."
example: "abc123"
minLength: 1
SuspendProcessRouteResponse:
type: object
properties: { }
example:
data:
id: "233db9ea-6733-4849-9226-5a7039c7161d"
agents:
- "ed518850-681a-4d60-bb98-e22640cae2a8"
command: "suspend-process"
agentType: "endpoint"
isExpired: false
isCompleted: true
wasSuccessful: true
errors: [ ]
startedAt: "2022-07-29T19:08:49.126Z"
completedAt: "2022-07-29T19:09:44.961Z"
outputs:
ed518850-681a-4d60-bb98-e22640cae2a8:
type: "json"
content:
key: "value"
createdBy: "myuser"
comment: "suspend the process"
parameters:
entity_id: "abc123"
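Review bot: The two `oneOf` branches under `parameters` contain only optional properties and do not set `additionalProperties: false`, so `{ "pid": 123 }` matches both branches and a strict OpenAPI validator treats the `oneOf` as failed, because exactly one branch must match. Either mark the discriminating property required in each branch — `required: [pid]` under the first and `required: [entity_id]` under the second — or switch to `anyOf`, which is the semantics the regenerated `z.union([...])` actually enforces. The inlined branches are otherwise equivalent to the `Pid`/`EntityId` schemas this PR removes from `common.schema.yaml`, so nothing else changes for callers.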


@ -14,18 +14,18 @@
* version: 2023-10-31
*/
import type { z } from '@kbn/zod';
import { z } from '@kbn/zod';
import { SuccessResponse, BaseActionSchema } from '../../../model/schema/common.gen';
import { BaseActionSchema } from '../../../model/schema/common.gen';
export type UnisolateRouteRequestBody = z.infer<typeof UnisolateRouteRequestBody>;
export const UnisolateRouteRequestBody = BaseActionSchema;
export type UnisolateRouteResponse = z.infer<typeof UnisolateRouteResponse>;
export const UnisolateRouteResponse = z.object({});
export type EndpointUnisolateActionRequestBody = z.infer<typeof EndpointUnisolateActionRequestBody>;
export const EndpointUnisolateActionRequestBody = UnisolateRouteRequestBody;
export const EndpointUnisolateActionRequestBody = BaseActionSchema;
export type EndpointUnisolateActionRequestBodyInput = z.input<
typeof EndpointUnisolateActionRequestBody
>;
export type EndpointUnisolateActionResponse = z.infer<typeof EndpointUnisolateActionResponse>;
export const EndpointUnisolateActionResponse = SuccessResponse;
export const EndpointUnisolateActionResponse = UnisolateRouteResponse;


@ -14,17 +14,63 @@ paths:
required: true
content:
application/json:
examples:
singleHost:
summary: "Releases a single host with an endpoint_id value of ed518850-681a-4d60-bb98-e22640cae2a8"
value:
endpoint_ids:
- "ed518850-681a-4d60-bb98-e22640cae2a8"
multipleHosts:
summary: "Releases several hosts; includes a comment:"
value:
endpoint_ids:
- "9972d10e-4b9e-41aa-a534-a85e2a28ea42"
- "bc0e4f0c-3bca-4633-9fee-156c0b505d16"
- "fa89271b-b9d4-43f2-a684-307cffddeb5a"
comment: "Benign process identified, releasing group"
withCaseId:
summary: "Releases hosts with an associated case; includes a comment."
value:
endpoint_ids:
- "1aa1f8fd-0fb0-4fe4-8c30-92068272d3f0"
- "b30a11bf-1395-4707-b508-fbb45ef9793e"
case_ids:
- "4976be38-c134-4554-bd5e-0fd89ce63667"
comment: "Remediation complete, restoring network"
schema:
$ref: '#/components/schemas/UnisolateRouteRequestBody'
$ref: '../../../model/schema/common.schema.yaml#/components/schemas/BaseActionSchema'
responses:
'200':
description: OK
content:
application/json:
schema:
$ref: '../../../model/schema/common.schema.yaml#/components/schemas/SuccessResponse'
$ref: '#/components/schemas/UnisolateRouteResponse'
components:
schemas:
UnisolateRouteRequestBody:
$ref: '../../../model/schema/common.schema.yaml#/components/schemas/BaseActionSchema'
UnisolateRouteResponse:
type: object
properties: {}
example:
action: "233db9ea-6733-4849-9226-5a7039c7161d"
data:
id: "233db9ea-6733-4849-9226-5a7039c7161d"
agents:
- "ed518850-681a-4d60-bb98-e22640cae2a8"
command: "suspend-process"
agentType: "endpoint"
isExpired: false
isCompleted: true
wasSuccessful: true
errors: [ ]
startedAt: "2022-07-29T19:08:49.126Z"
completedAt: "2022-07-29T19:09:44.961Z"
outputs:
ed518850-681a-4d60-bb98-e22640cae2a8:
type: "json"
content:
key: "value"
createdBy: "myuser"
comment: "suspend the process"
parameters:
entity_id: "abc123"
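Review bot: The `UnisolateRouteResponse` example describes a suspend-process action rather than a release: `command: "suspend-process"`, `comment: "suspend the process"` and `parameters: entity_id: "abc123"`, and it is identical to the isolate response example in this PR. I would change it to `command: "unisolate"`, `comment: "Remediation complete, restoring network"` and drop the `parameters` block, so the rendered docs for this operation show a release action; the `action:` key at the top is absent from the other response examples in this PR and should be confirmed against the route handler. The `multipleHosts` summary also ends with a stray colon: `summary: "Releases several hosts; includes a comment"`.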


@ -16,21 +16,26 @@
import { z } from '@kbn/zod';
import { SuccessResponse, BaseActionSchema } from '../../../model/schema/common.gen';
import { BaseActionSchema } from '../../../model/schema/common.gen';
export type UploadRouteRequestBody = z.infer<typeof UploadRouteRequestBody>;
export const UploadRouteRequestBody = BaseActionSchema.merge(
z.object({
parameters: z.object({
/**
* Overwrite the file on the host if it already exists.
*/
overwrite: z.boolean().optional().default(false),
}),
/**
* The binary content of the file.
*/
file: z.string(),
})
);
export type EndpointUploadActionRequestBody = z.infer<typeof EndpointUploadActionRequestBody>;
export const EndpointUploadActionRequestBody = UploadRouteRequestBody;
export type EndpointUploadActionRequestBodyInput = z.input<typeof EndpointUploadActionRequestBody>;
export type UploadRouteResponse = z.infer<typeof UploadRouteResponse>;
export const UploadRouteResponse = z.object({});
export type EndpointUploadActionResponse = z.infer<typeof EndpointUploadActionResponse>;
export const EndpointUploadActionResponse = SuccessResponse;
export const EndpointUploadActionResponse = UploadRouteResponse;


@ -13,7 +13,7 @@ paths:
requestBody:
required: true
content:
application/json:
multipart/form-data:
schema:
$ref: '#/components/schemas/UploadRouteRequestBody'
responses:
@ -22,11 +22,16 @@ paths:
content:
application/json:
schema:
$ref: '../../../model/schema/common.schema.yaml#/components/schemas/SuccessResponse'
$ref: '#/components/schemas/UploadRouteResponse'
components:
schemas:
UploadRouteRequestBody:
example:
endpoint_ids:
- "ed518850-681a-4d60-bb98-e22640cae2a8"
file: "RWxhc3RpYw=="
parameters: { }
allOf:
- $ref: '../../../model/schema/common.schema.yaml#/components/schemas/BaseActionSchema'
- type: object
@ -39,8 +44,41 @@ components:
properties:
overwrite:
type: boolean
description: "Overwrite the file on the host if it already exists."
example: false
default: false
# File extends Blob - any binary data will be base-64 encoded
file:
type: string
description: "The binary content of the file."
example: "RWxhc3RpYw=="
format: binary
UploadRouteResponse:
type: object
properties: { }
example:
data:
id: "9ff6aebc-2cb6-481e-8869-9b30036c9731"
agents:
- "ed518850-681a-4d60-bb98-e22640cae2a8"
hosts:
ed518850-681a-4d60-bb98-e22640cae2a8:
name: "Host-5i6cuc8kdv"
command: "upload"
agentType: "endpoint"
startedAt: "2023-07-03T15:07:22.837Z"
isCompleted: false
wasSuccessful: false
isExpired: false
status: "pending"
outputs: { }
agentState:
ed518850-681a-4d60-bb98-e22640cae2a8:
isCompleted: false
wasSuccessful: false
createdBy: "elastic"
parameters:
file_name: "fix-malware.sh"
file_id: "10e4ce3d-4abb-4f93-a0cd-eaf63a489280"
file_sha256: "a0bed94220193ba4895c0aa5b4e7e293381d15765cb164ddf7be5cdd010ae42a"
file_size: 69
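Review bot: `file` is declared `format: binary` for a `multipart/form-data` body, but its `example` and the `UploadRouteRequestBody` example both use the base64 string `"RWxhc3RpYw=="`, and the comment above it says the data "will be base-64 encoded"; in OpenAPI `format: binary` means raw octets in the multipart part, while base64 text would be `format: byte`. I would keep `format: binary` (that is what produced the `FormData` client in this PR), remove the base64 `example`, and replace the comment with `description: "The file to upload, sent as a raw binary multipart part."`. Since the response example reports `file_size` and `file_sha256`, the maximum accepted upload size would also be worth stating in that description so API consumers know the limit before they hit it; I cannot tell the configured value from here.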


@ -37,13 +37,13 @@ export type PageSize = z.infer<typeof PageSize>;
export const PageSize = z.number().int().min(1).max(100).default(10);
/**
* Start date
* A start date in ISO 8601 format or Date Math format.
*/
export type StartDate = z.infer<typeof StartDate>;
export const StartDate = z.string();
/**
* End date
* An end date in ISO format or Date Math format.
*/
export type EndDate = z.infer<typeof EndDate>;
export const EndDate = z.string();
@ -94,6 +94,9 @@ export const SortField = z.enum([
export type SortFieldEnum = typeof SortField.enum;
export const SortFieldEnum = SortField.enum;
/**
* A list of agent IDs. Max of 50.
*/
export type AgentIds = z.infer<typeof AgentIds>;
export const AgentIds = z.union([z.array(z.string().min(1)).min(1).max(50), z.string().min(1)]);
@ -115,6 +118,9 @@ export const Command = z.enum([
export type CommandEnum = typeof Command.enum;
export const CommandEnum = Command.enum;
/**
* A list of response action command names.
*/
export type Commands = z.infer<typeof Commands>;
export const Commands = z.array(Command);
@ -133,13 +139,13 @@ export type Statuses = z.infer<typeof Statuses>;
export const Statuses = z.array(Status);
/**
* User IDs
* A list of user IDs.
*/
export type UserIds = z.infer<typeof UserIds>;
export const UserIds = z.union([z.array(z.string().min(1)).min(1), z.string().min(1)]);
/**
* Shows detailed outputs for an action response
* A list of action IDs that should include the complete output of the action.
*/
export type WithOutputs = z.infer<typeof WithOutputs>;
export const WithOutputs = z.union([z.array(z.string().min(1)).min(1), z.string().min(1)]);
@ -183,7 +189,7 @@ export type Parameters = z.infer<typeof Parameters>;
export const Parameters = z.object({});
/**
* The host agent type (optional). Defaults to endpoint.
* List of agent types to retrieve. Defaults to `endpoint`.
*/
export type AgentTypes = z.infer<typeof AgentTypes>;
export const AgentTypes = z.enum([
@ -210,16 +216,6 @@ export const NoParametersRequestSchema = z.object({
body: BaseActionSchema,
});
export type Pid = z.infer<typeof Pid>;
export const Pid = z.object({
pid: z.number().int().min(1).optional(),
});
export type EntityId = z.infer<typeof EntityId>;
export const EntityId = z.object({
entity_id: z.string().min(1).optional(),
});
export type ProtectionUpdatesNoteResponse = z.infer<typeof ProtectionUpdatesNoteResponse>;
export const ProtectionUpdatesNoteResponse = z.object({
note: z.string().optional(),


@ -25,10 +25,12 @@ components:
example: 10
StartDate:
type: string
description: Start date
description: A start date in ISO 8601 format or Date Math format.
example: "2023-10-31T00:00:00.000Z"
EndDate:
type: string
description: End date
description: An end date in ISO format or Date Math format.
example: "2023-10-31T23:59:59.999Z"
AgentId:
type: string
description: Agent ID
@ -80,6 +82,8 @@ components:
maxItems: 50
- type: string
minLength: 1
description: A list of agent IDs. Max of 50.
example: [ "agent-id-1", "agent-id-2" ]
minLength: 1
Command:
@ -99,6 +103,8 @@ components:
Commands:
type: array
description: A list of response action command names.
example: [ "isolate", "unisolate" ]
items:
$ref: '#/components/schemas/Command'
@ -130,7 +136,8 @@ components:
minItems: 1
- type: string
minLength: 1
description: User IDs
description: A list of user IDs.
example: [ "user-id-1", "user-id-2" ]
WithOutputs:
oneOf:
@ -141,7 +148,8 @@ components:
minItems: 1
- type: string
minLength: 1
description: Shows detailed outputs for an action response
description: A list of action IDs that should include the complete output of the action.
example: [ "action-id-1", "action-id-2" ]
Type:
type: string
@ -153,6 +161,7 @@ components:
Types:
type: array
description: List of types of response actions
example: [ "automated", "manual" ]
items:
$ref: '#/components/schemas/Type'
minLength: 1
@ -160,27 +169,35 @@ components:
EndpointIds:
type: array
description: List of endpoint IDs (cannot contain empty strings)
example: [ "endpoint-id-1", "endpoint-id-2" ]
items:
type: string
minLength: 1
minItems: 1
description: List of endpoint IDs (cannot contain empty strings)
CaseIds:
type: array
description: Case IDs to be updated (cannot contain empty strings)
example: [ "case-id-1", "case-id-2" ]
items:
type: string
minLength: 1
minItems: 1
description: Case IDs to be updated (cannot contain empty strings)
Comment:
type: string
description: Optional comment
example: "This is a comment"
Parameters:
type: object
description: Optional parameters object
AgentTypes:
type: string
description: The host agent type (optional). Defaults to endpoint.
description: List of agent types to retrieve. Defaults to `endpoint`.
example: endpoint
enum:
- endpoint
- sentinel_one
@ -214,20 +231,6 @@ components:
body:
$ref: '#/components/schemas/BaseActionSchema'
Pid:
type: object
properties:
pid:
type: integer
minimum: 1
EntityId:
type: object
properties:
entity_id:
type: string
minLength: 1
ProtectionUpdatesNoteResponse:
type: object
properties:
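Review bot: `AgentTypes` is `type: string` with an `enum`, yet its new description reads "List of agent types to retrieve"; the schema accepts a single value and is also reused as the singular `agent_type` request-body property in the bundled output, so either the description should say `description: The agent type to query. Defaults to \`endpoint\`.` or the list-valued query parameter needs its own array schema. Also `Types` (an array) and the `AgentIds` `oneOf` carry `minLength: 1`, which is a string keyword that validators ignore on arrays; `minItems: 1`, as `EndpointIds` and `CaseIds` in this hunk already use, is the intended constraint. Whether the non-empty requirement for `types` is enforced elsewhere at runtime I cannot tell from this hunk.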


@ -180,10 +180,7 @@ import type {
EndpointUnisolateActionRequestBodyInput,
EndpointUnisolateActionResponse,
} from './endpoint/actions/response_actions/unisolate/unisolate.gen';
import type {
EndpointUploadActionRequestBodyInput,
EndpointUploadActionResponse,
} from './endpoint/actions/response_actions/upload/upload.gen';
import type { EndpointUploadActionResponse } from './endpoint/actions/response_actions/upload/upload.gen';
import type { EndpointGetActionsStateResponse } from './endpoint/actions/state/state.gen';
import type {
EndpointGetActionsStatusRequestQueryInput,
@ -1126,7 +1123,7 @@ If a record already exists for the specified entity, that record is overwritten
[ELASTIC_HTTP_VERSION_HEADER]: '2023-10-31',
},
method: 'POST',
body: props.body,
body: props.attachment,
})
.catch(catchAxiosErrorFormatAndThrow);
}
@ -2433,7 +2430,7 @@ export interface EndpointUnisolateActionProps {
body: EndpointUnisolateActionRequestBodyInput;
}
export interface EndpointUploadActionProps {
body: EndpointUploadActionRequestBodyInput;
attachment: FormData;
}
export interface ExportRulesProps {
query: ExportRulesRequestQueryInput;


@ -17,16 +17,61 @@ paths:
operationId: EndpointGetActionsList
parameters:
- in: query
name: query
required: true
name: page
required: false
schema:
$ref: '#/components/schemas/GetEndpointActionListRouteQuery'
$ref: '#/components/schemas/Page'
- in: query
name: pageSize
required: false
schema:
$ref: '#/components/schemas/PageSize'
- in: query
name: commands
required: false
schema:
$ref: '#/components/schemas/Commands'
- in: query
name: agentIds
required: false
schema:
$ref: '#/components/schemas/AgentIds'
- in: query
name: userIds
required: false
schema:
$ref: '#/components/schemas/UserIds'
- in: query
name: startDate
required: false
schema:
$ref: '#/components/schemas/StartDate'
- in: query
name: endDate
required: false
schema:
$ref: '#/components/schemas/EndDate'
- in: query
name: agentTypes
required: false
schema:
$ref: '#/components/schemas/AgentTypes'
- in: query
name: withOutputs
required: false
schema:
$ref: '#/components/schemas/WithOutputs'
- in: query
name: types
required: false
schema:
$ref: '#/components/schemas/Types'
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/SuccessResponse'
$ref: '#/components/schemas/GetEndpointActionListResponse'
description: OK
summary: Get response actions
tags:
@ -63,13 +108,15 @@ paths:
name: action_id
required: true
schema:
description: The ID of the action to retrieve.
example: fr518850-681a-4y60-aa98-e22640cae2b8
type: string
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/SuccessResponse'
$ref: '#/components/schemas/GetEndpointActionResponse'
description: OK
summary: Get action details
tags:
@ -139,7 +186,7 @@ paths:
content:
application/json:
schema:
$ref: '#/components/schemas/SuccessResponse'
$ref: '#/components/schemas/ExecuteRouteResponse'
description: OK
summary: Run a command
tags:
@ -159,7 +206,7 @@ paths:
content:
application/json:
schema:
$ref: '#/components/schemas/SuccessResponse'
$ref: '#/components/schemas/GetFileRouteResponse'
description: OK
summary: Get a file
tags:
@ -173,15 +220,55 @@ paths:
requestBody:
content:
application/json:
examples:
multiple_endpoints:
summary: Isolates several hosts; includes a comment
value:
comment: Locked down, pending further investigation
endpoint_ids:
- 9972d10e-4b9e-41aa-a534-a85e2a28ea42
- bc0e4f0c-3bca-4633-9fee-156c0b505d16
- fa89271b-b9d4-43f2-a684-307cffddeb5a
single_endpoint:
summary: >-
Isolates a single host with an endpoint_id value of
ed518850-681a-4d60-bb98-e22640cae2a8
value:
endpoint_ids:
- ed518850-681a-4d60-bb98-e22640cae2a8
with_case_id:
summary: Isolates a single host with a case_id value of 1234
value:
case_ids:
- 4976be38-c134-4554-bd5e-0fd89ce63667
comment: Isolating as initial response
endpoint_ids:
- 1aa1f8fd-0fb0-4fe4-8c30-92068272d3f0
- b30a11bf-1395-4707-b508-fbb45ef9793e
schema:
$ref: '#/components/schemas/IsolateRouteRequestBody'
type: object
properties:
agent_type:
$ref: '#/components/schemas/AgentTypes'
alert_ids:
$ref: '#/components/schemas/AlertIds'
case_ids:
$ref: '#/components/schemas/CaseIds'
comment:
$ref: '#/components/schemas/Comment'
endpoint_ids:
$ref: '#/components/schemas/EndpointIds'
parameters:
$ref: '#/components/schemas/Parameters'
required:
- endpoint_ids
required: true
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/SuccessResponse'
$ref: '#/components/schemas/IsolateRouteResponse'
description: OK
summary: Isolate an endpoint
tags:
@ -201,7 +288,7 @@ paths:
content:
application/json:
schema:
$ref: '#/components/schemas/SuccessResponse'
$ref: '#/components/schemas/KillProcessRouteResponse'
description: OK
summary: Terminate a process
tags:
@ -221,7 +308,7 @@ paths:
content:
application/json:
schema:
$ref: '#/components/schemas/SuccessResponse'
$ref: '#/components/schemas/GetProcessesRouteResponse'
description: OK
summary: Get running processes
tags:
@ -261,7 +348,7 @@ paths:
content:
application/json:
schema:
$ref: '#/components/schemas/SuccessResponse'
$ref: '#/components/schemas/ScanRouteResponse'
description: OK
summary: Scan a file or directory
tags:
@ -297,7 +384,7 @@ paths:
content:
application/json:
schema:
$ref: '#/components/schemas/SuccessResponse'
$ref: '#/components/schemas/SuspendProcessRouteResponse'
description: OK
summary: Suspend a process
tags:
@ -309,15 +396,55 @@ paths:
requestBody:
content:
application/json:
examples:
multipleHosts:
summary: 'Releases several hosts; includes a comment:'
value:
comment: Benign process identified, releasing group
endpoint_ids:
- 9972d10e-4b9e-41aa-a534-a85e2a28ea42
- bc0e4f0c-3bca-4633-9fee-156c0b505d16
- fa89271b-b9d4-43f2-a684-307cffddeb5a
singleHost:
summary: >-
Releases a single host with an endpoint_id value of
ed518850-681a-4d60-bb98-e22640cae2a8
value:
endpoint_ids:
- ed518850-681a-4d60-bb98-e22640cae2a8
withCaseId:
summary: Releases hosts with an associated case; includes a comment.
value:
case_ids:
- 4976be38-c134-4554-bd5e-0fd89ce63667
comment: Remediation complete, restoring network
endpoint_ids:
- 1aa1f8fd-0fb0-4fe4-8c30-92068272d3f0
- b30a11bf-1395-4707-b508-fbb45ef9793e
schema:
$ref: '#/components/schemas/UnisolateRouteRequestBody'
type: object
properties:
agent_type:
$ref: '#/components/schemas/AgentTypes'
alert_ids:
$ref: '#/components/schemas/AlertIds'
case_ids:
$ref: '#/components/schemas/CaseIds'
comment:
$ref: '#/components/schemas/Comment'
endpoint_ids:
$ref: '#/components/schemas/EndpointIds'
parameters:
$ref: '#/components/schemas/Parameters'
required:
- endpoint_ids
required: true
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/SuccessResponse'
$ref: '#/components/schemas/UnisolateRouteResponse'
description: OK
summary: Release an isolated endpoint
tags:
@ -328,7 +455,7 @@ paths:
operationId: EndpointUploadAction
requestBody:
content:
application/json:
multipart/form-data:
schema:
$ref: '#/components/schemas/UploadRouteRequestBody'
required: true
@ -337,7 +464,7 @@ paths:
content:
application/json:
schema:
$ref: '#/components/schemas/SuccessResponse'
$ref: '#/components/schemas/UploadRouteResponse'
description: OK
summary: Upload a file
tags:
@ -515,6 +642,10 @@ components:
description: Agent ID
type: string
AgentIds:
description: A list of agent IDs. Max of 50.
example:
- agent-id-1
- agent-id-2
minLength: 1
oneOf:
- items:
@ -526,12 +657,13 @@ components:
- minLength: 1
type: string
AgentTypes:
description: The host agent type (optional). Defaults to endpoint.
description: List of agent types to retrieve. Defaults to `endpoint`.
enum:
- endpoint
- sentinel_one
- crowdstrike
- microsoft_defender_endpoint
example: endpoint
type: string
AlertIds:
description: A list of alerts `id`s.
@ -543,6 +675,9 @@ components:
type: array
CaseIds:
description: Case IDs to be updated (cannot contain empty strings)
example:
- case-id-1
- case-id-2
items:
minLength: 1
type: string
@ -580,17 +715,26 @@ components:
minLength: 1
type: string
Commands:
description: A list of response action command names.
example:
- isolate
- unisolate
items:
$ref: '#/components/schemas/Command'
type: array
Comment:
description: Optional comment
example: This is a comment
type: string
EndDate:
description: End date
description: An end date in ISO format or Date Math format.
example: '2023-10-31T23:59:59.999Z'
type: string
EndpointIds:
description: List of endpoint IDs (cannot contain empty strings)
example:
- endpoint-id-1
- endpoint-id-2
items:
minLength: 1
type: string
@ -684,12 +828,6 @@ components:
revision: 2
type: object
properties: {}
EntityId:
type: object
properties:
entity_id:
minLength: 1
type: string
ExecuteRouteRequestBody:
allOf:
- type: object
@ -721,33 +859,128 @@ components:
- command
required:
- parameters
GetEndpointActionListRouteQuery:
example:
comment: Get list of all files
endpoint_ids:
- b3d6de74-36b0-4fa8-be46-c375bf1771bf
parameters:
command: ls -al
timeout: 600
ExecuteRouteResponse:
example:
data:
agents:
- ed518850-681a-4d60-bb98-e22640cae2a8
agentState:
ed518850-681a-4d60-bb98-e22640cae2a8:
isCompleted: false
wasSuccessful: false
agentType: endpoint
command: execute
comment: Get list of all files
createdBy: myuser
hosts:
ed518850-681a-4d60-bb98-e22640cae2a8:
name: gke-endpoint-gke-clu-endpoint-node-po-e1a3ab89-4c4r
id: 9f934028-2300-4927-b531-b26376793dc4
isCompleted: false
isExpired: false
outputs: {}
parameters:
command: ls -al
timeout: 600
startedAt: '2023-07-28T18:43:27.362Z'
status: pending
wasSuccessful: false
type: object
properties:
agentIds:
$ref: '#/components/schemas/AgentIds'
agentTypes:
$ref: '#/components/schemas/AgentTypes'
commands:
$ref: '#/components/schemas/Commands'
endDate:
$ref: '#/components/schemas/EndDate'
page:
$ref: '#/components/schemas/Page'
pageSize:
default: 10
description: Number of items per page
maximum: 10000
minimum: 1
type: integer
startDate:
$ref: '#/components/schemas/StartDate'
types:
$ref: '#/components/schemas/Types'
userIds:
$ref: '#/components/schemas/UserIds'
withOutputs:
$ref: '#/components/schemas/WithOutputs'
properties: {}
GetEndpointActionListResponse:
example:
data:
- agents:
- afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0
agentType: endpoint
command: running-processes
completedAt: '2022-08-08T09:50:47.672Z'
createdBy: elastic
id: b3d6de74-36b0-4fa8-be46-c375bf1771bf
isCompleted: true
isExpired: false
startedAt: '2022-08-08T15:24:57.402Z'
wasSuccessful: true
- agents:
- afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0
agentType: endpoint
command: isolate
completedAt: '2022-08-08T10:41:57.352Z'
createdBy: elastic
id: 43b4098b-8752-4fbb-a7a7-6df7c74d0ee3
isCompleted: true
isExpired: false
startedAt: '2022-08-08T15:23:37.359Z'
wasSuccessful: true
- agents:
- afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0
agentType: endpoint
command: kill-process
comment: bad process - taking up too much cpu
completedAt: '2022-08-08T09:44:50.952Z'
createdBy: elastic
id: 5bc92c86-b8e6-42dd-837f-12ad29e09caa
isCompleted: true
isExpired: false
startedAt: '2022-08-08T14:38:44.125Z'
wasSuccessful: true
- agents:
- afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0
agentType: endpoint
command: unisolate
comment: Not a threat to the network
completedAt: '2022-08-08T09:40:47.398Z'
createdBy: elastic
id: 790d54e0-3aa3-4e5b-8255-3ce9d851246a
isCompleted: true
isExpired: false
startedAt: '2022-08-08T14:38:15.391Z'
wasSuccessful: true
elasticAgentIds:
- afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0
endDate: now
page: 1
pageSize: 10
startDate: now-24h/h
total: 4
type: object
properties: {}
GetEndpointActionResponse:
example:
data:
agents:
- afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0
agentType: endpoint
command: running-processes
completedAt: '2022-08-08T09:50:47.672Z'
createdBy: elastic
id: b3d6de74-36b0-4fa8-be46-c375bf1771bf
isCompleted: true
isExpired: false
outputs:
afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0:
content:
entries:
- command: /opt/cmd1
entity_id: fk2ym7bl3oiu3okjcik0xosc0i0m75x3eh49nu3uaqt4dqanjt
pid: '822'
user: Dexter
- command: /opt/cmd3/opt/cmd3/opt/cmd3/opt/cmd3
entity_id: pwvz91m48wpj9j7ov9gtw8fp7u2rat4eu5ipte37hnhdcbi2pt
pid: '984'
user: Jada
type: json
startedAt: '2022-08-08T15:24:57.402Z'
wasSuccessful: true
type: object
properties: {}
GetFileRouteRequestBody:
allOf:
- type: object
@ -777,7 +1010,42 @@ components:
- path
required:
- parameters
example:
comment: Get my file
endpoint_ids:
- ed518850-681a-4d60-bb98-e22640cae2a8
parameters:
path: /usr/my-file.txt
GetFileRouteResponse:
example:
data:
agents:
- ed518850-681a-4d60-bb98-e22640cae2a8
agentState:
ed518850-681a-4d60-bb98-e22640cae2a8:
isCompleted: false
wasSuccessful: false
agentType: endpoint
command: get-file
createdBy: myuser
hosts:
ed518850-681a-4d60-bb98-e22640cae2a8:
name: gke-endpoint-gke-clu-endpoint-node-po-e1a3ab89-4c4r
id: 27ba1b42-7cc6-4e53-86ce-675c876092b2
isCompleted: false
isExpired: false
outputs: {}
parameters:
path: /usr/my-file.txt
startedAt: '2023-07-28T19:00:03.911Z'
status: pending
wasSuccessful: false
type: object
properties: {}
GetProcessesRouteRequestBody:
example:
endpoint_ids:
- ed518850-681a-4d60-bb98-e22640cae2a8
type: object
properties:
agent_type:
@ -794,6 +1062,30 @@ components:
$ref: '#/components/schemas/Parameters'
required:
- endpoint_ids
GetProcessesRouteResponse:
example:
data:
agents:
- ed518850-681a-4d60-bb98-e22640cae2a8
agentType: endpoint
command: running-processes
comment: ''
completedAt: '2022-07-29T19:09:44.961Z'
createdBy: myuser
errors: []
id: 233db9ea-6733-4849-9226-5a7039c7161d
isCompleted: true
isExpired: false
outputs:
ed518850-681a-4d60-bb98-e22640cae2a8:
content:
key: value
type: json
parameters: {}
startedAt: '2022-07-29T19:08:49.126Z'
wasSuccessful: true
type: object
properties: {}
HostPathScriptParameters:
type: object
properties:
@ -825,23 +1117,32 @@ components:
- unenrolled
type: string
type: array
IsolateRouteRequestBody:
IsolateRouteResponse:
example:
action: 233db9ea-6733-4849-9226-5a7039c7161d
data:
agents:
- ed518850-681a-4d60-bb98-e22640cae2a8
agentType: endpoint
command: suspend-process
comment: suspend the process
completedAt: '2022-07-29T19:09:44.961Z'
createdBy: myuser
errors: []
id: 233db9ea-6733-4849-9226-5a7039c7161d
isCompleted: true
isExpired: false
outputs:
ed518850-681a-4d60-bb98-e22640cae2a8:
content:
key: value
type: json
parameters:
entity_id: abc123
startedAt: '2022-07-29T19:08:49.126Z'
wasSuccessful: true
type: object
properties:
agent_type:
$ref: '#/components/schemas/AgentTypes'
alert_ids:
$ref: '#/components/schemas/AlertIds'
case_ids:
$ref: '#/components/schemas/CaseIds'
comment:
$ref: '#/components/schemas/Comment'
endpoint_ids:
$ref: '#/components/schemas/EndpointIds'
parameters:
$ref: '#/components/schemas/Parameters'
required:
- endpoint_ids
properties: {}
KillProcessRouteRequestBody:
allOf:
- type: object
@ -864,16 +1165,62 @@ components:
properties:
parameters:
oneOf:
- $ref: '#/components/schemas/Pid'
- $ref: '#/components/schemas/EntityId'
- type: object
properties:
pid:
description: The process ID (PID) of the process to terminate.
example: 123
minimum: 1
type: integer
- type: object
properties:
entity_id:
description: The entity ID of the process to terminate.
example: abc123
minLength: 1
type: string
- type: object
properties:
process_name:
description: Valid for SentinelOne agent type only
description: >-
The name of the process to terminate. Valid for
SentinelOne agent type only.
example: Elastic
minLength: 1
type: string
required:
- parameters
example:
comment: terminate the process
endpoint_ids:
- ed518850-681a-4d60-bb98-e22640cae2a8
parameters:
entity_id: abc123
KillProcessRouteResponse:
example:
data:
agents:
- ed518850-681a-4d60-bb98-e22640cae2a8
agentType: endpoint
command: kill-process
comment: terminate the process
completedAt: '2022-07-29T19:09:44.961Z'
createdBy: myuser
errors: []
id: 233db9ea-6733-4849-9226-5a7039c7161d
isCompleted: true
isExpired: false
outputs:
ed518850-681a-4d60-bb98-e22640cae2a8:
content:
key: value
type: json
parameters:
entity_id: abc123
startedAt: '2022-07-29T19:08:49.126Z'
wasSuccessful: true
type: object
properties: {}
Kuery:
description: A KQL string.
example: 'united.endpoint.host.os.name : ''Windows'''
@ -1100,12 +1447,6 @@ components:
$ref: '#/components/schemas/PendingActionDataType'
- additionalProperties: true
type: object
Pid:
type: object
properties:
pid:
minimum: 1
type: integer
ProtectionUpdatesNoteResponse:
type: object
properties:
@ -1165,11 +1506,45 @@ components:
type: object
properties:
path:
description: The folder or files full path (including the file name).
example: /usr/my-file.txt
type: string
required:
- path
required:
- parameters
example:
comment: Scan the file for malware
endpoint_ids:
- ed518850-681a-4d60-bb98-e22640cae2a8
parameters:
path: /usr/my-file.txt
ScanRouteResponse:
example:
data:
agents:
- ed518850-681a-4d60-bb98-e22640cae2a8
agentState:
ed518850-681a-4d60-bb98-e22640cae2a8:
isCompleted: false
wasSuccessful: false
agentType: endpoint
command: scan
createdBy: myuser
hosts:
ed518850-681a-4d60-bb98-e22640cae2a8:
name: gke-endpoint-gke-clu-endpoint-node-po-e1a3ab89-4c4r
id: 27ba1b42-7cc6-4e53-86ce-675c876092b2
isCompleted: false
isExpired: false
outputs: {}
parameters:
path: /usr/my-file.txt
startedAt: '2023-07-28T19:00:03.911Z'
status: pending
wasSuccessful: false
type: object
properties: {}
SortDirection:
description: Determines the sort order.
enum:
@ -1192,7 +1567,8 @@ components:
example: enrolled_at
type: string
StartDate:
description: Start date
description: A start date in ISO 8601 format or Date Math format.
example: '2023-10-31T00:00:00.000Z'
type: string
SuccessResponse:
type: object
@ -1219,10 +1595,53 @@ components:
properties:
parameters:
oneOf:
- $ref: '#/components/schemas/Pid'
- $ref: '#/components/schemas/EntityId'
- type: object
properties:
pid:
description: The process ID (PID) of the process to suspend.
example: 123
minimum: 1
type: integer
- type: object
properties:
entity_id:
description: The entity ID of the process to suspend.
example: abc123
minLength: 1
type: string
required:
- parameters
example:
comment: suspend the process
endpoint_ids:
- ed518850-681a-4d60-bb98-e22640cae2a8
parameters:
entity_id: abc123
SuspendProcessRouteResponse:
example:
data:
agents:
- ed518850-681a-4d60-bb98-e22640cae2a8
agentType: endpoint
command: suspend-process
comment: suspend the process
completedAt: '2022-07-29T19:09:44.961Z'
createdBy: myuser
errors: []
id: 233db9ea-6733-4849-9226-5a7039c7161d
isCompleted: true
isExpired: false
outputs:
ed518850-681a-4d60-bb98-e22640cae2a8:
content:
key: value
type: json
parameters:
entity_id: abc123
startedAt: '2022-07-29T19:08:49.126Z'
wasSuccessful: true
type: object
properties: {}
Timeout:
description: The maximum timeout value in milliseconds (optional)
minimum: 1
@ -1235,28 +1654,40 @@ components:
type: string
Types:
description: List of types of response actions
example:
- automated
- manual
items:
$ref: '#/components/schemas/Type'
maxLength: 2
minLength: 1
type: array
UnisolateRouteRequestBody:
UnisolateRouteResponse:
example:
action: 233db9ea-6733-4849-9226-5a7039c7161d
data:
agents:
- ed518850-681a-4d60-bb98-e22640cae2a8
agentType: endpoint
command: suspend-process
comment: suspend the process
completedAt: '2022-07-29T19:09:44.961Z'
createdBy: myuser
errors: []
id: 233db9ea-6733-4849-9226-5a7039c7161d
isCompleted: true
isExpired: false
outputs:
ed518850-681a-4d60-bb98-e22640cae2a8:
content:
key: value
type: json
parameters:
entity_id: abc123
startedAt: '2022-07-29T19:08:49.126Z'
wasSuccessful: true
type: object
properties:
agent_type:
$ref: '#/components/schemas/AgentTypes'
alert_ids:
$ref: '#/components/schemas/AlertIds'
case_ids:
$ref: '#/components/schemas/CaseIds'
comment:
$ref: '#/components/schemas/Comment'
endpoint_ids:
$ref: '#/components/schemas/EndpointIds'
parameters:
$ref: '#/components/schemas/Parameters'
required:
- endpoint_ids
properties: {}
UploadRouteRequestBody:
allOf:
- type: object
@ -1278,6 +1709,8 @@ components:
- type: object
properties:
file:
description: The binary content of the file.
example: RWxhc3RpYw==
format: binary
type: string
parameters:
@ -1285,12 +1718,51 @@ components:
properties:
overwrite:
default: false
description: Overwrite the file on the host if it already exists.
example: false
type: boolean
required:
- parameters
- file
example:
endpoint_ids:
- ed518850-681a-4d60-bb98-e22640cae2a8
file: RWxhc3RpYw==
parameters: {}
UploadRouteResponse:
example:
data:
agents:
- ed518850-681a-4d60-bb98-e22640cae2a8
agentState:
ed518850-681a-4d60-bb98-e22640cae2a8:
isCompleted: false
wasSuccessful: false
agentType: endpoint
command: upload
createdBy: elastic
hosts:
ed518850-681a-4d60-bb98-e22640cae2a8:
name: Host-5i6cuc8kdv
id: 9ff6aebc-2cb6-481e-8869-9b30036c9731
isCompleted: false
isExpired: false
outputs: {}
parameters:
file_id: 10e4ce3d-4abb-4f93-a0cd-eaf63a489280
file_name: fix-malware.sh
file_sha256: a0bed94220193ba4895c0aa5b4e7e293381d15765cb164ddf7be5cdd010ae42a
file_size: 69
startedAt: '2023-07-03T15:07:22.837Z'
status: pending
wasSuccessful: false
type: object
properties: {}
UserIds:
description: User IDs
description: A list of user IDs.
example:
- user-id-1
- user-id-2
oneOf:
- items:
minLength: 1
@ -1300,7 +1772,12 @@ components:
- minLength: 1
type: string
WithOutputs:
description: Shows detailed outputs for an action response
description: >-
A list of action IDs that should include the complete output of the
action.
example:
- action-id-1
- action-id-2
oneOf:
- items:
minLength: 1


@ -17,16 +17,61 @@ paths:
operationId: EndpointGetActionsList
parameters:
- in: query
name: query
required: true
name: page
required: false
schema:
$ref: '#/components/schemas/GetEndpointActionListRouteQuery'
$ref: '#/components/schemas/Page'
- in: query
name: pageSize
required: false
schema:
$ref: '#/components/schemas/PageSize'
- in: query
name: commands
required: false
schema:
$ref: '#/components/schemas/Commands'
- in: query
name: agentIds
required: false
schema:
$ref: '#/components/schemas/AgentIds'
- in: query
name: userIds
required: false
schema:
$ref: '#/components/schemas/UserIds'
- in: query
name: startDate
required: false
schema:
$ref: '#/components/schemas/StartDate'
- in: query
name: endDate
required: false
schema:
$ref: '#/components/schemas/EndDate'
- in: query
name: agentTypes
required: false
schema:
$ref: '#/components/schemas/AgentTypes'
- in: query
name: withOutputs
required: false
schema:
$ref: '#/components/schemas/WithOutputs'
- in: query
name: types
required: false
schema:
$ref: '#/components/schemas/Types'
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/SuccessResponse'
$ref: '#/components/schemas/GetEndpointActionListResponse'
description: OK
summary: Get response actions
tags:
@ -63,13 +108,15 @@ paths:
name: action_id
required: true
schema:
description: The ID of the action to retrieve.
example: fr518850-681a-4y60-aa98-e22640cae2b8
type: string
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/SuccessResponse'
$ref: '#/components/schemas/GetEndpointActionResponse'
description: OK
summary: Get action details
tags:
@ -139,7 +186,7 @@ paths:
content:
application/json:
schema:
$ref: '#/components/schemas/SuccessResponse'
$ref: '#/components/schemas/ExecuteRouteResponse'
description: OK
summary: Run a command
tags:
@ -159,7 +206,7 @@ paths:
content:
application/json:
schema:
$ref: '#/components/schemas/SuccessResponse'
$ref: '#/components/schemas/GetFileRouteResponse'
description: OK
summary: Get a file
tags:
@ -173,15 +220,55 @@ paths:
requestBody:
content:
application/json:
examples:
multiple_endpoints:
summary: Isolates several hosts; includes a comment
value:
comment: Locked down, pending further investigation
endpoint_ids:
- 9972d10e-4b9e-41aa-a534-a85e2a28ea42
- bc0e4f0c-3bca-4633-9fee-156c0b505d16
- fa89271b-b9d4-43f2-a684-307cffddeb5a
single_endpoint:
summary: >-
Isolates a single host with an endpoint_id value of
ed518850-681a-4d60-bb98-e22640cae2a8
value:
endpoint_ids:
- ed518850-681a-4d60-bb98-e22640cae2a8
with_case_id:
summary: Isolates a single host with a case_id value of 1234
value:
case_ids:
- 4976be38-c134-4554-bd5e-0fd89ce63667
comment: Isolating as initial response
endpoint_ids:
- 1aa1f8fd-0fb0-4fe4-8c30-92068272d3f0
- b30a11bf-1395-4707-b508-fbb45ef9793e
schema:
$ref: '#/components/schemas/IsolateRouteRequestBody'
type: object
properties:
agent_type:
$ref: '#/components/schemas/AgentTypes'
alert_ids:
$ref: '#/components/schemas/AlertIds'
case_ids:
$ref: '#/components/schemas/CaseIds'
comment:
$ref: '#/components/schemas/Comment'
endpoint_ids:
$ref: '#/components/schemas/EndpointIds'
parameters:
$ref: '#/components/schemas/Parameters'
required:
- endpoint_ids
required: true
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/SuccessResponse'
$ref: '#/components/schemas/IsolateRouteResponse'
description: OK
summary: Isolate an endpoint
tags:
@ -201,7 +288,7 @@ paths:
content:
application/json:
schema:
$ref: '#/components/schemas/SuccessResponse'
$ref: '#/components/schemas/KillProcessRouteResponse'
description: OK
summary: Terminate a process
tags:
@ -221,7 +308,7 @@ paths:
content:
application/json:
schema:
$ref: '#/components/schemas/SuccessResponse'
$ref: '#/components/schemas/GetProcessesRouteResponse'
description: OK
summary: Get running processes
tags:
@ -261,7 +348,7 @@ paths:
content:
application/json:
schema:
$ref: '#/components/schemas/SuccessResponse'
$ref: '#/components/schemas/ScanRouteResponse'
description: OK
summary: Scan a file or directory
tags:
@ -297,7 +384,7 @@ paths:
content:
application/json:
schema:
$ref: '#/components/schemas/SuccessResponse'
$ref: '#/components/schemas/SuspendProcessRouteResponse'
description: OK
summary: Suspend a process
tags:
@ -309,15 +396,55 @@ paths:
requestBody:
content:
application/json:
examples:
multipleHosts:
summary: 'Releases several hosts; includes a comment:'
value:
comment: Benign process identified, releasing group
endpoint_ids:
- 9972d10e-4b9e-41aa-a534-a85e2a28ea42
- bc0e4f0c-3bca-4633-9fee-156c0b505d16
- fa89271b-b9d4-43f2-a684-307cffddeb5a
singleHost:
summary: >-
Releases a single host with an endpoint_id value of
ed518850-681a-4d60-bb98-e22640cae2a8
value:
endpoint_ids:
- ed518850-681a-4d60-bb98-e22640cae2a8
withCaseId:
summary: Releases hosts with an associated case; includes a comment.
value:
case_ids:
- 4976be38-c134-4554-bd5e-0fd89ce63667
comment: Remediation complete, restoring network
endpoint_ids:
- 1aa1f8fd-0fb0-4fe4-8c30-92068272d3f0
- b30a11bf-1395-4707-b508-fbb45ef9793e
schema:
$ref: '#/components/schemas/UnisolateRouteRequestBody'
type: object
properties:
agent_type:
$ref: '#/components/schemas/AgentTypes'
alert_ids:
$ref: '#/components/schemas/AlertIds'
case_ids:
$ref: '#/components/schemas/CaseIds'
comment:
$ref: '#/components/schemas/Comment'
endpoint_ids:
$ref: '#/components/schemas/EndpointIds'
parameters:
$ref: '#/components/schemas/Parameters'
required:
- endpoint_ids
required: true
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/SuccessResponse'
$ref: '#/components/schemas/UnisolateRouteResponse'
description: OK
summary: Release an isolated endpoint
tags:
@ -328,7 +455,7 @@ paths:
operationId: EndpointUploadAction
requestBody:
content:
application/json:
multipart/form-data:
schema:
$ref: '#/components/schemas/UploadRouteRequestBody'
required: true
@ -337,7 +464,7 @@ paths:
content:
application/json:
schema:
$ref: '#/components/schemas/SuccessResponse'
$ref: '#/components/schemas/UploadRouteResponse'
description: OK
summary: Upload a file
tags:
@ -515,6 +642,10 @@ components:
description: Agent ID
type: string
AgentIds:
description: A list of agent IDs. Max of 50.
example:
- agent-id-1
- agent-id-2
minLength: 1
oneOf:
- items:
@ -526,12 +657,13 @@ components:
- minLength: 1
type: string
AgentTypes:
description: The host agent type (optional). Defaults to endpoint.
description: List of agent types to retrieve. Defaults to `endpoint`.
enum:
- endpoint
- sentinel_one
- crowdstrike
- microsoft_defender_endpoint
example: endpoint
type: string
AlertIds:
description: A list of alerts `id`s.
@ -543,6 +675,9 @@ components:
type: array
CaseIds:
description: Case IDs to be updated (cannot contain empty strings)
example:
- case-id-1
- case-id-2
items:
minLength: 1
type: string
@ -580,17 +715,26 @@ components:
minLength: 1
type: string
Commands:
description: A list of response action command names.
example:
- isolate
- unisolate
items:
$ref: '#/components/schemas/Command'
type: array
Comment:
description: Optional comment
example: This is a comment
type: string
EndDate:
description: End date
description: An end date in ISO format or Date Math format.
example: '2023-10-31T23:59:59.999Z'
type: string
EndpointIds:
description: List of endpoint IDs (cannot contain empty strings)
example:
- endpoint-id-1
- endpoint-id-2
items:
minLength: 1
type: string
@ -684,12 +828,6 @@ components:
revision: 2
type: object
properties: {}
EntityId:
type: object
properties:
entity_id:
minLength: 1
type: string
ExecuteRouteRequestBody:
allOf:
- type: object
@ -721,33 +859,128 @@ components:
- command
required:
- parameters
GetEndpointActionListRouteQuery:
example:
comment: Get list of all files
endpoint_ids:
- b3d6de74-36b0-4fa8-be46-c375bf1771bf
parameters:
command: ls -al
timeout: 600
ExecuteRouteResponse:
example:
data:
agents:
- ed518850-681a-4d60-bb98-e22640cae2a8
agentState:
ed518850-681a-4d60-bb98-e22640cae2a8:
isCompleted: false
wasSuccessful: false
agentType: endpoint
command: execute
comment: Get list of all files
createdBy: myuser
hosts:
ed518850-681a-4d60-bb98-e22640cae2a8:
name: gke-endpoint-gke-clu-endpoint-node-po-e1a3ab89-4c4r
id: 9f934028-2300-4927-b531-b26376793dc4
isCompleted: false
isExpired: false
outputs: {}
parameters:
command: ls -al
timeout: 600
startedAt: '2023-07-28T18:43:27.362Z'
status: pending
wasSuccessful: false
type: object
properties:
agentIds:
$ref: '#/components/schemas/AgentIds'
agentTypes:
$ref: '#/components/schemas/AgentTypes'
commands:
$ref: '#/components/schemas/Commands'
endDate:
$ref: '#/components/schemas/EndDate'
page:
$ref: '#/components/schemas/Page'
pageSize:
default: 10
description: Number of items per page
maximum: 10000
minimum: 1
type: integer
startDate:
$ref: '#/components/schemas/StartDate'
types:
$ref: '#/components/schemas/Types'
userIds:
$ref: '#/components/schemas/UserIds'
withOutputs:
$ref: '#/components/schemas/WithOutputs'
properties: {}
GetEndpointActionListResponse:
example:
data:
- agents:
- afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0
agentType: endpoint
command: running-processes
completedAt: '2022-08-08T09:50:47.672Z'
createdBy: elastic
id: b3d6de74-36b0-4fa8-be46-c375bf1771bf
isCompleted: true
isExpired: false
startedAt: '2022-08-08T15:24:57.402Z'
wasSuccessful: true
- agents:
- afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0
agentType: endpoint
command: isolate
completedAt: '2022-08-08T10:41:57.352Z'
createdBy: elastic
id: 43b4098b-8752-4fbb-a7a7-6df7c74d0ee3
isCompleted: true
isExpired: false
startedAt: '2022-08-08T15:23:37.359Z'
wasSuccessful: true
- agents:
- afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0
agentType: endpoint
command: kill-process
comment: bad process - taking up too much cpu
completedAt: '2022-08-08T09:44:50.952Z'
createdBy: elastic
id: 5bc92c86-b8e6-42dd-837f-12ad29e09caa
isCompleted: true
isExpired: false
startedAt: '2022-08-08T14:38:44.125Z'
wasSuccessful: true
- agents:
- afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0
agentType: endpoint
command: unisolate
comment: Not a threat to the network
completedAt: '2022-08-08T09:40:47.398Z'
createdBy: elastic
id: 790d54e0-3aa3-4e5b-8255-3ce9d851246a
isCompleted: true
isExpired: false
startedAt: '2022-08-08T14:38:15.391Z'
wasSuccessful: true
elasticAgentIds:
- afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0
endDate: now
page: 1
pageSize: 10
startDate: now-24h/h
total: 4
type: object
properties: {}
GetEndpointActionResponse:
example:
data:
agents:
- afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0
agentType: endpoint
command: running-processes
completedAt: '2022-08-08T09:50:47.672Z'
createdBy: elastic
id: b3d6de74-36b0-4fa8-be46-c375bf1771bf
isCompleted: true
isExpired: false
outputs:
afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0:
content:
entries:
- command: /opt/cmd1
entity_id: fk2ym7bl3oiu3okjcik0xosc0i0m75x3eh49nu3uaqt4dqanjt
pid: '822'
user: Dexter
- command: /opt/cmd3/opt/cmd3/opt/cmd3/opt/cmd3
entity_id: pwvz91m48wpj9j7ov9gtw8fp7u2rat4eu5ipte37hnhdcbi2pt
pid: '984'
user: Jada
type: json
startedAt: '2022-08-08T15:24:57.402Z'
wasSuccessful: true
type: object
properties: {}
GetFileRouteRequestBody:
allOf:
- type: object
@ -777,7 +1010,42 @@ components:
- path
required:
- parameters
example:
comment: Get my file
endpoint_ids:
- ed518850-681a-4d60-bb98-e22640cae2a8
parameters:
path: /usr/my-file.txt
GetFileRouteResponse:
example:
data:
agents:
- ed518850-681a-4d60-bb98-e22640cae2a8
agentState:
ed518850-681a-4d60-bb98-e22640cae2a8:
isCompleted: false
wasSuccessful: false
agentType: endpoint
command: get-file
createdBy: myuser
hosts:
ed518850-681a-4d60-bb98-e22640cae2a8:
name: gke-endpoint-gke-clu-endpoint-node-po-e1a3ab89-4c4r
id: 27ba1b42-7cc6-4e53-86ce-675c876092b2
isCompleted: false
isExpired: false
outputs: {}
parameters:
path: /usr/my-file.txt
startedAt: '2023-07-28T19:00:03.911Z'
status: pending
wasSuccessful: false
type: object
properties: {}
GetProcessesRouteRequestBody:
example:
endpoint_ids:
- ed518850-681a-4d60-bb98-e22640cae2a8
type: object
properties:
agent_type:
@ -794,6 +1062,30 @@ components:
$ref: '#/components/schemas/Parameters'
required:
- endpoint_ids
GetProcessesRouteResponse:
example:
data:
agents:
- ed518850-681a-4d60-bb98-e22640cae2a8
agentType: endpoint
command: running-processes
comment: ''
completedAt: '2022-07-29T19:09:44.961Z'
createdBy: myuser
errors: []
id: 233db9ea-6733-4849-9226-5a7039c7161d
isCompleted: true
isExpired: false
outputs:
ed518850-681a-4d60-bb98-e22640cae2a8:
content:
key: value
type: json
parameters: {}
startedAt: '2022-07-29T19:08:49.126Z'
wasSuccessful: true
type: object
properties: {}
HostPathScriptParameters:
type: object
properties:
@ -825,23 +1117,32 @@ components:
- unenrolled
type: string
type: array
IsolateRouteRequestBody:
IsolateRouteResponse:
example:
action: 233db9ea-6733-4849-9226-5a7039c7161d
data:
agents:
- ed518850-681a-4d60-bb98-e22640cae2a8
agentType: endpoint
command: suspend-process
comment: suspend the process
completedAt: '2022-07-29T19:09:44.961Z'
createdBy: myuser
errors: []
id: 233db9ea-6733-4849-9226-5a7039c7161d
isCompleted: true
isExpired: false
outputs:
ed518850-681a-4d60-bb98-e22640cae2a8:
content:
key: value
type: json
parameters:
entity_id: abc123
startedAt: '2022-07-29T19:08:49.126Z'
wasSuccessful: true
type: object
properties:
agent_type:
$ref: '#/components/schemas/AgentTypes'
alert_ids:
$ref: '#/components/schemas/AlertIds'
case_ids:
$ref: '#/components/schemas/CaseIds'
comment:
$ref: '#/components/schemas/Comment'
endpoint_ids:
$ref: '#/components/schemas/EndpointIds'
parameters:
$ref: '#/components/schemas/Parameters'
required:
- endpoint_ids
properties: {}
KillProcessRouteRequestBody:
allOf:
- type: object
@ -864,16 +1165,62 @@ components:
properties:
parameters:
oneOf:
- $ref: '#/components/schemas/Pid'
- $ref: '#/components/schemas/EntityId'
- type: object
properties:
pid:
description: The process ID (PID) of the process to terminate.
example: 123
minimum: 1
type: integer
- type: object
properties:
entity_id:
description: The entity ID of the process to terminate.
example: abc123
minLength: 1
type: string
- type: object
properties:
process_name:
description: Valid for SentinelOne agent type only
description: >-
The name of the process to terminate. Valid for
SentinelOne agent type only.
example: Elastic
minLength: 1
type: string
required:
- parameters
example:
comment: terminate the process
endpoint_ids:
- ed518850-681a-4d60-bb98-e22640cae2a8
parameters:
entity_id: abc123
KillProcessRouteResponse:
example:
data:
agents:
- ed518850-681a-4d60-bb98-e22640cae2a8
agentType: endpoint
command: kill-process
comment: terminate the process
completedAt: '2022-07-29T19:09:44.961Z'
createdBy: myuser
errors: []
id: 233db9ea-6733-4849-9226-5a7039c7161d
isCompleted: true
isExpired: false
outputs:
ed518850-681a-4d60-bb98-e22640cae2a8:
content:
key: value
type: json
parameters:
entity_id: abc123
startedAt: '2022-07-29T19:08:49.126Z'
wasSuccessful: true
type: object
properties: {}
Kuery:
description: A KQL string.
example: 'united.endpoint.host.os.name : ''Windows'''
@ -1100,12 +1447,6 @@ components:
$ref: '#/components/schemas/PendingActionDataType'
- additionalProperties: true
type: object
Pid:
type: object
properties:
pid:
minimum: 1
type: integer
ProtectionUpdatesNoteResponse:
type: object
properties:
@ -1165,11 +1506,45 @@ components:
type: object
properties:
path:
description: The folder or files full path (including the file name).
example: /usr/my-file.txt
type: string
required:
- path
required:
- parameters
example:
comment: Scan the file for malware
endpoint_ids:
- ed518850-681a-4d60-bb98-e22640cae2a8
parameters:
path: /usr/my-file.txt
ScanRouteResponse:
example:
data:
agents:
- ed518850-681a-4d60-bb98-e22640cae2a8
agentState:
ed518850-681a-4d60-bb98-e22640cae2a8:
isCompleted: false
wasSuccessful: false
agentType: endpoint
command: scan
createdBy: myuser
hosts:
ed518850-681a-4d60-bb98-e22640cae2a8:
name: gke-endpoint-gke-clu-endpoint-node-po-e1a3ab89-4c4r
id: 27ba1b42-7cc6-4e53-86ce-675c876092b2
isCompleted: false
isExpired: false
outputs: {}
parameters:
path: /usr/my-file.txt
startedAt: '2023-07-28T19:00:03.911Z'
status: pending
wasSuccessful: false
type: object
properties: {}
SortDirection:
description: Determines the sort order.
enum:
@ -1192,7 +1567,8 @@ components:
example: enrolled_at
type: string
StartDate:
description: Start date
description: A start date in ISO 8601 format or Date Math format.
example: '2023-10-31T00:00:00.000Z'
type: string
SuccessResponse:
type: object
@ -1219,10 +1595,53 @@ components:
properties:
parameters:
oneOf:
- $ref: '#/components/schemas/Pid'
- $ref: '#/components/schemas/EntityId'
- type: object
properties:
pid:
description: The process ID (PID) of the process to suspend.
example: 123
minimum: 1
type: integer
- type: object
properties:
entity_id:
description: The entity ID of the process to suspend.
example: abc123
minLength: 1
type: string
required:
- parameters
example:
comment: suspend the process
endpoint_ids:
- ed518850-681a-4d60-bb98-e22640cae2a8
parameters:
entity_id: abc123
SuspendProcessRouteResponse:
example:
data:
agents:
- ed518850-681a-4d60-bb98-e22640cae2a8
agentType: endpoint
command: suspend-process
comment: suspend the process
completedAt: '2022-07-29T19:09:44.961Z'
createdBy: myuser
errors: []
id: 233db9ea-6733-4849-9226-5a7039c7161d
isCompleted: true
isExpired: false
outputs:
ed518850-681a-4d60-bb98-e22640cae2a8:
content:
key: value
type: json
parameters:
entity_id: abc123
startedAt: '2022-07-29T19:08:49.126Z'
wasSuccessful: true
type: object
properties: {}
Timeout:
description: The maximum timeout value in milliseconds (optional)
minimum: 1
@ -1235,28 +1654,40 @@ components:
type: string
Types:
description: List of types of response actions
example:
- automated
- manual
items:
$ref: '#/components/schemas/Type'
maxLength: 2
minLength: 1
type: array
UnisolateRouteRequestBody:
UnisolateRouteResponse:
example:
action: 233db9ea-6733-4849-9226-5a7039c7161d
data:
agents:
- ed518850-681a-4d60-bb98-e22640cae2a8
agentType: endpoint
command: suspend-process
comment: suspend the process
completedAt: '2022-07-29T19:09:44.961Z'
createdBy: myuser
errors: []
id: 233db9ea-6733-4849-9226-5a7039c7161d
isCompleted: true
isExpired: false
outputs:
ed518850-681a-4d60-bb98-e22640cae2a8:
content:
key: value
type: json
parameters:
entity_id: abc123
startedAt: '2022-07-29T19:08:49.126Z'
wasSuccessful: true
type: object
properties:
agent_type:
$ref: '#/components/schemas/AgentTypes'
alert_ids:
$ref: '#/components/schemas/AlertIds'
case_ids:
$ref: '#/components/schemas/CaseIds'
comment:
$ref: '#/components/schemas/Comment'
endpoint_ids:
$ref: '#/components/schemas/EndpointIds'
parameters:
$ref: '#/components/schemas/Parameters'
required:
- endpoint_ids
properties: {}
UploadRouteRequestBody:
allOf:
- type: object
@ -1278,6 +1709,8 @@ components:
- type: object
properties:
file:
description: The binary content of the file.
example: RWxhc3RpYw==
format: binary
type: string
parameters:
@ -1285,12 +1718,51 @@ components:
properties:
overwrite:
default: false
description: Overwrite the file on the host if it already exists.
example: false
type: boolean
required:
- parameters
- file
example:
endpoint_ids:
- ed518850-681a-4d60-bb98-e22640cae2a8
file: RWxhc3RpYw==
parameters: {}
UploadRouteResponse:
example:
data:
agents:
- ed518850-681a-4d60-bb98-e22640cae2a8
agentState:
ed518850-681a-4d60-bb98-e22640cae2a8:
isCompleted: false
wasSuccessful: false
agentType: endpoint
command: upload
createdBy: elastic
hosts:
ed518850-681a-4d60-bb98-e22640cae2a8:
name: Host-5i6cuc8kdv
id: 9ff6aebc-2cb6-481e-8869-9b30036c9731
isCompleted: false
isExpired: false
outputs: {}
parameters:
file_id: 10e4ce3d-4abb-4f93-a0cd-eaf63a489280
file_name: fix-malware.sh
file_sha256: a0bed94220193ba4895c0aa5b4e7e293381d15765cb164ddf7be5cdd010ae42a
file_size: 69
startedAt: '2023-07-03T15:07:22.837Z'
status: pending
wasSuccessful: false
type: object
properties: {}
UserIds:
description: User IDs
description: A list of user IDs.
example:
- user-id-1
- user-id-2
oneOf:
- items:
minLength: 1
@ -1300,7 +1772,12 @@ components:
- minLength: 1
type: string
WithOutputs:
description: Shows detailed outputs for an action response
description: >-
A list of action IDs that should include the complete output of the
action.
example:
- action-id-1
- action-id-2
oneOf:
- items:
minLength: 1


@ -64,7 +64,6 @@ import { EndpointKillProcessActionRequestBodyInput } from '@kbn/security-solutio
import { EndpointScanActionRequestBodyInput } from '@kbn/security-solution-plugin/common/api/endpoint/actions/response_actions/scan/scan.gen';
import { EndpointSuspendProcessActionRequestBodyInput } from '@kbn/security-solution-plugin/common/api/endpoint/actions/response_actions/suspend_process/suspend_process.gen';
import { EndpointUnisolateActionRequestBodyInput } from '@kbn/security-solution-plugin/common/api/endpoint/actions/response_actions/unisolate/unisolate.gen';
import { EndpointUploadActionRequestBodyInput } from '@kbn/security-solution-plugin/common/api/endpoint/actions/response_actions/upload/upload.gen';
import {
ExportRulesRequestQueryInput,
ExportRulesRequestBodyInput,
@ -716,13 +715,12 @@ If a record already exists for the specified entity, that record is overwritten
/**
* Upload a file to an endpoint.
*/
endpointUploadAction(props: EndpointUploadActionProps, kibanaSpace: string = 'default') {
endpointUploadAction(kibanaSpace: string = 'default') {
return supertest
.post(routeWithNamespace('/api/endpoint/action/upload', kibanaSpace))
.set('kbn-xsrf', 'true')
.set(ELASTIC_HTTP_VERSION_HEADER, '2023-10-31')
.set(X_ELASTIC_INTERNAL_ORIGIN_REQUEST, 'kibana')
.send(props.body as object);
.set(X_ELASTIC_INTERNAL_ORIGIN_REQUEST, 'kibana');
},
entityStoreGetPrivileges(kibanaSpace: string = 'default') {
return supertest
@ -1751,9 +1749,6 @@ export interface EndpointSuspendProcessActionProps {
export interface EndpointUnisolateActionProps {
body: EndpointUnisolateActionRequestBodyInput;
}
export interface EndpointUploadActionProps {
body: EndpointUploadActionRequestBodyInput;
}
export interface ExportRulesProps {
query: ExportRulesRequestQueryInput;
body: ExportRulesRequestBodyInput;