[Security Solution] Determine Security Solution APIs OpenAPI migration status

[maximpn]

Epic: https://github.com/elastic/security-team/issues/9400

Summary

Research Security Solution APIs from the OpenAPI perspective. What APIs there are in Security Solution, which of them are available in Serverless, which of them have been fully or partially migrated to OpenAPI, and what's the status of this migration.

Details

As a preliminary effort for Serverless Security Solution API documentation purpose we need to know what Security Solution public APIs exist and wether relevant OpenAPI specification are present. Security Solution here means Security Solution domain rather than security_solution plugin.

This research should answer the following questions

• What public APIs Security Solution exposes?
• What plugin these APIs are defined in?
• What teams own these API?
• Do they have OpenAPI specifications for the APIs?
• Are the OpenAPI specifications up to date?
• Is code generation used to validate input and output route data?

[elasticmachine]

Pinging @elastic/security-solution (Team: SecuritySolution)

[maximpn]

Detections public API

Method	URL Path	OAS path (within /security_solution/common/api/detection_engine/)	Plugin	Team
GET	/api/detection_engine/rules/prepackaged/_status	prebuilt_rules/get_prebuilt_rules_and_timelines_status/get_prebuilt_rules_and_timelines_status_route.schema.yaml	security_solution	Rule Management
PUT	/api/detection_engine/rules/prepackaged	prebuilt_rules/install_prebuilt_rules_and_timelines/install_prebuilt_rules_and_timelines_route.schema.yaml	security_solution	Rule Management
POST	/api/detection_engine/rules/{id}/exceptions	❌	security_solution	Detection Engine
POST	/api/detection_engine/rules	rule_management/crud/create_rule/create_rule_route.schema.yaml	security_solution	Rule Management
GET	/api/detection_engine/rules	rule_management/crud/read_rule/read_rule_route.schema.yaml	security_solution	Rule Management
PUT	/api/detection_engine/rules	rule_management/crud/update_rule/update_rule_route.schema.yaml	security_solution	Rule Management
PATCH	/api/detection_engine/rules	rule_management/crud/patch_rule/patch_rule_route.schema.yaml	security_solution	Rule Management
DELETE	/api/detection_engine/rules	rule_management/crud/delete_rule/delete_rule_route.schema.yaml	security_solution	Rule Management
POST	/api/detection_engine/rules/_bulk_create	rule_management/bulk_crud/bulk_create_rules/bulk_create_rules_route.schema.yaml	security_solution	Rule Management
PUT	/api/detection_engine/rules/_bulk_update	rule_management/bulk_crud/bulk_update_rules/bulk_update_rules_route.schema.yaml	security_solution	Rule Management
PATCH	/api/detection_engine/rules/_bulk_update	rule_management/bulk_crud/bulk_patch_rules/bulk_patch_rules_route.schema.yaml	security_solution	Rule Management
DELETE	/api/detection_engine/rules/_bulk_delete	rule_management/bulk_crud/bulk_delete_rules/bulk_delete_rules_route.schema.yaml	security_solution	Rule Management
POST	/api/detection_engine/rules/_bulk_delete	❌	security_solution	Rule Management
POST	/api/detection_engine/rules/_bulk_action	rule_management/bulk_actions/bulk_actions_route.schema.yaml	security_solution	Rule Management
POST	/api/detection_engine/rules/_export	rule_management/export_rules/export_rules_route.schema.yaml	security_solution	Rule Management
POST	/api/detection_engine/rules/_import	rule_management/import_rules/import_rules_route.schema.yaml	security_solution	Rule Management
GET	/api/detection_engine/rules/_find	rule_management/find_rules/find_rules_route.schema.yaml	security_solution	Rule Management
GET	/api/detection_engine/tags	rule_management/read_tags/read_tags_route.schema.yaml	security_solution	Rule Management
POST	/api/detection_engine/rules/preview	❌	security_solution	Rule Management
POST	/api/detection_engine/signals/status	❌	security_solution	Detection Engine
POST	/api/detection_engine/signals/tags	❌	security_solution	Detection Engine
POST	/api/detection_engine/signals/search	❌	security_solution	Detection Engine
POST	/api/detection_engine/signals/assignees	alert_assignees/set_alert_assignees_route.schema.yaml	security_solution	Detection Engine
GET	/api/detection_engine/signals/migration_status	❌	security_solution	Detection Engine
POST	/api/detection_engine/signals/migration	❌	security_solution	Detection Engine
POST	/api/detection_engine/signals/finalize_migration	❌	security_solution	Detection Engine
DELETE	/api/detection_engine/signals/migration	❌	security_solution	Detection Engine
POST	/api/detection_engine/index	❌	security_solution	Detection Engine
GET	/api/detection_engine/index	❌	security_solution	Detection Engine
DELETE	/api/detection_engine/index	❌	security_solution	Detection Engine
GET	/api/detection_engine/privileges	❌	security_solution	Detection Engine

❌ in OAS path column means missing OAS for the specified API endpoint.

[maximpn]

Timeline public API

Method	Path	OAS Path (within /security_solution/common/api/timeline/)	Plugin	Team
POST	/api/timeline	create_timelines/create_timelines_route_schema.yaml	security_solution	Threat Hunting Investigations
PATCH	/api/timeline	patch_timelines/patch_timeline_route_schema.yaml	security_solution	Threat Hunting Investigations
POST	/api/timeline/_import	import_timelines/import_timelines_route_schema.yaml	security_solution	Threat Hunting Investigations
POST	/api/timeline/_export	export_timelines/export_timelines_route_schema.yaml	security_solution	Threat Hunting Investigations
GET	/api/timeline/_draft	get_draft_timelines/get_draft_timelines_route_schema.yaml	security_solution	Threat Hunting Investigations
GET	/api/timeline	get_timeline/get_timeline_route_schema.yaml	security_solution	Threat Hunting Investigations
GET	/api/timeline/resolve	❌	security_solution	Threat Hunting Investigations
GET	/api/timelines	get_timelines/get_timelines_route_schema.yaml	security_solution	Threat Hunting Investigations
POST	/api/timeline/_draft	clean_draft_timelines/clean_draft_timelines_route_schema.yaml	security_solution	Threat Hunting Investigations
DELETE	/api/timeline	delete_timelines/delete_timelines_route_schema.yaml	security_solution	Threat Hunting Investigations
PATCH	/api/timeline/_favorite	persist_favorite/persist_favorite_route_schema.yaml	security_solution	Threat Hunting Investigations
POST	/api/timeline/_prepackaged	install_prepackaged_timelines/install_prepackaged_timelines_route_schema.yaml	security_solution	Threat Hunting Investigations
PATCH	/api/note	persist_note/persist_note_route_schema.yaml	security_solution	Threat Hunting Investigations
DELETE	/api/note	delete_note/delete_note_route_schema.yaml	security_solution	Threat Hunting Investigations
PATCH	/api/pinned_event	pinned_events/pinned_events_route_schema.yaml	security_solution	Threat Hunting Investigations

[maximpn]

Endpoint management public API

Method	Path	OAS Path (within security_solution/common/api/endpoint/)	Plugin	Team
GET	/api/endpoint/metadata	metadata/metadata.schema.yaml	security_solution	Defend Workflows
GET	/api/endpoint/metadata/{id}	metadata/metadata.schema.yaml	security_solution	Defend Workflows
GET	/api/endpoint/metadata/transforms	metadata/metadata.schema.yaml	security_solution	Defend Workflows
POST	/api/endpoint/suggestions/{suggestion_type}	suggestions/get_suggestions.schema.yaml	security_solution	Defend Workflows
GET	/api/endpoint/policy_response	policy/policy.schema.yaml	security_solution	Defend Workflows
GET	/api/endpoint/policy/summaries	policy/policy.schema.yaml	security_solution	Defend Workflows
GET	/api/endpoint/action_status	actions/actions_status.schema.yaml	security_solution	Defend Workflows
GET	/api/endpoint/action/state	actions/actions.schema.yaml	security_solution	Defend Workflows
GET	/api/endpoint/action_log/{agent_id}	actions/audit_log.schema.yaml	security_solution	Defend Workflows
GET	/api/endpoint/action	actions/list.schema.yaml	security_solution	Defend Workflows
GET	/api/endpoint/action/{action_id}	actions/details.schema.yaml	security_solution	Defend Workflows
POST	/api/endpoint/isolate	❌	security_solution	Defend Workflows
POST	/api/endpoint/unisolate	❌	security_solution	Defend Workflows
POST	/api/endpoint/action/isolate	actions/actions.schema.yaml	security_solution	Defend Workflows
POST	/api/endpoint/action/unisolate	actions/actions.schema.yaml	security_solution	Defend Workflows
POST	/api/endpoint/action/kill_process	actions/actions.schema.yaml	security_solution	Defend Workflows
POST	/api/endpoint/action/suspend_process	actions/actions.schema.yaml	security_solution	Defend Workflows
POST	/api/endpoint/action/running_procs	actions/actions.schema.yaml	security_solution	Defend Workflows
POST	/api/endpoint/action/get_file	actions/get_file.schema.yaml	security_solution	Defend Workflows
POST	/api/endpoint/action/execute	actions/execute.schema.yaml	security_solution	Defend Workflows
POST	/api/endpoint/action/upload	actions/file_upload.schema.yaml	security_solution	Defend Workflows
GET	/api/endpoint/action/{action_id}/file/{file_id}/download	actions/file_download.schema.yaml	security_solution	Defend Workflows
GET	/api/endpoint/action/{action_id}/file/{file_id}	actions/file_info.schema.yaml	security_solution	Defend Workflows
POST	/api/endpoint/protection_updates_note/{package_policy_id}	❌	security_solution	Defend Workflows
GET	/api/endpoint/protection_updates_note/{package_policy_id}	❌	security_solution	Defend Workflows

[maximpn]

Lists public API

Method	Path	OAS Path	Plugin	teams
POST	/api/lists	❌	lists	Detection Engine
GET	/api/lists	❌	lists	Detection Engine
PUT	/api/lists	❌	lists	Detection Engine
DELETE	/api/lists	❌	lists	Detection Engine
PATCH	/api/lists	❌	lists	Detection Engine
GET	/api/lists/_find	❌	lists	Detection Engine
GET	/api/lists/privileges	❌	lists	Detection Engine
POST	/api/lists/items	❌	lists	Detection Engine
GET	/api/lists/items	❌	lists	Detection Engine
PUT	/api/lists/items	❌	lists	Detection Engine
DELETE	/api/lists/items	❌	lists	Detection Engine
PATCH	/api/lists/items	❌	lists	Detection Engine
POST	/api/lists/items/_export	❌	lists	Detection Engine
POST	/api/lists/items/_import	❌	lists	Detection Engine
GET	/api/lists/items/_find	❌	lists	Detection Engine
POST	/api/lists/index	❌	lists	Detection Engine
GET	/api/lists/index	❌	lists	Detection Engine
DELETE	/api/lists/index	❌	lists	Detection Engine

Exceptions public API

Method	Path	OAS Path	Plugin	teams
POST	/api/exceptions/shared	❌	security_solution	Detection Engine
POST	/api/exception_lists/_export	❌	lists	Detection Engine
POST	/api/exception_lists/_import	❌	lists	Detection Engine
POST	/api/exception_lists	❌	lists	Detection Engine
GET	/api/exception_lists	❌	lists	Detection Engine
PUT	/api/exception_lists	❌	lists	Detection Engine
DELETE	/api/exception_lists	❌	lists	Detection Engine
GET	/api/exception_lists/_find	❌	lists	Detection Engine
POST	/api/exception_lists/_duplicate	❌	lists	Detection Engine
POST	/api/exception_lists/items	❌	lists	Detection Engine
GET	/api/exception_lists/items	❌	lists	Detection Engine
PUT	/api/exception_lists/items	❌	lists	Detection Engine
DELETE	/api/exception_lists/items	❌	lists	Detection Engine
GET	/api/exception_lists/items/_find	❌	lists	Detection Engine
GET	/api/exception_lists/summary	❌	lists	Detection Engine

Endpoint list public API

Method	Path	OAS Path	Plugin	teams
POST	/api/endpoint_list	❌	lists	Detection Engine
POST	/api/endpoint_list/items	❌	lists	Detection Engine
GET	/api/endpoint_list/items	❌	lists	Detection Engine
PUT	/api/endpoint_list/items	❌	lists	Detection Engine
DELETE	/api/endpoint_list/items	❌	lists	Detection Engine
GET	/api/endpoint_list/items/_find	❌	lists	Detection Engine

[maximpn]

Osquery public API

Method	Path	OAS Path (within osquery/common/api/)	Plugin	Team
GET	/api/osquery/live_queries	live_query/live_queries.schema.yaml	osquery	Defend Worflows
POST	/api/osquery/live_queries	live_query/live_queries.schema.yaml	osquery	Defend Worflows
GET	/api/osquery/live_queries/{id}	live_query/live_queries.schema.yaml	osquery	Defend Worflows
GET	/api/osquery/live_queries/{id}/results/{actionId}	live_query/live_queries.schema.yaml	osquery	Defend Worflows
POST	/api/osquery/packs	packs/packs.schema.yaml	osquery	Defend Worflows
DELETE	/api/osquery/packs/{id}	packs/packs.schema.yaml	osquery	Defend Worflows
GET	/api/osquery/packs	packs/packs.schema.yaml	osquery	Defend Worflows
GET	/api/osquery/packs/{id}	packs/packs.schema.yaml	osquery	Defend Worflows
PUT	/api/osquery/packs/{id}	packs/packs.schema.yaml	osquery	Defend Worflows
POST	/api/osquery/saved_queries	saved_query/saved_query.schema.yaml	osquery	Defend Worflows
DELETE	/api/osquery/saved_queries/{id}	saved_query/saved_query.schema.yaml	osquery	Defend Worflows
GET	/api/osquery/saved_queries	saved_query/saved_query.schema.yaml	osquery	Defend Worflows
GET	/api/osquery/saved_queries/{id}	saved_query/saved_query.schema.yaml	osquery	Defend Worflows
PUT	/api/osquery/saved_queries/{id}	saved_query/saved_query.schema.yaml	osquery	Defend Worflows

[maximpn]

AI Assistant public API

Method	Path	OAS Path (within x-pack/packages/kbn-elastic-assistant-common/impl/schemas/)	Plugin	Team
POST	/api/elastic_assistant/anonymization_fields/_bulk_action	anonymization_fields/bulk_crud_anonymization_fields_route.schema.yaml	elastic_assistant	Generative AI
GET	/api/elastic_assistant/anonymization_fields/_find	anonymization_fields/find_anonymization_fields_route.schema.yaml	elastic_assistant	Generative AI
POST	/api/elastic_assistant/prompts/_bulk_action	prompts/bulk_crud_prompts_route.schema.yaml	elastic_assistant	Generative AI
GET	/api/elastic_assistant/prompts/_find	prompts/find_prompts_route.schema.yaml	elastic_assistant	Generative AI
POST	/api/elastic_assistant/current_user/conversations/{id}/messages	❌	elastic_assistant	Generative AI
POST	/api/elastic_assistant/prompts/_bulk_action	prompts/bulk_crud_prompts_route.schema.yaml	elastic_assistant	Generative AI
POST	/api/elastic_assistant/current_user/conversations	❌	elastic_assistant	Generative AI
DELETE	/api/elastic_assistant/current_user/conversations/{id}	❌	elastic_assistant	Generative AI
GET	/api/elastic_assistant/current_user/conversations/_find	❌	elastic_assistant	Generative AI
GET	/api/elastic_assistant/current_user/conversations/{id}	❌	elastic_assistant	Generative AI
PUT	/api/elastic_assistant/current_user/conversations/{id}	❌	elastic_assistant	Generative AI

[maximpn]

Result of the research summarized in the comments above.

More detailed list including internal API endpoints is available in the Security Solution APIs spreadsheet.