From a13b5925c6488729300f40e7b125622b7a145d95 Mon Sep 17 00:00:00 2001
From: Mark Hopkin
Date: Mon, 5 Aug 2024 11:46:37 +0100
Subject: [PATCH 1/7] add asset criticality API docs
---
 ...asset-criticality-api-bulk-upsert.asciidoc | 77 ++++++
 .../api/asset-criticality-api-delete.asciidoc | 64 +++++
 .../api/asset-criticality-api-get.asciidoc | 48 ++++
 .../api/asset-criticality-api-index.asciidoc | 11 +
 .../api/asset-criticality-api-list.asciidoc | 64 +++++
 .../asset-criticality-api-overview.asciidoc | 5 +
 .../api/asset-criticality-api-upsert.asciidoc | 62 +++++
 .../asset-crticiality-record-schema.asciidoc | 255 ++++++++++++++++++
 docs/siem-apis.asciidoc | 2 +
 9 files changed, 588 insertions(+)
 create mode 100644 docs/advanced-entity-analytics/api/asset-criticality-api-bulk-upsert.asciidoc
 create mode 100644 docs/advanced-entity-analytics/api/asset-criticality-api-delete.asciidoc
 create mode 100644 docs/advanced-entity-analytics/api/asset-criticality-api-get.asciidoc
 create mode 100644 docs/advanced-entity-analytics/api/asset-criticality-api-index.asciidoc
 create mode 100644 docs/advanced-entity-analytics/api/asset-criticality-api-list.asciidoc
 create mode 100644 docs/advanced-entity-analytics/api/asset-criticality-api-overview.asciidoc
 create mode 100644 docs/advanced-entity-analytics/api/asset-criticality-api-upsert.asciidoc
 create mode 100644 docs/reference/asset-crticiality-record-schema.asciidoc
diff --git a/docs/advanced-entity-analytics/api/asset-criticality-api-bulk-upsert.asciidoc b/docs/advanced-entity-analytics/api/asset-criticality-api-bulk-upsert.asciidoc
new file mode 100644
index 0000000000..2c716aefe1
--- /dev/null
+++ b/docs/advanced-entity-analytics/api/asset-criticality-api-bulk-upsert.asciidoc
@@ -0,0 +1,77 @@
+[[asset-criticality-api-bulk-upsert]]
+=== Bulk Upsert Asset Criticality Record
+
+Create or update multiple Asset Criticality Records.
+
+==== Request URL
+
+`POST :/api/asset_criticality/bulk`
+
+==== Request body
+
+A JSON object defining the Asset Criticality Records.
+
+[width="100%",options="header"]
+|==============================================
+|Name |Type |Description |Required
+|`records` |Array |Array of records, cannot be longer than 1000 records.
+|Yes
+|`records[].id_field` |String |Which field contains the entity ID, must be either `user.name` or `host.name`.
+|Yes
+|`records[].id_value` |String |The ID of the entity contained in the specified ID field.
+|Yes
+|`records[].criticality_level` | The assigned criticality level, must be one of:
+
+* `low_impact`
+* `medium_impact`
+* `high_impact`
+* `extreme_impact`
+
+For example, you can assign Extreme impact to business-critical entities, or Low impact to entities that pose minimal risk to your security posture.
+
+|Yes
+
+|==============================================
+
+===== Example requests
+
+[source,console]
+--------------------------------------------------
+POST /api/asset_criticality/bulk
+{
+ "records": [
+ {
+ "id_field": "host.name",
+ "id_value": "my_host",
+ "criticality_level": "medium_impact"
+ },
+ {
+ "id_field": "host.name",
+ "id_value": "my_other_host",
+ "criticality_level": "high_impact"
+ }
+ ]
+}
+
+--------------------------------------------------
+
+==== Response code
+
+`200`::
+ Indicates a successful call.
+
+==== Example response
+
+Successful response
+
+[source,json]
+--------------------------------------------------
+{
+ "errors": [],
+ "stats": {
+ "successful": 2,
+ "failed": 0,
+ "total": 2
+ }
+}
+--------------------------------------------------
\ No newline at end of file
diff --git a/docs/advanced-entity-analytics/api/asset-criticality-api-delete.asciidoc b/docs/advanced-entity-analytics/api/asset-criticality-api-delete.asciidoc
new file mode 100644
index 0000000000..a6a440e7c1
--- /dev/null
+++ b/docs/advanced-entity-analytics/api/asset-criticality-api-delete.asciidoc
@@ -0,0 +1,64 @@
+[[delete-criticality-api-delete]]
+=== Delete Asset Criticality Record
+
+Delete a single Asset Criticality record by ID field and ID value.
+
+==== Request URL
+
+`DELETE :/api/asset_criticality`
+
+==== URL query parameters
+
+[width="100%",options="header"]
+|==============================================
+|Name |Type |Description |Required
+
+|`id_field` |String |Which field contains the entity ID, must be either `user.name` or `host.name`.
+|Yes
+|`id_value` |String |The ID of the entity contained in the specified ID field.
+|Yes
+
+|==============================================
+
+===== Example requests
+
+[source,console]
+--------------------------------------------------
+DELETE /api/asset_criticality?id_field=host.name&id_value=my_host
+
+--------------------------------------------------
+
+==== Response code
+
+`200`::
+ Indicates a successful call. Check the response body to see if the record was deleted.
+
+==== Example responses
+
+*Example 1*
+
+If the record was deleted.
+
+[source,json]
+--------------------------------------------------
+{
+ "deleted": true,
+ "record": {
+ "id_field": "host.name",
+ "id_value": "my_host",
+ "criticality_level": "medium_impact",
+ "@timestamp": "2024-08-05T09:42:11.240Z"
+ }
+}
+--------------------------------------------------
+
+*Example 2*
+
+If the record was not found so could not be deleted.
+
+[source,json]
+--------------------------------------------------
+{
+ "deleted": false,
+}
+--------------------------------------------------
diff --git a/docs/advanced-entity-analytics/api/asset-criticality-api-get.asciidoc b/docs/advanced-entity-analytics/api/asset-criticality-api-get.asciidoc
new file mode 100644
index 0000000000..ff3c1166f9
--- /dev/null
+++ b/docs/advanced-entity-analytics/api/asset-criticality-api-get.asciidoc
@@ -0,0 +1,48 @@
+[[asset-criticality-api-get]]
+=== Get Asset Criticality Record
+
+Retrieves a single Asset Criticality record by ID field and ID value.
+
+==== Request URL
+
+`GET :/api/asset_criticality`
+
+==== URL query parameters
+
+[width="100%",options="header"]
+|==============================================
+|Name |Type |Description |Required
+
+|`id_field` |String |Which field contains the entity ID, must be either `user.name` or `host.name`.
+|Yes
+|`id_value` |String |The ID of the entity contained in the specified ID field.
+|Yes
+
+|==============================================
+
+===== Example requests
+
+[source,console]
+--------------------------------------------------
+GET /api/asset_criticality?id_field=host.name&id_value=my_host
+
+--------------------------------------------------
+
+==== Response code
+
+`200`::
+ Indicates a successful call.
+`404`::
+ Indicates the Criticality Record was not found.
+
+==== Example response
+
+[source,json]
+--------------------------------------------------
+{
+ "@timestamp": "2024-08-02T11:15:34.290Z"
+ "id_field": "host.name",
+ "id_value": "my_host",
+ "criticality_level": "high_impact",
+}
+--------------------------------------------------
diff --git a/docs/advanced-entity-analytics/api/asset-criticality-api-index.asciidoc b/docs/advanced-entity-analytics/api/asset-criticality-api-index.asciidoc
new file mode 100644
index 0000000000..8f6448e023
--- /dev/null
+++ b/docs/advanced-entity-analytics/api/asset-criticality-api-index.asciidoc
@@ -0,0 +1,11 @@
+include::asset-criticality-api-overview.asciidoc[]
+
+include::asset-criticality-api-upsert.asciidoc[]
+
+include::asset-criticality-api-bulk-upsert.asciidoc[]
+
+include::asset-criticality-api-get.asciidoc[]
+
+include::asset-criticality-api-list.asciidoc[]
+
+include::asset-criticality-api-delete.asciidoc[]
diff --git a/docs/advanced-entity-analytics/api/asset-criticality-api-list.asciidoc b/docs/advanced-entity-analytics/api/asset-criticality-api-list.asciidoc
new file mode 100644
index 0000000000..68977c9c29
--- /dev/null
+++ b/docs/advanced-entity-analytics/api/asset-criticality-api-list.asciidoc
@@ -0,0 +1,64 @@
+[[asset-criticality-api-list]]
+=== List Asset Criticality Records
+
+List asset criticality data, filtering and sorting as needed
+
+==== Request URL
+
+`POST /api/asset_criticality/list`
+
+==== URL query parameters
+
+[width="100%",options="header"]
+|==============================================
+|Name |Type |Description |Required
+
+|`sort_field` |String |Which field to sort by, must be one of `id_value`, `id_field`, `criticality_level`, `@timestamp`.
+|Yes
+|`sort_direction` |String | Either `asc` or `desc`.
+|Yes
+|`page` |Number | Which page of results to return, must be at least 1.
+|Yes
+|`per_page` |Number | How many results per page, defaults to 10. Must be between 1 and 1000.
+|Yes
+|`kuery` |String | A KQL query to filter results by, for example `criticality_level:low_impact OR criticality_level:medium_impact`
+
+|==============================================
+
+===== Example requests
+
+[source,console]
+--------------------------------------------------
+GET api/asset_criticality/list?kuery=criticality_level:high_impact%20OR%20criticality_level:medium_impact
+
+--------------------------------------------------
+
+==== Response code
+
+`200`::
+ Indicates a successful call.
+
+==== Example response
+
+[source,json]
+--------------------------------------------------
+{
+ "records": [
+ {
+ "id_field": "host.name",
+ "id_value": "my_other_host",
+ "criticality_level": "medium_impact",
+ "@timestamp": "2024-08-02T14:40:35.705Z"
+ },
+ {
+ "id_field": "host.name",
+ "id_value": "my_host",
+ "criticality_level": "high_impact",
+ "@timestamp": "2024-08-02T11:15:34.290Z"
+ }
+ ],
+ "total": 2,
+ "page": 1,
+ "per_page": 10
+}
+--------------------------------------------------
diff --git a/docs/advanced-entity-analytics/api/asset-criticality-api-overview.asciidoc b/docs/advanced-entity-analytics/api/asset-criticality-api-overview.asciidoc
new file mode 100644
index 0000000000..2ec91aae32
--- /dev/null
+++ b/docs/advanced-entity-analytics/api/asset-criticality-api-overview.asciidoc
@@ -0,0 +1,5 @@
+[[asset-criticality-api-overview]]
+[role="xpack"]
+== Asset Criticality API
+
+You can manage Asset Criticality records through the API. The asset criticality advanced feature must be enabled first.
\ No newline at end of file
diff --git a/docs/advanced-entity-analytics/api/asset-criticality-api-upsert.asciidoc b/docs/advanced-entity-analytics/api/asset-criticality-api-upsert.asciidoc
new file mode 100644
index 0000000000..29a4058f58
--- /dev/null
+++ b/docs/advanced-entity-analytics/api/asset-criticality-api-upsert.asciidoc
@@ -0,0 +1,62 @@
+[[asset-criticality-api-upsert]]
+=== Upsert Asset Criticality Record
+
+Create or update an Asset Criticality Record.
+
+==== Request URL
+
+`POST :/api/asset_criticality`
+
+==== Request body
+
+A JSON object defining the Asset Criticality Record.
+
+[width="100%",options="header"]
+|==============================================
+|Name |Type |Description |Required
+|`id_field` |String |Which field contains the entity ID, must be either `user.name` or `host.name`.
+|Yes
+|`id_value` |String |The ID of the entity contained in the specified ID field.
+|Yes
+|`criticality_level` | The assigned criticality level, must be one of:
+
+* `low_impact`
+* `medium_impact`
+* `high_impact`
+* `extreme_impact`
+
+For example, you can assign Extreme impact to business-critical entities, or Low impact to entities that pose minimal risk to your security posture.
+
+|Yes
+
+|==============================================
+
+===== Example requests
+
+[source,console]
+--------------------------------------------------
+POST /api/asset_criticality
+{
+ "id_field": "host.name",
+ "id_value": "my_host",
+ "criticality_level": "high_impact"
+}
+
+--------------------------------------------------
+
+==== Response code
+
+`200`::
+ Indicates a successful call.
+
+==== Example response
+
+[source,json]
+--------------------------------------------------
+{
+ "@timestamp": "2024-08-02T11:15:34.290Z"
+ "id_field": "host.name",
+ "id_value": "my_host",
+ "criticality_level": "high_impact",
+}
+--------------------------------------------------
\ No newline at end of file
diff --git a/docs/reference/asset-crticiality-record-schema.asciidoc b/docs/reference/asset-crticiality-record-schema.asciidoc
new file mode 100644
index 0000000000..12448c6628
--- /dev/null
+++ b/docs/reference/asset-crticiality-record-schema.asciidoc
@@ -0,0 +1,255 @@
+[[asset-criticality-record-schema]]
+[role="xpack"]
+== Timeline schema
+
+The Timeline schema lists all the JSON fields and objects required to create a
+Timeline or a Timeline template using the Create Timeline API.
+
+IMPORTANT: All column, dropzone, and filter fields must be
+{ecs-ref}[ECS fields].
+
+This screenshot maps the Timeline UI components to their JSON objects:
+
+[role="screenshot"]
+image::images/timeline-object-ui.png[]
+
+. <> (`title`)
+. <> (`globalNotes`)
+. <> (`dataViewId`)
+. <> (`kqlQuery`)
+. <> (`dateRange`)
+. <> (`filters`)
+. <> (`kqlMode`)
+. <> (each clause is contained in
+its own `dataProviders` object)
+. <> (`columns`)
+. <> (`eventNotes`)
+
+[width="100%",options="header"]
+|==============================================
+|Name |Type |Description
+
+|[[timeline-object-columns]]`columns` |<> |The Timeline's
+columns.
+|`created` |Float |The time the Timeline was created, using a 13-digit Epoch
+timestamp.
+|`createdBy` |String |The user who created the Timeline.
+|[[timeline-object-dropzone]]`dataProviders`
+|<> |Object containing dropzone query
+clauses.
+|[[timeline-object-dataViewId]]`dataViewId` | String | ID of the Timeline's Data View, for example: `"dataViewId":"security-solution-default"`.
+|[[timeline-object-daterange]]`dateRange` |dateRange a|The Timeline's search
+period:
+
+* `end`: The time up to which events are searched, using a 13-digit Epoch
+timestamp.
+* `start`: The time from which events are searched, using a 13-digit Epoch
+timestamp.
+
+|`description` |String |The Timeline's description.
+|[[timeline-object-event-notes]]`eventNotes` |<>
+|Notes added to specific events in the Timeline.
+|`eventType` |String a|Event types displayed in
+the Timeline, which can be:
+
+* `All data sources`
+* `Events`: Event sources only
+* `Detection Alerts`: Detection alerts only
+
+|`favorite` |<> |Indicates when and who marked a
+Timeline as a favorite.
+|[[timeline-object-filters]]`filters` |<> |Filters used
+in addition to the dropzone query.
+|[[timeline-object-global-notes]]`globalNotes`
+|<> |Global notes added to the Timeline.
+|[[timeline-object-kqlmode]]`kqlMode` |String a|Indicates whether the KQL bar
+filters the dropzone query results or searches for additional results, where:
+
+* `filter`: filters dropzone query results
+* `search`: displays additional search results
+
+|[[timeline-object-kqlquery]]`kqlQuery` |<> |KQL bar
+query.
+|`pinnedEventIds` |pinnedEventIds[] |IDs of events pinned to the Timeline's
+search results.
+|`savedObjectId` |String |The Timeline's saved object ID.
+|`savedQueryId` |String |If used, the saved query ID used to filter or search
+dropzone query results.
+|`sort` |sort a|Object indicating how rows are sorted in the Timeline's grid:
+
+* `columnId` (string): The ID of the column used to sort results.
+* `sortDirection` (string): The sort direction, which can be either `desc` or
+`asc`.
+
+|`templateTimelineId` |String a| A unique ID (UUID) for Timeline templates. For
+Timelines, the value is `null`.
+|`templateTimelineVersion` |Integer |Timeline template version number. For
+Timelines, the value is `null`.
+// When creating timeline template via import, can just specify it to 1.
+// We use this version to avoid template timeline to be overwrite when updating
+// via import.
+// We take every positive int given from user as long as it is grater than
+// current value.
+|[[timeline-object-typeField]]`timelineType` |String a|Indicates whether the
+Timeline is a template or not, where:
+
+* `default`: Indicates a Timeline used to actively investigate events.
+* `template`: Indicates a Timeline template used when detection rule alerts are
+investigated in Timeline.
+
+|[[timeline-object-title]]`title` |String |The Timeline's title.
+|`updated` |Float |The last time the Timeline was updated, using a
+13-digit Epoch timestamp.
+|`updatedBy` |String |The user who last updated the Timeline.
+|`version` |String |The Timeline's version.
+|==============================================
+
+[[col-obj]]
+[discrete]
+==== columns object
+
+[width="100%",options="header"]
+|==============================================
+|Name |Type |Description
+
+|`aggregatable` |Boolean |Indicates whether the field can be aggregated across
+all indices (used to sort columns in the UI).
+|`category` |String |The ECS field set to which the field belongs.
+|`description` |String |UI column field description tooltip.
+|`example` |String |UI column field example tooltip.
+|`indexes` |String |Security indices in which the field exists and has the same
+{es} type. `null` when all the security indices have the field with the same
+type.
+|`id` |String |ECS field name, displayed as the column header in the UI.
+// |`searchable` |Boolean |Indicates whether the field is indexed for search on
+// all indices.
+|`type` |String |The field's type.
+|==============================================
+
+[[dataProvider-obj]]
+[discrete]
+==== dataProviders object
+
+[width="100%",options="header"]
+|==============================================
+|Name |Type |Description
+
+|`and` |dataProviders[] |Array containing dropzone query clauses using `AND`
+logic.
+|`enabled` |Boolean |Indicates if the dropzone query clause is enabled.
+|`excluded` |Boolean |Indicates if the dropzone query clause uses `NOT` logic.
+|`id` |String |The dropzone query clause's unique ID.
+|`name` |String |The dropzone query clause's name (the clause's value
+when Timelines are exported from the UI).
+|`queryMatch` |queryMatch a|The dropzone query clause:
+
+* `field` (string): The field used to search Security indices.
+* `operator` (string): The clause's operator, which can be:
+** `:` - The `field` has the specified `value`.
+** `:*` - The field exists.
+
+* `value` (string): The field's value used to match results.
+
+|==============================================
+
+[[eventNotes-obj]]
+[discrete]
+==== eventNotes object
+
+[width="100%",options="header"]
+|==============================================
+|Name |Type |Description
+
+|`created` |Float |The time the note was created, using a 13-digit Epoch
+timestamp.
+|`createdBy` |String |The user who added the note.
+|`eventId` |String |The ID of the event to which the note was added.
+|`note` |String |The note's text.
+|`noteId` |String |The note's ID
+|`timelineId` |String |The ID of the Timeline to which the note was added.
+|`updated` |Float |The last time the note was updated, using a
+13-digit Epoch timestamp.
+|`updatedBy` |String |The user who last updated the note.
+|`version` |String |The note's version.
+|==============================================
+
+[[favorite-obj]]
+[discrete]
+==== favorite object
+
+[width="100%",options="header"]
+|==============================================
+|Name |Type |Description
+
+|`favoriteDate` |Float |The time the Timeline was marked as a favorite, using a
+13-digit Epoch timestamp.
+|`fullName` |String |The full name of the user who marked the Timeline as
+a favorite.
+|`keySearch` |String |`userName` encoded in Base64.
+|`userName` |String |The {kib} username of the user who marked the
+Timeline as a favorite.
+|==============================================
+
+[[filters-obj]]
+[discrete]
+==== filters object
+
+[width="100%",options="header"]
+|==============================================
+|Name |Type |Description
+
+|`exists` |String |{ref}/query-dsl-exists-query.html[Exists term query] for the
+specified field (`null` when undefined). For example, `{"field":"user.name"}`.
+|`meta` |meta a|Filter details:
+
+* `alias` (string): UI filter name.
+* `disabled` (boolean): Indicates if the filter is disabled.
+* `key`(string): Field name or unique string ID.
+* `negate` (boolean): Indicates if the filter query clause uses `NOT` logic.
+* `params` (string): Value of `phrase` filter types.
+* `type` (string): Type of filter. For example, `exists` and `range`. For more
+information about filtering, see {ref}/query-dsl.html[Query DSL].
+
+|`match_all` |String |{ref}/query-dsl-match-all-query.html[Match all term query]
+for the specified field (`null` when undefined).
+|`query` |String |{ref}/query-dsl.html[DSL query] (`null` when undefined). For
+example, `{"match_phrase":{"ecs.version":"1.4.0"}}`.
+|`range` |String |{ref}/query-dsl-range-query.html[Range query] (`null` when
+undefined). For example, `{"@timestamp":{"gte":"now-1d","lt":"now"}}"`.
+|==============================================
+
+[[globalNotes-obj]]
+[discrete]
+==== globalNotes object
+
+[width="100%",options="header"]
+|==============================================
+|Name |Type |Description
+
+|`created` |Float |The time the note was created, using a 13-digit Epoch
+timestamp.
+|`createdBy` |String |The user who added the note.
+|`note` |String |The note's text.
+|`noteId` |String |The note's ID
+|`timelineId` |String |The ID of the Timeline to which the note was added.
+|`updated` |Float |The last time the note was updated, using a
+13-digit Epoch timestamp.
+|`updatedBy` |String |The user who last updated the note.
+|`version` |String |The note's version.
+|==============================================
+
+[[kqlQuery-obj]]
+[discrete]
+==== kqlQuery object
+
+[width="100%",options="header"]
+|==============================================
+|Name |Type |Description
+
+|`filterQuery` |filterQuery a|Object containing query details:
+
+* `kuery`: Object containing the query's clauses and type:
+** `expression`(string): The query's clauses.
+** `kind` (string): The type of query, which can be `kuery` or `lucene`.
+* `serializedQuery` (string): The query represented in JSON format.
+|==============================================
diff --git a/docs/siem-apis.asciidoc b/docs/siem-apis.asciidoc
index f5a0130079..0863ace6e2 100644
--- a/docs/siem-apis.asciidoc +++ b/docs/siem-apis.asciidoc @@ -103,5 +103,7 @@ include::cases/api/actions-api/cases-actions-api-index.asciidoc[] include::management/api/management-api-index.asciidoc[] +include::advanced-entity-analytics/api/asset-criticality-api-index.asciidoc[] + NOTE: For the {fleet} APIs, see the {fleet-guide}/fleet-api-docs.html[Fleet API Documentation]. From 806d622d57af165a99febea0245265722f14729e Mon Sep 17 00:00:00 2001 From: Mark Hopkin Date: Mon, 5 Aug 2024 14:33:58 +0100 Subject: [PATCH 2/7] fix crititcality_level --- .../api/asset-criticality-api-bulk-upsert.asciidoc | 4 +--- .../api/asset-criticality-api-upsert.asciidoc | 4 +--- 2 files changed, 2 insertions(+), 6 deletions(-) diff --git a/docs/advanced-entity-analytics/api/asset-criticality-api-bulk-upsert.asciidoc b/docs/advanced-entity-analytics/api/asset-criticality-api-bulk-upsert.asciidoc index 2c716aefe1..e780c0d23f 100644 --- a/docs/advanced-entity-analytics/api/asset-criticality-api-bulk-upsert.asciidoc +++ b/docs/advanced-entity-analytics/api/asset-criticality-api-bulk-upsert.asciidoc @@ -20,7 +20,7 @@ A JSON object defining the Asset Criticality Records. |Yes |`records[].id_value` |String |The ID of the entity contained in the specified ID field. |Yes -|`records[].criticality_level` | The assigned criticality level, must be one of: +|`records[].criticality_level` |String |The assigned criticality level, must be one of: * `low_impact` * `medium_impact` @@ -28,9 +28,7 @@ A JSON object defining the Asset Criticality Records. * `extreme_impact` For example, you can assign Extreme impact to business-critical entities, or Low impact to entities that pose minimal risk to your security posture. - |Yes - |============================================== ===== Example requests diff --git a/docs/advanced-entity-analytics/api/asset-criticality-api-upsert.asciidoc b/docs/advanced-entity-analytics/api/asset-criticality-api-upsert.asciidoc index 29a4058f58..927f1605f0 100644 
--- a/docs/advanced-entity-analytics/api/asset-criticality-api-upsert.asciidoc +++ b/docs/advanced-entity-analytics/api/asset-criticality-api-upsert.asciidoc @@ -18,7 +18,7 @@ A JSON object defining the Asset Criticality Record. |Yes |`id_value` |String |The ID of the entity contained in the specified ID field. |Yes -|`criticality_level` | The assigned criticality level, must be one of: +|`criticality_level` |String |The assigned criticality level, must be one of: * `low_impact` * `medium_impact` @@ -26,9 +26,7 @@ A JSON object defining the Asset Criticality Record. * `extreme_impact` For example, you can assign Extreme impact to business-critical entities, or Low impact to entities that pose minimal risk to your security posture. - |Yes - |============================================== ===== Example requests From 21305c1d1887bce47def3677b32ea917511ed950 Mon Sep 17 00:00:00 2001 From: Mark Hopkin Date: Mon, 5 Aug 2024 15:48:18 +0100 Subject: [PATCH 3/7] remove unused schema --- .../asset-crticiality-record-schema.asciidoc | 255 ------------------ 1 file changed, 255 deletions(-) delete mode 100644 docs/reference/asset-crticiality-record-schema.asciidoc diff --git a/docs/reference/asset-crticiality-record-schema.asciidoc b/docs/reference/asset-crticiality-record-schema.asciidoc deleted file mode 100644 index 12448c6628..0000000000 --- a/docs/reference/asset-crticiality-record-schema.asciidoc +++ /dev/null 
@@ -1,255 +0,0 @@
-[[asset-criticality-record-schema]]
-[role="xpack"]
-== Timeline schema
-
-The Timeline schema lists all the JSON fields and objects required to create a
-Timeline or a Timeline template using the Create Timeline API.
-
-IMPORTANT: All column, dropzone, and filter fields must be
-{ecs-ref}[ECS fields].
-
-This screenshot maps the Timeline UI components to their JSON objects:
-
-[role="screenshot"]
-image::images/timeline-object-ui.png[]
-
-. <> (`title`)
-. <> (`globalNotes`)
-. <> (`dataViewId`)
-. <> (`kqlQuery`)
-. <> (`dateRange`)
-. <> (`filters`)
-. <> (`kqlMode`)
-. <> (each clause is contained in
-its own `dataProviders` object)
-. <> (`columns`)
-. <> (`eventNotes`)
-
-[width="100%",options="header"]
-|==============================================
-|Name |Type |Description
-
-|[[timeline-object-columns]]`columns` |<> |The Timeline's
-columns.
-|`created` |Float |The time the Timeline was created, using a 13-digit Epoch
-timestamp.
-|`createdBy` |String |The user who created the Timeline.
-|[[timeline-object-dropzone]]`dataProviders`
-|<> |Object containing dropzone query
-clauses.
-|[[timeline-object-dataViewId]]`dataViewId` | String | ID of the Timeline's Data View, for example: `"dataViewId":"security-solution-default"`.
-|[[timeline-object-daterange]]`dateRange` |dateRange a|The Timeline's search
-period:
-
-* `end`: The time up to which events are searched, using a 13-digit Epoch
-timestamp.
-* `start`: The time from which events are searched, using a 13-digit Epoch
-timestamp.
-
-|`description` |String |The Timeline's description.
-|[[timeline-object-event-notes]]`eventNotes` |<>
-|Notes added to specific events in the Timeline.
-|`eventType` |String a|Event types displayed in
-the Timeline, which can be:
-
-* `All data sources`
-* `Events`: Event sources only
-* `Detection Alerts`: Detection alerts only
-
-|`favorite` |<> |Indicates when and who marked a
-Timeline as a favorite.
-|[[timeline-object-filters]]`filters` |<> |Filters used
-in addition to the dropzone query.
-|[[timeline-object-global-notes]]`globalNotes`
-|<> |Global notes added to the Timeline.
-|[[timeline-object-kqlmode]]`kqlMode` |String a|Indicates whether the KQL bar
-filters the dropzone query results or searches for additional results, where:
-
-* `filter`: filters dropzone query results
-* `search`: displays additional search results
-
-|[[timeline-object-kqlquery]]`kqlQuery` |<> |KQL bar
-query.
-|`pinnedEventIds` |pinnedEventIds[] |IDs of events pinned to the Timeline's
-search results.
-|`savedObjectId` |String |The Timeline's saved object ID.
-|`savedQueryId` |String |If used, the saved query ID used to filter or search
-dropzone query results.
-|`sort` |sort a|Object indicating how rows are sorted in the Timeline's grid:
-
-* `columnId` (string): The ID of the column used to sort results.
-* `sortDirection` (string): The sort direction, which can be either `desc` or
-`asc`.
-
-|`templateTimelineId` |String a| A unique ID (UUID) for Timeline templates. For
-Timelines, the value is `null`.
-|`templateTimelineVersion` |Integer |Timeline template version number. For
-Timelines, the value is `null`.
-// When creating timeline template via import, can just specify it to 1.
-// We use this version to avoid template timeline to be overwrite when updating
-// via import.
-// We take every positive int given from user as long as it is grater than
-// current value.
-|[[timeline-object-typeField]]`timelineType` |String a|Indicates whether the
-Timeline is a template or not, where:
-
-* `default`: Indicates a Timeline used to actively investigate events.
-* `template`: Indicates a Timeline template used when detection rule alerts are
-investigated in Timeline.
-
-|[[timeline-object-title]]`title` |String |The Timeline's title.
-|`updated` |Float |The last time the Timeline was updated, using a
-13-digit Epoch timestamp.
-|`updatedBy` |String |The user who last updated the Timeline.
-|`version` |String |The Timeline's version.
-|==============================================
-
-[[col-obj]]
-[discrete]
-==== columns object
-
-[width="100%",options="header"]
-|==============================================
-|Name |Type |Description
-
-|`aggregatable` |Boolean |Indicates whether the field can be aggregated across
-all indices (used to sort columns in the UI).
-|`category` |String |The ECS field set to which the field belongs.
-|`description` |String |UI column field description tooltip.
-|`example` |String |UI column field example tooltip.
-|`indexes` |String |Security indices in which the field exists and has the same
-{es} type. `null` when all the security indices have the field with the same
-type.
-|`id` |String |ECS field name, displayed as the column header in the UI.
-// |`searchable` |Boolean |Indicates whether the field is indexed for search on
-// all indices.
-|`type` |String |The field's type.
-|==============================================
-
-[[dataProvider-obj]]
-[discrete]
-==== dataProviders object
-
-[width="100%",options="header"]
-|==============================================
-|Name |Type |Description
-
-|`and` |dataProviders[] |Array containing dropzone query clauses using `AND`
-logic.
-|`enabled` |Boolean |Indicates if the dropzone query clause is enabled.
-|`excluded` |Boolean |Indicates if the dropzone query clause uses `NOT` logic.
-|`id` |String |The dropzone query clause's unique ID.
-|`name` |String |The dropzone query clause's name (the clause's value
-when Timelines are exported from the UI).
-|`queryMatch` |queryMatch a|The dropzone query clause:
-
-* `field` (string): The field used to search Security indices.
-* `operator` (string): The clause's operator, which can be:
-** `:` - The `field` has the specified `value`.
-** `:*` - The field exists.
-
-* `value` (string): The field's value used to match results.
-
-|==============================================
-
-[[eventNotes-obj]]
-[discrete]
-==== eventNotes object
-
-[width="100%",options="header"]
-|==============================================
-|Name |Type |Description
-
-|`created` |Float |The time the note was created, using a 13-digit Epoch
-timestamp.
-|`createdBy` |String |The user who added the note.
-|`eventId` |String |The ID of the event to which the note was added.
-|`note` |String |The note's text.
-|`noteId` |String |The note's ID
-|`timelineId` |String |The ID of the Timeline to which the note was added.
-|`updated` |Float |The last time the note was updated, using a
-13-digit Epoch timestamp.
-|`updatedBy` |String |The user who last updated the note.
-|`version` |String |The note's version.
-|==============================================
-
-[[favorite-obj]]
-[discrete]
-==== favorite object
-
-[width="100%",options="header"]
-|==============================================
-|Name |Type |Description
-
-|`favoriteDate` |Float |The time the Timeline was marked as a favorite, using a
-13-digit Epoch timestamp.
-|`fullName` |String |The full name of the user who marked the Timeline as
-a favorite.
-|`keySearch` |String |`userName` encoded in Base64.
-|`userName` |String |The {kib} username of the user who marked the
-Timeline as a favorite.
-|==============================================
-
-[[filters-obj]]
-[discrete]
-==== filters object
-
-[width="100%",options="header"]
-|==============================================
-|Name |Type |Description
-
-|`exists` |String |{ref}/query-dsl-exists-query.html[Exists term query] for the
-specified field (`null` when undefined). For example, `{"field":"user.name"}`.
-|`meta` |meta a|Filter details:
-
-* `alias` (string): UI filter name.
-* `disabled` (boolean): Indicates if the filter is disabled.
-* `key`(string): Field name or unique string ID.
-* `negate` (boolean): Indicates if the filter query clause uses `NOT` logic.
-* `params` (string): Value of `phrase` filter types.
-* `type` (string): Type of filter. For example, `exists` and `range`. For more
-information about filtering, see {ref}/query-dsl.html[Query DSL].
-
-|`match_all` |String |{ref}/query-dsl-match-all-query.html[Match all term query]
-for the specified field (`null` when undefined).
-|`query` |String |{ref}/query-dsl.html[DSL query] (`null` when undefined). For
-example, `{"match_phrase":{"ecs.version":"1.4.0"}}`.
-|`range` |String |{ref}/query-dsl-range-query.html[Range query] (`null` when
-undefined). For example, `{"@timestamp":{"gte":"now-1d","lt":"now"}}"`.
-|==============================================
-
-[[globalNotes-obj]]
-[discrete]
-==== globalNotes object
-
-[width="100%",options="header"]
-|==============================================
-|Name |Type |Description
-
-|`created` |Float |The time the note was created, using a 13-digit Epoch
-timestamp.
-|`createdBy` |String |The user who added the note.
-|`note` |String |The note's text.
-|`noteId` |String |The note's ID
-|`timelineId` |String |The ID of the Timeline to which the note was added.
-|`updated` |Float |The last time the note was updated, using a
-13-digit Epoch timestamp.
-|`updatedBy` |String |The user who last updated the note.
-|`version` |String |The note's version.
-|==============================================
-
-[[kqlQuery-obj]]
-[discrete]
-==== kqlQuery object
-
-[width="100%",options="header"]
-|==============================================
-|Name |Type |Description
-
-|`filterQuery` |filterQuery a|Object containing query details:
-
-* `kuery`: Object containing the query's clauses and type:
-** `expression`(string): The query's clauses.
-** `kind` (string): The type of query, which can be `kuery` or `lucene`.
-* `serializedQuery` (string): The query represented in JSON format.
-|==============================================
From 3724005d04137943e5aef1eb52dc82aaa7237bd4 Mon Sep 17 00:00:00 2001
From: natasha-moore-elastic Date: Wed, 7 Aug 2024 12:11:44 +0100 Subject: [PATCH 4/7] Editorial review --- ...asset-criticality-api-bulk-upsert.asciidoc | 57 ++++++++-------- .../api/asset-criticality-api-delete.asciidoc | 26 ++++---- .../api/asset-criticality-api-get.asciidoc | 18 ++--- .../api/asset-criticality-api-list.asciidoc | 66 +++++++++++-------- .../asset-criticality-api-overview.asciidoc | 4 +- .../api/asset-criticality-api-upsert.asciidoc | 27 ++++---- .../asset-criticality.asciidoc | 2 +- docs/siem-apis.asciidoc | 1 + 8 files changed, 108 insertions(+), 93 deletions(-) diff --git a/docs/advanced-entity-analytics/api/asset-criticality-api-bulk-upsert.asciidoc b/docs/advanced-entity-analytics/api/asset-criticality-api-bulk-upsert.asciidoc index e780c0d23f..ff31befcec 100644 --- a/docs/advanced-entity-analytics/api/asset-criticality-api-bulk-upsert.asciidoc +++ b/docs/advanced-entity-analytics/api/asset-criticality-api-bulk-upsert.asciidoc @@ -1,7 +1,11 @@ [[asset-criticality-api-bulk-upsert]] -=== Bulk Upsert Asset Criticality Record +=== Bulk upsert (create or update) asset criticality records -Create or update multiple Asset Criticality Records. +Create or update asset criticality records for multiple entities. + +If asset criticality records already exist for the entities specified in the request, this API overwrites those records with the specified values. + +If asset criticality records don't exist for the specified entities, new records are created. ==== Request URL 
@@ -9,25 +13,25 @@ Create or update multiple Asset Criticality Records. ==== Request body -A JSON object defining the Asset Criticality Records. +A JSON object defining the asset criticality records. [width="100%",options="header"] |============================================== |Name |Type |Description |Required -|`records` |Array |Array of records, cannot be longer than 1000 records. +|`records` |Array |Array of asset criticality records to be created or updated. The maximum number of records is 1000. |Yes -|`records[].id_field` |String |Which field contains the entity ID, must be either `user.name` or `host.name`. +|`records.id_field` |String |The field that contains the entity ID. This must be either `user.name` or `host.name`. |Yes -|`records[].id_value` |String |The ID of the entity contained in the specified ID field. +|`records.id_value` |String |The ID (host name or user name) of the entity specified in the `records.id_field` field. |Yes -|`records[].criticality_level` |String |The assigned criticality level, must be one of: +|`records.criticality_level` |String a|The asset criticality level to assign, which must be one of the following: * `low_impact` * `medium_impact` * `high_impact` * `extreme_impact` -For example, you can assign Extreme impact to business-critical entities, or Low impact to entities that pose minimal risk to your security posture. +For example, you can assign `extreme_impact` to business-critical entities, or `low_impact` to entities that pose minimal risk to your security posture. |Yes |============================================== 
@@ -37,20 +41,19 @@ For example, you can assign Extreme impact to business-critical entities, or Low -------------------------------------------------- POST /api/asset_criticality/bulk { - "records": [ - { - "id_field": "host.name", - "id_value": "my_host", - "criticality_level": "medium_impact" - }, - { - "id_field": "host.name", - "id_value": "my_other_host", - "criticality_level": "high_impact" - } - ] + "records": [ + { + "id_field": "host.name", + "id_value": "my_host", + "criticality_level": "medium_impact" + }, + { + "id_field": "host.name", + "id_value": "my_other_host", + "criticality_level": "high_impact" + } + ] } - -------------------------------------------------- ==== Response code @@ -65,11 +68,11 @@ Successful response [source,json] -------------------------------------------------- { - "errors": [], - "stats": { - "successful": 2, - "failed": 0, - "total": 2 - } + "errors": [], + "stats": { + "successful": 2, + "failed": 0, + "total": 2 + } } -------------------------------------------------- \ No newline at end of file diff --git a/docs/advanced-entity-analytics/api/asset-criticality-api-delete.asciidoc b/docs/advanced-entity-analytics/api/asset-criticality-api-delete.asciidoc index a6a440e7c1..6604b2db28 100644 --- a/docs/advanced-entity-analytics/api/asset-criticality-api-delete.asciidoc +++ b/docs/advanced-entity-analytics/api/asset-criticality-api-delete.asciidoc @@ -1,7 +1,7 @@ [[delete-criticality-api-delete]] -=== Delete Asset Criticality Record +=== Delete asset criticality record -Delete a single Asset Criticality record by ID field and ID value. +Delete a single asset criticality record by ID field and ID value. ==== Request URL 
@@ -13,9 +13,9 @@ Delete a single Asset Criticality record by ID field and ID value. |============================================== |Name |Type |Description |Required -|`id_field` |String |Which field contains the entity ID, must be either `user.name` or `host.name`. +|`id_field` |String |The field that contains the entity ID. This must be either `user.name` or `host.name`. |Yes -|`id_value` |String |The ID of the entity contained in the specified ID field. +|`id_value` |String |The ID (host name or user name) of the entity specified in the `id_field` field. |Yes |============================================== @@ -42,23 +42,23 @@ If the record was deleted. [source,json] -------------------------------------------------- { - "deleted": true, - "record": { - "id_field": "host.name", - "id_value": "my_host", - "criticality_level": "medium_impact", - "@timestamp": "2024-08-05T09:42:11.240Z" - } + "deleted": true, + "record": { + "id_field": "host.name", + "id_value": "my_host", + "criticality_level": "medium_impact", + "@timestamp": "2024-08-05T09:42:11.240Z" + } } -------------------------------------------------- *Example 2* -If the record was not found so could not be deleted. +If the record was not found and could not be deleted. [source,json] -------------------------------------------------- { - "deleted": false, + "deleted": false } -------------------------------------------------- diff --git a/docs/advanced-entity-analytics/api/asset-criticality-api-get.asciidoc b/docs/advanced-entity-analytics/api/asset-criticality-api-get.asciidoc index ff3c1166f9..1cb4752b7f 100644 --- a/docs/advanced-entity-analytics/api/asset-criticality-api-get.asciidoc +++ b/docs/advanced-entity-analytics/api/asset-criticality-api-get.asciidoc 
@@ -1,7 +1,7 @@ [[asset-criticality-api-get]] -=== Get Asset Criticality Record +=== Get asset criticality record -Retrieves a single Asset Criticality record by ID field and ID value. +Retrieve a single asset criticality record by ID field and ID value. ==== Request URL @@ -13,9 +13,9 @@ Retrieves a single Asset Criticality record by ID field and ID value. |============================================== |Name |Type |Description |Required -|`id_field` |String |Which field contains the entity ID, must be either `user.name` or `host.name`. +|`id_field` |String |The field that contains the entity ID. This must be either `user.name` or `host.name`. |Yes -|`id_value` |String |The ID of the entity contained in the specified ID field. +|`id_value` |String |The ID (host name or user name) of the entity specified in the `id_field` field. |Yes |============================================== @@ -33,16 +33,16 @@ GET /api/asset_criticality?id_field=host.name&id_value=my_host `200`:: Indicates a successful call. `404`:: - Indicates the Criticality Record was not found. + Indicates the criticality record was not found. ==== Example response [source,json] -------------------------------------------------- { - "@timestamp": "2024-08-02T11:15:34.290Z" - "id_field": "host.name", - "id_value": "my_host", - "criticality_level": "high_impact", + "id_field": "host.name", + "id_value": "my_host", + "criticality_level": "high_impact", + "@timestamp": "2024-08-02T11:15:34.290Z" } -------------------------------------------------- diff --git a/docs/advanced-entity-analytics/api/asset-criticality-api-list.asciidoc b/docs/advanced-entity-analytics/api/asset-criticality-api-list.asciidoc index 68977c9c29..3189612f11 100644 --- a/docs/advanced-entity-analytics/api/asset-criticality-api-list.asciidoc +++ b/docs/advanced-entity-analytics/api/asset-criticality-api-list.asciidoc 
@@ -1,11 +1,13 @@ [[asset-criticality-api-list]] -=== List Asset Criticality Records +=== List asset criticality records -List asset criticality data, filtering and sorting as needed +Retrieve a list of asset criticality records. + +Use the query parameters to filter and sort the results as needed. By default, the first page is returned, with 10 results per page. ==== Request URL -`POST /api/asset_criticality/list` +`POST :/api/asset_criticality/list` ==== URL query parameters @@ -13,16 +15,22 @@ List asset criticality data, filtering and sorting as needed |============================================== |Name |Type |Description |Required -|`sort_field` |String |Which field to sort by, must be one of `id_value`, `id_field`, `criticality_level`, `@timestamp`. -|Yes -|`sort_direction` |String | Either `asc` or `desc`. -|Yes -|`page` |Number | Which page of results to return, must be at least 1. -|Yes -|`per_page` |Number | How many results per page, defaults to 10. Must be between 1 and 1000. -|Yes -|`kuery` |String | A KQL query to filter results by, for example `criticality_level:low_impact OR criticality_level:medium_impact` +|`sort_field` |String a|The field to sort the results by, which must be one of the following: + +* `id_value` +* `id_field` +* `criticality_level` +* `@timestamp` +|No +|`sort_direction` |String |The order to sort the results in, which must be either `asc` or `desc`. +|No +|`page` |Number | The page number to return, which must be at least 1. Defaults to `1`. +|No +|`per_page` |Number |The number of results to return per page., which must be between 1 and 1000. Defaults to `10`. +|No +|`kuery` |String a|A KQL query to filter results by, for example `criticality_level:low_impact OR criticality_level:medium_impact` +|No |============================================== ===== Example requests 
@@ -43,22 +51,22 @@ GET api/asset_criticality/list?kuery=criticality_level:high_impact%20OR%20critic [source,json] -------------------------------------------------- { - "records": [ - { - "id_field": "host.name", - "id_value": "my_other_host", - "criticality_level": "medium_impact", - "@timestamp": "2024-08-02T14:40:35.705Z" - }, - { - "id_field": "host.name", - "id_value": "my_host", - "criticality_level": "high_impact", - "@timestamp": "2024-08-02T11:15:34.290Z" - } - ], - "total": 2, - "page": 1, - "per_page": 10 + "records": [ + { + "id_field": "host.name", + "id_value": "my_other_host", + "criticality_level": "medium_impact", + "@timestamp": "2024-08-02T14:40:35.705Z" + }, + { + "id_field": "host.name", + "id_value": "my_host", + "criticality_level": "high_impact", + "@timestamp": "2024-08-02T11:15:34.290Z" + } + ], + "total": 2, + "page": 1, + "per_page": 10 } -------------------------------------------------- diff --git a/docs/advanced-entity-analytics/api/asset-criticality-api-overview.asciidoc b/docs/advanced-entity-analytics/api/asset-criticality-api-overview.asciidoc index 2ec91aae32..22c657b031 100644 --- a/docs/advanced-entity-analytics/api/asset-criticality-api-overview.asciidoc +++ b/docs/advanced-entity-analytics/api/asset-criticality-api-overview.asciidoc @@ -1,5 +1,5 @@ [[asset-criticality-api-overview]] [role="xpack"] -== Asset Criticality API +== Asset criticality API -You can manage Asset Criticality records through the API. The asset criticality advanced feature must be enabled first. \ No newline at end of file +You can manage <> records through the API. To use this API, you must first turn on the `securitySolution:enableAssetCriticality` <>. \ No newline at end of file diff --git a/docs/advanced-entity-analytics/api/asset-criticality-api-upsert.asciidoc b/docs/advanced-entity-analytics/api/asset-criticality-api-upsert.asciidoc index 927f1605f0..17e248da5a 100644 --- a/docs/advanced-entity-analytics/api/asset-criticality-api-upsert.asciidoc 
+++ b/docs/advanced-entity-analytics/api/asset-criticality-api-upsert.asciidoc @@ -1,7 +1,11 @@ [[asset-criticality-api-upsert]] -=== Upsert Asset Criticality Record +=== Upsert (create or update) asset criticality record -Create or update an Asset Criticality Record. +Create or update an asset criticality record. + +If an asset criticality record already exists for the entity specified in the request, this API overwrites that record with the specified value. + +If an asset criticality record doesn't exist for the specified entity, a new record is created. ==== Request URL @@ -9,23 +13,23 @@ Create or update an Asset Criticality Record. ==== Request body -A JSON object defining the Asset Criticality Record. +A JSON object defining the asset criticality record. [width="100%",options="header"] |============================================== |Name |Type |Description |Required -|`id_field` |String |Which field contains the entity ID, must be either `user.name` or `host.name`. +|`id_field` |String |The field that contains the entity ID. This must be either `user.name` or `host.name`. |Yes -|`id_value` |String |The ID of the entity contained in the specified ID field. +|`id_value` |String |The ID (host name or user name) of the entity specified in the `id_field` field. |Yes -|`criticality_level` |String |The assigned criticality level, must be one of: +|`criticality_level` |String a|The asset criticality level to assign, which must be one of the following: * `low_impact` * `medium_impact` * `high_impact` * `extreme_impact` -For example, you can assign Extreme impact to business-critical entities, or Low impact to entities that pose minimal risk to your security posture. +For example, you can assign `extreme_impact` to business-critical entities, or `low_impact` to entities that pose minimal risk to your security posture. |Yes |============================================== 
@@ -39,7 +43,6 @@ POST /api/asset_criticality "id_value": "my_host", "criticality_level": "high_impact" } - -------------------------------------------------- ==== Response code @@ -52,9 +55,9 @@ POST /api/asset_criticality [source,json] -------------------------------------------------- { - "@timestamp": "2024-08-02T11:15:34.290Z" - "id_field": "host.name", - "id_value": "my_host", - "criticality_level": "high_impact", + "id_field": "host.name", + "id_value": "my_host", + "criticality_level": "high_impact", + "@timestamp": "2024-08-02T11:15:34.290Z" } -------------------------------------------------- \ No newline at end of file diff --git a/docs/advanced-entity-analytics/asset-criticality.asciidoc b/docs/advanced-entity-analytics/asset-criticality.asciidoc index 40f52656e7..111b0d5561 100644 --- a/docs/advanced-entity-analytics/asset-criticality.asciidoc +++ b/docs/advanced-entity-analytics/asset-criticality.asciidoc @@ -26,7 +26,7 @@ For example, you can assign **Extreme impact** to business-critical entities, or [discrete] == View and assign asset criticality -Entities do not have a default asset criticality level. You can either assign asset criticality to your entities individually, or <> it to multiple entities by importing a text file. +Entities do not have a default asset criticality level. You can either assign asset criticality to your entities individually, or <> it to multiple entities by importing a text file. Alternatively, you can assign and manage asset criticality records through the <>. When you assign, change, or unassign an individual entity's asset criticality level, that entity's risk score is immediately recalculated. diff --git a/docs/siem-apis.asciidoc b/docs/siem-apis.asciidoc index 0863ace6e2..e1fbaefd9c 100644 --- a/docs/siem-apis.asciidoc +++ b/docs/siem-apis.asciidoc 
@@ -13,6 +13,7 @@ NOTE: Console supports sending requests to {kib} APIs. Prepend any {kib} API end * <>: Create source event value lists for use with rule exceptions * <>: Import and export timelines * <>: Open and manage cases +* <>: Create and manage asset criticality records Additionally, the {kib} <> is partially documented to enable opening and updating cases in external ticketing systems. From 4f8e94040abb3095011d684764348fa3b1aaf705 Mon Sep 17 00:00:00 2001 From: Mark Hopkin Date: Wed, 7 Aug 2024 16:46:15 +0100 Subject: [PATCH 5/7] change list API to GET --- .../api/asset-criticality-api-list.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/advanced-entity-analytics/api/asset-criticality-api-list.asciidoc b/docs/advanced-entity-analytics/api/asset-criticality-api-list.asciidoc index 3189612f11..b27433b6dc 100644 --- a/docs/advanced-entity-analytics/api/asset-criticality-api-list.asciidoc +++ b/docs/advanced-entity-analytics/api/asset-criticality-api-list.asciidoc @@ -7,7 +7,7 @@ Use the query parameters to filter and sort the results as needed. By default, t ==== Request URL -`POST :/api/asset_criticality/list` +`GET :/api/asset_criticality/list` ==== URL query parameters From c9e75270135da393fa99465299c15bb20db0df5a Mon Sep 17 00:00:00 2001 From: natasha-moore-elastic <137783811+natasha-moore-elastic@users.noreply.github.com> Date: Thu, 8 Aug 2024 09:55:24 +0100 Subject: [PATCH 6/7] Update docs/advanced-entity-analytics/api/asset-criticality-api-list.asciidoc --- .../api/asset-criticality-api-list.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/advanced-entity-analytics/api/asset-criticality-api-list.asciidoc b/docs/advanced-entity-analytics/api/asset-criticality-api-list.asciidoc index b27433b6dc..67dc37f549 100644 --- a/docs/advanced-entity-analytics/api/asset-criticality-api-list.asciidoc +++ b/docs/advanced-entity-analytics/api/asset-criticality-api-list.asciidoc 
@@ -27,7 +27,7 @@ Use the query parameters to filter and sort the results as needed. By default, t |No |`page` |Number | The page number to return, which must be at least 1. Defaults to `1`. |No -|`per_page` |Number |The number of results to return per page., which must be between 1 and 1000. Defaults to `10`. +|`per_page` |Number |The number of results to return per page, which must be between 1 and 1000. Defaults to `10`. |No |`kuery` |String a|A KQL query to filter results by, for example `criticality_level:low_impact OR criticality_level:medium_impact` |No From 14942b3cae8bfb81e645db3d9fb7751dbea8670b Mon Sep 17 00:00:00 2001 From: Mark Hopkin Date: Thu, 8 Aug 2024 11:00:42 +0100 Subject: [PATCH 7/7] Update asset-criticality-api-bulk-upsert.asciidoc --- .../api/asset-criticality-api-bulk-upsert.asciidoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/advanced-entity-analytics/api/asset-criticality-api-bulk-upsert.asciidoc b/docs/advanced-entity-analytics/api/asset-criticality-api-bulk-upsert.asciidoc index ff31befcec..d1d86c9688 100644 --- a/docs/advanced-entity-analytics/api/asset-criticality-api-bulk-upsert.asciidoc +++ b/docs/advanced-entity-analytics/api/asset-criticality-api-bulk-upsert.asciidoc @@ -50,7 +50,7 @@ POST /api/asset_criticality/bulk { "id_field": "host.name", "id_value": "my_other_host", - "criticality_level": "high_impact" + "criticality_level": "low_impact" } ] } @@ -75,4 +75,4 @@ Successful response "total": 2 } } --------------------------------------------------- \ No newline at end of file +--------------------------------------------------