From 8a933a0d9a29c8b10f28040103b2aedd07bb4d96 Mon Sep 17 00:00:00 2001 From: Kevin Logan Date: Fri, 10 Nov 2023 15:18:14 -0500 Subject: [PATCH 1/5] [EDR Workflows] Correct bugs in Execute action API docs --- docs/management/api/execute-api.asciidoc | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/docs/management/api/execute-api.asciidoc b/docs/management/api/execute-api.asciidoc index 1e8bde57c8..f7003c9ac5 100644 --- a/docs/management/api/execute-api.asciidoc +++ b/docs/management/api/execute-api.asciidoc 
@@ -22,13 +22,14 @@ A JSON object with these fields: |`case_ids` |Array (String) |The IDs of cases where the action taken will be logged. |No |`comment` |String |Attach a comment to this action's log. The comment text will appear in associated cases. |No |`parameters.command` |String |A shell command to run on the host. The command must be supported by `bash` for Linux and macOS hosts, and `cmd.exe` for Windows. |Yes -|`parameters.timeout` |String |How long the host should wait for the command to complete. Use `h` for hours, `m` for minutes, `s` for seconds (for example, `2s` is two seconds). If no timeout is specified, it defaults to four hours. |No +|`parameters.timeout` |Integer |How long the host should wait for the command to complete in seconds. |No |============================================== +NOTE: The execute action will upload a text file containing the results of the execution on the Endpoint, which is rate limited. If you are using the `endpoint_ids` field to task multiple Endpoints, you should batch your calls in groups of `10` at a time. ===== Example requests -Runs the command `ls -al` on a host with an `endpoint_id` value of `ed518850-681a-4d60-bb98-e22640cae2a8` with a timeout of `5m` and comments `Get list of all files`: +Runs the command `ls -al` on a host with an `endpoint_id` value of `ed518850-681a-4d60-bb98-e22640cae2a8` with a timeout of `600` seconds and comments `Get list of all files`: [source,sh] -------------------------------------------------- @@ -37,7 +38,7 @@ POST /api/endpoint/action/execute "endpoint_ids": ["ed518850-681a-4d60-bb98-e22640cae2a8"], "parameters": { "command": "ls -al", - "timeout": "5m" + "timeout": "600" }, "comment": "Get list of all files" } From 64a4b500d503939605e8619ad42ef5887165c0af Mon Sep 17 00:00:00 2001 
From: natasha-moore-elastic <137783811+natasha-moore-elastic@users.noreply.github.com> Date: Tue, 23 Jan 2024 13:46:46 +0000 Subject: [PATCH 2/5] Update docs/management/api/execute-api.asciidoc Co-authored-by: Joe Peeples --- docs/management/api/execute-api.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/management/api/execute-api.asciidoc b/docs/management/api/execute-api.asciidoc index f7003c9ac5..568af9f8d2 100644 --- a/docs/management/api/execute-api.asciidoc +++ b/docs/management/api/execute-api.asciidoc @@ -22,7 +22,7 @@ A JSON object with these fields: |`case_ids` |Array (String) |The IDs of cases where the action taken will be logged. |No |`comment` |String |Attach a comment to this action's log. The comment text will appear in associated cases. |No |`parameters.command` |String |A shell command to run on the host. The command must be supported by `bash` for Linux and macOS hosts, and `cmd.exe` for Windows. |Yes -|`parameters.timeout` |Integer |How long the host should wait for the command to complete in seconds. |No +|`parameters.timeout` |Integer |The duration, in seconds, that the host waits for the command to complete. |No |============================================== NOTE: The execute action will upload a text file containing the results of the execution on the Endpoint, which is rate limited. If you are using the `endpoint_ids` field to task multiple Endpoints, you should batch your calls in groups of `10` at a time. From 60b730182eae7f00a40db58af4940cba65bc7c75 Mon Sep 17 00:00:00 2001 From: natasha-moore-elastic <137783811+natasha-moore-elastic@users.noreply.github.com> Date: Tue, 23 Jan 2024 13:46:57 +0000 Subject: [PATCH 3/5] Update docs/management/api/execute-api.asciidoc --- docs/management/api/execute-api.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/management/api/execute-api.asciidoc b/docs/management/api/execute-api.asciidoc index 568af9f8d2..2fb27950a8 100644 
--- a/docs/management/api/execute-api.asciidoc +++ b/docs/management/api/execute-api.asciidoc @@ -25,7 +25,7 @@ A JSON object with these fields: |`parameters.timeout` |Integer |The duration, in seconds, that the host waits for the command to complete. |No |============================================== -NOTE: The execute action will upload a text file containing the results of the execution on the Endpoint, which is rate limited. If you are using the `endpoint_ids` field to task multiple Endpoints, you should batch your calls in groups of `10` at a time. +NOTE: The `execute` action uploads a text file containing the results of the execution on the endpoint, which is rate-limited. If you are using the `endpoint_ids` field to task multiple endpoints, you should batch your calls in groups of 10 at a time. ===== Example requests From e6f09566899eb2d72677e7437be7acbce5280187 Mon Sep 17 00:00:00 2001 From: natasha-moore-elastic <137783811+natasha-moore-elastic@users.noreply.github.com> Date: Tue, 23 Jan 2024 13:47:07 +0000 Subject: [PATCH 4/5] Update docs/management/api/execute-api.asciidoc --- docs/management/api/execute-api.asciidoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/management/api/execute-api.asciidoc b/docs/management/api/execute-api.asciidoc index 2fb27950a8..8c599d7c15 100644 --- a/docs/management/api/execute-api.asciidoc +++ b/docs/management/api/execute-api.asciidoc @@ -38,7 +38,7 @@ POST /api/endpoint/action/execute "endpoint_ids": ["ed518850-681a-4d60-bb98-e22640cae2a8"], "parameters": { "command": "ls -al", - "timeout": "600" + "timeout": 600 }, "comment": "Get list of all files" } From 72365c284ce99afa59a234e1fd4c5760db1af65a Mon Sep 17 00:00:00 2001 From: natasha-moore-elastic Date: Tue, 23 Jan 2024 13:51:07 +0000 Subject: [PATCH 5/5] Applies review feedback --- docs/management/api/execute-api.asciidoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) 
diff --git a/docs/management/api/execute-api.asciidoc b/docs/management/api/execute-api.asciidoc index 8c599d7c15..f762e8c4da 100644 --- a/docs/management/api/execute-api.asciidoc +++ b/docs/management/api/execute-api.asciidoc @@ -22,7 +22,7 @@ A JSON object with these fields: |`case_ids` |Array (String) |The IDs of cases where the action taken will be logged. |No |`comment` |String |Attach a comment to this action's log. The comment text will appear in associated cases. |No |`parameters.command` |String |A shell command to run on the host. The command must be supported by `bash` for Linux and macOS hosts, and `cmd.exe` for Windows. |Yes -|`parameters.timeout` |Integer |The duration, in seconds, that the host waits for the command to complete. |No +|`parameters.timeout` |Integer |The duration, in seconds, that the host waits for the command to complete. If no timeout is specified, it defaults to four hours. |No |============================================== NOTE: The `execute` action uploads a text file containing the results of the execution on the endpoint, which is rate-limited. If you are using the `endpoint_ids` field to task multiple endpoints, you should batch your calls in groups of 10 at a time. @@ -89,7 +89,7 @@ A JSON object with the details of the response action created. "comment": "Get list of all files", "parameters": { "command": "ls -al", - "timeout": 300 + "timeout": 600 } } }
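Review bot: in PATCH 1/5, hunk `@@ -22,13 +22,14 @@`, the rewritten `parameters.timeout` row drops the default that the removed line documented ("If no timeout is specified, it defaults to four hours"); unless the default changed along with the type, keep that sentence so readers know how long an un-timed command can keep running on the host, e.g. `|The duration, in seconds, that the host waits for the command to complete. If no timeout is specified, it defaults to four hours. |No`.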
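Review bot: in PATCH 1/5, hunk `@@ -37,7 +38,7 @@`, the example request still sends `"timeout": "600"` as a JSON string, which contradicts the table row in the same patch that changes the field's type to Integer; change the example to `"timeout": 600` so the documented type and the copy-pasteable request agree.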
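Review bot: in PATCH 3/5, hunk `@@ -25,7 +25,7 @@`, the reworded NOTE still leaves "which is rate-limited" attached to "the endpoint" rather than to the upload, and it does not say what happens when the limit is hit; state explicitly that the result-file upload is rate-limited and whether exceeding the suggested batch of 10 makes the call fail or only delays results, so operators tasking many endpoints know which outcome to expect.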
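Review bot: in PATCH 5/5, hunk `@@ -22,7 +22,7 @@`, the restored default is given in hours while the same row documents the field as an integer number of seconds; express the default in the field's own unit, e.g. "If no timeout is specified, it defaults to 14400 seconds (four hours)", so a reader can compare it directly with the value they pass.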
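Review bot: in PATCH 5/5, hunk `@@ -89,7 +89,7 @@`, the response example now echoes `"timeout": 600` to match the request example; since the request and response examples are edited in separate patches across this series (PATCH 1/5 and 4/5 for the request, this one for the response), consider keeping the two examples in the same commit in future so they cannot drift apart again, as they had with `300` versus `600`.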