From fb61d48d98a9a55ac95bfb91003e0b25191c00d7 Mon Sep 17 00:00:00 2001 From: Ben Skelker Date: Thu, 27 Feb 2020 12:39:47 +0200 Subject: [PATCH] updates --- docs/en/siem/cases-api-add-comment.asciidoc | 6 +- docs/en/siem/cases-api-create.asciidoc | 4 +- docs/en/siem/cases-api-get-all-cases.asciidoc | 9 +-- .../siem/cases-api-get-case-comments.asciidoc | 64 +++++++------------ docs/en/siem/cases-api-get-case.asciidoc | 54 ++++++---------- docs/en/siem/cases-api-get-comment.asciidoc | 35 ++++------ .../en/siem/cases-api-update-comment.asciidoc | 24 +++---- docs/en/siem/cases-api-update.asciidoc | 2 +- 8 files changed, 81 insertions(+), 117 deletions(-) diff --git a/docs/en/siem/cases-api-add-comment.asciidoc b/docs/en/siem/cases-api-add-comment.asciidoc index bbacea8f42..6c387fa73f 100644 --- a/docs/en/siem/cases-api-add-comment.asciidoc +++ b/docs/en/siem/cases-api-add-comment.asciidoc @@ -44,8 +44,8 @@ POST api/cases/c2ffcea0-57d0-11ea-95da-cb9f4a010e31/comment ==== Response payload -A JSON object that includes the time the comment ID, the time it was created, -the user who created it, and its version. +A JSON object that includes the user who created the comment and the comment's +ID, version, and creation time. ===== Example response @@ -58,7 +58,7 @@ the user who created it, and its version. "created_at": "2020-02-25T15:17:31.057Z", "created_by": { "full_name": "Ms Moneypenny", - "username": "Moneypenny" + "username": "moneypenny" }, "updated_at": "2020-02-25T15:17:31.057Z" } diff --git a/docs/en/siem/cases-api-create.asciidoc b/docs/en/siem/cases-api-create.asciidoc index a0363ca453..ea93c917ba 100644 --- a/docs/en/siem/cases-api-create.asciidoc +++ b/docs/en/siem/cases-api-create.asciidoc @@ -52,8 +52,8 @@ POST api/cases ==== Response payload -A JSON object that includes the time the case ID, the time it was created, the -user who created it, and its version. +A JSON object that includes the user who created the case and the case's ID, +version, and creation time. ===== Example response diff --git a/docs/en/siem/cases-api-get-all-cases.asciidoc b/docs/en/siem/cases-api-get-all-cases.asciidoc index 04854c16e5..9cb939ec9b 100644 --- a/docs/en/siem/cases-api-get-all-cases.asciidoc +++ b/docs/en/siem/cases-api-get-all-cases.asciidoc @@ -28,7 +28,6 @@ All parameters are optional: |`filter` |String a|Filters the returned results according to the value of the specified field, using the `case-workflow.attributes.:` syntax, where `` can be: -* `title` * `state` * `tags` @@ -40,8 +39,8 @@ query. ===== Example request -Retrieves the first five cases with the `phishing` tag, sorted in ascending -order by their last update time. +Retrieves the first five cases with the `phishing` tag, in ascending order by +last update time. [source,sh] -------------------------------------------------- @@ -56,7 +55,9 @@ GET api/cases?page=1&perPage=5&sortField=updatedAt&sortOrder=asc&filter=case-wor ==== Response payload -A JSON object listing all cases: +A JSON object listing all cases. + +===== Response example [source,json] -------------------------------------------------- diff --git a/docs/en/siem/cases-api-get-case-comments.asciidoc b/docs/en/siem/cases-api-get-case-comments.asciidoc index 322269e0bf..436ac2a491 100644 --- a/docs/en/siem/cases-api-get-case-comments.asciidoc +++ b/docs/en/siem/cases-api-get-case-comments.asciidoc @@ -1,7 +1,7 @@ [[cases-api-get-all-case-comments]] === Get all case comments -Returns all comments for the specified case. +Returns a paginated subset of comments for the specified case. ==== Request URL @@ -14,11 +14,11 @@ comments. ===== Example request -Gets all comments for case ID `7125e150-2fb7-11ea-a3be-f96a1b9531f4`: +Gets all comments for case ID `c2ffcea0-57d0-11ea-95da-cb9f4a010e31`: [source,sh] -------------------------------------------------- -GET api/cases/7125e150-2fb7-11ea-a3be-f96a1b9531f4/comments +GET api/cases/c2ffcea0-57d0-11ea-95da-cb9f4a010e31/comments -------------------------------------------------- // KIBANA @@ -29,7 +29,9 @@ GET api/cases/7125e150-2fb7-11ea-a3be-f96a1b9531f4/comments ==== Response payload -A JSON object listing all comments for the specified case: +A JSON object listing comments for the specified case. + +===== Response example [source,json] -------------------------------------------------- @@ -37,48 +39,28 @@ A JSON object listing all comments for the specified case: "page": 1, "per_page": 20, "total": 2, - "saved_objects": [ + "comments": [ { - "type": "case-workflow-comment", - "id": "0aa70f70-2fb8-11ea-a3be-f96a1b9531f4", - "attributes": { - "comment": "Start operation bubblegum immediately! And chew fast!", - "created_at": 1578227808536, - "created_by": { - "full_name": "Classified", - "username": "M" - } + "comment_id": "0a846810-5940-11ea-bad4-61e6383623ca", + "version": "WzE1LDFd", + "comment": "Start operation bubblegum immediately! And chew fast!", + "created_at": "2020-02-27T09:03:37.554Z", + "created_by": { + "full_name": "Classified", + "username": "M" }, - "references": [ - { - "type": "case-workflow", - "name": "associated-case-workflow", - "id": "7125e150-2fb7-11ea-a3be-f96a1b9531f4" - } - ], - "updated_at": "2020-01-05T12:58:54.109Z", - "version": "WzQ0LDFd" + "updated_at": "2020-02-27T09:03:37.554Z" }, { - "type": "case-workflow-comment", - "id": "0b5174b0-2fc2-11ea-a3be-f96a1b9531f4", - "attributes": { - "comment": "Started chewing.", - "created_at": 1578232104629, - "created_by": { - "full_name": "Ms Moneypenny", - "username": "Moneypenny" - } + "comment_id": "f118e4a0-57e1-11ea-95da-cb9f4a010e31", + "version": "WzE3LDFd", + "comment": "That is nothing - Ethan Hunt answered a targeted social media campaign promoting phishy pension schemes to IMF operatives. Even worse, he likes baked beans.", + "created_at": "2020-02-25T15:17:31.057Z", + "created_by": { + "full_name": "Ms Moneypenny", + "username": "moneypenny" }, - "references": [ - { - "type": "case-workflow", - "name": "associated-case-workflow", - "id": "7125e150-2fb7-11ea-a3be-f96a1b9531f4" - } - ], - "updated_at": "2020-01-05T13:48:24.827Z", - "version": "WzQ2LDFd" + "updated_at": "2020-02-27T09:35:21.019Z" } ] } diff --git a/docs/en/siem/cases-api-get-case.asciidoc b/docs/en/siem/cases-api-get-case.asciidoc index 4a21d2a285..bf7be4af06 100644 --- a/docs/en/siem/cases-api-get-case.asciidoc +++ b/docs/en/siem/cases-api-get-case.asciidoc @@ -23,11 +23,11 @@ returned. |No, defaults to `true`. ===== Example request -Returns case ID `7125e150-2fb7-11ea-a3be-f96a1b9531f4` without comments: +Returns case ID `c2ffcea0-57d0-11ea-95da-cb9f4a010e31` without comments: [source,sh] -------------------------------------------------- -GET api/cases/7125e150-2fb7-11ea-a3be-f96a1b9531f4?includeComments=false +GET api/cases/c2ffcea0-57d0-11ea-95da-cb9f4a010e31?includeComments=false -------------------------------------------------- // KIBANA @@ -38,41 +38,29 @@ GET api/cases/7125e150-2fb7-11ea-a3be-f96a1b9531f4?includeComments=false ==== Response payload -A JSON object listing the case: +The requested case JSON object. + +===== Response example [source,json] -------------------------------------------------- { - "id": "7125e150-2fb7-11ea-a3be-f96a1b9531f4", - "type": "case-workflow", - "updated_at": "2020-01-05T13:13:58.167Z", - "version": "WzQ1LDFd", - "attributes": { - "created_at": 1578227551012, - "created_by": { - "full_name": "Ms Moneypenny", - "username": "Moneypenny" - }, - "description": "James Bond clicked on a highly suspicious email banner advertising cheap holidays for underpaid civil servants. Operation bubblegum is active. Repeat - operation bubblegum is now active!", - "title": "Urgent phishing case - signal id #dd4fa2d4bd-804743795894438", - "state": "open", - "tags": [ - "phishing", - "social engineering", - "bubblegum" - ], - "case_type": "security", - "assignees": [ - { - "username": "M", - "full_name": "Classified" - }, - { - "username": "Q", - "full_name": "Quality Gadgets" - } - ] + "case_id": "c2ffcea0-57d0-11ea-95da-cb9f4a010e31", + "version": "WzQsMV0=", + "comments": [], + "created_at": "2020-02-25T13:14:32.264Z", + "created_by": { + "full_name": "Alan Hunley", + "username": "ahunley" }, - "references": [] + "updated_at": "2020-02-26T15:46:48.716Z", + "description": "James Bond clicked on a highly suspicious email banner advertising cheap holidays for underpaid civil servants. Operation bubblegum is active. Repeat - operation bubblegum is now active!", + "title": "This case will self-destruct in 5 seconds", + "state": "open", + "tags": [ + "phishing", + "social engineering", + "bubblegum" + ] } -------------------------------------------------- \ No newline at end of file diff --git a/docs/en/siem/cases-api-get-comment.asciidoc b/docs/en/siem/cases-api-get-comment.asciidoc index 3bebfa64df..e49b373066 100644 --- a/docs/en/siem/cases-api-get-comment.asciidoc +++ b/docs/en/siem/cases-api-get-comment.asciidoc @@ -14,12 +14,11 @@ retrieve all comment IDs, call <>. ===== Example request -Retrieves comment ID `0b5174b0-2fc2-11ea-a3be-f96a1b9531f4`, which is -associated with case ID `7125e150-2fb7-11ea-a3be-f96a1b9531f4`: +Retrieves comment ID `f118e4a0-57e1-11ea-95da-cb9f4a010e31`: [source,sh] -------------------------------------------------- -GET api/cases/comments/0b5174b0-2fc2-11ea-a3be-f96a1b9531f4 +GET api/cases/comments/f118e4a0-57e1-11ea-95da-cb9f4a010e31 -------------------------------------------------- // KIBANA @@ -30,27 +29,21 @@ GET api/cases/comments/0b5174b0-2fc2-11ea-a3be-f96a1b9531f4 ==== Response payload +The requested comment JSON object. + +===== Example response + [source,json] -------------------------------------------------- { - "id": "0b5174b0-2fc2-11ea-a3be-f96a1b9531f4", - "type": "case-workflow-comment", - "updated_at": "2020-01-05T13:48:24.827Z", - "version": "WzQ2LDFd", - "attributes": { - "comment": "Started chewing.", - "created_at": 1578232104629, - "created_by": { - "full_name": "Ms Moneypenny", - "username": "Moneypenny" - } + "comment_id": "f118e4a0-57e1-11ea-95da-cb9f4a010e31", + "version": "WzMsMV0=", + "comment": "That is nothing - Ethan Hunt answered a targeted social media campaign promoting phishy pension schemes to IMF operatives.", + "created_at": "2020-02-25T15:17:31.057Z", + "created_by": { + "full_name": "Ms Moneypenny", + "username": "moneypenny" }, - "references": [ - { - "type": "case-workflow", - "name": "associated-case-workflow", - "id": "7125e150-2fb7-11ea-a3be-f96a1b9531f4" - } - ] + "updated_at": "2020-02-26T14:59:06.749Z" } -------------------------------------------------- \ No newline at end of file diff --git a/docs/en/siem/cases-api-update-comment.asciidoc b/docs/en/siem/cases-api-update-comment.asciidoc index 2a2c9607ce..e3ebc8d79b 100644 --- a/docs/en/siem/cases-api-update-comment.asciidoc +++ b/docs/en/siem/cases-api-update-comment.asciidoc @@ -5,7 +5,7 @@ Updates an existing comment. ==== Request URL -`POST /api/cases/comment/` +`PATCH /api/cases/comment/` ===== URL parts @@ -25,14 +25,15 @@ A JSON object with updated comment: ===== Example request -Updates comment ID `0aa70f70-2fb8-11ea-a3be-f96a1b9531f4`, which is associated -with case ID `7125e150-2fb7-11ea-a3be-f96a1b9531f4`: +Updates comment ID `f118e4a0-57e1-11ea-95da-cb9f4a010e3`: [source,sh] -------------------------------------------------- -POST api/cases/comment/0aa70f70-2fb8-11ea-a3be-f96a1b9531f4 +PATCH api/cases/comment/f118e4a0-57e1-11ea-95da-cb9f4a010e3 { - "comment": "Start operation bubblegum immediately! And chew fast!" + "comment": "That is nothing - Ethan Hunt answered a targeted social media + campaign promoting phishy pension schemes to IMF operatives. Even worse, he + likes baked beans." } -------------------------------------------------- // KIBANA @@ -44,15 +45,14 @@ POST api/cases/comment/0aa70f70-2fb8-11ea-a3be-f96a1b9531f4 ==== Response payload +The updated comment and its timestamp. + +===== Example response + [source,json] -------------------------------------------------- { - "id": "0aa70f70-2fb8-11ea-a3be-f96a1b9531f4", - "type": "case-workflow-comment", - "updated_at": "2020-01-05T12:58:54.109Z", - "version": "WzQ0LDFd", - "attributes": { - "comment": "Start operation bubblegum immediately! And chew fast!" - } + "comment": "That is nothing - Ethan Hunt answered a targeted social media campaign promoting phishy pension schemes to IMF operatives. Even worse, he likes baked beans.", + "updated_at": "2020-02-27T09:33:39.803Z" } -------------------------------------------------- \ No newline at end of file diff --git a/docs/en/siem/cases-api-update.asciidoc b/docs/en/siem/cases-api-update.asciidoc index 373184c02a..9574e9eb67 100644 --- a/docs/en/siem/cases-api-update.asciidoc +++ b/docs/en/siem/cases-api-update.asciidoc @@ -19,7 +19,7 @@ A JSON object containing: |============================================== |Name |Type |Description |Required -|`case` |Object a|Contains the updated field values, which can be: +|`case` |Object a|Contains the updated case field values, which can be: * `title`: The case's title (string). * `description`: The case's description (string).