diff --git a/x-pack/plugins/security_solution/docs/openapi/ess/security_solution_detections_api_2023_10_31.bundled.schema.yaml b/x-pack/plugins/security_solution/docs/openapi/ess/security_solution_detections_api_2023_10_31.bundled.schema.yaml index 67ad59c35dc5957..b9c1ac658fd906a 100644 --- a/x-pack/plugins/security_solution/docs/openapi/ess/security_solution_detections_api_2023_10_31.bundled.schema.yaml +++ b/x-pack/plugins/security_solution/docs/openapi/ess/security_solution_detections_api_2023_10_31.bundled.schema.yaml @@ -891,6 +891,15 @@ paths: /api/detection_engine/rules/preview: post: operationId: RulePreview + parameters: + - description: >- + Enables logging and returning in response ES queries, performed + during rule execution + in: query + name: enable_logged_requests + required: false + schema: + type: boolean requestBody: content: application/json: @@ -2042,6 +2051,10 @@ components: $ref: '#/components/schemas/RuleFilterArray' index: $ref: '#/components/schemas/IndexPatternArray' + response_actions: + items: + $ref: '#/components/schemas/ResponseAction' + type: array tiebreaker_field: $ref: '#/components/schemas/TiebreakerField' timestamp_field: @@ -2729,6 +2742,10 @@ components: properties: alert_suppression: $ref: '#/components/schemas/AlertSuppression' + response_actions: + items: + $ref: '#/components/schemas/ResponseAction' + type: array EsqlRulePatchProps: allOf: - type: object @@ -3873,6 +3890,10 @@ components: $ref: '#/components/schemas/RuleFilterArray' index: $ref: '#/components/schemas/IndexPatternArray' + response_actions: + items: + $ref: '#/components/schemas/ResponseAction' + type: array NewTermsRulePatchFields: allOf: - type: object 
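Review bot: The new `enable_logged_requests` parameter's description reads awkwardly and does not say what the caller gets back; `description: When true, the Elasticsearch queries executed during the preview are logged and included in the response.` would be clearer. The parameter carries no `default`, so the spec should also state that omitting it behaves as `false`, which is presumably what the route does — confirm against the handler. Because the returned queries expose index patterns and query DSL, it is worth saying in the same description that this is a debugging aid rather than part of the normal preview result.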
@@ -5166,6 +5187,17 @@ components: - $ref: '#/components/schemas/MachineLearningRulePatchProps' - $ref: '#/components/schemas/NewTermsRulePatchProps' - $ref: '#/components/schemas/EsqlRulePatchProps' + RulePreviewLoggedRequest: + type: object + properties: + description: + $ref: '#/components/schemas/NonEmptyString' + duration: + type: integer + request: + $ref: '#/components/schemas/NonEmptyString' + required: + - request RulePreviewLogs: type: object properties: @@ -5176,6 +5208,10 @@ components: items: $ref: '#/components/schemas/NonEmptyString' type: array + requests: + items: + $ref: '#/components/schemas/RulePreviewLoggedRequest' + type: array startedAt: $ref: '#/components/schemas/NonEmptyString' warnings: diff --git a/x-pack/plugins/security_solution/docs/openapi/ess/security_solution_entity_analytics_api_2023_10_31.bundled.schema.yaml b/x-pack/plugins/security_solution/docs/openapi/ess/security_solution_entity_analytics_api_2023_10_31.bundled.schema.yaml index b1f7e444371f77e..42e8db13d78a495 100644 --- a/x-pack/plugins/security_solution/docs/openapi/ess/security_solution_entity_analytics_api_2023_10_31.bundled.schema.yaml +++ b/x-pack/plugins/security_solution/docs/openapi/ess/security_solution_entity_analytics_api_2023_10_31.bundled.schema.yaml 
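Review bot: `RulePreviewLoggedRequest` leaves all three of its properties undocumented, and `duration` has no unit, so a consumer cannot tell whether it is milliseconds or seconds. Add a `description` to each, e.g. `request: description: The Elasticsearch request that was executed, as a string` and `duration: description: Time the request took, in milliseconds` — the unit is not visible here, so confirm it against the implementation before writing it down. The same applies to the new `requests` array on `RulePreviewLogs` in the second hunk; a one-line `description: Elasticsearch requests executed during this preview run, only populated when enable_logged_requests is true` ties it back to the query parameter.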
@@ -437,6 +437,82 @@ paths: summary: Stop the Entity Store engine tags: - Security Solution Entity Analytics API + /api/entity_store/entities/list: + get: + description: List entities records, paging, sorting and filtering as needed. + operationId: ListEntities + parameters: + - in: query + name: sort_field + required: false + schema: + type: string + - in: query + name: sort_order + required: false + schema: + enum: + - asc + - desc + type: string + - in: query + name: page + required: false + schema: + minimum: 1 + type: integer + - in: query + name: per_page + required: false + schema: + maximum: 10000 + minimum: 1 + type: integer + - description: An ES query to filter by. + in: query + name: filterQuery + required: false + schema: + type: string + - in: query + name: entities_types + required: true + schema: + items: + $ref: '#/components/schemas/EntityType' + type: array + responses: + '200': + content: + application/json: + schema: + type: object + properties: + inspect: + $ref: '#/components/schemas/InspectQuery' + page: + minimum: 1 + type: integer + per_page: + maximum: 1000 + minimum: 1 + type: integer + records: + items: + $ref: '#/components/schemas/Entity' + type: array + total: + minimum: 0 + type: integer + required: + - records + - page + - per_page + - total + description: Entities returned successfully + summary: List Entity Store Entities + tags: + - Security Solution Entity Analytics API /api/risk_score/engine/schedule_now: post: operationId: ScheduleRiskEngineNow 
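Review bot: The response schema's `per_page` is capped at `maximum: 1000` while the `per_page` query parameter allows `maximum: 10000`, so a request with `per_page=5000` produces a response that fails its own schema; the two limits should agree, whichever is the real server limit. The parameter naming is also inconsistent: `filterQuery` is camelCase while `sort_field`, `sort_order`, `page`, `per_page` and `entities_types` are snake_case. `filterQuery` is described only as "An ES query to filter by."; say which syntax is accepted (KQL, Lucene query string or JSON DSL — not visible here), since the server has to validate it as untrusted input, and likewise `sort_field` is an unconstrained string, so document or enumerate the fields it may name.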
@@ -549,11 +625,90 @@ components: - started - stopped type: string + Entity: + oneOf: + - $ref: '#/components/schemas/UserEntity' + - $ref: '#/components/schemas/HostEntity' EntityType: enum: - user - host type: string + HostEntity: + type: object + properties: + entity: + type: object + properties: + definitionId: + type: string + definitionVersion: + type: string + displayName: + type: string + firstSeenTimestamp: + format: date-time + type: string + id: + type: string + identityFields: + items: + type: string + type: array + lastSeenTimestamp: + format: date-time + type: string + schemaVersion: + type: string + type: + enum: + - node + type: string + required: + - lastSeenTimestamp + - schemaVersion + - definitionVersion + - displayName + - identityFields + - id + - type + - firstSeenTimestamp + - definitionId + host: + type: object + properties: + architecture: + items: + type: string + type: array + domain: + items: + type: string + type: array + hostname: + items: + type: string + type: array + id: + items: + type: string + type: array + ip: + items: + type: string + type: array + mac: + items: + type: string + type: array + name: + type: string + type: + items: + type: string + type: array + required: + - name IdField: enum: - host.name @@ -561,6 +716,20 @@ components: type: string IndexPattern: type: string + InspectQuery: + type: object + properties: + dsl: + items: + type: string + type: array + response: + items: + type: string + type: array + required: + - dsl + - response RiskEngineScheduleNowErrorResponse: type: object properties: 
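Review bot: `Entity: oneOf: [UserEntity, HostEntity]` has no `discriminator`, and neither branch declares a top-level `required` (indentation is lost in this view, but the only `required` lists visible sit inside the nested `entity`, `host` and `user` objects), so a host record also validates against `UserEntity` and strict `oneOf` validation of every `records` item fails. Add `required: [entity, host]` to `HostEntity` and `required: [entity, user]` to `UserEntity` (the latter is in the following hunk), or add a `discriminator` keyed on the top-level property. The new `InspectQuery` returns the raw Elasticsearch `dsl` and `response` bodies as strings; a `description` noting that this is diagnostic output (index names and the full query are visible in it) would help API consumers decide whether to surface it.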
@@ -588,6 +757,77 @@ components: required: - status_code - message + UserEntity: + type: object + properties: + entity: + type: object + properties: + definitionId: + type: string + definitionVersion: + type: string + displayName: + type: string + firstSeenTimestamp: + format: date-time + type: string + id: + type: string + identityFields: + items: + type: string + type: array + lastSeenTimestamp: + format: date-time + type: string + schemaVersion: + type: string + type: + enum: + - node + type: string + required: + - lastSeenTimestamp + - schemaVersion + - definitionVersion + - displayName + - identityFields + - id + - type + - firstSeenTimestamp + - definitionId + user: + type: object + properties: + domain: + items: + type: string + type: array + email: + items: + type: string + type: array + full_name: + items: + type: string + type: array + hash: + items: + type: string + type: array + id: + items: + type: string + type: array + name: + type: string + roles: + items: + type: string + type: array + required: + - name securitySchemes: BasicAuth: scheme: basic diff --git a/x-pack/plugins/security_solution/docs/openapi/serverless/security_solution_detections_api_2023_10_31.bundled.schema.yaml b/x-pack/plugins/security_solution/docs/openapi/serverless/security_solution_detections_api_2023_10_31.bundled.schema.yaml index 55dc1f0e75d1d79..e3a294c9f92a563 100644 --- a/x-pack/plugins/security_solution/docs/openapi/serverless/security_solution_detections_api_2023_10_31.bundled.schema.yaml +++ b/x-pack/plugins/security_solution/docs/openapi/serverless/security_solution_detections_api_2023_10_31.bundled.schema.yaml @@ -7,7 +7,7 @@ info: title: Security Solution Detections API (Elastic Cloud Serverless) version: '2023-10-31' servers: - - url: http://{kibana_host}:{port} + - url: 'http://{kibana_host}:{port}' variables: kibana_host: default: localhost 
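Review bot: `UserEntity.entity` repeats the nine-property `entity` object from `HostEntity` verbatim, including its `required` list, so the two will drift the next time a field is added. Extract it into a shared component (e.g. `EntityRecord` — the name is a suggestion) and reference it with `$ref` from both branches; bundlers generally keep such shared schemas intact, so generated clients should be unaffected, though that is worth checking. If this bundle is generated from per-domain source files, the extraction belongs in the source schema rather than in this file.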
@@ -962,12 +962,12 @@ components: Interval in which the rule runs. For example, `"1h"` means the rule runs every hour. example: 1h - pattern: ^[1-9]\d*[smh]$ + pattern: '^[1-9]\d*[smh]$' type: string lookback: description: Lookback time for the rule example: 1h - pattern: ^[1-9]\d*[smh]$ + pattern: '^[1-9]\d*[smh]$' type: string required: - interval @@ -4131,9 +4131,9 @@ components: - no_actions - rule type: string - - description: Time interval in seconds, minutes, hours, or days. + - description: 'Time interval in seconds, minutes, hours, or days.' example: 1h - pattern: ^[1-9]\d*[smhd]$ + pattern: '^[1-9]\d*[smhd]$' type: string RuleAuthorArray: items: @@ -4369,7 +4369,7 @@ components: discriminator: propertyName: type RuleSignatureId: - description: Could be any string, not necessarily a UUID + description: 'Could be any string, not necessarily a UUID' type: string RuleSource: description: >- diff --git a/x-pack/plugins/security_solution/docs/openapi/serverless/security_solution_timeline_api_2023_10_31.bundled.schema.yaml b/x-pack/plugins/security_solution/docs/openapi/serverless/security_solution_timeline_api_2023_10_31.bundled.schema.yaml index d8536c1703ed72d..d3b079e0551abce 100644 --- a/x-pack/plugins/security_solution/docs/openapi/serverless/security_solution_timeline_api_2023_10_31.bundled.schema.yaml +++ b/x-pack/plugins/security_solution/docs/openapi/serverless/security_solution_timeline_api_2023_10_31.bundled.schema.yaml @@ -6,7 +6,7 @@ info: title: Security Solution Timeline API (Elastic Cloud Serverless) version: '2023-10-31' servers: - - url: http://{kibana_host}:{port} + - url: 'http://{kibana_host}:{port}' variables: kibana_host: default: localhost @@ -15,7 +15,6 @@ servers: paths: /api/note: delete: - description: Delete a note from a Timeline using the note ID. operationId: DeleteNote requestBody: content: 
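Review bot: The timeline hunk `@@ -15,7 +15,6` deletes `description: Delete a note from a Timeline using the note ID.` without a replacement, leaving `DeleteNote` with only a summary; the same removal happens for `PersistNoteRoute`, `PersistPinnedEventRoute`, `DeleteTimelines`, `GetTimeline`, `CreateTimelines`, `GetDraftTimelines`, `ExportTimelines`, `PersistFavoriteRoute`, `ImportTimelines`, `InstallPrepackedTimelines` and `GetTimelines` in the following lines. Together with the wording changes alongside them (`The ID of the note to delete.` → `The id of the note to delete.`, `Get all notes for a given document.` moving from description to summary), this looks like the serverless bundle being regenerated from a source that predates the documentation rewrite rather than an intentional edit — worth confirming against the source schemas before merging.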
@@ -38,7 +37,7 @@ paths: type: array required: - noteIds - description: The ID of the note to delete. + description: The id of the note to delete. required: true responses: '200': @@ -50,12 +49,12 @@ paths: data: type: object description: Indicates the note was successfully deleted. - summary: Delete a note + summary: Deletes a note from a timeline. tags: - Security Solution Timeline API - - access:securitySolution + - 'access:securitySolution' get: - description: Get all notes for a given document. + description: Gets notes operationId: GetNotes parameters: - in: query @@ -96,12 +95,11 @@ paths: responses: '200': description: Indicates the requested notes were returned. - summary: Get notes + summary: Get all notes for a given document. tags: - Security Solution Timeline API - - access:securitySolution + - 'access:securitySolution' patch: - description: Add a note to a Timeline or update an existing note. operationId: PersistNoteRoute requestBody: content: @@ -131,7 +129,7 @@ paths: type: string required: - note - description: The note to add or update, along with additional metadata. + description: The note to persist or update along with additional metadata. required: true responses: '200': @@ -161,13 +159,12 @@ paths: required: - data description: Indicates the note was successfully created. - summary: Add or update a note + summary: Persists a note to a timeline. tags: - Security Solution Timeline API - - access:securitySolution + - 'access:securitySolution' /api/pinned_event: patch: - description: Pin an event to an existing Timeline. operationId: PersistPinnedEventRoute requestBody: content: @@ -185,7 +182,7 @@ paths: required: - eventId - timelineId - description: The pinned event to add or update, along with additional metadata. + description: The pinned event to persist or update along with additional metadata. required: true responses: '200': 
@@ -210,14 +207,13 @@ paths: - persistPinnedEventOnTimeline required: - data - description: Indicates the event was successfully pinned to the Timeline. - summary: Pin an event + description: Indicate the event was successfully pinned in the timeline. + summary: Persists a pinned event to a timeline. tags: - Security Solution Timeline API - - access:securitySolution + - 'access:securitySolution' /api/timeline: delete: - description: Delete one or more Timelines or Timeline templates. operationId: DeleteTimelines requestBody: content: @@ -238,7 +234,7 @@ paths: type: array required: - savedObjectIds - description: The IDs of the Timelines or Timeline templates to delete. + description: The ids of the timelines or timeline templates to delete. required: true responses: '200': @@ -256,13 +252,12 @@ paths: - deleteTimeline required: - data - description: Indicates the Timeline was successfully deleted. - summary: Delete Timelines or Timeline templates + description: Indicates the timeline was successfully deleted. + summary: Deletes one or more timelines or timeline templates. tags: - Security Solution Timeline API - - access:securitySolution + - 'access:securitySolution' get: - description: Get the details of an existing saved Timeline or Timeline template. operationId: GetTimeline parameters: - description: The ID of the template timeline to retrieve @@ -270,7 +265,7 @@ paths: name: template_timeline_id schema: type: string - - description: The ID of the Timeline to retrieve. + - description: The ID of the timeline to retrieve in: query name: id schema: 
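Review bot: The new 200 description `Indicate the event was successfully pinned in the timeline.` has a verb-agreement error; every other response description in this file uses `Indicates …`, so it should read `description: Indicates the event was successfully pinned in the timeline.`. The enclosing `/api/pinned_event` `patch:` operation starts on the previous line, outside this hunk.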
@@ -292,16 +287,18 @@ paths: - getOneTimeline required: - data - description: Indicates that the (template) Timeline was found and returned. - summary: Get Timeline or Timeline template details + description: Indicates that the (template) timeline was found and returned. + summary: >- + Get an existing saved timeline or timeline template. This API is used to + retrieve an existing saved timeline or timeline template. tags: - Security Solution Timeline API - - access:securitySolution + - 'access:securitySolution' patch: description: >- - Update an existing Timeline. You can update the title, description, date - range, pinned events, pinned queries, and/or pinned saved queries of an - existing Timeline. + Updates an existing timeline. This API is used to update the title, + description, date range, pinned events, pinned queries, and/or pinned + saved queries of an existing timeline. operationId: PatchTimeline requestBody: content: @@ -321,7 +318,7 @@ paths: - timelineId - version - timeline - description: The Timeline updates, along with the Timeline ID and version. + description: The timeline updates along with the timeline ID and version. required: true responses: '200': @@ -345,9 +342,9 @@ paths: required: - data description: >- - Indicates that the draft Timeline was successfully created. In the - event the user already has a draft Timeline, the existing draft - Timeline is cleared and returned. + Indicates that the draft timeline was successfully created. In the + event the user already has a draft timeline, the existing draft + timeline is cleared and returned. '405': content: application/json: 
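Review bot: The new `GetTimeline` summary folds two sentences (`Get an existing saved timeline or timeline template. This API is used to retrieve an existing saved timeline or timeline template.`) into a field that generators render as a one-line title; the second sentence restates the first and belongs in `description`, which this operation no longer has. Keep `summary: Get an existing saved timeline or timeline template.` and move the remainder to `description:`. The same pattern appears on `GetDraftTimelines` (`Retrieves the draft timeline for the current user. If the user does not …`) and `GetTimelines` (`This API is used to retrieve a list of …`) later in the diff.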
@@ -360,13 +357,12 @@ paths: type: number description: >- Indicates that the user does not have the required access to create - a draft Timeline. - summary: Update a Timeline + a draft timeline. + summary: Updates an existing timeline. tags: - Security Solution Timeline API - - access:securitySolution + - 'access:securitySolution' post: - description: Create a new Timeline or Timeline template. operationId: CreateTimelines requestBody: content: @@ -397,7 +393,7 @@ paths: required: - timeline description: >- - The required Timeline fields used to create a new Timeline, along with + The required timeline fields used to create a new timeline along with optional fields that will be created if not provided. required: true responses: @@ -419,7 +415,7 @@ paths: - persistTimeline required: - data - description: Indicates the Timeline was successfully created. + description: Indicates the timeline was successfully created. '405': content: application/json: @@ -430,17 +426,13 @@ paths: type: string statusCode: type: number - description: Indicates that there was an error in the Timeline creation. - summary: Create a Timeline or Timeline template + description: Indicates that there was an error in the timeline creation. + summary: Creates a new timeline. tags: - Security Solution Timeline API - - access:securitySolution + - 'access:securitySolution' /api/timeline/_draft: get: - description: >- - Get the details of the draft Timeline or Timeline template for the - current user. If the user doesn't have a draft Timeline, an empty - Timeline is returned. operationId: GetDraftTimelines parameters: - in: query @@ -469,10 +461,10 @@ paths: - persistTimeline required: - data - description: Indicates that the draft Timeline was successfully retrieved. + description: Indicates that the draft timeline was successfully retrieved. '403': content: - application:json: + 'application:json': schema: type: object properties: 
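Review bot: The hunk `@@ -469,10 +461,10` quotes the media type key as `'application:json'` but leaves the value itself wrong: `application:json` is not a media type, so the `403` response body schema under it will be ignored by validators and client generators. The key should be `application/json`, matching the `200` responses of the same operations. The same quoted-but-unfixed key recurs in the following lines for the `409`, `403`, `500` and `400` responses of `GetDraftTimelines`, `CleanDraftTimelines`, `PersistFavoriteRoute`, `InstallPrepackedTimelines` and `GetTimelines`.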
@@ -481,12 +473,12 @@ paths: status_code: type: number description: >- - If a draft Timeline was not found and we attempted to create one, it + If a draft timeline was not found and we attempted to create one, it indicates that the user does not have the required permissions to - create a draft Timeline. + create a draft timeline. '409': content: - application:json: + 'application:json': schema: type: object properties: @@ -495,21 +487,19 @@ paths: status_code: type: number description: >- - This should never happen, but if a draft Timeline was not found and + This should never happen, but if a draft timeline was not found and we attempted to create one, it indicates that there is already a - draft Timeline with the given `timelineId`. - summary: Get draft Timeline or Timeline template details + draft timeline with the given timelineId. + summary: >- + Retrieves the draft timeline for the current user. If the user does not + have a draft timeline, an empty timeline is returned. tags: - Security Solution Timeline API - - access:securitySolution + - 'access:securitySolution' post: description: > - Create a clean draft Timeline or Timeline template for the current user. - - > info - - > If the user already has a draft Timeline, the existing draft Timeline - is cleared and returned. + Retrieves a clean draft timeline. If a draft timeline does not exist, it + is created and returned. operationId: CleanDraftTimelines requestBody: content: @@ -522,7 +512,7 @@ paths: required: - timelineType description: >- - The type of Timeline to create. Valid values are `default` and + The type of timeline to create. Valid values are `default` and `template`. required: true responses: 
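Review bot: The new `CleanDraftTimelines` description (`Retrieves a clean draft timeline. If a draft timeline does not exist, it is created and returned.`) no longer mentions that an existing draft is cleared, yet the operation's `200` response on the next line still says `In the event the user already has a draft timeline, the existing draft timeline is cleared and returned.` Since clearing discards the user's current draft, that side effect is the part a caller most needs to know; restore it, e.g. `description: Create a clean draft timeline or timeline template for the current user. If the user already has a draft timeline, the existing draft is cleared and returned.`. The `post:` operation begins in this line and its responses continue outside the hunk.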
@@ -547,12 +537,12 @@ paths: required: - data description: >- - Indicates that the draft Timeline was successfully created. In the - event the user already has a draft Timeline, the existing draft - Timeline is cleared and returned. + Indicates that the draft timeline was successfully created. In the + event the user already has a draft timeline, the existing draft + timeline is cleared and returned. '403': content: - application:json: + 'application:json': schema: type: object properties: @@ -562,10 +552,10 @@ paths: type: number description: >- Indicates that the user does not have the required permissions to - create a draft Timeline. + create a draft timeline. '409': content: - application:json: + 'application:json': schema: type: object properties: @@ -574,15 +564,14 @@ paths: status_code: type: number description: >- - Indicates that there is already a draft Timeline with the given - `timelineId`. - summary: Create a clean draft Timeline or Timeline template + Indicates that there is already a draft timeline with the given + timelineId. + summary: Retrieves a draft timeline or timeline template. tags: - Security Solution Timeline API - - access:securitySolution + - 'access:securitySolution' /api/timeline/_export: post: - description: Export Timelines as an NDJSON file. operationId: ExportTimelines parameters: - description: The name of the file to export @@ -602,16 +591,16 @@ paths: type: string nullable: true type: array - description: The IDs of the Timelines to export. + description: The ids of the timelines to export required: true responses: '200': content: application/ndjson: schema: - description: NDJSON of the exported Timelines + description: NDJSON of the exported timelines type: string - description: Indicates the Timelines were successfully exported. + description: Indicates the timelines were successfully exported '400': content: application/ndjson: 
@@ -622,14 +611,13 @@ paths: type: string statusCode: type: number - description: Indicates that the export size limit was exceeded. - summary: Export Timelines + description: Indicates that the export size limit was exceeded + summary: Exports timelines as an NDJSON file tags: - Security Solution Timeline API - - access:securitySolution + - 'access:securitySolution' /api/timeline/_favorite: patch: - description: Favorite a Timeline or Timeline template for the current user. operationId: PersistFavoriteRoute requestBody: content: @@ -654,7 +642,7 @@ paths: - templateTimelineId - templateTimelineVersion - timelineType - description: The required fields used to favorite a (template) Timeline. + description: The required fields used to favorite a (template) timeline. required: true responses: '200': @@ -675,7 +663,7 @@ paths: description: Indicates the favorite status was successfully updated. '403': content: - application:json: + 'application:json': schema: type: object properties: @@ -686,13 +674,12 @@ paths: description: >- Indicates the user does not have the required permissions to persist the favorite status. - summary: Favorite a Timeline or Timeline template + summary: Persists a given users favorite status of a timeline. tags: - Security Solution Timeline API - - access:securitySolution + - 'access:securitySolution' /api/timeline/_import: post: - description: Import Timelines. operationId: ImportTimelines requestBody: content: @@ -722,7 +709,7 @@ paths: - headers required: - hapi - description: The Timelines to import as a readable stream. + description: The timelines to import as a readable stream. required: true responses: '200': @@ -735,7 +722,7 @@ paths: $ref: '#/components/schemas/ImportTimelineResult' required: - data - description: Indicates the import of Timelines was successful. + description: Indicates the import of timelines was successful. '400': content: application/json: 
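Review bot: `summary: Persists a given users favorite status of a timeline.` is missing the possessive; write `summary: Persists a given user's favorite status of a timeline.`. The `ExportTimelines` descriptions in this and the previous line also drop their trailing periods (`Indicates that the export size limit was exceeded`, `The ids of the timelines to export`) while the surrounding descriptions keep them; pick one convention for the file.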
@@ -749,7 +736,7 @@ paths: statusCode: type: number description: >- - Indicates the import of Timelines was unsuccessful because of an + Indicates the import of timelines was unsuccessful because of an invalid file extension. '404': content: @@ -776,14 +763,13 @@ paths: type: string statusCode: type: number - description: Indicates the import of Timelines was unsuccessful. - summary: Import Timelines + description: Indicates the import of timelines was unsuccessful. + summary: Imports timelines. tags: - Security Solution Timeline API - - access:securitySolution + - 'access:securitySolution' /api/timeline/_prepackaged: post: - description: Install or update prepackaged Timelines. operationId: InstallPrepackedTimelines requestBody: content: @@ -809,7 +795,7 @@ paths: - timelinesToInstall - timelinesToUpdate - prepackagedTimelines - description: The Timelines to install or update. + description: The timelines to install or update. required: true responses: '200': @@ -822,10 +808,10 @@ paths: $ref: '#/components/schemas/ImportTimelineResult' required: - data - description: Indicates the installation of prepackaged Timelines was successful. + description: Indicates the installation of prepackaged timelines was successful. '500': content: - application:json: + 'application:json': schema: type: object properties: @@ -834,12 +820,12 @@ paths: statusCode: type: number description: >- - Indicates the installation of prepackaged Timelines was + Indicates the installation of prepackaged timelines was unsuccessful. - summary: Install prepackaged Timelines + summary: Installs prepackaged timelines. tags: - Security Solution Timeline API - - access:securitySolution + - 'access:securitySolution' /api/timeline/resolve: get: operationId: ResolveTimeline 
@@ -871,18 +857,17 @@ paths: - getOneTimeline required: - data - description: The (template) Timeline has been found + description: The (template) timeline has been found '400': description: The request is missing parameters '404': - description: The (template) Timeline was not found - summary: Get an existing saved Timeline or Timeline template + description: The (template) timeline was not found + summary: Get an existing saved timeline or timeline template. tags: - Security Solution Timeline API - - access:securitySolution + - 'access:securitySolution' /api/timelines: get: - description: Get a list of all saved Timelines or Timeline templates. operationId: GetTimelines parameters: - description: >- @@ -968,10 +953,10 @@ paths: - customTemplateTimelineCount required: - data - description: Indicates that the (template) Timelines were found and returned. + description: Indicates that the (template) timelines were found and returned. '400': content: - application:json: + 'application:json': schema: type: object properties: @@ -980,10 +965,12 @@ paths: statusCode: type: number description: Bad request. The user supplied invalid data. - summary: Get Timelines or Timeline templates + summary: >- + This API is used to retrieve a list of existing saved timelines or + timeline templates. tags: - Security Solution Timeline API - - access:securitySolution + - 'access:securitySolution' components: schemas: BareNote: