[8.x] [EDR Workflows] OpenApi Missing Content - Response Actions (#212510) (#212867)

# Backport

This will backport the following commits from `main` to `8.x`:
- [[EDR Workflows] OpenApi Missing Content - Response Actions
(#212510)](https://github.com/elastic/kibana/pull/212510)

<!--- Backport version: 9.6.6 -->

### Questions ?
Please refer to the [Backport tool
documentation](https://github.com/sorenlouv/backport)

<!--BACKPORT [{"author":{"name":"Konrad
Szwarc","email":"konrad.szwarc@elastic.co"},"sourceCommit":{"committedDate":"2025-02-28T16:44:00Z","message":"[EDR
Workflows] OpenApi Missing Content - Response Actions (#212510)\n\n##
For reviewers:\nOnly `*.schema.yml` files were edited
(excluding\n`*.bundled.schema.yml`). Rest of the changes comes from auto
generation\nand can be ignored.\n\n## Description\n\nPart of DW team
effort - elastic/security-team#11804\n\nThis PR aligns the
property/schema descriptions and examples in\nAsciiDocs with OpenAPI
schemas. The primary goal of this PR was not to\nextend or enhance the
documentation but to migrate from one system to\nanother.\n\nAscii docs
-\nhttps://www.elastic.co/guide/en/security/8.17/management-api-overview.html\nOpenApi
generated docs
-\nhttps://www.elastic.co/docs/api/doc/kibana/operation/operation-endpointgetactionslist\n\nChanges:\n\nCopied
missing property descriptions from AsciiDoc to OpenApi
properties\nCopied existing AsciiDoc examples for both requests and
responses\nFixed falsy query object in some GET requests - in OpenApi it
was\ndefined as an object, not as path query
params.\n\n---------\n\nCo-authored-by: kibanamachine
<42973632+kibanamachine@users.noreply.github.com>\nCo-authored-by: Paul
Tavares
<56442535+paul-tavares@users.noreply.github.com>\nCo-authored-by:
natasha-moore-elastic
<137783811+natasha-moore-elastic@users.noreply.github.com>","sha":"2700a2a95158dc5d5a77ff074119b1b61f949310","branchLabelMapping":{"^v9.1.0$":"main","^v8.19.0$":"8.x","^v(\\d+).(\\d+).\\d+$":"$1.$2"}},"sourcePullRequest":{"labels":["release_note:skip","v9.0.0","Team:Defend
Workflows","backport:prev-minor","backport:prev-major","v8.16.0","v8.17.0","v8.18.0","v9.1.0"],"title":"[EDR
Workflows] OpenApi Missing Content - Response
Actions","number":212510,"url":"https://github.com/elastic/kibana/pull/212510","mergeCommit":{"message":"[EDR
Workflows] OpenApi Missing Content - Response Actions (#212510)\n\n##
For reviewers:\nOnly `*.schema.yml` files were edited
(excluding\n`*.bundled.schema.yml`). Rest of the changes comes from auto
generation\nand can be ignored.\n\n## Description\n\nPart of DW team
effort - elastic/security-team#11804\n\nThis PR aligns the
property/schema descriptions and examples in\nAsciiDocs with OpenAPI
schemas. The primary goal of this PR was not to\nextend or enhance the
documentation but to migrate from one system to\nanother.\n\nAscii docs
-\nhttps://www.elastic.co/guide/en/security/8.17/management-api-overview.html\nOpenApi
generated docs
-\nhttps://www.elastic.co/docs/api/doc/kibana/operation/operation-endpointgetactionslist\n\nChanges:\n\nCopied
missing property descriptions from AsciiDoc to OpenApi
properties\nCopied existing AsciiDoc examples for both requests and
responses\nFixed falsy query object in some GET requests - in OpenApi it
was\ndefined as an object, not as path query
params.\n\n---------\n\nCo-authored-by: kibanamachine
<42973632+kibanamachine@users.noreply.github.com>\nCo-authored-by: Paul
Tavares
<56442535+paul-tavares@users.noreply.github.com>\nCo-authored-by:
natasha-moore-elastic
<137783811+natasha-moore-elastic@users.noreply.github.com>","sha":"2700a2a95158dc5d5a77ff074119b1b61f949310"}},"sourceBranch":"main","suggestedTargetBranches":["8.16","8.17","8.18"],"targetPullRequestStates":[{"branch":"9.0","label":"v9.0.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"url":"https://github.com/elastic/kibana/pull/212794","number":212794,"state":"MERGED","mergeCommit":{"sha":"3ceba17cbd76f89b72986190b8c77f5079706282","message":"[9.0]
[EDR Workflows] OpenApi Missing Content - Response Actions (#212510)
(#212794)\n\n# Backport\n\nThis will backport the following commits from
`main` to `9.0`:\n- [[EDR Workflows] OpenApi Missing Content - Response
Actions\n(#212510)](https://github.com/elastic/kibana/pull/212510)\n\n\n\n###
Questions ?\nPlease refer to the [Backport
tool\ndocumentation](https://github.com/sorenlouv/backport)\n\n\n\nCo-authored-by:
Konrad Szwarc
<konrad.szwarc@elastic.co>"}},{"branch":"8.16","label":"v8.16.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"8.17","label":"v8.17.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"8.18","label":"v8.18.0","branchLabelMappingKey":"^v(\\d+).(\\d+).\\d+$","isSourceBranch":false,"state":"NOT_CREATED"},{"branch":"main","label":"v9.1.0","branchLabelMappingKey":"^v9.1.0$","isSourceBranch":true,"state":"MERGED","url":"https://github.com/elastic/kibana/pull/212510","number":212510,"mergeCommit":{"message":"[EDR
Workflows] OpenApi Missing Content - Response Actions (#212510)\n\n##
For reviewers:\nOnly `*.schema.yml` files were edited
(excluding\n`*.bundled.schema.yml`). Rest of the changes comes from auto
generation\nand can be ignored.\n\n## Description\n\nPart of DW team
effort - elastic/security-team#11804\n\nThis PR aligns the
property/schema descriptions and examples in\nAsciiDocs with OpenAPI
schemas. The primary goal of this PR was not to\nextend or enhance the
documentation but to migrate from one system to\nanother.\n\nAscii docs
-\nhttps://www.elastic.co/guide/en/security/8.17/management-api-overview.html\nOpenApi
generated docs
-\nhttps://www.elastic.co/docs/api/doc/kibana/operation/operation-endpointgetactionslist\n\nChanges:\n\nCopied
missing property descriptions from AsciiDoc to OpenApi
properties\nCopied existing AsciiDoc examples for both requests and
responses\nFixed falsy query object in some GET requests - in OpenApi it
was\ndefined as an object, not as path query
params.\n\n---------\n\nCo-authored-by: kibanamachine
<42973632+kibanamachine@users.noreply.github.com>\nCo-authored-by: Paul
Tavares
<56442535+paul-tavares@users.noreply.github.com>\nCo-authored-by:
natasha-moore-elastic
<137783811+natasha-moore-elastic@users.noreply.github.com>","sha":"2700a2a95158dc5d5a77ff074119b1b61f949310"}}]}]
BACKPORT-->

---------

Co-authored-by: kibanamachine <42973632+kibanamachine@users.noreply.github.com>
Konrad Szwarc 2025-03-03 16:37:58 +01:00 committed by GitHub
parent 471b442707
commit fb354b22cf
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
30 changed files with 2938 additions and 557 deletions


@ -7063,16 +7063,61 @@ paths:
operationId: EndpointGetActionsList
parameters:
- in: query
name: query
required: true
name: page
required: false
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_GetEndpointActionListRouteQuery'
$ref: '#/components/schemas/Security_Endpoint_Management_API_Page'
- in: query
name: pageSize
required: false
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_PageSize'
- in: query
name: commands
required: false
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_Commands'
- in: query
name: agentIds
required: false
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_AgentIds'
- in: query
name: userIds
required: false
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_UserIds'
- in: query
name: startDate
required: false
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_StartDate'
- in: query
name: endDate
required: false
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_EndDate'
- in: query
name: agentTypes
required: false
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes'
- in: query
name: withOutputs
required: false
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_WithOutputs'
- in: query
name: types
required: false
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_Types'
responses:
'200':
content:
application/json; Elastic-Api-Version=2023-10-31:
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse'
$ref: '#/components/schemas/Security_Endpoint_Management_API_GetEndpointActionListResponse'
description: OK
summary: Get response actions
tags:
@ -7111,13 +7156,15 @@ paths:
name: action_id
required: true
schema:
description: The ID of the action to retrieve.
example: fr518850-681a-4y60-aa98-e22640cae2b8
type: string
responses:
'200':
content:
application/json; Elastic-Api-Version=2023-10-31:
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse'
$ref: '#/components/schemas/Security_Endpoint_Management_API_GetEndpointActionResponse'
description: OK
summary: Get action details
tags:
@ -7190,7 +7237,7 @@ paths:
content:
application/json; Elastic-Api-Version=2023-10-31:
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse'
$ref: '#/components/schemas/Security_Endpoint_Management_API_ExecuteRouteResponse'
description: OK
summary: Run a command
tags:
@ -7211,7 +7258,7 @@ paths:
content:
application/json; Elastic-Api-Version=2023-10-31:
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse'
$ref: '#/components/schemas/Security_Endpoint_Management_API_GetFileRouteResponse'
description: OK
summary: Get a file
tags:
@ -7224,15 +7271,53 @@ paths:
requestBody:
content:
application/json; Elastic-Api-Version=2023-10-31:
examples:
multiple_endpoints:
summary: Isolates several hosts; includes a comment
value:
comment: Locked down, pending further investigation
endpoint_ids:
- 9972d10e-4b9e-41aa-a534-a85e2a28ea42
- bc0e4f0c-3bca-4633-9fee-156c0b505d16
- fa89271b-b9d4-43f2-a684-307cffddeb5a
single_endpoint:
summary: Isolates a single host with an endpoint_id value of ed518850-681a-4d60-bb98-e22640cae2a8
value:
endpoint_ids:
- ed518850-681a-4d60-bb98-e22640cae2a8
with_case_id:
summary: Isolates a single host with a case_id value of 1234
value:
case_ids:
- 4976be38-c134-4554-bd5e-0fd89ce63667
comment: Isolating as initial response
endpoint_ids:
- 1aa1f8fd-0fb0-4fe4-8c30-92068272d3f0
- b30a11bf-1395-4707-b508-fbb45ef9793e
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_IsolateRouteRequestBody'
type: object
properties:
agent_type:
$ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes'
alert_ids:
$ref: '#/components/schemas/Security_Endpoint_Management_API_AlertIds'
case_ids:
$ref: '#/components/schemas/Security_Endpoint_Management_API_CaseIds'
comment:
$ref: '#/components/schemas/Security_Endpoint_Management_API_Comment'
endpoint_ids:
$ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds'
parameters:
$ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters'
required:
- endpoint_ids
required: true
responses:
'200':
content:
application/json; Elastic-Api-Version=2023-10-31:
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse'
$ref: '#/components/schemas/Security_Endpoint_Management_API_IsolateRouteResponse'
description: OK
summary: Isolate an endpoint
tags:
@ -7253,7 +7338,7 @@ paths:
content:
application/json; Elastic-Api-Version=2023-10-31:
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse'
$ref: '#/components/schemas/Security_Endpoint_Management_API_KillProcessRouteResponse'
description: OK
summary: Terminate a process
tags:
@ -7274,7 +7359,7 @@ paths:
content:
application/json; Elastic-Api-Version=2023-10-31:
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse'
$ref: '#/components/schemas/Security_Endpoint_Management_API_GetProcessesRouteResponse'
description: OK
summary: Get running processes
tags:
@ -7316,7 +7401,7 @@ paths:
content:
application/json; Elastic-Api-Version=2023-10-31:
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse'
$ref: '#/components/schemas/Security_Endpoint_Management_API_ScanRouteResponse'
description: OK
summary: Scan a file or directory
tags:
@ -7352,7 +7437,7 @@ paths:
content:
application/json; Elastic-Api-Version=2023-10-31:
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse'
$ref: '#/components/schemas/Security_Endpoint_Management_API_SuspendProcessRouteResponse'
description: OK
summary: Suspend a process
tags:
@ -7365,15 +7450,53 @@ paths:
requestBody:
content:
application/json; Elastic-Api-Version=2023-10-31:
examples:
multipleHosts:
summary: 'Releases several hosts; includes a comment:'
value:
comment: Benign process identified, releasing group
endpoint_ids:
- 9972d10e-4b9e-41aa-a534-a85e2a28ea42
- bc0e4f0c-3bca-4633-9fee-156c0b505d16
- fa89271b-b9d4-43f2-a684-307cffddeb5a
singleHost:
summary: Releases a single host with an endpoint_id value of ed518850-681a-4d60-bb98-e22640cae2a8
value:
endpoint_ids:
- ed518850-681a-4d60-bb98-e22640cae2a8
withCaseId:
summary: Releases hosts with an associated case; includes a comment.
value:
case_ids:
- 4976be38-c134-4554-bd5e-0fd89ce63667
comment: Remediation complete, restoring network
endpoint_ids:
- 1aa1f8fd-0fb0-4fe4-8c30-92068272d3f0
- b30a11bf-1395-4707-b508-fbb45ef9793e
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_UnisolateRouteRequestBody'
type: object
properties:
agent_type:
$ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes'
alert_ids:
$ref: '#/components/schemas/Security_Endpoint_Management_API_AlertIds'
case_ids:
$ref: '#/components/schemas/Security_Endpoint_Management_API_CaseIds'
comment:
$ref: '#/components/schemas/Security_Endpoint_Management_API_Comment'
endpoint_ids:
$ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds'
parameters:
$ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters'
required:
- endpoint_ids
required: true
responses:
'200':
content:
application/json; Elastic-Api-Version=2023-10-31:
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse'
$ref: '#/components/schemas/Security_Endpoint_Management_API_UnisolateRouteResponse'
description: OK
summary: Release an isolated endpoint
tags:
@ -7385,7 +7508,7 @@ paths:
operationId: EndpointUploadAction
requestBody:
content:
application/json; Elastic-Api-Version=2023-10-31:
multipart/form-data; Elastic-Api-Version=2023-10-31:
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_UploadRouteRequestBody'
required: true
@ -7394,7 +7517,7 @@ paths:
content:
application/json; Elastic-Api-Version=2023-10-31:
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse'
$ref: '#/components/schemas/Security_Endpoint_Management_API_UploadRouteResponse'
description: OK
summary: Upload a file
tags:
@ -47225,6 +47348,10 @@ components:
description: Agent ID
type: string
Security_Endpoint_Management_API_AgentIds:
description: A list of agent IDs. Max of 50.
example:
- agent-id-1
- agent-id-2
minLength: 1
oneOf:
- items:
@ -47236,12 +47363,13 @@ components:
- minLength: 1
type: string
Security_Endpoint_Management_API_AgentTypes:
description: The host agent type (optional). Defaults to endpoint.
description: List of agent types to retrieve. Defaults to `endpoint`.
enum:
- endpoint
- sentinel_one
- crowdstrike
- microsoft_defender_endpoint
example: endpoint
type: string
Security_Endpoint_Management_API_AlertIds:
description: A list of alerts ids.
@ -47251,6 +47379,9 @@ components:
type: array
Security_Endpoint_Management_API_CaseIds:
description: Case IDs to be updated (cannot contain empty strings)
example:
- case-id-1
- case-id-2
items:
minLength: 1
type: string
@ -47288,17 +47419,26 @@ components:
minLength: 1
type: string
Security_Endpoint_Management_API_Commands:
description: A list of response action command names.
example:
- isolate
- unisolate
items:
$ref: '#/components/schemas/Security_Endpoint_Management_API_Command'
type: array
Security_Endpoint_Management_API_Comment:
description: Optional comment
example: This is a comment
type: string
Security_Endpoint_Management_API_EndDate:
description: End date
description: An end date in ISO format or Date Math format.
example: '2023-10-31T23:59:59.999Z'
type: string
Security_Endpoint_Management_API_EndpointIds:
description: List of endpoint IDs (cannot contain empty strings)
example:
- endpoint-id-1
- endpoint-id-2
items:
minLength: 1
type: string
@ -47390,12 +47530,6 @@ components:
revision: 2
type: object
properties: {}
Security_Endpoint_Management_API_EntityId:
type: object
properties:
entity_id:
minLength: 1
type: string
Security_Endpoint_Management_API_ExecuteRouteRequestBody:
allOf:
- type: object
@ -47427,33 +47561,128 @@ components:
- command
required:
- parameters
Security_Endpoint_Management_API_GetEndpointActionListRouteQuery:
example:
comment: Get list of all files
endpoint_ids:
- b3d6de74-36b0-4fa8-be46-c375bf1771bf
parameters:
command: ls -al
timeout: 600
Security_Endpoint_Management_API_ExecuteRouteResponse:
example:
data:
agents:
- ed518850-681a-4d60-bb98-e22640cae2a8
agentState:
ed518850-681a-4d60-bb98-e22640cae2a8:
isCompleted: false
wasSuccessful: false
agentType: endpoint
command: execute
comment: Get list of all files
createdBy: myuser
hosts:
ed518850-681a-4d60-bb98-e22640cae2a8:
name: gke-endpoint-gke-clu-endpoint-node-po-e1a3ab89-4c4r
id: 9f934028-2300-4927-b531-b26376793dc4
isCompleted: false
isExpired: false
outputs: {}
parameters:
command: ls -al
timeout: 600
startedAt: '2023-07-28T18:43:27.362Z'
status: pending
wasSuccessful: false
type: object
properties:
agentIds:
$ref: '#/components/schemas/Security_Endpoint_Management_API_AgentIds'
agentTypes:
$ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes'
commands:
$ref: '#/components/schemas/Security_Endpoint_Management_API_Commands'
endDate:
$ref: '#/components/schemas/Security_Endpoint_Management_API_EndDate'
page:
$ref: '#/components/schemas/Security_Endpoint_Management_API_Page'
pageSize:
default: 10
description: Number of items per page
maximum: 10000
minimum: 1
type: integer
startDate:
$ref: '#/components/schemas/Security_Endpoint_Management_API_StartDate'
types:
$ref: '#/components/schemas/Security_Endpoint_Management_API_Types'
userIds:
$ref: '#/components/schemas/Security_Endpoint_Management_API_UserIds'
withOutputs:
$ref: '#/components/schemas/Security_Endpoint_Management_API_WithOutputs'
properties: {}
Security_Endpoint_Management_API_GetEndpointActionListResponse:
example:
data:
- agents:
- afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0
agentType: endpoint
command: running-processes
completedAt: '2022-08-08T09:50:47.672Z'
createdBy: elastic
id: b3d6de74-36b0-4fa8-be46-c375bf1771bf
isCompleted: true
isExpired: false
startedAt: '2022-08-08T15:24:57.402Z'
wasSuccessful: true
- agents:
- afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0
agentType: endpoint
command: isolate
completedAt: '2022-08-08T10:41:57.352Z'
createdBy: elastic
id: 43b4098b-8752-4fbb-a7a7-6df7c74d0ee3
isCompleted: true
isExpired: false
startedAt: '2022-08-08T15:23:37.359Z'
wasSuccessful: true
- agents:
- afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0
agentType: endpoint
command: kill-process
comment: bad process - taking up too much cpu
completedAt: '2022-08-08T09:44:50.952Z'
createdBy: elastic
id: 5bc92c86-b8e6-42dd-837f-12ad29e09caa
isCompleted: true
isExpired: false
startedAt: '2022-08-08T14:38:44.125Z'
wasSuccessful: true
- agents:
- afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0
agentType: endpoint
command: unisolate
comment: Not a threat to the network
completedAt: '2022-08-08T09:40:47.398Z'
createdBy: elastic
id: 790d54e0-3aa3-4e5b-8255-3ce9d851246a
isCompleted: true
isExpired: false
startedAt: '2022-08-08T14:38:15.391Z'
wasSuccessful: true
elasticAgentIds:
- afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0
endDate: now
page: 1
pageSize: 10
startDate: now-24h/h
total: 4
type: object
properties: {}
Security_Endpoint_Management_API_GetEndpointActionResponse:
example:
data:
agents:
- afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0
agentType: endpoint
command: running-processes
completedAt: '2022-08-08T09:50:47.672Z'
createdBy: elastic
id: b3d6de74-36b0-4fa8-be46-c375bf1771bf
isCompleted: true
isExpired: false
outputs:
afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0:
content:
entries:
- command: /opt/cmd1
entity_id: fk2ym7bl3oiu3okjcik0xosc0i0m75x3eh49nu3uaqt4dqanjt
pid: '822'
user: Dexter
- command: /opt/cmd3/opt/cmd3/opt/cmd3/opt/cmd3
entity_id: pwvz91m48wpj9j7ov9gtw8fp7u2rat4eu5ipte37hnhdcbi2pt
pid: '984'
user: Jada
type: json
startedAt: '2022-08-08T15:24:57.402Z'
wasSuccessful: true
type: object
properties: {}
Security_Endpoint_Management_API_GetFileRouteRequestBody:
allOf:
- type: object
@ -47483,7 +47712,42 @@ components:
- path
required:
- parameters
example:
comment: Get my file
endpoint_ids:
- ed518850-681a-4d60-bb98-e22640cae2a8
parameters:
path: /usr/my-file.txt
Security_Endpoint_Management_API_GetFileRouteResponse:
example:
data:
agents:
- ed518850-681a-4d60-bb98-e22640cae2a8
agentState:
ed518850-681a-4d60-bb98-e22640cae2a8:
isCompleted: false
wasSuccessful: false
agentType: endpoint
command: get-file
createdBy: myuser
hosts:
ed518850-681a-4d60-bb98-e22640cae2a8:
name: gke-endpoint-gke-clu-endpoint-node-po-e1a3ab89-4c4r
id: 27ba1b42-7cc6-4e53-86ce-675c876092b2
isCompleted: false
isExpired: false
outputs: {}
parameters:
path: /usr/my-file.txt
startedAt: '2023-07-28T19:00:03.911Z'
status: pending
wasSuccessful: false
type: object
properties: {}
Security_Endpoint_Management_API_GetProcessesRouteRequestBody:
example:
endpoint_ids:
- ed518850-681a-4d60-bb98-e22640cae2a8
type: object
properties:
agent_type:
@ -47500,6 +47764,30 @@ components:
$ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters'
required:
- endpoint_ids
Security_Endpoint_Management_API_GetProcessesRouteResponse:
example:
data:
agents:
- ed518850-681a-4d60-bb98-e22640cae2a8
agentType: endpoint
command: running-processes
comment: ''
completedAt: '2022-07-29T19:09:44.961Z'
createdBy: myuser
errors: []
id: 233db9ea-6733-4849-9226-5a7039c7161d
isCompleted: true
isExpired: false
outputs:
ed518850-681a-4d60-bb98-e22640cae2a8:
content:
key: value
type: json
parameters: {}
startedAt: '2022-07-29T19:08:49.126Z'
wasSuccessful: true
type: object
properties: {}
Security_Endpoint_Management_API_HostPathScriptParameters:
type: object
properties:
@ -47531,23 +47819,32 @@ components:
- unenrolled
type: string
type: array
Security_Endpoint_Management_API_IsolateRouteRequestBody:
Security_Endpoint_Management_API_IsolateRouteResponse:
example:
action: 233db9ea-6733-4849-9226-5a7039c7161d
data:
agents:
- ed518850-681a-4d60-bb98-e22640cae2a8
agentType: endpoint
command: suspend-process
comment: suspend the process
completedAt: '2022-07-29T19:09:44.961Z'
createdBy: myuser
errors: []
id: 233db9ea-6733-4849-9226-5a7039c7161d
isCompleted: true
isExpired: false
outputs:
ed518850-681a-4d60-bb98-e22640cae2a8:
content:
key: value
type: json
parameters:
entity_id: abc123
startedAt: '2022-07-29T19:08:49.126Z'
wasSuccessful: true
type: object
properties:
agent_type:
$ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes'
alert_ids:
$ref: '#/components/schemas/Security_Endpoint_Management_API_AlertIds'
case_ids:
$ref: '#/components/schemas/Security_Endpoint_Management_API_CaseIds'
comment:
$ref: '#/components/schemas/Security_Endpoint_Management_API_Comment'
endpoint_ids:
$ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds'
parameters:
$ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters'
required:
- endpoint_ids
properties: {}
Security_Endpoint_Management_API_KillProcessRouteRequestBody:
allOf:
- type: object
@ -47570,16 +47867,60 @@ components:
properties:
parameters:
oneOf:
- $ref: '#/components/schemas/Security_Endpoint_Management_API_Pid'
- $ref: '#/components/schemas/Security_Endpoint_Management_API_EntityId'
- type: object
properties:
pid:
description: The process ID (PID) of the process to terminate.
example: 123
minimum: 1
type: integer
- type: object
properties:
entity_id:
description: The entity ID of the process to terminate.
example: abc123
minLength: 1
type: string
- type: object
properties:
process_name:
description: Valid for SentinelOne agent type only
description: The name of the process to terminate. Valid for SentinelOne agent type only.
example: Elastic
minLength: 1
type: string
required:
- parameters
example:
comment: terminate the process
endpoint_ids:
- ed518850-681a-4d60-bb98-e22640cae2a8
parameters:
entity_id: abc123
Security_Endpoint_Management_API_KillProcessRouteResponse:
example:
data:
agents:
- ed518850-681a-4d60-bb98-e22640cae2a8
agentType: endpoint
command: kill-process
comment: terminate the process
completedAt: '2022-07-29T19:09:44.961Z'
createdBy: myuser
errors: []
id: 233db9ea-6733-4849-9226-5a7039c7161d
isCompleted: true
isExpired: false
outputs:
ed518850-681a-4d60-bb98-e22640cae2a8:
content:
key: value
type: json
parameters:
entity_id: abc123
startedAt: '2022-07-29T19:08:49.126Z'
wasSuccessful: true
type: object
properties: {}
Security_Endpoint_Management_API_Kuery:
description: A KQL string.
example: 'united.endpoint.host.os.name : ''Windows'''
@ -47800,12 +48141,6 @@ components:
$ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType'
- additionalProperties: true
type: object
Security_Endpoint_Management_API_Pid:
type: object
properties:
pid:
minimum: 1
type: integer
Security_Endpoint_Management_API_ProtectionUpdatesNoteResponse:
type: object
properties:
@ -47863,11 +48198,45 @@ components:
type: object
properties:
path:
description: The folder or files full path (including the file name).
example: /usr/my-file.txt
type: string
required:
- path
required:
- parameters
example:
comment: Scan the file for malware
endpoint_ids:
- ed518850-681a-4d60-bb98-e22640cae2a8
parameters:
path: /usr/my-file.txt
Security_Endpoint_Management_API_ScanRouteResponse:
example:
data:
agents:
- ed518850-681a-4d60-bb98-e22640cae2a8
agentState:
ed518850-681a-4d60-bb98-e22640cae2a8:
isCompleted: false
wasSuccessful: false
agentType: endpoint
command: scan
createdBy: myuser
hosts:
ed518850-681a-4d60-bb98-e22640cae2a8:
name: gke-endpoint-gke-clu-endpoint-node-po-e1a3ab89-4c4r
id: 27ba1b42-7cc6-4e53-86ce-675c876092b2
isCompleted: false
isExpired: false
outputs: {}
parameters:
path: /usr/my-file.txt
startedAt: '2023-07-28T19:00:03.911Z'
status: pending
wasSuccessful: false
type: object
properties: {}
Security_Endpoint_Management_API_SortDirection:
description: Determines the sort order.
enum:
@ -47890,7 +48259,8 @@ components:
example: enrolled_at
type: string
Security_Endpoint_Management_API_StartDate:
description: Start date
description: A start date in ISO 8601 format or Date Math format.
example: '2023-10-31T00:00:00.000Z'
type: string
Security_Endpoint_Management_API_SuccessResponse:
type: object
@ -47917,10 +48287,53 @@ components:
properties:
parameters:
oneOf:
- $ref: '#/components/schemas/Security_Endpoint_Management_API_Pid'
- $ref: '#/components/schemas/Security_Endpoint_Management_API_EntityId'
- type: object
properties:
pid:
description: The process ID (PID) of the process to suspend.
example: 123
minimum: 1
type: integer
- type: object
properties:
entity_id:
description: The entity ID of the process to suspend.
example: abc123
minLength: 1
type: string
required:
- parameters
example:
comment: suspend the process
endpoint_ids:
- ed518850-681a-4d60-bb98-e22640cae2a8
parameters:
entity_id: abc123
Security_Endpoint_Management_API_SuspendProcessRouteResponse:
example:
data:
agents:
- ed518850-681a-4d60-bb98-e22640cae2a8
agentType: endpoint
command: suspend-process
comment: suspend the process
completedAt: '2022-07-29T19:09:44.961Z'
createdBy: myuser
errors: []
id: 233db9ea-6733-4849-9226-5a7039c7161d
isCompleted: true
isExpired: false
outputs:
ed518850-681a-4d60-bb98-e22640cae2a8:
content:
key: value
type: json
parameters:
entity_id: abc123
startedAt: '2022-07-29T19:08:49.126Z'
wasSuccessful: true
type: object
properties: {}
Security_Endpoint_Management_API_Timeout:
description: The maximum timeout value in milliseconds (optional)
minimum: 1
@ -47933,28 +48346,40 @@ components:
type: string
Security_Endpoint_Management_API_Types:
description: List of types of response actions
example:
- automated
- manual
items:
$ref: '#/components/schemas/Security_Endpoint_Management_API_Type'
maxLength: 2
minLength: 1
type: array
Security_Endpoint_Management_API_UnisolateRouteRequestBody:
Security_Endpoint_Management_API_UnisolateRouteResponse:
example:
action: 233db9ea-6733-4849-9226-5a7039c7161d
data:
agents:
- ed518850-681a-4d60-bb98-e22640cae2a8
agentType: endpoint
command: suspend-process
comment: suspend the process
completedAt: '2022-07-29T19:09:44.961Z'
createdBy: myuser
errors: []
id: 233db9ea-6733-4849-9226-5a7039c7161d
isCompleted: true
isExpired: false
outputs:
ed518850-681a-4d60-bb98-e22640cae2a8:
content:
key: value
type: json
parameters:
entity_id: abc123
startedAt: '2022-07-29T19:08:49.126Z'
wasSuccessful: true
type: object
properties:
agent_type:
$ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes'
alert_ids:
$ref: '#/components/schemas/Security_Endpoint_Management_API_AlertIds'
case_ids:
$ref: '#/components/schemas/Security_Endpoint_Management_API_CaseIds'
comment:
$ref: '#/components/schemas/Security_Endpoint_Management_API_Comment'
endpoint_ids:
$ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds'
parameters:
$ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters'
required:
- endpoint_ids
properties: {}
Security_Endpoint_Management_API_UploadRouteRequestBody:
allOf:
- type: object
@ -47976,6 +48401,8 @@ components:
- type: object
properties:
file:
description: The binary content of the file.
example: RWxhc3RpYw==
format: binary
type: string
parameters:
@ -47983,12 +48410,51 @@ components:
properties:
overwrite:
default: false
description: Overwrite the file on the host if it already exists.
example: false
type: boolean
required:
- parameters
- file
example:
endpoint_ids:
- ed518850-681a-4d60-bb98-e22640cae2a8
file: RWxhc3RpYw==
parameters: {}
Security_Endpoint_Management_API_UploadRouteResponse:
example:
data:
agents:
- ed518850-681a-4d60-bb98-e22640cae2a8
agentState:
ed518850-681a-4d60-bb98-e22640cae2a8:
isCompleted: false
wasSuccessful: false
agentType: endpoint
command: upload
createdBy: elastic
hosts:
ed518850-681a-4d60-bb98-e22640cae2a8:
name: Host-5i6cuc8kdv
id: 9ff6aebc-2cb6-481e-8869-9b30036c9731
isCompleted: false
isExpired: false
outputs: {}
parameters:
file_id: 10e4ce3d-4abb-4f93-a0cd-eaf63a489280
file_name: fix-malware.sh
file_sha256: a0bed94220193ba4895c0aa5b4e7e293381d15765cb164ddf7be5cdd010ae42a
file_size: 69
startedAt: '2023-07-03T15:07:22.837Z'
status: pending
wasSuccessful: false
type: object
properties: {}
Security_Endpoint_Management_API_UserIds:
description: User IDs
description: A list of user IDs.
example:
- user-id-1
- user-id-2
oneOf:
- items:
minLength: 1
@ -47998,7 +48464,10 @@ components:
- minLength: 1
type: string
Security_Endpoint_Management_API_WithOutputs:
description: Shows detailed outputs for an action response
description: A list of action IDs that should include the complete output of the action.
example:
- action-id-1
- action-id-2
oneOf:
- items:
minLength: 1
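Review bot: The new `Security_Endpoint_Management_API_IsolateRouteResponse` example documents a suspend-process action rather than an isolate one (`command: suspend-process`, `comment: suspend the process`, `parameters: entity_id: abc123`), and the `Security_Endpoint_Management_API_UnisolateRouteResponse` example later in this file is the same copy, so the generated docs for isolate and release will show the wrong command; both examples also carry a top-level `action:` key that none of the sibling `*RouteResponse` examples have. The examples should use `command: isolate` and `command: unisolate` respectively, with the `parameters`/`entity_id` block dropped so they line up with the request examples added above. This bundle appears to be auto-generated from the per-route `*.schema.yml` sources named in the description, so the correction belongs there and would flow through on the next regeneration. Separately, worth confirming that `Security_Endpoint_Management_API_PageSize`, now referenced by the `pageSize` query parameter, preserves the `minimum: 1` / `maximum: 10000` / `default: 10` constraints that the removed inline `GetEndpointActionListRouteQuery.pageSize` schema declared, since the shared schema's bounds are not visible in this section and an unbounded page size on the actions-list endpoint would be an easy way to make the route expensive.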


@ -12468,16 +12468,61 @@ paths:
operationId: EndpointGetActionsList
parameters:
- in: query
name: query
required: true
name: page
required: false
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_GetEndpointActionListRouteQuery'
$ref: '#/components/schemas/Security_Endpoint_Management_API_Page'
- in: query
name: pageSize
required: false
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_PageSize'
- in: query
name: commands
required: false
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_Commands'
- in: query
name: agentIds
required: false
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_AgentIds'
- in: query
name: userIds
required: false
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_UserIds'
- in: query
name: startDate
required: false
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_StartDate'
- in: query
name: endDate
required: false
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_EndDate'
- in: query
name: agentTypes
required: false
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes'
- in: query
name: withOutputs
required: false
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_WithOutputs'
- in: query
name: types
required: false
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_Types'
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse'
$ref: '#/components/schemas/Security_Endpoint_Management_API_GetEndpointActionListResponse'
description: OK
summary: Get response actions
tags:
@ -12540,13 +12585,15 @@ paths:
name: action_id
required: true
schema:
description: The ID of the action to retrieve.
example: fr518850-681a-4y60-aa98-e22640cae2b8
type: string
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse'
$ref: '#/components/schemas/Security_Endpoint_Management_API_GetEndpointActionResponse'
description: OK
summary: Get action details
tags:
@ -12616,7 +12663,7 @@ paths:
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse'
$ref: '#/components/schemas/Security_Endpoint_Management_API_ExecuteRouteResponse'
description: OK
summary: Run a command
tags:
@ -12636,7 +12683,7 @@ paths:
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse'
$ref: '#/components/schemas/Security_Endpoint_Management_API_GetFileRouteResponse'
description: OK
summary: Get a file
tags:
@ -12648,15 +12695,53 @@ paths:
requestBody:
content:
application/json:
examples:
multiple_endpoints:
summary: Isolates several hosts; includes a comment
value:
comment: Locked down, pending further investigation
endpoint_ids:
- 9972d10e-4b9e-41aa-a534-a85e2a28ea42
- bc0e4f0c-3bca-4633-9fee-156c0b505d16
- fa89271b-b9d4-43f2-a684-307cffddeb5a
single_endpoint:
summary: Isolates a single host with an endpoint_id value of ed518850-681a-4d60-bb98-e22640cae2a8
value:
endpoint_ids:
- ed518850-681a-4d60-bb98-e22640cae2a8
with_case_id:
summary: Isolates a single host with a case_id value of 1234
value:
case_ids:
- 4976be38-c134-4554-bd5e-0fd89ce63667
comment: Isolating as initial response
endpoint_ids:
- 1aa1f8fd-0fb0-4fe4-8c30-92068272d3f0
- b30a11bf-1395-4707-b508-fbb45ef9793e
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_IsolateRouteRequestBody'
type: object
properties:
agent_type:
$ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes'
alert_ids:
$ref: '#/components/schemas/Security_Endpoint_Management_API_AlertIds'
case_ids:
$ref: '#/components/schemas/Security_Endpoint_Management_API_CaseIds'
comment:
$ref: '#/components/schemas/Security_Endpoint_Management_API_Comment'
endpoint_ids:
$ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds'
parameters:
$ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters'
required:
- endpoint_ids
required: true
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse'
$ref: '#/components/schemas/Security_Endpoint_Management_API_IsolateRouteResponse'
description: OK
summary: Isolate an endpoint
tags:
@ -12676,7 +12761,7 @@ paths:
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse'
$ref: '#/components/schemas/Security_Endpoint_Management_API_KillProcessRouteResponse'
description: OK
summary: Terminate a process
tags:
@ -12696,7 +12781,7 @@ paths:
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse'
$ref: '#/components/schemas/Security_Endpoint_Management_API_GetProcessesRouteResponse'
description: OK
summary: Get running processes
tags:
@ -12736,7 +12821,7 @@ paths:
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse'
$ref: '#/components/schemas/Security_Endpoint_Management_API_ScanRouteResponse'
description: OK
summary: Scan a file or directory
tags:
@ -12770,7 +12855,7 @@ paths:
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse'
$ref: '#/components/schemas/Security_Endpoint_Management_API_SuspendProcessRouteResponse'
description: OK
summary: Suspend a process
tags:
@ -12782,15 +12867,53 @@ paths:
requestBody:
content:
application/json:
examples:
multipleHosts:
summary: 'Releases several hosts; includes a comment:'
value:
comment: Benign process identified, releasing group
endpoint_ids:
- 9972d10e-4b9e-41aa-a534-a85e2a28ea42
- bc0e4f0c-3bca-4633-9fee-156c0b505d16
- fa89271b-b9d4-43f2-a684-307cffddeb5a
singleHost:
summary: Releases a single host with an endpoint_id value of ed518850-681a-4d60-bb98-e22640cae2a8
value:
endpoint_ids:
- ed518850-681a-4d60-bb98-e22640cae2a8
withCaseId:
summary: Releases hosts with an associated case; includes a comment.
value:
case_ids:
- 4976be38-c134-4554-bd5e-0fd89ce63667
comment: Remediation complete, restoring network
endpoint_ids:
- 1aa1f8fd-0fb0-4fe4-8c30-92068272d3f0
- b30a11bf-1395-4707-b508-fbb45ef9793e
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_UnisolateRouteRequestBody'
type: object
properties:
agent_type:
$ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes'
alert_ids:
$ref: '#/components/schemas/Security_Endpoint_Management_API_AlertIds'
case_ids:
$ref: '#/components/schemas/Security_Endpoint_Management_API_CaseIds'
comment:
$ref: '#/components/schemas/Security_Endpoint_Management_API_Comment'
endpoint_ids:
$ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds'
parameters:
$ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters'
required:
- endpoint_ids
required: true
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse'
$ref: '#/components/schemas/Security_Endpoint_Management_API_UnisolateRouteResponse'
description: OK
summary: Release an isolated endpoint
tags:
@ -12801,7 +12924,7 @@ paths:
operationId: EndpointUploadAction
requestBody:
content:
application/json:
multipart/form-data:
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_UploadRouteRequestBody'
required: true
@ -12810,7 +12933,7 @@ paths:
content:
application/json:
schema:
$ref: '#/components/schemas/Security_Endpoint_Management_API_SuccessResponse'
$ref: '#/components/schemas/Security_Endpoint_Management_API_UploadRouteResponse'
description: OK
summary: Upload a file
tags:
@ -35609,6 +35732,10 @@ components:
description: Agent ID
type: string
Security_Endpoint_Management_API_AgentIds:
description: A list of agent IDs. Max of 50.
example:
- agent-id-1
- agent-id-2
minLength: 1
oneOf:
- items:
@ -35620,12 +35747,13 @@ components:
- minLength: 1
type: string
Security_Endpoint_Management_API_AgentTypes:
description: The host agent type (optional). Defaults to endpoint.
description: List of agent types to retrieve. Defaults to `endpoint`.
enum:
- endpoint
- sentinel_one
- crowdstrike
- microsoft_defender_endpoint
example: endpoint
type: string
Security_Endpoint_Management_API_AlertIds:
description: A list of alerts ids.
@ -35635,6 +35763,9 @@ components:
type: array
Security_Endpoint_Management_API_CaseIds:
description: Case IDs to be updated (cannot contain empty strings)
example:
- case-id-1
- case-id-2
items:
minLength: 1
type: string
@ -35672,17 +35803,26 @@ components:
minLength: 1
type: string
Security_Endpoint_Management_API_Commands:
description: A list of response action command names.
example:
- isolate
- unisolate
items:
$ref: '#/components/schemas/Security_Endpoint_Management_API_Command'
type: array
Security_Endpoint_Management_API_Comment:
description: Optional comment
example: This is a comment
type: string
Security_Endpoint_Management_API_EndDate:
description: End date
description: An end date in ISO format or Date Math format.
example: '2023-10-31T23:59:59.999Z'
type: string
Security_Endpoint_Management_API_EndpointIds:
description: List of endpoint IDs (cannot contain empty strings)
example:
- endpoint-id-1
- endpoint-id-2
items:
minLength: 1
type: string
@ -35774,12 +35914,6 @@ components:
revision: 2
type: object
properties: {}
Security_Endpoint_Management_API_EntityId:
type: object
properties:
entity_id:
minLength: 1
type: string
Security_Endpoint_Management_API_ExecuteRouteRequestBody:
allOf:
- type: object
@ -35811,33 +35945,128 @@ components:
- command
required:
- parameters
Security_Endpoint_Management_API_GetEndpointActionListRouteQuery:
example:
comment: Get list of all files
endpoint_ids:
- b3d6de74-36b0-4fa8-be46-c375bf1771bf
parameters:
command: ls -al
timeout: 600
Security_Endpoint_Management_API_ExecuteRouteResponse:
example:
data:
agents:
- ed518850-681a-4d60-bb98-e22640cae2a8
agentState:
ed518850-681a-4d60-bb98-e22640cae2a8:
isCompleted: false
wasSuccessful: false
agentType: endpoint
command: execute
comment: Get list of all files
createdBy: myuser
hosts:
ed518850-681a-4d60-bb98-e22640cae2a8:
name: gke-endpoint-gke-clu-endpoint-node-po-e1a3ab89-4c4r
id: 9f934028-2300-4927-b531-b26376793dc4
isCompleted: false
isExpired: false
outputs: {}
parameters:
command: ls -al
timeout: 600
startedAt: '2023-07-28T18:43:27.362Z'
status: pending
wasSuccessful: false
type: object
properties:
agentIds:
$ref: '#/components/schemas/Security_Endpoint_Management_API_AgentIds'
agentTypes:
$ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes'
commands:
$ref: '#/components/schemas/Security_Endpoint_Management_API_Commands'
endDate:
$ref: '#/components/schemas/Security_Endpoint_Management_API_EndDate'
page:
$ref: '#/components/schemas/Security_Endpoint_Management_API_Page'
pageSize:
default: 10
description: Number of items per page
maximum: 10000
minimum: 1
type: integer
startDate:
$ref: '#/components/schemas/Security_Endpoint_Management_API_StartDate'
types:
$ref: '#/components/schemas/Security_Endpoint_Management_API_Types'
userIds:
$ref: '#/components/schemas/Security_Endpoint_Management_API_UserIds'
withOutputs:
$ref: '#/components/schemas/Security_Endpoint_Management_API_WithOutputs'
properties: {}
Security_Endpoint_Management_API_GetEndpointActionListResponse:
example:
data:
- agents:
- afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0
agentType: endpoint
command: running-processes
completedAt: '2022-08-08T09:50:47.672Z'
createdBy: elastic
id: b3d6de74-36b0-4fa8-be46-c375bf1771bf
isCompleted: true
isExpired: false
startedAt: '2022-08-08T15:24:57.402Z'
wasSuccessful: true
- agents:
- afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0
agentType: endpoint
command: isolate
completedAt: '2022-08-08T10:41:57.352Z'
createdBy: elastic
id: 43b4098b-8752-4fbb-a7a7-6df7c74d0ee3
isCompleted: true
isExpired: false
startedAt: '2022-08-08T15:23:37.359Z'
wasSuccessful: true
- agents:
- afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0
agentType: endpoint
command: kill-process
comment: bad process - taking up too much cpu
completedAt: '2022-08-08T09:44:50.952Z'
createdBy: elastic
id: 5bc92c86-b8e6-42dd-837f-12ad29e09caa
isCompleted: true
isExpired: false
startedAt: '2022-08-08T14:38:44.125Z'
wasSuccessful: true
- agents:
- afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0
agentType: endpoint
command: unisolate
comment: Not a threat to the network
completedAt: '2022-08-08T09:40:47.398Z'
createdBy: elastic
id: 790d54e0-3aa3-4e5b-8255-3ce9d851246a
isCompleted: true
isExpired: false
startedAt: '2022-08-08T14:38:15.391Z'
wasSuccessful: true
elasticAgentIds:
- afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0
endDate: now
page: 1
pageSize: 10
startDate: now-24h/h
total: 4
type: object
properties: {}
Security_Endpoint_Management_API_GetEndpointActionResponse:
example:
data:
agents:
- afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0
agentType: endpoint
command: running-processes
completedAt: '2022-08-08T09:50:47.672Z'
createdBy: elastic
id: b3d6de74-36b0-4fa8-be46-c375bf1771bf
isCompleted: true
isExpired: false
outputs:
afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0:
content:
entries:
- command: /opt/cmd1
entity_id: fk2ym7bl3oiu3okjcik0xosc0i0m75x3eh49nu3uaqt4dqanjt
pid: '822'
user: Dexter
- command: /opt/cmd3/opt/cmd3/opt/cmd3/opt/cmd3
entity_id: pwvz91m48wpj9j7ov9gtw8fp7u2rat4eu5ipte37hnhdcbi2pt
pid: '984'
user: Jada
type: json
startedAt: '2022-08-08T15:24:57.402Z'
wasSuccessful: true
type: object
properties: {}
Security_Endpoint_Management_API_GetFileRouteRequestBody:
allOf:
- type: object
@ -35867,7 +36096,42 @@ components:
- path
required:
- parameters
example:
comment: Get my file
endpoint_ids:
- ed518850-681a-4d60-bb98-e22640cae2a8
parameters:
path: /usr/my-file.txt
Security_Endpoint_Management_API_GetFileRouteResponse:
example:
data:
agents:
- ed518850-681a-4d60-bb98-e22640cae2a8
agentState:
ed518850-681a-4d60-bb98-e22640cae2a8:
isCompleted: false
wasSuccessful: false
agentType: endpoint
command: get-file
createdBy: myuser
hosts:
ed518850-681a-4d60-bb98-e22640cae2a8:
name: gke-endpoint-gke-clu-endpoint-node-po-e1a3ab89-4c4r
id: 27ba1b42-7cc6-4e53-86ce-675c876092b2
isCompleted: false
isExpired: false
outputs: {}
parameters:
path: /usr/my-file.txt
startedAt: '2023-07-28T19:00:03.911Z'
status: pending
wasSuccessful: false
type: object
properties: {}
Security_Endpoint_Management_API_GetProcessesRouteRequestBody:
example:
endpoint_ids:
- ed518850-681a-4d60-bb98-e22640cae2a8
type: object
properties:
agent_type:
@ -35884,6 +36148,30 @@ components:
$ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters'
required:
- endpoint_ids
Security_Endpoint_Management_API_GetProcessesRouteResponse:
example:
data:
agents:
- ed518850-681a-4d60-bb98-e22640cae2a8
agentType: endpoint
command: running-processes
comment: ''
completedAt: '2022-07-29T19:09:44.961Z'
createdBy: myuser
errors: []
id: 233db9ea-6733-4849-9226-5a7039c7161d
isCompleted: true
isExpired: false
outputs:
ed518850-681a-4d60-bb98-e22640cae2a8:
content:
key: value
type: json
parameters: {}
startedAt: '2022-07-29T19:08:49.126Z'
wasSuccessful: true
type: object
properties: {}
Security_Endpoint_Management_API_HostPathScriptParameters:
type: object
properties:
@ -35915,23 +36203,32 @@ components:
- unenrolled
type: string
type: array
Security_Endpoint_Management_API_IsolateRouteRequestBody:
Security_Endpoint_Management_API_IsolateRouteResponse:
example:
action: 233db9ea-6733-4849-9226-5a7039c7161d
data:
agents:
- ed518850-681a-4d60-bb98-e22640cae2a8
agentType: endpoint
command: suspend-process
comment: suspend the process
completedAt: '2022-07-29T19:09:44.961Z'
createdBy: myuser
errors: []
id: 233db9ea-6733-4849-9226-5a7039c7161d
isCompleted: true
isExpired: false
outputs:
ed518850-681a-4d60-bb98-e22640cae2a8:
content:
key: value
type: json
parameters:
entity_id: abc123
startedAt: '2022-07-29T19:08:49.126Z'
wasSuccessful: true
type: object
properties:
agent_type:
$ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes'
alert_ids:
$ref: '#/components/schemas/Security_Endpoint_Management_API_AlertIds'
case_ids:
$ref: '#/components/schemas/Security_Endpoint_Management_API_CaseIds'
comment:
$ref: '#/components/schemas/Security_Endpoint_Management_API_Comment'
endpoint_ids:
$ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds'
parameters:
$ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters'
required:
- endpoint_ids
properties: {}
Security_Endpoint_Management_API_KillProcessRouteRequestBody:
allOf:
- type: object
@ -35954,16 +36251,60 @@ components:
properties:
parameters:
oneOf:
- $ref: '#/components/schemas/Security_Endpoint_Management_API_Pid'
- $ref: '#/components/schemas/Security_Endpoint_Management_API_EntityId'
- type: object
properties:
pid:
description: The process ID (PID) of the process to terminate.
example: 123
minimum: 1
type: integer
- type: object
properties:
entity_id:
description: The entity ID of the process to terminate.
example: abc123
minLength: 1
type: string
- type: object
properties:
process_name:
description: Valid for SentinelOne agent type only
description: The name of the process to terminate. Valid for SentinelOne agent type only.
example: Elastic
minLength: 1
type: string
required:
- parameters
example:
comment: terminate the process
endpoint_ids:
- ed518850-681a-4d60-bb98-e22640cae2a8
parameters:
entity_id: abc123
Security_Endpoint_Management_API_KillProcessRouteResponse:
example:
data:
agents:
- ed518850-681a-4d60-bb98-e22640cae2a8
agentType: endpoint
command: kill-process
comment: terminate the process
completedAt: '2022-07-29T19:09:44.961Z'
createdBy: myuser
errors: []
id: 233db9ea-6733-4849-9226-5a7039c7161d
isCompleted: true
isExpired: false
outputs:
ed518850-681a-4d60-bb98-e22640cae2a8:
content:
key: value
type: json
parameters:
entity_id: abc123
startedAt: '2022-07-29T19:08:49.126Z'
wasSuccessful: true
type: object
properties: {}
Security_Endpoint_Management_API_Kuery:
description: A KQL string.
example: 'united.endpoint.host.os.name : ''Windows'''
@ -36189,12 +36530,6 @@ components:
$ref: '#/components/schemas/Security_Endpoint_Management_API_PendingActionDataType'
- additionalProperties: true
type: object
Security_Endpoint_Management_API_Pid:
type: object
properties:
pid:
minimum: 1
type: integer
Security_Endpoint_Management_API_ProtectionUpdatesNoteResponse:
type: object
properties:
@ -36252,11 +36587,45 @@ components:
type: object
properties:
path:
description: The folder or files full path (including the file name).
example: /usr/my-file.txt
type: string
required:
- path
required:
- parameters
example:
comment: Scan the file for malware
endpoint_ids:
- ed518850-681a-4d60-bb98-e22640cae2a8
parameters:
path: /usr/my-file.txt
Security_Endpoint_Management_API_ScanRouteResponse:
example:
data:
agents:
- ed518850-681a-4d60-bb98-e22640cae2a8
agentState:
ed518850-681a-4d60-bb98-e22640cae2a8:
isCompleted: false
wasSuccessful: false
agentType: endpoint
command: scan
createdBy: myuser
hosts:
ed518850-681a-4d60-bb98-e22640cae2a8:
name: gke-endpoint-gke-clu-endpoint-node-po-e1a3ab89-4c4r
id: 27ba1b42-7cc6-4e53-86ce-675c876092b2
isCompleted: false
isExpired: false
outputs: {}
parameters:
path: /usr/my-file.txt
startedAt: '2023-07-28T19:00:03.911Z'
status: pending
wasSuccessful: false
type: object
properties: {}
Security_Endpoint_Management_API_SortDirection:
description: Determines the sort order.
enum:
@ -36279,7 +36648,8 @@ components:
example: enrolled_at
type: string
Security_Endpoint_Management_API_StartDate:
description: Start date
description: A start date in ISO 8601 format or Date Math format.
example: '2023-10-31T00:00:00.000Z'
type: string
Security_Endpoint_Management_API_SuccessResponse:
type: object
@ -36306,10 +36676,53 @@ components:
properties:
parameters:
oneOf:
- $ref: '#/components/schemas/Security_Endpoint_Management_API_Pid'
- $ref: '#/components/schemas/Security_Endpoint_Management_API_EntityId'
- type: object
properties:
pid:
description: The process ID (PID) of the process to suspend.
example: 123
minimum: 1
type: integer
- type: object
properties:
entity_id:
description: The entity ID of the process to suspend.
example: abc123
minLength: 1
type: string
required:
- parameters
example:
comment: suspend the process
endpoint_ids:
- ed518850-681a-4d60-bb98-e22640cae2a8
parameters:
entity_id: abc123
Security_Endpoint_Management_API_SuspendProcessRouteResponse:
example:
data:
agents:
- ed518850-681a-4d60-bb98-e22640cae2a8
agentType: endpoint
command: suspend-process
comment: suspend the process
completedAt: '2022-07-29T19:09:44.961Z'
createdBy: myuser
errors: []
id: 233db9ea-6733-4849-9226-5a7039c7161d
isCompleted: true
isExpired: false
outputs:
ed518850-681a-4d60-bb98-e22640cae2a8:
content:
key: value
type: json
parameters:
entity_id: abc123
startedAt: '2022-07-29T19:08:49.126Z'
wasSuccessful: true
type: object
properties: {}
Security_Endpoint_Management_API_Timeout:
description: The maximum timeout value in milliseconds (optional)
minimum: 1
@ -36322,28 +36735,40 @@ components:
type: string
Security_Endpoint_Management_API_Types:
description: List of types of response actions
example:
- automated
- manual
items:
$ref: '#/components/schemas/Security_Endpoint_Management_API_Type'
maxLength: 2
minLength: 1
type: array
Security_Endpoint_Management_API_UnisolateRouteRequestBody:
Security_Endpoint_Management_API_UnisolateRouteResponse:
example:
action: 233db9ea-6733-4849-9226-5a7039c7161d
data:
agents:
- ed518850-681a-4d60-bb98-e22640cae2a8
agentType: endpoint
command: suspend-process
comment: suspend the process
completedAt: '2022-07-29T19:09:44.961Z'
createdBy: myuser
errors: []
id: 233db9ea-6733-4849-9226-5a7039c7161d
isCompleted: true
isExpired: false
outputs:
ed518850-681a-4d60-bb98-e22640cae2a8:
content:
key: value
type: json
parameters:
entity_id: abc123
startedAt: '2022-07-29T19:08:49.126Z'
wasSuccessful: true
type: object
properties:
agent_type:
$ref: '#/components/schemas/Security_Endpoint_Management_API_AgentTypes'
alert_ids:
$ref: '#/components/schemas/Security_Endpoint_Management_API_AlertIds'
case_ids:
$ref: '#/components/schemas/Security_Endpoint_Management_API_CaseIds'
comment:
$ref: '#/components/schemas/Security_Endpoint_Management_API_Comment'
endpoint_ids:
$ref: '#/components/schemas/Security_Endpoint_Management_API_EndpointIds'
parameters:
$ref: '#/components/schemas/Security_Endpoint_Management_API_Parameters'
required:
- endpoint_ids
properties: {}
Security_Endpoint_Management_API_UploadRouteRequestBody:
allOf:
- type: object
@ -36365,6 +36790,8 @@ components:
- type: object
properties:
file:
description: The binary content of the file.
example: RWxhc3RpYw==
format: binary
type: string
parameters:
@ -36372,12 +36799,51 @@ components:
properties:
overwrite:
default: false
description: Overwrite the file on the host if it already exists.
example: false
type: boolean
required:
- parameters
- file
example:
endpoint_ids:
- ed518850-681a-4d60-bb98-e22640cae2a8
file: RWxhc3RpYw==
parameters: {}
Security_Endpoint_Management_API_UploadRouteResponse:
example:
data:
agents:
- ed518850-681a-4d60-bb98-e22640cae2a8
agentState:
ed518850-681a-4d60-bb98-e22640cae2a8:
isCompleted: false
wasSuccessful: false
agentType: endpoint
command: upload
createdBy: elastic
hosts:
ed518850-681a-4d60-bb98-e22640cae2a8:
name: Host-5i6cuc8kdv
id: 9ff6aebc-2cb6-481e-8869-9b30036c9731
isCompleted: false
isExpired: false
outputs: {}
parameters:
file_id: 10e4ce3d-4abb-4f93-a0cd-eaf63a489280
file_name: fix-malware.sh
file_sha256: a0bed94220193ba4895c0aa5b4e7e293381d15765cb164ddf7be5cdd010ae42a
file_size: 69
startedAt: '2023-07-03T15:07:22.837Z'
status: pending
wasSuccessful: false
type: object
properties: {}
Security_Endpoint_Management_API_UserIds:
description: User IDs
description: A list of user IDs.
example:
- user-id-1
- user-id-2
oneOf:
- items:
minLength: 1
@ -36387,7 +36853,10 @@ components:
- minLength: 1
type: string
Security_Endpoint_Management_API_WithOutputs:
description: Shows detailed outputs for an action response
description: A list of action IDs that should include the complete output of the action.
example:
- action-id-1
- action-id-2
oneOf:
- items:
minLength: 1


@ -16,7 +16,8 @@
import { z } from '@kbn/zod';
import { SuccessResponse } from '../../model/schema/common.gen';
export type GetEndpointActionResponse = z.infer<typeof GetEndpointActionResponse>;
export const GetEndpointActionResponse = z.object({});
export type EndpointGetActionsDetailsRequestParams = z.infer<
typeof EndpointGetActionsDetailsRequestParams
@ -29,4 +30,4 @@ export type EndpointGetActionsDetailsRequestParamsInput = z.input<
>;
export type EndpointGetActionsDetailsResponse = z.infer<typeof EndpointGetActionsDetailsResponse>;
export const EndpointGetActionsDetailsResponse = SuccessResponse;
export const EndpointGetActionsDetailsResponse = GetEndpointActionResponse;


@ -16,12 +16,46 @@ paths:
required: true
schema:
type: string
description: The ID of the action to retrieve.
example: 'fr518850-681a-4y60-aa98-e22640cae2b8'
responses:
'200':
description: OK
content:
application/json:
schema:
$ref: '../../model/schema/common.schema.yaml#/components/schemas/SuccessResponse'
$ref: '#/components/schemas/GetEndpointActionResponse'
components:
schemas:
GetEndpointActionResponse:
type: object
properties: { }
example:
data:
id: "b3d6de74-36b0-4fa8-be46-c375bf1771bf"
agents:
- "afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0"
agentType: "endpoint"
command: "running-processes"
startedAt: "2022-08-08T15:24:57.402Z"
completedAt: "2022-08-08T09:50:47.672Z"
createdBy: "elastic"
isCompleted: true
wasSuccessful: true
isExpired: false
outputs:
afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0:
type: "json"
content:
entries:
- pid: "822"
entity_id: "fk2ym7bl3oiu3okjcik0xosc0i0m75x3eh49nu3uaqt4dqanjt"
user: "Dexter"
command: "/opt/cmd1"
- pid: "984"
entity_id: "pwvz91m48wpj9j7ov9gtw8fp7u2rat4eu5ipte37hnhdcbi2pt"
user: "Jada"
command: "/opt/cmd3/opt/cmd3/opt/cmd3/opt/cmd3"
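Review bot: The `action_id` example `fr518850-681a-4y60-aa98-e22640cae2b8` contains non-hex characters (`r`, `y`) and so is not a valid UUID, which will mislead anyone who copies it into a request; reuse the ID the response example already carries, `example: 'b3d6de74-36b0-4fa8-be46-c375bf1771bf'`. In the `GetEndpointActionResponse` example, `completedAt: "2022-08-08T09:50:47.672Z"` is earlier than `startedAt: "2022-08-08T15:24:57.402Z"`, so the sample action finishes before it begins; swapping the two values gives a consistent timeline. Because `properties: { }` leaves the schema empty, this example is the only description of the response shape that consumers get and the generated type is `z.object({})` — if `data.id`, `command`, `isCompleted` and `outputs` are stable fields, documenting them as properties would let the generated type carry them.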


@ -17,42 +17,37 @@
import { z } from '@kbn/zod';
import {
SuccessResponse,
AgentIds,
AgentTypes,
Commands,
Page,
PageSize,
Commands,
AgentIds,
UserIds,
StartDate,
EndDate,
UserIds,
Types,
AgentTypes,
WithOutputs,
Types,
} from '../../model/schema/common.gen';
export type GetEndpointActionListRouteQuery = z.infer<typeof GetEndpointActionListRouteQuery>;
export const GetEndpointActionListRouteQuery = z.object({
agentIds: AgentIds.optional(),
agentTypes: AgentTypes.optional(),
commands: Commands.optional(),
page: Page.optional(),
/**
* Number of items per page
*/
pageSize: z.number().int().min(1).max(10000).optional().default(10),
startDate: StartDate.optional(),
endDate: EndDate.optional(),
userIds: UserIds.optional(),
types: Types.optional(),
withOutputs: WithOutputs.optional(),
});
export type GetEndpointActionListResponse = z.infer<typeof GetEndpointActionListResponse>;
export const GetEndpointActionListResponse = z.object({});
export type EndpointGetActionsListRequestQuery = z.infer<typeof EndpointGetActionsListRequestQuery>;
export const EndpointGetActionsListRequestQuery = z.object({
query: GetEndpointActionListRouteQuery,
page: Page.optional(),
pageSize: PageSize.optional(),
commands: Commands.optional(),
agentIds: AgentIds.optional(),
userIds: UserIds.optional(),
startDate: StartDate.optional(),
endDate: EndDate.optional(),
agentTypes: AgentTypes.optional(),
withOutputs: WithOutputs.optional(),
types: Types.optional(),
});
export type EndpointGetActionsListRequestQueryInput = z.input<
typeof EndpointGetActionsListRequestQuery
>;
export type EndpointGetActionsListResponse = z.infer<typeof EndpointGetActionsListResponse>;
export const EndpointGetActionsListResponse = SuccessResponse;
export const EndpointGetActionsListResponse = GetEndpointActionListResponse;


@ -11,44 +11,121 @@ paths:
x-codegen-enabled: true
x-labels: [ess, serverless]
parameters:
- name: query
- name: page
in: query
required: true
required: false
schema:
$ref: '#/components/schemas/GetEndpointActionListRouteQuery'
$ref: '../../model/schema/common.schema.yaml#/components/schemas/Page'
- name: pageSize
in: query
required: false
schema:
$ref: '../../model/schema/common.schema.yaml#/components/schemas/PageSize'
- name: commands
in: query
required: false
schema:
$ref: '../../model/schema/common.schema.yaml#/components/schemas/Commands'
- name: agentIds
in: query
required: false
schema:
$ref: '../../model/schema/common.schema.yaml#/components/schemas/AgentIds'
- name: userIds
in: query
required: false
schema:
$ref: '../../model/schema/common.schema.yaml#/components/schemas/UserIds'
- name: startDate
in: query
required: false
schema:
$ref: '../../model/schema/common.schema.yaml#/components/schemas/StartDate'
- name: endDate
in: query
required: false
schema:
$ref: '../../model/schema/common.schema.yaml#/components/schemas/EndDate'
- name: agentTypes
in: query
required: false
schema:
$ref: '../../model/schema/common.schema.yaml#/components/schemas/AgentTypes'
- name: withOutputs
in: query
required: false
schema:
$ref: '../../model/schema/common.schema.yaml#/components/schemas/WithOutputs'
- name: types
in: query
required: false
schema:
$ref: '../../model/schema/common.schema.yaml#/components/schemas/Types'
responses:
'200':
description: OK
content:
application/json:
schema:
$ref: '../../model/schema/common.schema.yaml#/components/schemas/SuccessResponse'
$ref: '#/components/schemas/GetEndpointActionListResponse'
components:
schemas:
GetEndpointActionListRouteQuery:
GetEndpointActionListResponse:
type: object
properties:
agentIds:
$ref: '../../model/schema/common.schema.yaml#/components/schemas/AgentIds'
agentTypes:
$ref: '../../model/schema/common.schema.yaml#/components/schemas/AgentTypes'
commands:
$ref: '../../model/schema/common.schema.yaml#/components/schemas/Commands'
page:
$ref: '../../model/schema/common.schema.yaml#/components/schemas/Page'
pageSize:
type: integer
default: 10
minimum: 1
maximum: 10000
description: Number of items per page
startDate:
$ref: '../../model/schema/common.schema.yaml#/components/schemas/StartDate'
endDate:
$ref: '../../model/schema/common.schema.yaml#/components/schemas/EndDate'
userIds:
$ref: '../../model/schema/common.schema.yaml#/components/schemas/UserIds'
types:
$ref: '../../model/schema/common.schema.yaml#/components/schemas/Types'
withOutputs:
$ref: '../../model/schema/common.schema.yaml#/components/schemas/WithOutputs'
properties: { }
example:
page: 1
pageSize: 10
total: 4
startDate: "now-24h/h"
endDate: "now"
elasticAgentIds:
- "afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0"
data:
- id: "b3d6de74-36b0-4fa8-be46-c375bf1771bf"
agents:
- "afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0"
command: "running-processes"
agentType: "endpoint"
startedAt: "2022-08-08T15:24:57.402Z"
isCompleted: true
completedAt: "2022-08-08T09:50:47.672Z"
wasSuccessful: true
isExpired: false
createdBy: "elastic"
- id: "43b4098b-8752-4fbb-a7a7-6df7c74d0ee3"
agents:
- "afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0"
command: "isolate"
agentType: "endpoint"
startedAt: "2022-08-08T15:23:37.359Z"
isCompleted: true
completedAt: "2022-08-08T10:41:57.352Z"
wasSuccessful: true
isExpired: false
createdBy: "elastic"
- id: "5bc92c86-b8e6-42dd-837f-12ad29e09caa"
agents:
- "afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0"
command: "kill-process"
agentType: "endpoint"
startedAt: "2022-08-08T14:38:44.125Z"
isCompleted: true
completedAt: "2022-08-08T09:44:50.952Z"
wasSuccessful: true
isExpired: false
createdBy: "elastic"
comment: "bad process - taking up too much cpu"
- id: "790d54e0-3aa3-4e5b-8255-3ce9d851246a"
agents:
- "afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0"
command: "unisolate"
agentType: "endpoint"
startedAt: "2022-08-08T14:38:15.391Z"
isCompleted: true
completedAt: "2022-08-08T09:40:47.398Z"
wasSuccessful: true
isExpired: false
createdBy: "elastic"
comment: "Not a threat to the network"
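Review bot: The `pageSize` query parameter at `- name: pageSize` now delegates to the shared `PageSize` schema, while the removed inline definition carried `minimum: 1` / `maximum: 10000` and the regenerated zod swaps `.min(1).max(10000)` for `PageSize.optional()`; unless `common.schema.yaml#/components/schemas/PageSize` (outside this hunk) carries the same `maximum`, the documented cap on page size is lost for an endpoint whose responses can include full action outputs via `withOutputs`, so I would confirm the bound survives before merging. The `agentTypes` parameter reuses `AgentTypes`, which in the bundled output appears as a single enum `string` described as "List of agent types to retrieve" — the description and the type disagree, so either make it an array schema or reword the description to say a single agent type. In the `GetEndpointActionListResponse` example every entry's `completedAt` precedes its `startedAt` (e.g. `startedAt: "2022-08-08T15:24:57.402Z"` with `completedAt: "2022-08-08T09:50:47.672Z"`); swapping each pair gives a consistent timeline.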


@ -16,12 +16,7 @@
import { z } from '@kbn/zod';
import {
SuccessResponse,
BaseActionSchema,
Command,
Timeout,
} from '../../../model/schema/common.gen';
import { BaseActionSchema, Command, Timeout } from '../../../model/schema/common.gen';
export type ExecuteRouteRequestBody = z.infer<typeof ExecuteRouteRequestBody>;
export const ExecuteRouteRequestBody = BaseActionSchema.merge(
@ -33,6 +28,9 @@ export const ExecuteRouteRequestBody = BaseActionSchema.merge(
})
);
export type ExecuteRouteResponse = z.infer<typeof ExecuteRouteResponse>;
export const ExecuteRouteResponse = z.object({});
export type EndpointExecuteActionRequestBody = z.infer<typeof EndpointExecuteActionRequestBody>;
export const EndpointExecuteActionRequestBody = ExecuteRouteRequestBody;
export type EndpointExecuteActionRequestBodyInput = z.input<
@ -40,4 +38,4 @@ export type EndpointExecuteActionRequestBodyInput = z.input<
>;
export type EndpointExecuteActionResponse = z.infer<typeof EndpointExecuteActionResponse>;
export const EndpointExecuteActionResponse = SuccessResponse;
export const EndpointExecuteActionResponse = ExecuteRouteResponse;


@ -22,11 +22,18 @@ paths:
content:
application/json:
schema:
$ref: '../../../model/schema/common.schema.yaml#/components/schemas/SuccessResponse'
$ref: '#/components/schemas/ExecuteRouteResponse'
components:
schemas:
ExecuteRouteRequestBody:
example:
parameters:
command: "ls -al"
timeout: 600
endpoint_ids:
- "b3d6de74-36b0-4fa8-be46-c375bf1771bf"
comment: "Get list of all files"
allOf:
- $ref: '../../../model/schema/common.schema.yaml#/components/schemas/BaseActionSchema'
- type: object
@ -42,3 +49,31 @@ components:
$ref: '../../../model/schema/common.schema.yaml#/components/schemas/Command'
timeout:
$ref: '../../../model/schema/common.schema.yaml#/components/schemas/Timeout'
ExecuteRouteResponse:
type: object
properties: { }
example:
data:
id: "9f934028-2300-4927-b531-b26376793dc4"
agents:
- "ed518850-681a-4d60-bb98-e22640cae2a8"
hosts:
ed518850-681a-4d60-bb98-e22640cae2a8:
name: "gke-endpoint-gke-clu-endpoint-node-po-e1a3ab89-4c4r"
agentType: "endpoint"
command: "execute"
startedAt: "2023-07-28T18:43:27.362Z"
isCompleted: false
wasSuccessful: false
isExpired: false
status: "pending"
outputs: { }
agentState:
ed518850-681a-4d60-bb98-e22640cae2a8:
isCompleted: false
wasSuccessful: false
createdBy: "myuser"
comment: "Get list of all files"
parameters:
command: "ls -al"
timeout: 600
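Review bot: `ExecuteRouteResponse` is declared as `type: object` with `properties: { }`, so the rich example beneath it (`data.id`, `agents`, `hosts`, `status`, `outputs`, `agentState`, …) has no schema behind it and none of those fields are documented or validated. The generated `ExecuteRouteResponse = z.object({})` in execute.gen.ts inherits this; if that zod schema is ever used to parse a real response, zod's default unknown-key stripping would reduce the body to `{}`, so the generated type is effectively untyped. The same empty-`properties` pattern is introduced for GetFileRouteResponse, IsolateRouteResponse, KillProcessRouteResponse, GetProcessesRouteResponse, ScanRouteResponse, SuspendProcessRouteResponse, UnisolateRouteResponse and UploadRouteResponse in the sibling schema files. At minimum, describe the stable top-level fields shown in every example (`data` with `id`, `agents`, `command`, `agentType`, `status`, `isCompleted`, `wasSuccessful`, `isExpired`, `startedAt`, `createdBy`), or add `description: "Action details; the body is currently left untyped on purpose"` so readers know the omission is deliberate.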


@ -16,7 +16,7 @@
import { z } from '@kbn/zod';
import { SuccessResponse, BaseActionSchema } from '../../../model/schema/common.gen';
import { BaseActionSchema } from '../../../model/schema/common.gen';
export type GetFileRouteRequestBody = z.infer<typeof GetFileRouteRequestBody>;
export const GetFileRouteRequestBody = BaseActionSchema.merge(
@ -27,6 +27,9 @@ export const GetFileRouteRequestBody = BaseActionSchema.merge(
})
);
export type GetFileRouteResponse = z.infer<typeof GetFileRouteResponse>;
export const GetFileRouteResponse = z.object({});
export type EndpointGetFileActionRequestBody = z.infer<typeof EndpointGetFileActionRequestBody>;
export const EndpointGetFileActionRequestBody = GetFileRouteRequestBody;
export type EndpointGetFileActionRequestBodyInput = z.input<
@ -34,4 +37,4 @@ export type EndpointGetFileActionRequestBodyInput = z.input<
>;
export type EndpointGetFileActionResponse = z.infer<typeof EndpointGetFileActionResponse>;
export const EndpointGetFileActionResponse = SuccessResponse;
export const EndpointGetFileActionResponse = GetFileRouteResponse;


@ -23,11 +23,17 @@ paths:
content:
application/json:
schema:
$ref: '../../../model/schema/common.schema.yaml#/components/schemas/SuccessResponse'
$ref: '#/components/schemas/GetFileRouteResponse'
components:
schemas:
GetFileRouteRequestBody:
example:
endpoint_ids:
- "ed518850-681a-4d60-bb98-e22640cae2a8"
parameters:
path: "/usr/my-file.txt"
comment: "Get my file"
allOf:
- $ref: '../../../model/schema/common.schema.yaml#/components/schemas/BaseActionSchema'
- type: object
@ -41,4 +47,31 @@ components:
properties:
path:
type: string
GetFileRouteResponse:
type: object
properties: { }
example:
data:
id: "27ba1b42-7cc6-4e53-86ce-675c876092b2"
agents:
- "ed518850-681a-4d60-bb98-e22640cae2a8"
hosts:
ed518850-681a-4d60-bb98-e22640cae2a8:
name: "gke-endpoint-gke-clu-endpoint-node-po-e1a3ab89-4c4r"
agentType: "endpoint"
command: "get-file"
startedAt: "2023-07-28T19:00:03.911Z"
isCompleted: false
wasSuccessful: false
isExpired: false
status: "pending"
outputs: { }
agentState:
ed518850-681a-4d60-bb98-e22640cae2a8:
isCompleted: false
wasSuccessful: false
createdBy: "myuser"
parameters:
path: "/usr/my-file.txt"
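Review bot: The `path` property under `GetFileRouteRequestBody.parameters` still has only `type: string`, while the equivalent property in the scan schema of this same PR received a `description` and `example`; the migration goal stated in the PR description (copy AsciiDoc descriptions into OpenAPI) is missed here. Suggest adding `description: "The file's full path (including the file name)."` and `example: "/usr/my-file.txt"` directly under `type: string`. The `properties:` block that contains `path` is opened by the `- type: object` entry in the previous hunk, so the enclosing schema starts outside this hunk.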


@ -14,18 +14,18 @@
* version: 2023-10-31
*/
import type { z } from '@kbn/zod';
import { z } from '@kbn/zod';
import { SuccessResponse, BaseActionSchema } from '../../../model/schema/common.gen';
import { BaseActionSchema } from '../../../model/schema/common.gen';
export type IsolateRouteRequestBody = z.infer<typeof IsolateRouteRequestBody>;
export const IsolateRouteRequestBody = BaseActionSchema;
export type IsolateRouteResponse = z.infer<typeof IsolateRouteResponse>;
export const IsolateRouteResponse = z.object({});
export type EndpointIsolateActionRequestBody = z.infer<typeof EndpointIsolateActionRequestBody>;
export const EndpointIsolateActionRequestBody = IsolateRouteRequestBody;
export const EndpointIsolateActionRequestBody = BaseActionSchema;
export type EndpointIsolateActionRequestBodyInput = z.input<
typeof EndpointIsolateActionRequestBody
>;
export type EndpointIsolateActionResponse = z.infer<typeof EndpointIsolateActionResponse>;
export const EndpointIsolateActionResponse = SuccessResponse;
export const EndpointIsolateActionResponse = IsolateRouteResponse;


@ -15,16 +15,62 @@ paths:
content:
application/json:
schema:
$ref: '#/components/schemas/IsolateRouteRequestBody'
$ref: '../../../model/schema/common.schema.yaml#/components/schemas/BaseActionSchema'
examples:
single_endpoint:
summary: "Isolates a single host with an endpoint_id value of ed518850-681a-4d60-bb98-e22640cae2a8"
value:
endpoint_ids:
- "ed518850-681a-4d60-bb98-e22640cae2a8"
multiple_endpoints:
summary: "Isolates several hosts; includes a comment"
value:
endpoint_ids:
- "9972d10e-4b9e-41aa-a534-a85e2a28ea42"
- "bc0e4f0c-3bca-4633-9fee-156c0b505d16"
- "fa89271b-b9d4-43f2-a684-307cffddeb5a"
comment: "Locked down, pending further investigation"
with_case_id:
summary: "Isolates a single host with a case_id value of 1234"
value:
endpoint_ids:
- "1aa1f8fd-0fb0-4fe4-8c30-92068272d3f0"
- "b30a11bf-1395-4707-b508-fbb45ef9793e"
case_ids:
- "4976be38-c134-4554-bd5e-0fd89ce63667"
comment: "Isolating as initial response"
responses:
'200':
description: OK
content:
application/json:
schema:
$ref: '../../../model/schema/common.schema.yaml#/components/schemas/SuccessResponse'
$ref: '#/components/schemas/IsolateRouteResponse'
components:
schemas:
IsolateRouteRequestBody:
$ref: '../../../model/schema/common.schema.yaml#/components/schemas/BaseActionSchema'
IsolateRouteResponse:
type: object
properties: { }
example:
action: "233db9ea-6733-4849-9226-5a7039c7161d"
data:
id: "233db9ea-6733-4849-9226-5a7039c7161d"
agents:
- "ed518850-681a-4d60-bb98-e22640cae2a8"
command: "suspend-process"
agentType: "endpoint"
isExpired: false
isCompleted: true
wasSuccessful: true
errors: [ ]
startedAt: "2022-07-29T19:08:49.126Z"
completedAt: "2022-07-29T19:09:44.961Z"
outputs:
ed518850-681a-4d60-bb98-e22640cae2a8:
type: "json"
content:
key: "value"
createdBy: "myuser"
comment: "suspend the process"
parameters:
entity_id: "abc123"
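Review bot: The `IsolateRouteResponse` example describes a different action than the endpoint it documents: it shows `command: "suspend-process"`, `comment: "suspend the process"` and `parameters: entity_id: "abc123"`, which appear to have been copied from the suspend-process schema. For an isolate response it should read `command: "isolate"` with a comment matching the request examples (e.g. `comment: "Locked down, pending further investigation"`) and no `parameters.entity_id`; the `UnisolateRouteResponse` example in unisolate.schema.yaml has the same copied `suspend-process` content and should say `command: "unisolate"`. The `with_case_id` request example is also internally inconsistent: its summary says "Isolates a single host with a case_id value of 1234" while the value lists two `endpoint_ids` and a UUID case id, so something like `summary: "Isolates two hosts and links the action to an existing case"` would match the payload. Finally, the top-level `action:` field appears only in the isolate and unisolate response examples — if it is a real field of the response it should be present (and documented) in the other response examples too, otherwise it should be dropped here; please confirm against the route implementation.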


@ -16,17 +16,27 @@
import { z } from '@kbn/zod';
import { SuccessResponse, BaseActionSchema, Pid, EntityId } from '../../../model/schema/common.gen';
import { BaseActionSchema } from '../../../model/schema/common.gen';
export type KillProcessRouteRequestBody = z.infer<typeof KillProcessRouteRequestBody>;
export const KillProcessRouteRequestBody = BaseActionSchema.merge(
z.object({
parameters: z.union([
Pid,
EntityId,
z.object({
/**
* Valid for SentinelOne agent type only
* The process ID (PID) of the process to terminate.
*/
pid: z.number().int().min(1).optional(),
}),
z.object({
/**
* The entity ID of the process to terminate.
*/
entity_id: z.string().min(1).optional(),
}),
z.object({
/**
* The name of the process to terminate. Valid for SentinelOne agent type only.
*/
process_name: z.string().min(1).optional(),
}),
@ -34,6 +44,9 @@ export const KillProcessRouteRequestBody = BaseActionSchema.merge(
})
);
export type KillProcessRouteResponse = z.infer<typeof KillProcessRouteResponse>;
export const KillProcessRouteResponse = z.object({});
export type EndpointKillProcessActionRequestBody = z.infer<
typeof EndpointKillProcessActionRequestBody
>;
@ -43,4 +56,4 @@ export type EndpointKillProcessActionRequestBodyInput = z.input<
>;
export type EndpointKillProcessActionResponse = z.infer<typeof EndpointKillProcessActionResponse>;
export const EndpointKillProcessActionResponse = SuccessResponse;
export const EndpointKillProcessActionResponse = KillProcessRouteResponse;


@ -22,11 +22,17 @@ paths:
content:
application/json:
schema:
$ref: '../../../model/schema/common.schema.yaml#/components/schemas/SuccessResponse'
$ref: '#/components/schemas/KillProcessRouteResponse'
components:
schemas:
KillProcessRouteRequestBody:
example:
endpoint_ids:
- "ed518850-681a-4d60-bb98-e22640cae2a8"
parameters:
entity_id: "abc123"
comment: "terminate the process"
allOf:
- $ref: '../../../model/schema/common.schema.yaml#/components/schemas/BaseActionSchema'
- type: object
@ -35,11 +41,49 @@ components:
properties:
parameters:
oneOf:
- $ref: "../../../model/schema/common.schema.yaml#/components/schemas/Pid"
- $ref: "../../../model/schema/common.schema.yaml#/components/schemas/EntityId"
- type: object
properties:
pid:
type: integer
description: "The process ID (PID) of the process to terminate."
example: 123
minimum: 1
- type: object
properties:
entity_id:
type: string
description: "The entity ID of the process to terminate."
example: "abc123"
minLength: 1
- type: object
properties:
process_name:
type: string
description: "The name of the process to terminate. Valid for SentinelOne agent type only."
example: "Elastic"
minLength: 1
description: Valid for SentinelOne agent type only
KillProcessRouteResponse:
type: object
properties: { }
example:
data:
id: "233db9ea-6733-4849-9226-5a7039c7161d"
agents:
- "ed518850-681a-4d60-bb98-e22640cae2a8"
command: "kill-process"
agentType: "endpoint"
isExpired: false
isCompleted: true
wasSuccessful: true
errors: [ ]
startedAt: "2022-07-29T19:08:49.126Z"
completedAt: "2022-07-29T19:09:44.961Z"
outputs:
ed518850-681a-4d60-bb98-e22640cae2a8:
type: "json"
content:
key: "value"
createdBy: "myuser"
comment: "terminate the process"
parameters:
entity_id: "abc123"
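Review bot: The `parameters.oneOf` under `KillProcessRouteRequestBody` cannot be satisfied by a strict validator: each of the three branches has a single *optional* property and no `additionalProperties: false`, so a valid body such as `{ "entity_id": "abc123" }` matches all three branches (pid and process_name are simply absent) and `oneOf` — which requires exactly one match — rejects it, while the empty object `{}` matches every branch. The generated `z.union([...])` in kill_process.gen.ts takes the first matching branch, so runtime behaviour and the published contract disagree. Either add `required: [pid]`, `required: [entity_id]` and `required: [process_name]` to the respective branches, or change `oneOf` to `anyOf`; the same construction is introduced for `SuspendProcessRouteRequestBody` in suspend_process.schema.yaml. Separately, the trailing `description: Valid for SentinelOne agent type only` at the end of the list has lost its indentation in this view, and the generated `pid` doc comment in kill_process.gen.ts now reads "Valid for SentinelOne agent type only / The process ID (PID) …", which suggests that description landed on a different node than intended — please confirm which property or branch it is meant to annotate.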


@ -14,13 +14,16 @@
* version: 2023-10-31
*/
import type { z } from '@kbn/zod';
import { z } from '@kbn/zod';
import { SuccessResponse, BaseActionSchema } from '../../../model/schema/common.gen';
import { BaseActionSchema } from '../../../model/schema/common.gen';
export type GetProcessesRouteRequestBody = z.infer<typeof GetProcessesRouteRequestBody>;
export const GetProcessesRouteRequestBody = BaseActionSchema;
export type GetProcessesRouteResponse = z.infer<typeof GetProcessesRouteResponse>;
export const GetProcessesRouteResponse = z.object({});
export type EndpointGetProcessesActionRequestBody = z.infer<
typeof EndpointGetProcessesActionRequestBody
>;
@ -30,4 +33,4 @@ export type EndpointGetProcessesActionRequestBodyInput = z.input<
>;
export type EndpointGetProcessesActionResponse = z.infer<typeof EndpointGetProcessesActionResponse>;
export const EndpointGetProcessesActionResponse = SuccessResponse;
export const EndpointGetProcessesActionResponse = GetProcessesRouteResponse;


@ -22,10 +22,37 @@ paths:
content:
application/json:
schema:
$ref: '../../../model/schema/common.schema.yaml#/components/schemas/SuccessResponse'
$ref: '#/components/schemas/GetProcessesRouteResponse'
components:
schemas:
GetProcessesRouteRequestBody:
example:
endpoint_ids:
- "ed518850-681a-4d60-bb98-e22640cae2a8"
allOf:
- $ref: '../../../model/schema/common.schema.yaml#/components/schemas/BaseActionSchema'
GetProcessesRouteResponse:
type: object
properties: { }
example:
data:
id: "233db9ea-6733-4849-9226-5a7039c7161d"
agents:
- "ed518850-681a-4d60-bb98-e22640cae2a8"
command: "running-processes"
agentType: "endpoint"
isExpired: false
isCompleted: true
wasSuccessful: true
errors: [ ]
startedAt: "2022-07-29T19:08:49.126Z"
completedAt: "2022-07-29T19:09:44.961Z"
outputs:
ed518850-681a-4d60-bb98-e22640cae2a8:
type: "json"
content:
key: "value"
createdBy: "myuser"
comment: ""
parameters: { }


@ -16,20 +16,26 @@
import { z } from '@kbn/zod';
import { SuccessResponse, BaseActionSchema } from '../../../model/schema/common.gen';
import { BaseActionSchema } from '../../../model/schema/common.gen';
export type ScanRouteRequestBody = z.infer<typeof ScanRouteRequestBody>;
export const ScanRouteRequestBody = BaseActionSchema.merge(
z.object({
parameters: z.object({
/**
* The folder or files full path (including the file name).
*/
path: z.string(),
}),
})
);
export type ScanRouteResponse = z.infer<typeof ScanRouteResponse>;
export const ScanRouteResponse = z.object({});
export type EndpointScanActionRequestBody = z.infer<typeof EndpointScanActionRequestBody>;
export const EndpointScanActionRequestBody = ScanRouteRequestBody;
export type EndpointScanActionRequestBodyInput = z.input<typeof EndpointScanActionRequestBody>;
export type EndpointScanActionResponse = z.infer<typeof EndpointScanActionResponse>;
export const EndpointScanActionResponse = SuccessResponse;
export const EndpointScanActionResponse = ScanRouteResponse;


@ -22,11 +22,16 @@ paths:
content:
application/json:
schema:
$ref: '../../../model/schema/common.schema.yaml#/components/schemas/SuccessResponse'
$ref: '#/components/schemas/ScanRouteResponse'
components:
schemas:
ScanRouteRequestBody:
example:
endpoint_ids:
- "ed518850-681a-4d60-bb98-e22640cae2a8"
parameters:
path: "/usr/my-file.txt"
comment: "Scan the file for malware"
allOf:
- $ref: '../../../model/schema/common.schema.yaml#/components/schemas/BaseActionSchema'
- type: object
@ -40,4 +45,34 @@ components:
properties:
path:
type: string
description: "The folder or files full path (including the file name)."
example: "/usr/my-file.txt"
ScanRouteResponse:
type: object
properties: { }
example:
data:
id: "27ba1b42-7cc6-4e53-86ce-675c876092b2"
agents:
- "ed518850-681a-4d60-bb98-e22640cae2a8"
hosts:
ed518850-681a-4d60-bb98-e22640cae2a8:
name: "gke-endpoint-gke-clu-endpoint-node-po-e1a3ab89-4c4r"
agentType: "endpoint"
command: "scan"
startedAt: "2023-07-28T19:00:03.911Z"
isCompleted: false
wasSuccessful: false
isExpired: false
status: "pending"
outputs: { }
agentState:
ed518850-681a-4d60-bb98-e22640cae2a8:
isCompleted: false
wasSuccessful: false
createdBy: "myuser"
parameters:
path: "/usr/my-file.txt"
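Review bot: The new `path` description under `ScanRouteRequestBody.parameters` has a grammatical slip: "The folder or files full path (including the file name)." should read `description: "The folder's or file's full path (including the file name)."`, and the same wording is used in the generated doc comment in scan.gen.ts. The `ScanRouteResponse` example also reuses the exact `id` and `startedAt` values of the get-file example in this PR; that is harmless for documentation, but a distinct id would avoid readers assuming the two actions are related.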


@ -16,15 +16,31 @@
import { z } from '@kbn/zod';
import { SuccessResponse, BaseActionSchema, Pid, EntityId } from '../../../model/schema/common.gen';
import { BaseActionSchema } from '../../../model/schema/common.gen';
export type SuspendProcessRouteRequestBody = z.infer<typeof SuspendProcessRouteRequestBody>;
export const SuspendProcessRouteRequestBody = BaseActionSchema.merge(
z.object({
parameters: z.union([Pid, EntityId]),
parameters: z.union([
z.object({
/**
* The process ID (PID) of the process to suspend.
*/
pid: z.number().int().min(1).optional(),
}),
z.object({
/**
* The entity ID of the process to suspend.
*/
entity_id: z.string().min(1).optional(),
}),
]),
})
);
export type SuspendProcessRouteResponse = z.infer<typeof SuspendProcessRouteResponse>;
export const SuspendProcessRouteResponse = z.object({});
export type EndpointSuspendProcessActionRequestBody = z.infer<
typeof EndpointSuspendProcessActionRequestBody
>;
@ -36,4 +52,4 @@ export type EndpointSuspendProcessActionRequestBodyInput = z.input<
export type EndpointSuspendProcessActionResponse = z.infer<
typeof EndpointSuspendProcessActionResponse
>;
export const EndpointSuspendProcessActionResponse = SuccessResponse;
export const EndpointSuspendProcessActionResponse = SuspendProcessRouteResponse;


@ -22,11 +22,17 @@ paths:
content:
application/json:
schema:
$ref: '../../../model/schema/common.schema.yaml#/components/schemas/SuccessResponse'
$ref: '#/components/schemas/SuspendProcessRouteResponse'
components:
schemas:
SuspendProcessRouteRequestBody:
example:
endpoint_ids:
- "ed518850-681a-4d60-bb98-e22640cae2a8"
parameters:
entity_id: "abc123"
comment: "suspend the process"
allOf:
- $ref: '../../../model/schema/common.schema.yaml#/components/schemas/BaseActionSchema'
- type: object
@ -35,5 +41,42 @@ components:
properties:
parameters:
oneOf:
- $ref: "../../../model/schema/common.schema.yaml#/components/schemas/Pid"
- $ref: "../../../model/schema/common.schema.yaml#/components/schemas/EntityId"
- type: object
properties:
pid:
type: integer
description: "The process ID (PID) of the process to suspend."
example: 123
minimum: 1
- type: object
properties:
entity_id:
type: string
description: "The entity ID of the process to suspend."
example: "abc123"
minLength: 1
SuspendProcessRouteResponse:
type: object
properties: { }
example:
data:
id: "233db9ea-6733-4849-9226-5a7039c7161d"
agents:
- "ed518850-681a-4d60-bb98-e22640cae2a8"
command: "suspend-process"
agentType: "endpoint"
isExpired: false
isCompleted: true
wasSuccessful: true
errors: [ ]
startedAt: "2022-07-29T19:08:49.126Z"
completedAt: "2022-07-29T19:09:44.961Z"
outputs:
ed518850-681a-4d60-bb98-e22640cae2a8:
type: "json"
content:
key: "value"
createdBy: "myuser"
comment: "suspend the process"
parameters:
entity_id: "abc123"


@ -14,18 +14,18 @@
* version: 2023-10-31
*/
import type { z } from '@kbn/zod';
import { z } from '@kbn/zod';
import { SuccessResponse, BaseActionSchema } from '../../../model/schema/common.gen';
import { BaseActionSchema } from '../../../model/schema/common.gen';
export type UnisolateRouteRequestBody = z.infer<typeof UnisolateRouteRequestBody>;
export const UnisolateRouteRequestBody = BaseActionSchema;
export type UnisolateRouteResponse = z.infer<typeof UnisolateRouteResponse>;
export const UnisolateRouteResponse = z.object({});
export type EndpointUnisolateActionRequestBody = z.infer<typeof EndpointUnisolateActionRequestBody>;
export const EndpointUnisolateActionRequestBody = UnisolateRouteRequestBody;
export const EndpointUnisolateActionRequestBody = BaseActionSchema;
export type EndpointUnisolateActionRequestBodyInput = z.input<
typeof EndpointUnisolateActionRequestBody
>;
export type EndpointUnisolateActionResponse = z.infer<typeof EndpointUnisolateActionResponse>;
export const EndpointUnisolateActionResponse = SuccessResponse;
export const EndpointUnisolateActionResponse = UnisolateRouteResponse;


@ -14,17 +14,63 @@ paths:
required: true
content:
application/json:
examples:
singleHost:
summary: "Releases a single host with an endpoint_id value of ed518850-681a-4d60-bb98-e22640cae2a8"
value:
endpoint_ids:
- "ed518850-681a-4d60-bb98-e22640cae2a8"
multipleHosts:
summary: "Releases several hosts; includes a comment:"
value:
endpoint_ids:
- "9972d10e-4b9e-41aa-a534-a85e2a28ea42"
- "bc0e4f0c-3bca-4633-9fee-156c0b505d16"
- "fa89271b-b9d4-43f2-a684-307cffddeb5a"
comment: "Benign process identified, releasing group"
withCaseId:
summary: "Releases hosts with an associated case; includes a comment."
value:
endpoint_ids:
- "1aa1f8fd-0fb0-4fe4-8c30-92068272d3f0"
- "b30a11bf-1395-4707-b508-fbb45ef9793e"
case_ids:
- "4976be38-c134-4554-bd5e-0fd89ce63667"
comment: "Remediation complete, restoring network"
schema:
$ref: '#/components/schemas/UnisolateRouteRequestBody'
$ref: '../../../model/schema/common.schema.yaml#/components/schemas/BaseActionSchema'
responses:
'200':
description: OK
content:
application/json:
schema:
$ref: '../../../model/schema/common.schema.yaml#/components/schemas/SuccessResponse'
$ref: '#/components/schemas/UnisolateRouteResponse'
components:
schemas:
UnisolateRouteRequestBody:
$ref: '../../../model/schema/common.schema.yaml#/components/schemas/BaseActionSchema'
UnisolateRouteResponse:
type: object
properties: {}
example:
action: "233db9ea-6733-4849-9226-5a7039c7161d"
data:
id: "233db9ea-6733-4849-9226-5a7039c7161d"
agents:
- "ed518850-681a-4d60-bb98-e22640cae2a8"
command: "suspend-process"
agentType: "endpoint"
isExpired: false
isCompleted: true
wasSuccessful: true
errors: [ ]
startedAt: "2022-07-29T19:08:49.126Z"
completedAt: "2022-07-29T19:09:44.961Z"
outputs:
ed518850-681a-4d60-bb98-e22640cae2a8:
type: "json"
content:
key: "value"
createdBy: "myuser"
comment: "suspend the process"
parameters:
entity_id: "abc123"


@ -16,21 +16,26 @@
import { z } from '@kbn/zod';
import { SuccessResponse, BaseActionSchema } from '../../../model/schema/common.gen';
import { BaseActionSchema } from '../../../model/schema/common.gen';
export type UploadRouteRequestBody = z.infer<typeof UploadRouteRequestBody>;
export const UploadRouteRequestBody = BaseActionSchema.merge(
z.object({
parameters: z.object({
/**
* Overwrite the file on the host if it already exists.
*/
overwrite: z.boolean().optional().default(false),
}),
/**
* The binary content of the file.
*/
file: z.string(),
})
);
export type EndpointUploadActionRequestBody = z.infer<typeof EndpointUploadActionRequestBody>;
export const EndpointUploadActionRequestBody = UploadRouteRequestBody;
export type EndpointUploadActionRequestBodyInput = z.input<typeof EndpointUploadActionRequestBody>;
export type UploadRouteResponse = z.infer<typeof UploadRouteResponse>;
export const UploadRouteResponse = z.object({});
export type EndpointUploadActionResponse = z.infer<typeof EndpointUploadActionResponse>;
export const EndpointUploadActionResponse = SuccessResponse;
export const EndpointUploadActionResponse = UploadRouteResponse;


@ -13,7 +13,7 @@ paths:
requestBody:
required: true
content:
application/json:
multipart/form-data:
schema:
$ref: '#/components/schemas/UploadRouteRequestBody'
responses:
@ -22,11 +22,16 @@ paths:
content:
application/json:
schema:
$ref: '../../../model/schema/common.schema.yaml#/components/schemas/SuccessResponse'
$ref: '#/components/schemas/UploadRouteResponse'
components:
schemas:
UploadRouteRequestBody:
example:
endpoint_ids:
- "ed518850-681a-4d60-bb98-e22640cae2a8"
file: "RWxhc3RpYw=="
parameters: { }
allOf:
- $ref: '../../../model/schema/common.schema.yaml#/components/schemas/BaseActionSchema'
- type: object
@ -39,8 +44,41 @@ components:
properties:
overwrite:
type: boolean
description: "Overwrite the file on the host if it already exists."
example: false
default: false
# File extends Blob - any binary data will be base-64 encoded
file:
type: string
description: "The binary content of the file."
example: "RWxhc3RpYw=="
format: binary
UploadRouteResponse:
type: object
properties: { }
example:
data:
id: "9ff6aebc-2cb6-481e-8869-9b30036c9731"
agents:
- "ed518850-681a-4d60-bb98-e22640cae2a8"
hosts:
ed518850-681a-4d60-bb98-e22640cae2a8:
name: "Host-5i6cuc8kdv"
command: "upload"
agentType: "endpoint"
startedAt: "2023-07-03T15:07:22.837Z"
isCompleted: false
wasSuccessful: false
isExpired: false
status: "pending"
outputs: { }
agentState:
ed518850-681a-4d60-bb98-e22640cae2a8:
isCompleted: false
wasSuccessful: false
createdBy: "elastic"
parameters:
file_name: "fix-malware.sh"
file_id: "10e4ce3d-4abb-4f93-a0cd-eaf63a489280"
file_sha256: "a0bed94220193ba4895c0aa5b4e7e293381d15765cb164ddf7be5cdd010ae42a"
file_size: 69
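Review bot: The `file` property is declared `type: string` / `format: binary`, yet its `example` is the base64 string `"RWxhc3RpYw=="` and the comment above it says "any binary data will be base-64 encoded"; in OpenAPI, `binary` denotes raw octets (what a `multipart/form-data` part carries) while `byte` denotes base64-encoded text, so the example and comment contradict the declared format. Pick one: keep `format: binary` and replace the example with a note such as `description: "The binary content of the file (raw bytes in the multipart part)."`, or switch to `format: byte` if the API really expects base64. The generated `file: z.string()` in upload.gen.ts would not validate a raw multipart part either, so the server-side validation path for this route is presumably separate — worth confirming. The request-body example also shows `parameters: { }` with no `overwrite`; since `overwrite` now has `default: false`, an example that shows `overwrite: false` explicitly would better illustrate the documented default.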


@ -37,13 +37,13 @@ export type PageSize = z.infer<typeof PageSize>;
export const PageSize = z.number().int().min(1).max(100).default(10);
/**
* Start date
* A start date in ISO 8601 format or Date Math format.
*/
export type StartDate = z.infer<typeof StartDate>;
export const StartDate = z.string();
/**
* End date
* An end date in ISO format or Date Math format.
*/
export type EndDate = z.infer<typeof EndDate>;
export const EndDate = z.string();
@ -94,6 +94,9 @@ export const SortField = z.enum([
export type SortFieldEnum = typeof SortField.enum;
export const SortFieldEnum = SortField.enum;
/**
* A list of agent IDs. Max of 50.
*/
export type AgentIds = z.infer<typeof AgentIds>;
export const AgentIds = z.union([z.array(z.string().min(1)).min(1).max(50), z.string().min(1)]);
@ -115,6 +118,9 @@ export const Command = z.enum([
export type CommandEnum = typeof Command.enum;
export const CommandEnum = Command.enum;
/**
* A list of response action command names.
*/
export type Commands = z.infer<typeof Commands>;
export const Commands = z.array(Command);
@ -133,13 +139,13 @@ export type Statuses = z.infer<typeof Statuses>;
export const Statuses = z.array(Status);
/**
* User IDs
* A list of user IDs.
*/
export type UserIds = z.infer<typeof UserIds>;
export const UserIds = z.union([z.array(z.string().min(1)).min(1), z.string().min(1)]);
/**
* Shows detailed outputs for an action response
* A list of action IDs that should include the complete output of the action.
*/
export type WithOutputs = z.infer<typeof WithOutputs>;
export const WithOutputs = z.union([z.array(z.string().min(1)).min(1), z.string().min(1)]);
@ -183,7 +189,7 @@ export type Parameters = z.infer<typeof Parameters>;
export const Parameters = z.object({});
/**
* The host agent type (optional). Defaults to endpoint.
* List of agent types to retrieve. Defaults to `endpoint`.
*/
export type AgentTypes = z.infer<typeof AgentTypes>;
export const AgentTypes = z.enum([
@ -210,16 +216,6 @@ export const NoParametersRequestSchema = z.object({
body: BaseActionSchema,
});
export type Pid = z.infer<typeof Pid>;
export const Pid = z.object({
pid: z.number().int().min(1).optional(),
});
export type EntityId = z.infer<typeof EntityId>;
export const EntityId = z.object({
entity_id: z.string().min(1).optional(),
});
export type ProtectionUpdatesNoteResponse = z.infer<typeof ProtectionUpdatesNoteResponse>;
export const ProtectionUpdatesNoteResponse = z.object({
note: z.string().optional(),


@ -25,10 +25,12 @@ components:
example: 10
StartDate:
type: string
description: Start date
description: A start date in ISO 8601 format or Date Math format.
example: "2023-10-31T00:00:00.000Z"
EndDate:
type: string
description: End date
description: An end date in ISO format or Date Math format.
example: "2023-10-31T23:59:59.999Z"
AgentId:
type: string
description: Agent ID
@ -80,6 +82,8 @@ components:
maxItems: 50
- type: string
minLength: 1
description: A list of agent IDs. Max of 50.
example: [ "agent-id-1", "agent-id-2" ]
minLength: 1
Command:
@ -99,6 +103,8 @@ components:
Commands:
type: array
description: A list of response action command names.
example: [ "isolate", "unisolate" ]
items:
$ref: '#/components/schemas/Command'
@ -130,7 +136,8 @@ components:
minItems: 1
- type: string
minLength: 1
description: User IDs
description: A list of user IDs.
example: [ "user-id-1", "user-id-2" ]
WithOutputs:
oneOf:
@ -141,7 +148,8 @@ components:
minItems: 1
- type: string
minLength: 1
description: Shows detailed outputs for an action response
description: A list of action IDs that should include the complete output of the action.
example: [ "action-id-1", "action-id-2" ]
Type:
type: string
@ -153,6 +161,7 @@ components:
Types:
type: array
description: List of types of response actions
example: [ "automated", "manual" ]
items:
$ref: '#/components/schemas/Type'
minLength: 1
@ -160,27 +169,35 @@ components:
EndpointIds:
type: array
description: List of endpoint IDs (cannot contain empty strings)
example: [ "endpoint-id-1", "endpoint-id-2" ]
items:
type: string
minLength: 1
minItems: 1
description: List of endpoint IDs (cannot contain empty strings)
CaseIds:
type: array
description: Case IDs to be updated (cannot contain empty strings)
example: [ "case-id-1", "case-id-2" ]
items:
type: string
minLength: 1
minItems: 1
description: Case IDs to be updated (cannot contain empty strings)
Comment:
type: string
description: Optional comment
example: "This is a comment"
Parameters:
type: object
description: Optional parameters object
AgentTypes:
type: string
description: The host agent type (optional). Defaults to endpoint.
description: List of agent types to retrieve. Defaults to `endpoint`.
example: endpoint
enum:
- endpoint
- sentinel_one
@ -214,20 +231,6 @@ components:
body:
$ref: '#/components/schemas/BaseActionSchema'
Pid:
type: object
properties:
pid:
type: integer
minimum: 1
EntityId:
type: object
properties:
entity_id:
type: string
minLength: 1
ProtectionUpdatesNoteResponse:
type: object
properties:
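Review bot: Two keyword placements in this file appear to be pre-existing rather than introduced here, but they sit directly beside the new lines and are worth fixing in the same pass: `Types` is `type: array` yet ends with `minLength: 1`, which is a string keyword and has no effect on arrays (it should be `minItems: 1`), and `AgentIds` has a `minLength: 1` at the `oneOf` level after the new `example`, where it applies to nothing. The new date descriptions are also slightly inconsistent — `StartDate` says "ISO 8601 format" while `EndDate` says "ISO format"; suggest `description: An end date in ISO 8601 format or Date Math format.` for `EndDate`. Please verify the indentation of those `minLength` lines in the real file, since this view does not preserve it.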


@ -188,10 +188,7 @@ import type {
EndpointUnisolateActionRequestBodyInput,
EndpointUnisolateActionResponse,
} from './endpoint/actions/response_actions/unisolate/unisolate.gen';
import type {
EndpointUploadActionRequestBodyInput,
EndpointUploadActionResponse,
} from './endpoint/actions/response_actions/upload/upload.gen';
import type { EndpointUploadActionResponse } from './endpoint/actions/response_actions/upload/upload.gen';
import type { EndpointGetActionsStateResponse } from './endpoint/actions/state/state.gen';
import type {
EndpointGetActionsStatusRequestQueryInput,
@ -1182,7 +1179,7 @@ If a record already exists for the specified entity, that record is overwritten
[ELASTIC_HTTP_VERSION_HEADER]: '2023-10-31',
},
method: 'POST',
body: props.body,
body: props.attachment,
})
.catch(catchAxiosErrorFormatAndThrow);
}
@ -2509,7 +2506,7 @@ export interface EndpointUnisolateRedirectProps {
body: EndpointUnisolateRedirectRequestBodyInput;
}
export interface EndpointUploadActionProps {
body: EndpointUploadActionRequestBodyInput;
attachment: FormData;
}
export interface ExportRulesProps {
query: ExportRulesRequestQueryInput;
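Review bot: Renaming `EndpointUploadActionProps.body` to `attachment: FormData` is a breaking change for any existing caller that builds the props object with `body`, and nothing in the hunk mentions it; if this client is generated from the schema, the change is fine, but the backport should make sure no 8.x caller still passes `body`. Because the request now sends `body: props.attachment` as `FormData`, the enclosing request function (which starts outside this hunk) must not set a fixed `Content-Type: application/json` header — the multipart boundary has to be supplied by the HTTP layer — so confirm whatever sets the content type for this call lets the `FormData` content type through. A short comment above the interface field, `// multipart/form-data body; do not set Content-Type manually`, would document that constraint for consumers.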


@ -17,16 +17,61 @@ paths:
operationId: EndpointGetActionsList
parameters:
- in: query
name: query
required: true
name: page
required: false
schema:
$ref: '#/components/schemas/GetEndpointActionListRouteQuery'
$ref: '#/components/schemas/Page'
- in: query
name: pageSize
required: false
schema:
$ref: '#/components/schemas/PageSize'
- in: query
name: commands
required: false
schema:
$ref: '#/components/schemas/Commands'
- in: query
name: agentIds
required: false
schema:
$ref: '#/components/schemas/AgentIds'
- in: query
name: userIds
required: false
schema:
$ref: '#/components/schemas/UserIds'
- in: query
name: startDate
required: false
schema:
$ref: '#/components/schemas/StartDate'
- in: query
name: endDate
required: false
schema:
$ref: '#/components/schemas/EndDate'
- in: query
name: agentTypes
required: false
schema:
$ref: '#/components/schemas/AgentTypes'
- in: query
name: withOutputs
required: false
schema:
$ref: '#/components/schemas/WithOutputs'
- in: query
name: types
required: false
schema:
$ref: '#/components/schemas/Types'
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/SuccessResponse'
$ref: '#/components/schemas/GetEndpointActionListResponse'
description: OK
summary: Get response actions
tags:
@ -89,13 +134,15 @@ paths:
name: action_id
required: true
schema:
description: The ID of the action to retrieve.
example: fr518850-681a-4y60-aa98-e22640cae2b8
type: string
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/SuccessResponse'
$ref: '#/components/schemas/GetEndpointActionResponse'
description: OK
summary: Get action details
tags:
@ -165,7 +212,7 @@ paths:
content:
application/json:
schema:
$ref: '#/components/schemas/SuccessResponse'
$ref: '#/components/schemas/ExecuteRouteResponse'
description: OK
summary: Run a command
tags:
@ -185,7 +232,7 @@ paths:
content:
application/json:
schema:
$ref: '#/components/schemas/SuccessResponse'
$ref: '#/components/schemas/GetFileRouteResponse'
description: OK
summary: Get a file
tags:
@ -199,15 +246,55 @@ paths:
requestBody:
content:
application/json:
examples:
multiple_endpoints:
summary: Isolates several hosts; includes a comment
value:
comment: 'Locked down, pending further investigation'
endpoint_ids:
- 9972d10e-4b9e-41aa-a534-a85e2a28ea42
- bc0e4f0c-3bca-4633-9fee-156c0b505d16
- fa89271b-b9d4-43f2-a684-307cffddeb5a
single_endpoint:
summary: >-
Isolates a single host with an endpoint_id value of
ed518850-681a-4d60-bb98-e22640cae2a8
value:
endpoint_ids:
- ed518850-681a-4d60-bb98-e22640cae2a8
with_case_id:
summary: Isolates a single host with a case_id value of 1234
value:
case_ids:
- 4976be38-c134-4554-bd5e-0fd89ce63667
comment: Isolating as initial response
endpoint_ids:
- 1aa1f8fd-0fb0-4fe4-8c30-92068272d3f0
- b30a11bf-1395-4707-b508-fbb45ef9793e
schema:
$ref: '#/components/schemas/IsolateRouteRequestBody'
type: object
properties:
agent_type:
$ref: '#/components/schemas/AgentTypes'
alert_ids:
$ref: '#/components/schemas/AlertIds'
case_ids:
$ref: '#/components/schemas/CaseIds'
comment:
$ref: '#/components/schemas/Comment'
endpoint_ids:
$ref: '#/components/schemas/EndpointIds'
parameters:
$ref: '#/components/schemas/Parameters'
required:
- endpoint_ids
required: true
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/SuccessResponse'
$ref: '#/components/schemas/IsolateRouteResponse'
description: OK
summary: Isolate an endpoint
tags:
@ -227,7 +314,7 @@ paths:
content:
application/json:
schema:
$ref: '#/components/schemas/SuccessResponse'
$ref: '#/components/schemas/KillProcessRouteResponse'
description: OK
summary: Terminate a process
tags:
@ -247,7 +334,7 @@ paths:
content:
application/json:
schema:
$ref: '#/components/schemas/SuccessResponse'
$ref: '#/components/schemas/GetProcessesRouteResponse'
description: OK
summary: Get running processes
tags:
@ -287,7 +374,7 @@ paths:
content:
application/json:
schema:
$ref: '#/components/schemas/SuccessResponse'
$ref: '#/components/schemas/ScanRouteResponse'
description: OK
summary: Scan a file or directory
tags:
@ -323,7 +410,7 @@ paths:
content:
application/json:
schema:
$ref: '#/components/schemas/SuccessResponse'
$ref: '#/components/schemas/SuspendProcessRouteResponse'
description: OK
summary: Suspend a process
tags:
@ -335,15 +422,55 @@ paths:
requestBody:
content:
application/json:
examples:
multipleHosts:
summary: 'Releases several hosts; includes a comment:'
value:
comment: 'Benign process identified, releasing group'
endpoint_ids:
- 9972d10e-4b9e-41aa-a534-a85e2a28ea42
- bc0e4f0c-3bca-4633-9fee-156c0b505d16
- fa89271b-b9d4-43f2-a684-307cffddeb5a
singleHost:
summary: >-
Releases a single host with an endpoint_id value of
ed518850-681a-4d60-bb98-e22640cae2a8
value:
endpoint_ids:
- ed518850-681a-4d60-bb98-e22640cae2a8
withCaseId:
summary: Releases hosts with an associated case; includes a comment.
value:
case_ids:
- 4976be38-c134-4554-bd5e-0fd89ce63667
comment: 'Remediation complete, restoring network'
endpoint_ids:
- 1aa1f8fd-0fb0-4fe4-8c30-92068272d3f0
- b30a11bf-1395-4707-b508-fbb45ef9793e
schema:
$ref: '#/components/schemas/UnisolateRouteRequestBody'
type: object
properties:
agent_type:
$ref: '#/components/schemas/AgentTypes'
alert_ids:
$ref: '#/components/schemas/AlertIds'
case_ids:
$ref: '#/components/schemas/CaseIds'
comment:
$ref: '#/components/schemas/Comment'
endpoint_ids:
$ref: '#/components/schemas/EndpointIds'
parameters:
$ref: '#/components/schemas/Parameters'
required:
- endpoint_ids
required: true
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/SuccessResponse'
$ref: '#/components/schemas/UnisolateRouteResponse'
description: OK
summary: Release an isolated endpoint
tags:
@ -354,7 +481,7 @@ paths:
operationId: EndpointUploadAction
requestBody:
content:
application/json:
multipart/form-data:
schema:
$ref: '#/components/schemas/UploadRouteRequestBody'
required: true
@ -363,7 +490,7 @@ paths:
content:
application/json:
schema:
$ref: '#/components/schemas/SuccessResponse'
$ref: '#/components/schemas/UploadRouteResponse'
description: OK
summary: Upload a file
tags:
@ -729,6 +856,10 @@ components:
description: Agent ID
type: string
AgentIds:
description: A list of agent IDs. Max of 50.
example:
- agent-id-1
- agent-id-2
minLength: 1
oneOf:
- items:
@ -740,12 +871,13 @@ components:
- minLength: 1
type: string
AgentTypes:
description: The host agent type (optional). Defaults to endpoint.
description: List of agent types to retrieve. Defaults to `endpoint`.
enum:
- endpoint
- sentinel_one
- crowdstrike
- microsoft_defender_endpoint
example: endpoint
type: string
AlertIds:
description: A list of alerts ids.
@ -755,6 +887,9 @@ components:
type: array
CaseIds:
description: Case IDs to be updated (cannot contain empty strings)
example:
- case-id-1
- case-id-2
items:
minLength: 1
type: string
@ -792,17 +927,26 @@ components:
minLength: 1
type: string
Commands:
description: A list of response action command names.
example:
- isolate
- unisolate
items:
$ref: '#/components/schemas/Command'
type: array
Comment:
description: Optional comment
example: This is a comment
type: string
EndDate:
description: End date
description: An end date in ISO format or Date Math format.
example: '2023-10-31T23:59:59.999Z'
type: string
EndpointIds:
description: List of endpoint IDs (cannot contain empty strings)
example:
- endpoint-id-1
- endpoint-id-2
items:
minLength: 1
type: string
@ -896,12 +1040,6 @@ components:
revision: 2
type: object
properties: {}
EntityId:
type: object
properties:
entity_id:
minLength: 1
type: string
ExecuteRouteRequestBody:
allOf:
- type: object
@ -933,33 +1071,128 @@ components:
- command
required:
- parameters
GetEndpointActionListRouteQuery:
example:
comment: Get list of all files
endpoint_ids:
- b3d6de74-36b0-4fa8-be46-c375bf1771bf
parameters:
command: ls -al
timeout: 600
ExecuteRouteResponse:
example:
data:
agents:
- ed518850-681a-4d60-bb98-e22640cae2a8
agentState:
ed518850-681a-4d60-bb98-e22640cae2a8:
isCompleted: false
wasSuccessful: false
agentType: endpoint
command: execute
comment: Get list of all files
createdBy: myuser
hosts:
ed518850-681a-4d60-bb98-e22640cae2a8:
name: gke-endpoint-gke-clu-endpoint-node-po-e1a3ab89-4c4r
id: 9f934028-2300-4927-b531-b26376793dc4
isCompleted: false
isExpired: false
outputs: {}
parameters:
command: ls -al
timeout: 600
startedAt: '2023-07-28T18:43:27.362Z'
status: pending
wasSuccessful: false
type: object
properties:
agentIds:
$ref: '#/components/schemas/AgentIds'
agentTypes:
$ref: '#/components/schemas/AgentTypes'
commands:
$ref: '#/components/schemas/Commands'
endDate:
$ref: '#/components/schemas/EndDate'
page:
$ref: '#/components/schemas/Page'
pageSize:
default: 10
description: Number of items per page
maximum: 10000
minimum: 1
type: integer
startDate:
$ref: '#/components/schemas/StartDate'
types:
$ref: '#/components/schemas/Types'
userIds:
$ref: '#/components/schemas/UserIds'
withOutputs:
$ref: '#/components/schemas/WithOutputs'
properties: {}
GetEndpointActionListResponse:
example:
data:
- agents:
- afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0
agentType: endpoint
command: running-processes
completedAt: '2022-08-08T09:50:47.672Z'
createdBy: elastic
id: b3d6de74-36b0-4fa8-be46-c375bf1771bf
isCompleted: true
isExpired: false
startedAt: '2022-08-08T15:24:57.402Z'
wasSuccessful: true
- agents:
- afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0
agentType: endpoint
command: isolate
completedAt: '2022-08-08T10:41:57.352Z'
createdBy: elastic
id: 43b4098b-8752-4fbb-a7a7-6df7c74d0ee3
isCompleted: true
isExpired: false
startedAt: '2022-08-08T15:23:37.359Z'
wasSuccessful: true
- agents:
- afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0
agentType: endpoint
command: kill-process
comment: bad process - taking up too much cpu
completedAt: '2022-08-08T09:44:50.952Z'
createdBy: elastic
id: 5bc92c86-b8e6-42dd-837f-12ad29e09caa
isCompleted: true
isExpired: false
startedAt: '2022-08-08T14:38:44.125Z'
wasSuccessful: true
- agents:
- afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0
agentType: endpoint
command: unisolate
comment: Not a threat to the network
completedAt: '2022-08-08T09:40:47.398Z'
createdBy: elastic
id: 790d54e0-3aa3-4e5b-8255-3ce9d851246a
isCompleted: true
isExpired: false
startedAt: '2022-08-08T14:38:15.391Z'
wasSuccessful: true
elasticAgentIds:
- afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0
endDate: now
page: 1
pageSize: 10
startDate: now-24h/h
total: 4
type: object
properties: {}
GetEndpointActionResponse:
example:
data:
agents:
- afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0
agentType: endpoint
command: running-processes
completedAt: '2022-08-08T09:50:47.672Z'
createdBy: elastic
id: b3d6de74-36b0-4fa8-be46-c375bf1771bf
isCompleted: true
isExpired: false
outputs:
afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0:
content:
entries:
- command: /opt/cmd1
entity_id: fk2ym7bl3oiu3okjcik0xosc0i0m75x3eh49nu3uaqt4dqanjt
pid: '822'
user: Dexter
- command: /opt/cmd3/opt/cmd3/opt/cmd3/opt/cmd3
entity_id: pwvz91m48wpj9j7ov9gtw8fp7u2rat4eu5ipte37hnhdcbi2pt
pid: '984'
user: Jada
type: json
startedAt: '2022-08-08T15:24:57.402Z'
wasSuccessful: true
type: object
properties: {}
GetFileRouteRequestBody:
allOf:
- type: object
@ -989,7 +1222,42 @@ components:
- path
required:
- parameters
example:
comment: Get my file
endpoint_ids:
- ed518850-681a-4d60-bb98-e22640cae2a8
parameters:
path: /usr/my-file.txt
GetFileRouteResponse:
example:
data:
agents:
- ed518850-681a-4d60-bb98-e22640cae2a8
agentState:
ed518850-681a-4d60-bb98-e22640cae2a8:
isCompleted: false
wasSuccessful: false
agentType: endpoint
command: get-file
createdBy: myuser
hosts:
ed518850-681a-4d60-bb98-e22640cae2a8:
name: gke-endpoint-gke-clu-endpoint-node-po-e1a3ab89-4c4r
id: 27ba1b42-7cc6-4e53-86ce-675c876092b2
isCompleted: false
isExpired: false
outputs: {}
parameters:
path: /usr/my-file.txt
startedAt: '2023-07-28T19:00:03.911Z'
status: pending
wasSuccessful: false
type: object
properties: {}
GetProcessesRouteRequestBody:
example:
endpoint_ids:
- ed518850-681a-4d60-bb98-e22640cae2a8
type: object
properties:
agent_type:
@ -1006,6 +1274,30 @@ components:
$ref: '#/components/schemas/Parameters'
required:
- endpoint_ids
GetProcessesRouteResponse:
example:
data:
agents:
- ed518850-681a-4d60-bb98-e22640cae2a8
agentType: endpoint
command: running-processes
comment: ''
completedAt: '2022-07-29T19:09:44.961Z'
createdBy: myuser
errors: []
id: 233db9ea-6733-4849-9226-5a7039c7161d
isCompleted: true
isExpired: false
outputs:
ed518850-681a-4d60-bb98-e22640cae2a8:
content:
key: value
type: json
parameters: {}
startedAt: '2022-07-29T19:08:49.126Z'
wasSuccessful: true
type: object
properties: {}
HostPathScriptParameters:
type: object
properties:
@ -1037,23 +1329,32 @@ components:
- unenrolled
type: string
type: array
IsolateRouteRequestBody:
IsolateRouteResponse:
example:
action: 233db9ea-6733-4849-9226-5a7039c7161d
data:
agents:
- ed518850-681a-4d60-bb98-e22640cae2a8
agentType: endpoint
command: suspend-process
comment: suspend the process
completedAt: '2022-07-29T19:09:44.961Z'
createdBy: myuser
errors: []
id: 233db9ea-6733-4849-9226-5a7039c7161d
isCompleted: true
isExpired: false
outputs:
ed518850-681a-4d60-bb98-e22640cae2a8:
content:
key: value
type: json
parameters:
entity_id: abc123
startedAt: '2022-07-29T19:08:49.126Z'
wasSuccessful: true
type: object
properties:
agent_type:
$ref: '#/components/schemas/AgentTypes'
alert_ids:
$ref: '#/components/schemas/AlertIds'
case_ids:
$ref: '#/components/schemas/CaseIds'
comment:
$ref: '#/components/schemas/Comment'
endpoint_ids:
$ref: '#/components/schemas/EndpointIds'
parameters:
$ref: '#/components/schemas/Parameters'
required:
- endpoint_ids
properties: {}
KillProcessRouteRequestBody:
allOf:
- type: object
@ -1076,16 +1377,62 @@ components:
properties:
parameters:
oneOf:
- $ref: '#/components/schemas/Pid'
- $ref: '#/components/schemas/EntityId'
- type: object
properties:
pid:
description: The process ID (PID) of the process to terminate.
example: 123
minimum: 1
type: integer
- type: object
properties:
entity_id:
description: The entity ID of the process to terminate.
example: abc123
minLength: 1
type: string
- type: object
properties:
process_name:
description: Valid for SentinelOne agent type only
description: >-
The name of the process to terminate. Valid for
SentinelOne agent type only.
example: Elastic
minLength: 1
type: string
required:
- parameters
example:
comment: terminate the process
endpoint_ids:
- ed518850-681a-4d60-bb98-e22640cae2a8
parameters:
entity_id: abc123
KillProcessRouteResponse:
example:
data:
agents:
- ed518850-681a-4d60-bb98-e22640cae2a8
agentType: endpoint
command: kill-process
comment: terminate the process
completedAt: '2022-07-29T19:09:44.961Z'
createdBy: myuser
errors: []
id: 233db9ea-6733-4849-9226-5a7039c7161d
isCompleted: true
isExpired: false
outputs:
ed518850-681a-4d60-bb98-e22640cae2a8:
content:
key: value
type: json
parameters:
entity_id: abc123
startedAt: '2022-07-29T19:08:49.126Z'
wasSuccessful: true
type: object
properties: {}
Kuery:
description: A KQL string.
example: 'united.endpoint.host.os.name : ''Windows'''
@ -1317,12 +1664,6 @@ components:
$ref: '#/components/schemas/PendingActionDataType'
- additionalProperties: true
type: object
Pid:
type: object
properties:
pid:
minimum: 1
type: integer
ProtectionUpdatesNoteResponse:
type: object
properties:
@ -1382,11 +1723,45 @@ components:
type: object
properties:
path:
description: The folder or files full path (including the file name).
example: /usr/my-file.txt
type: string
required:
- path
required:
- parameters
example:
comment: Scan the file for malware
endpoint_ids:
- ed518850-681a-4d60-bb98-e22640cae2a8
parameters:
path: /usr/my-file.txt
ScanRouteResponse:
example:
data:
agents:
- ed518850-681a-4d60-bb98-e22640cae2a8
agentState:
ed518850-681a-4d60-bb98-e22640cae2a8:
isCompleted: false
wasSuccessful: false
agentType: endpoint
command: scan
createdBy: myuser
hosts:
ed518850-681a-4d60-bb98-e22640cae2a8:
name: gke-endpoint-gke-clu-endpoint-node-po-e1a3ab89-4c4r
id: 27ba1b42-7cc6-4e53-86ce-675c876092b2
isCompleted: false
isExpired: false
outputs: {}
parameters:
path: /usr/my-file.txt
startedAt: '2023-07-28T19:00:03.911Z'
status: pending
wasSuccessful: false
type: object
properties: {}
SortDirection:
description: Determines the sort order.
enum:
@ -1409,7 +1784,8 @@ components:
example: enrolled_at
type: string
StartDate:
description: Start date
description: A start date in ISO 8601 format or Date Math format.
example: '2023-10-31T00:00:00.000Z'
type: string
SuccessResponse:
type: object
@ -1436,10 +1812,53 @@ components:
properties:
parameters:
oneOf:
- $ref: '#/components/schemas/Pid'
- $ref: '#/components/schemas/EntityId'
- type: object
properties:
pid:
description: The process ID (PID) of the process to suspend.
example: 123
minimum: 1
type: integer
- type: object
properties:
entity_id:
description: The entity ID of the process to suspend.
example: abc123
minLength: 1
type: string
required:
- parameters
example:
comment: suspend the process
endpoint_ids:
- ed518850-681a-4d60-bb98-e22640cae2a8
parameters:
entity_id: abc123
SuspendProcessRouteResponse:
example:
data:
agents:
- ed518850-681a-4d60-bb98-e22640cae2a8
agentType: endpoint
command: suspend-process
comment: suspend the process
completedAt: '2022-07-29T19:09:44.961Z'
createdBy: myuser
errors: []
id: 233db9ea-6733-4849-9226-5a7039c7161d
isCompleted: true
isExpired: false
outputs:
ed518850-681a-4d60-bb98-e22640cae2a8:
content:
key: value
type: json
parameters:
entity_id: abc123
startedAt: '2022-07-29T19:08:49.126Z'
wasSuccessful: true
type: object
properties: {}
Timeout:
description: The maximum timeout value in milliseconds (optional)
minimum: 1
@ -1452,28 +1871,40 @@ components:
type: string
Types:
description: List of types of response actions
example:
- automated
- manual
items:
$ref: '#/components/schemas/Type'
maxLength: 2
minLength: 1
type: array
UnisolateRouteRequestBody:
UnisolateRouteResponse:
example:
action: 233db9ea-6733-4849-9226-5a7039c7161d
data:
agents:
- ed518850-681a-4d60-bb98-e22640cae2a8
agentType: endpoint
command: suspend-process
comment: suspend the process
completedAt: '2022-07-29T19:09:44.961Z'
createdBy: myuser
errors: []
id: 233db9ea-6733-4849-9226-5a7039c7161d
isCompleted: true
isExpired: false
outputs:
ed518850-681a-4d60-bb98-e22640cae2a8:
content:
key: value
type: json
parameters:
entity_id: abc123
startedAt: '2022-07-29T19:08:49.126Z'
wasSuccessful: true
type: object
properties:
agent_type:
$ref: '#/components/schemas/AgentTypes'
alert_ids:
$ref: '#/components/schemas/AlertIds'
case_ids:
$ref: '#/components/schemas/CaseIds'
comment:
$ref: '#/components/schemas/Comment'
endpoint_ids:
$ref: '#/components/schemas/EndpointIds'
parameters:
$ref: '#/components/schemas/Parameters'
required:
- endpoint_ids
properties: {}
UploadRouteRequestBody:
allOf:
- type: object
@ -1495,6 +1926,8 @@ components:
- type: object
properties:
file:
description: The binary content of the file.
example: RWxhc3RpYw==
format: binary
type: string
parameters:
@ -1502,12 +1935,51 @@ components:
properties:
overwrite:
default: false
description: Overwrite the file on the host if it already exists.
example: false
type: boolean
required:
- parameters
- file
example:
endpoint_ids:
- ed518850-681a-4d60-bb98-e22640cae2a8
file: RWxhc3RpYw==
parameters: {}
UploadRouteResponse:
example:
data:
agents:
- ed518850-681a-4d60-bb98-e22640cae2a8
agentState:
ed518850-681a-4d60-bb98-e22640cae2a8:
isCompleted: false
wasSuccessful: false
agentType: endpoint
command: upload
createdBy: elastic
hosts:
ed518850-681a-4d60-bb98-e22640cae2a8:
name: Host-5i6cuc8kdv
id: 9ff6aebc-2cb6-481e-8869-9b30036c9731
isCompleted: false
isExpired: false
outputs: {}
parameters:
file_id: 10e4ce3d-4abb-4f93-a0cd-eaf63a489280
file_name: fix-malware.sh
file_sha256: a0bed94220193ba4895c0aa5b4e7e293381d15765cb164ddf7be5cdd010ae42a
file_size: 69
startedAt: '2023-07-03T15:07:22.837Z'
status: pending
wasSuccessful: false
type: object
properties: {}
UserIds:
description: User IDs
description: A list of user IDs.
example:
- user-id-1
- user-id-2
oneOf:
- items:
minLength: 1
@ -1517,7 +1989,12 @@ components:
- minLength: 1
type: string
WithOutputs:
description: Shows detailed outputs for an action response
description: >-
A list of action IDs that should include the complete output of the
action.
example:
- action-id-1
- action-id-2
oneOf:
- items:
minLength: 1


@ -17,16 +17,61 @@ paths:
operationId: EndpointGetActionsList
parameters:
- in: query
name: query
required: true
name: page
required: false
schema:
$ref: '#/components/schemas/GetEndpointActionListRouteQuery'
$ref: '#/components/schemas/Page'
- in: query
name: pageSize
required: false
schema:
$ref: '#/components/schemas/PageSize'
- in: query
name: commands
required: false
schema:
$ref: '#/components/schemas/Commands'
- in: query
name: agentIds
required: false
schema:
$ref: '#/components/schemas/AgentIds'
- in: query
name: userIds
required: false
schema:
$ref: '#/components/schemas/UserIds'
- in: query
name: startDate
required: false
schema:
$ref: '#/components/schemas/StartDate'
- in: query
name: endDate
required: false
schema:
$ref: '#/components/schemas/EndDate'
- in: query
name: agentTypes
required: false
schema:
$ref: '#/components/schemas/AgentTypes'
- in: query
name: withOutputs
required: false
schema:
$ref: '#/components/schemas/WithOutputs'
- in: query
name: types
required: false
schema:
$ref: '#/components/schemas/Types'
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/SuccessResponse'
$ref: '#/components/schemas/GetEndpointActionListResponse'
description: OK
summary: Get response actions
tags:
@ -89,13 +134,15 @@ paths:
name: action_id
required: true
schema:
description: The ID of the action to retrieve.
example: fr518850-681a-4y60-aa98-e22640cae2b8
type: string
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/SuccessResponse'
$ref: '#/components/schemas/GetEndpointActionResponse'
description: OK
summary: Get action details
tags:
@ -165,7 +212,7 @@ paths:
content:
application/json:
schema:
$ref: '#/components/schemas/SuccessResponse'
$ref: '#/components/schemas/ExecuteRouteResponse'
description: OK
summary: Run a command
tags:
@ -185,7 +232,7 @@ paths:
content:
application/json:
schema:
$ref: '#/components/schemas/SuccessResponse'
$ref: '#/components/schemas/GetFileRouteResponse'
description: OK
summary: Get a file
tags:
@ -199,15 +246,55 @@ paths:
requestBody:
content:
application/json:
examples:
multiple_endpoints:
summary: Isolates several hosts; includes a comment
value:
comment: 'Locked down, pending further investigation'
endpoint_ids:
- 9972d10e-4b9e-41aa-a534-a85e2a28ea42
- bc0e4f0c-3bca-4633-9fee-156c0b505d16
- fa89271b-b9d4-43f2-a684-307cffddeb5a
single_endpoint:
summary: >-
Isolates a single host with an endpoint_id value of
ed518850-681a-4d60-bb98-e22640cae2a8
value:
endpoint_ids:
- ed518850-681a-4d60-bb98-e22640cae2a8
with_case_id:
summary: Isolates a single host with a case_id value of 1234
value:
case_ids:
- 4976be38-c134-4554-bd5e-0fd89ce63667
comment: Isolating as initial response
endpoint_ids:
- 1aa1f8fd-0fb0-4fe4-8c30-92068272d3f0
- b30a11bf-1395-4707-b508-fbb45ef9793e
schema:
$ref: '#/components/schemas/IsolateRouteRequestBody'
type: object
properties:
agent_type:
$ref: '#/components/schemas/AgentTypes'
alert_ids:
$ref: '#/components/schemas/AlertIds'
case_ids:
$ref: '#/components/schemas/CaseIds'
comment:
$ref: '#/components/schemas/Comment'
endpoint_ids:
$ref: '#/components/schemas/EndpointIds'
parameters:
$ref: '#/components/schemas/Parameters'
required:
- endpoint_ids
required: true
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/SuccessResponse'
$ref: '#/components/schemas/IsolateRouteResponse'
description: OK
summary: Isolate an endpoint
tags:
@ -227,7 +314,7 @@ paths:
content:
application/json:
schema:
$ref: '#/components/schemas/SuccessResponse'
$ref: '#/components/schemas/KillProcessRouteResponse'
description: OK
summary: Terminate a process
tags:
@ -247,7 +334,7 @@ paths:
content:
application/json:
schema:
$ref: '#/components/schemas/SuccessResponse'
$ref: '#/components/schemas/GetProcessesRouteResponse'
description: OK
summary: Get running processes
tags:
@ -287,7 +374,7 @@ paths:
content:
application/json:
schema:
$ref: '#/components/schemas/SuccessResponse'
$ref: '#/components/schemas/ScanRouteResponse'
description: OK
summary: Scan a file or directory
tags:
@ -323,7 +410,7 @@ paths:
content:
application/json:
schema:
$ref: '#/components/schemas/SuccessResponse'
$ref: '#/components/schemas/SuspendProcessRouteResponse'
description: OK
summary: Suspend a process
tags:
@ -335,15 +422,55 @@ paths:
requestBody:
content:
application/json:
examples:
multipleHosts:
summary: 'Releases several hosts; includes a comment:'
value:
comment: 'Benign process identified, releasing group'
endpoint_ids:
- 9972d10e-4b9e-41aa-a534-a85e2a28ea42
- bc0e4f0c-3bca-4633-9fee-156c0b505d16
- fa89271b-b9d4-43f2-a684-307cffddeb5a
singleHost:
summary: >-
Releases a single host with an endpoint_id value of
ed518850-681a-4d60-bb98-e22640cae2a8
value:
endpoint_ids:
- ed518850-681a-4d60-bb98-e22640cae2a8
withCaseId:
summary: Releases hosts with an associated case; includes a comment.
value:
case_ids:
- 4976be38-c134-4554-bd5e-0fd89ce63667
comment: 'Remediation complete, restoring network'
endpoint_ids:
- 1aa1f8fd-0fb0-4fe4-8c30-92068272d3f0
- b30a11bf-1395-4707-b508-fbb45ef9793e
schema:
$ref: '#/components/schemas/UnisolateRouteRequestBody'
type: object
properties:
agent_type:
$ref: '#/components/schemas/AgentTypes'
alert_ids:
$ref: '#/components/schemas/AlertIds'
case_ids:
$ref: '#/components/schemas/CaseIds'
comment:
$ref: '#/components/schemas/Comment'
endpoint_ids:
$ref: '#/components/schemas/EndpointIds'
parameters:
$ref: '#/components/schemas/Parameters'
required:
- endpoint_ids
required: true
responses:
'200':
content:
application/json:
schema:
$ref: '#/components/schemas/SuccessResponse'
$ref: '#/components/schemas/UnisolateRouteResponse'
description: OK
summary: Release an isolated endpoint
tags:
@ -354,7 +481,7 @@ paths:
operationId: EndpointUploadAction
requestBody:
content:
application/json:
multipart/form-data:
schema:
$ref: '#/components/schemas/UploadRouteRequestBody'
required: true
@ -363,7 +490,7 @@ paths:
content:
application/json:
schema:
$ref: '#/components/schemas/SuccessResponse'
$ref: '#/components/schemas/UploadRouteResponse'
description: OK
summary: Upload a file
tags:
@ -629,6 +756,10 @@ components:
description: Agent ID
type: string
AgentIds:
description: A list of agent IDs. Max of 50.
example:
- agent-id-1
- agent-id-2
minLength: 1
oneOf:
- items:
@ -640,12 +771,13 @@ components:
- minLength: 1
type: string
AgentTypes:
description: The host agent type (optional). Defaults to endpoint.
description: List of agent types to retrieve. Defaults to `endpoint`.
enum:
- endpoint
- sentinel_one
- crowdstrike
- microsoft_defender_endpoint
example: endpoint
type: string
AlertIds:
description: A list of alerts ids.
@ -655,6 +787,9 @@ components:
type: array
CaseIds:
description: Case IDs to be updated (cannot contain empty strings)
example:
- case-id-1
- case-id-2
items:
minLength: 1
type: string
@ -692,17 +827,26 @@ components:
minLength: 1
type: string
Commands:
description: A list of response action command names.
example:
- isolate
- unisolate
items:
$ref: '#/components/schemas/Command'
type: array
Comment:
description: Optional comment
example: This is a comment
type: string
EndDate:
description: End date
description: An end date in ISO format or Date Math format.
example: '2023-10-31T23:59:59.999Z'
type: string
EndpointIds:
description: List of endpoint IDs (cannot contain empty strings)
example:
- endpoint-id-1
- endpoint-id-2
items:
minLength: 1
type: string
@ -796,12 +940,6 @@ components:
revision: 2
type: object
properties: {}
EntityId:
type: object
properties:
entity_id:
minLength: 1
type: string
ExecuteRouteRequestBody:
allOf:
- type: object
@ -833,33 +971,128 @@ components:
- command
required:
- parameters
GetEndpointActionListRouteQuery:
example:
comment: Get list of all files
endpoint_ids:
- b3d6de74-36b0-4fa8-be46-c375bf1771bf
parameters:
command: ls -al
timeout: 600
ExecuteRouteResponse:
example:
data:
agents:
- ed518850-681a-4d60-bb98-e22640cae2a8
agentState:
ed518850-681a-4d60-bb98-e22640cae2a8:
isCompleted: false
wasSuccessful: false
agentType: endpoint
command: execute
comment: Get list of all files
createdBy: myuser
hosts:
ed518850-681a-4d60-bb98-e22640cae2a8:
name: gke-endpoint-gke-clu-endpoint-node-po-e1a3ab89-4c4r
id: 9f934028-2300-4927-b531-b26376793dc4
isCompleted: false
isExpired: false
outputs: {}
parameters:
command: ls -al
timeout: 600
startedAt: '2023-07-28T18:43:27.362Z'
status: pending
wasSuccessful: false
type: object
properties:
agentIds:
$ref: '#/components/schemas/AgentIds'
agentTypes:
$ref: '#/components/schemas/AgentTypes'
commands:
$ref: '#/components/schemas/Commands'
endDate:
$ref: '#/components/schemas/EndDate'
page:
$ref: '#/components/schemas/Page'
pageSize:
default: 10
description: Number of items per page
maximum: 10000
minimum: 1
type: integer
startDate:
$ref: '#/components/schemas/StartDate'
types:
$ref: '#/components/schemas/Types'
userIds:
$ref: '#/components/schemas/UserIds'
withOutputs:
$ref: '#/components/schemas/WithOutputs'
properties: {}
GetEndpointActionListResponse:
example:
data:
- agents:
- afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0
agentType: endpoint
command: running-processes
completedAt: '2022-08-08T09:50:47.672Z'
createdBy: elastic
id: b3d6de74-36b0-4fa8-be46-c375bf1771bf
isCompleted: true
isExpired: false
startedAt: '2022-08-08T15:24:57.402Z'
wasSuccessful: true
- agents:
- afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0
agentType: endpoint
command: isolate
completedAt: '2022-08-08T10:41:57.352Z'
createdBy: elastic
id: 43b4098b-8752-4fbb-a7a7-6df7c74d0ee3
isCompleted: true
isExpired: false
startedAt: '2022-08-08T15:23:37.359Z'
wasSuccessful: true
- agents:
- afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0
agentType: endpoint
command: kill-process
comment: bad process - taking up too much cpu
completedAt: '2022-08-08T09:44:50.952Z'
createdBy: elastic
id: 5bc92c86-b8e6-42dd-837f-12ad29e09caa
isCompleted: true
isExpired: false
startedAt: '2022-08-08T14:38:44.125Z'
wasSuccessful: true
- agents:
- afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0
agentType: endpoint
command: unisolate
comment: Not a threat to the network
completedAt: '2022-08-08T09:40:47.398Z'
createdBy: elastic
id: 790d54e0-3aa3-4e5b-8255-3ce9d851246a
isCompleted: true
isExpired: false
startedAt: '2022-08-08T14:38:15.391Z'
wasSuccessful: true
elasticAgentIds:
- afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0
endDate: now
page: 1
pageSize: 10
startDate: now-24h/h
total: 4
type: object
properties: {}
GetEndpointActionResponse:
example:
data:
agents:
- afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0
agentType: endpoint
command: running-processes
completedAt: '2022-08-08T09:50:47.672Z'
createdBy: elastic
id: b3d6de74-36b0-4fa8-be46-c375bf1771bf
isCompleted: true
isExpired: false
outputs:
afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0:
content:
entries:
- command: /opt/cmd1
entity_id: fk2ym7bl3oiu3okjcik0xosc0i0m75x3eh49nu3uaqt4dqanjt
pid: '822'
user: Dexter
- command: /opt/cmd3/opt/cmd3/opt/cmd3/opt/cmd3
entity_id: pwvz91m48wpj9j7ov9gtw8fp7u2rat4eu5ipte37hnhdcbi2pt
pid: '984'
user: Jada
type: json
startedAt: '2022-08-08T15:24:57.402Z'
wasSuccessful: true
type: object
properties: {}
GetFileRouteRequestBody:
allOf:
- type: object
@ -889,7 +1122,42 @@ components:
- path
required:
- parameters
example:
comment: Get my file
endpoint_ids:
- ed518850-681a-4d60-bb98-e22640cae2a8
parameters:
path: /usr/my-file.txt
GetFileRouteResponse:
example:
data:
agents:
- ed518850-681a-4d60-bb98-e22640cae2a8
agentState:
ed518850-681a-4d60-bb98-e22640cae2a8:
isCompleted: false
wasSuccessful: false
agentType: endpoint
command: get-file
createdBy: myuser
hosts:
ed518850-681a-4d60-bb98-e22640cae2a8:
name: gke-endpoint-gke-clu-endpoint-node-po-e1a3ab89-4c4r
id: 27ba1b42-7cc6-4e53-86ce-675c876092b2
isCompleted: false
isExpired: false
outputs: {}
parameters:
path: /usr/my-file.txt
startedAt: '2023-07-28T19:00:03.911Z'
status: pending
wasSuccessful: false
type: object
properties: {}
GetProcessesRouteRequestBody:
example:
endpoint_ids:
- ed518850-681a-4d60-bb98-e22640cae2a8
type: object
properties:
agent_type:
@ -906,6 +1174,30 @@ components:
$ref: '#/components/schemas/Parameters'
required:
- endpoint_ids
GetProcessesRouteResponse:
example:
data:
agents:
- ed518850-681a-4d60-bb98-e22640cae2a8
agentType: endpoint
command: running-processes
comment: ''
completedAt: '2022-07-29T19:09:44.961Z'
createdBy: myuser
errors: []
id: 233db9ea-6733-4849-9226-5a7039c7161d
isCompleted: true
isExpired: false
outputs:
ed518850-681a-4d60-bb98-e22640cae2a8:
content:
key: value
type: json
parameters: {}
startedAt: '2022-07-29T19:08:49.126Z'
wasSuccessful: true
type: object
properties: {}
HostPathScriptParameters:
type: object
properties:
@ -937,23 +1229,32 @@ components:
- unenrolled
type: string
type: array
IsolateRouteRequestBody:
IsolateRouteResponse:
example:
action: 233db9ea-6733-4849-9226-5a7039c7161d
data:
agents:
- ed518850-681a-4d60-bb98-e22640cae2a8
agentType: endpoint
command: suspend-process
comment: suspend the process
completedAt: '2022-07-29T19:09:44.961Z'
createdBy: myuser
errors: []
id: 233db9ea-6733-4849-9226-5a7039c7161d
isCompleted: true
isExpired: false
outputs:
ed518850-681a-4d60-bb98-e22640cae2a8:
content:
key: value
type: json
parameters:
entity_id: abc123
startedAt: '2022-07-29T19:08:49.126Z'
wasSuccessful: true
type: object
properties:
agent_type:
$ref: '#/components/schemas/AgentTypes'
alert_ids:
$ref: '#/components/schemas/AlertIds'
case_ids:
$ref: '#/components/schemas/CaseIds'
comment:
$ref: '#/components/schemas/Comment'
endpoint_ids:
$ref: '#/components/schemas/EndpointIds'
parameters:
$ref: '#/components/schemas/Parameters'
required:
- endpoint_ids
properties: {}
KillProcessRouteRequestBody:
allOf:
- type: object
@ -976,16 +1277,62 @@ components:
properties:
parameters:
oneOf:
- $ref: '#/components/schemas/Pid'
- $ref: '#/components/schemas/EntityId'
- type: object
properties:
pid:
description: The process ID (PID) of the process to terminate.
example: 123
minimum: 1
type: integer
- type: object
properties:
entity_id:
description: The entity ID of the process to terminate.
example: abc123
minLength: 1
type: string
- type: object
properties:
process_name:
description: Valid for SentinelOne agent type only
description: >-
The name of the process to terminate. Valid for
SentinelOne agent type only.
example: Elastic
minLength: 1
type: string
required:
- parameters
example:
comment: terminate the process
endpoint_ids:
- ed518850-681a-4d60-bb98-e22640cae2a8
parameters:
entity_id: abc123
KillProcessRouteResponse:
example:
data:
agents:
- ed518850-681a-4d60-bb98-e22640cae2a8
agentType: endpoint
command: kill-process
comment: terminate the process
completedAt: '2022-07-29T19:09:44.961Z'
createdBy: myuser
errors: []
id: 233db9ea-6733-4849-9226-5a7039c7161d
isCompleted: true
isExpired: false
outputs:
ed518850-681a-4d60-bb98-e22640cae2a8:
content:
key: value
type: json
parameters:
entity_id: abc123
startedAt: '2022-07-29T19:08:49.126Z'
wasSuccessful: true
type: object
properties: {}
Kuery:
description: A KQL string.
example: 'united.endpoint.host.os.name : ''Windows'''
@ -1217,12 +1564,6 @@ components:
$ref: '#/components/schemas/PendingActionDataType'
- additionalProperties: true
type: object
Pid:
type: object
properties:
pid:
minimum: 1
type: integer
ProtectionUpdatesNoteResponse:
type: object
properties:
@ -1282,11 +1623,45 @@ components:
type: object
properties:
path:
description: The folder or files full path (including the file name).
example: /usr/my-file.txt
type: string
required:
- path
required:
- parameters
example:
comment: Scan the file for malware
endpoint_ids:
- ed518850-681a-4d60-bb98-e22640cae2a8
parameters:
path: /usr/my-file.txt
ScanRouteResponse:
example:
data:
agents:
- ed518850-681a-4d60-bb98-e22640cae2a8
agentState:
ed518850-681a-4d60-bb98-e22640cae2a8:
isCompleted: false
wasSuccessful: false
agentType: endpoint
command: scan
createdBy: myuser
hosts:
ed518850-681a-4d60-bb98-e22640cae2a8:
name: gke-endpoint-gke-clu-endpoint-node-po-e1a3ab89-4c4r
id: 27ba1b42-7cc6-4e53-86ce-675c876092b2
isCompleted: false
isExpired: false
outputs: {}
parameters:
path: /usr/my-file.txt
startedAt: '2023-07-28T19:00:03.911Z'
status: pending
wasSuccessful: false
type: object
properties: {}
SortDirection:
description: Determines the sort order.
enum:
@ -1309,7 +1684,8 @@ components:
example: enrolled_at
type: string
StartDate:
description: Start date
description: A start date in ISO 8601 format or Date Math format.
example: '2023-10-31T00:00:00.000Z'
type: string
SuccessResponse:
type: object
@ -1336,10 +1712,53 @@ components:
properties:
parameters:
oneOf:
- $ref: '#/components/schemas/Pid'
- $ref: '#/components/schemas/EntityId'
- type: object
properties:
pid:
description: The process ID (PID) of the process to suspend.
example: 123
minimum: 1
type: integer
- type: object
properties:
entity_id:
description: The entity ID of the process to suspend.
example: abc123
minLength: 1
type: string
required:
- parameters
example:
comment: suspend the process
endpoint_ids:
- ed518850-681a-4d60-bb98-e22640cae2a8
parameters:
entity_id: abc123
SuspendProcessRouteResponse:
example:
data:
agents:
- ed518850-681a-4d60-bb98-e22640cae2a8
agentType: endpoint
command: suspend-process
comment: suspend the process
completedAt: '2022-07-29T19:09:44.961Z'
createdBy: myuser
errors: []
id: 233db9ea-6733-4849-9226-5a7039c7161d
isCompleted: true
isExpired: false
outputs:
ed518850-681a-4d60-bb98-e22640cae2a8:
content:
key: value
type: json
parameters:
entity_id: abc123
startedAt: '2022-07-29T19:08:49.126Z'
wasSuccessful: true
type: object
properties: {}
Timeout:
description: The maximum timeout value in milliseconds (optional)
minimum: 1
@ -1352,28 +1771,40 @@ components:
type: string
Types:
description: List of types of response actions
example:
- automated
- manual
items:
$ref: '#/components/schemas/Type'
maxLength: 2
minLength: 1
type: array
UnisolateRouteRequestBody:
UnisolateRouteResponse:
example:
action: 233db9ea-6733-4849-9226-5a7039c7161d
data:
agents:
- ed518850-681a-4d60-bb98-e22640cae2a8
agentType: endpoint
command: suspend-process
comment: suspend the process
completedAt: '2022-07-29T19:09:44.961Z'
createdBy: myuser
errors: []
id: 233db9ea-6733-4849-9226-5a7039c7161d
isCompleted: true
isExpired: false
outputs:
ed518850-681a-4d60-bb98-e22640cae2a8:
content:
key: value
type: json
parameters:
entity_id: abc123
startedAt: '2022-07-29T19:08:49.126Z'
wasSuccessful: true
type: object
properties:
agent_type:
$ref: '#/components/schemas/AgentTypes'
alert_ids:
$ref: '#/components/schemas/AlertIds'
case_ids:
$ref: '#/components/schemas/CaseIds'
comment:
$ref: '#/components/schemas/Comment'
endpoint_ids:
$ref: '#/components/schemas/EndpointIds'
parameters:
$ref: '#/components/schemas/Parameters'
required:
- endpoint_ids
properties: {}
UploadRouteRequestBody:
allOf:
- type: object
@ -1395,6 +1826,8 @@ components:
- type: object
properties:
file:
description: The binary content of the file.
example: RWxhc3RpYw==
format: binary
type: string
parameters:
@ -1402,12 +1835,51 @@ components:
properties:
overwrite:
default: false
description: Overwrite the file on the host if it already exists.
example: false
type: boolean
required:
- parameters
- file
example:
endpoint_ids:
- ed518850-681a-4d60-bb98-e22640cae2a8
file: RWxhc3RpYw==
parameters: {}
UploadRouteResponse:
example:
data:
agents:
- ed518850-681a-4d60-bb98-e22640cae2a8
agentState:
ed518850-681a-4d60-bb98-e22640cae2a8:
isCompleted: false
wasSuccessful: false
agentType: endpoint
command: upload
createdBy: elastic
hosts:
ed518850-681a-4d60-bb98-e22640cae2a8:
name: Host-5i6cuc8kdv
id: 9ff6aebc-2cb6-481e-8869-9b30036c9731
isCompleted: false
isExpired: false
outputs: {}
parameters:
file_id: 10e4ce3d-4abb-4f93-a0cd-eaf63a489280
file_name: fix-malware.sh
file_sha256: a0bed94220193ba4895c0aa5b4e7e293381d15765cb164ddf7be5cdd010ae42a
file_size: 69
startedAt: '2023-07-03T15:07:22.837Z'
status: pending
wasSuccessful: false
type: object
properties: {}
UserIds:
description: User IDs
description: A list of user IDs.
example:
- user-id-1
- user-id-2
oneOf:
- items:
minLength: 1
@ -1417,7 +1889,12 @@ components:
- minLength: 1
type: string
WithOutputs:
description: Shows detailed outputs for an action response
description: >-
A list of action IDs that should include the complete output of the
action.
example:
- action-id-1
- action-id-2
oneOf:
- items:
minLength: 1


@ -66,7 +66,6 @@ import { EndpointScanActionRequestBodyInput } from '@kbn/security-solution-plugi
import { EndpointSuspendProcessActionRequestBodyInput } from '@kbn/security-solution-plugin/common/api/endpoint/actions/response_actions/suspend_process/suspend_process.gen';
import { EndpointUnisolateActionRequestBodyInput } from '@kbn/security-solution-plugin/common/api/endpoint/actions/response_actions/unisolate/unisolate.gen';
import { EndpointUnisolateRedirectRequestBodyInput } from '@kbn/security-solution-plugin/common/api/endpoint/actions/response_actions/unisolate/deprecated_unisolate.gen';
import { EndpointUploadActionRequestBodyInput } from '@kbn/security-solution-plugin/common/api/endpoint/actions/response_actions/upload/upload.gen';
import {
ExportRulesRequestQueryInput,
ExportRulesRequestBodyInput,
@ -750,13 +749,12 @@ If a record already exists for the specified entity, that record is overwritten
/**
* Upload a file to an endpoint.
*/
endpointUploadAction(props: EndpointUploadActionProps, kibanaSpace: string = 'default') {
endpointUploadAction(kibanaSpace: string = 'default') {
return supertest
.post(routeWithNamespace('/api/endpoint/action/upload', kibanaSpace))
.set('kbn-xsrf', 'true')
.set(ELASTIC_HTTP_VERSION_HEADER, '2023-10-31')
.set(X_ELASTIC_INTERNAL_ORIGIN_REQUEST, 'kibana')
.send(props.body as object);
.set(X_ELASTIC_INTERNAL_ORIGIN_REQUEST, 'kibana');
},
entityStoreGetPrivileges(kibanaSpace: string = 'default') {
return supertest
@ -1799,9 +1797,6 @@ export interface EndpointUnisolateActionProps {
export interface EndpointUnisolateRedirectProps {
body: EndpointUnisolateRedirectRequestBodyInput;
}
export interface EndpointUploadActionProps {
body: EndpointUploadActionRequestBodyInput;
}
export interface ExportRulesProps {
query: ExportRulesRequestQueryInput;
body: ExportRulesRequestBodyInput;