Merge branch 'main' into adding-token-filter-docs-common_gram

.github/workflows/pr_checklist.yml

@@ -32,7 +32,7 @@ jobs:
             const prOwners = ['Naarcha-AWS', 'kolchfa-aws', 'vagimeli', 'natebower'];
             
             if (!prOwners.includes(assignee)) {
-              assignee = 'hdhalter'
+              assignee = 'kolchfa-aws'
             }
 
             github.rest.issues.addAssignees({

_analyzers/token-filters/apostrophe.md

@@ -2,7 +2,7 @@
 layout: default
 title: Apostrophe
 parent: Token filters
-nav_order: 110
+nav_order: 10
 ---
 
 # Apostrophe token filter
@@ -22,7 +22,7 @@ PUT /custom_text_index
       "analyzer": {
         "custom_analyzer": {
           "type": "custom",
-          "tokenizer": "standard", // splits text into words
+          "tokenizer": "standard"
           "filter": [
             "lowercase",
             "apostrophe"

_ml-commons-plugin/agents-tools/index.md

@@ -130,7 +130,7 @@ POST /_plugins/_ml/agents/_register
     {
       "type": "VectorDBTool",
       "name": "VectorDBTool",
-      "description": "A tool to search opensearch index with natural language quesiotn. If you don't know answer for some question, you should always try to search data with this tool. Action Input: <natrual language question>",
+      "description": "A tool to search opensearch index with natural language question. If you don't know answer for some question, you should always try to search data with this tool. Action Input: <natrual language question>",
       "parameters": {
         "model_id": "YOUR_TEXT_EMBEDDING_MODEL_ID",
         "index": "my_test_data",
@@ -157,4 +157,4 @@ It is important to provide thorough descriptions of the tools so that the LLM ca
 - For a list of supported tools, see [Tools]({{site.url}}{{site.baseurl}}/ml-commons-plugin/agents-tools/tools/index/).
 - For a step-by-step tutorial, see [Agents and tools tutorial]({{site.url}}{{site.baseurl}}/ml-commons-plugin/agents-tools/agents-tools-tutorial/).
 - For supported APIs, see [Agent APIs]({{site.url}}{{site.baseurl}}/ml-commons-plugin/api/agent-apis/).
-- To use agents and tools in configuration automation, see [Automating configurations]({{site.url}}{{site.baseurl}}/automating-configurations/index/).
+- To use agents and tools in configuration automation, see [Automating configurations]({{site.url}}{{site.baseurl}}/automating-configurations/index/).

_ml-commons-plugin/api/agent-apis/register-agent.md

@@ -161,7 +161,7 @@ POST /_plugins/_ml/agents/_register
     {
       "type": "VectorDBTool",
       "name": "VectorDBTool",
-      "description": "A tool to search opensearch index with natural language quesiotn. If you don't know answer for some question, you should always try to search data with this tool. Action Input: <natrual language question>",
+      "description": "A tool to search opensearch index with natural language question. If you don't know answer for some question, you should always try to search data with this tool. Action Input: <natrual language question>",
       "parameters": {
         "model_id": "<embedding_model_id>",
         "index": "<your_knn_index>",
@@ -190,4 +190,4 @@ OpenSearch responds with an agent ID that you can use to refer to the agent:
 {
   "agent_id": "bpV_Zo0BRhAwb9PZqGja"
 }
-```
+```

_security-analytics/threat-intelligence/api/findings.md

@@ -0,0 +1,267 @@
+---
+layout: default
+title: Alerts and Findings API
+parent: Threat intelligence APIs
+grand_parent: Threat intelligence
+nav_order: 50
+---
+
+
+# Alerts and Findings API
+
+The threat intelligence Alerts and Findings API retrieves information about alerts and findings from threat intelligence feeds.
+
+
+---
+
+## Get threat intelligence alerts
+
+Retrieves any alerts related to threat intelligence monitors.
+
+### Path and HTTP methods
+
+```json
+GET /_plugins/_security_analytics/threat_intel/alerts
+```
+{% include copy-curl.html %}
+
+
+### Path parameters
+
+You can specify the following parameters when requesting an alert.
+
+Parameter | Description 
+:--- | :---- 
+`severityLevel` | Filter alerts by severity level. Optional.        
+`alertState`    | Used to filter by alert state. Possible values are `ACTIVE`, `ACKNOWLEDGED`, `COMPLETED`, `ERROR`, or `DELETED`. Optional. 
+`sortString`    | The string Security Analytics uses to sort the alerts. Optional.                          
+`sortOrder`     | The order used to sort the list of alerts. Possible values are `asc` or `desc`. Optional.                        
+`missing`       | A list of fields for which no alias mappings were found. Optional.                                          
+`size`          | An optional maximum number of results to be returned in the response. Optional.                          
+`startIndex`    | The pagination indicator. Optional.  
+`searchString`  | The alert attribute you want returned in the search. Optional. 
+
+### Example request
+
+```json
+GET /_plugins/_security_analytics/threat_intel/alerts
+```
+{% include copy-curl.html %}
+
+### Example response
+
+```json
+{
+    "alerts": [{
+      "id": "906669ee-56e8-4f40-a12f-ab4c274d7521",
+      "version": 1,
+      "schema_version": 0,
+      "seq_no": 0,
+      "primary_term": 1,
+      "trigger_id": "regwarg",
+      "trigger_name": "regwarg",
+      "state": "ACTIVE",
+      "error_message": null,
+      "ioc_value": "example-has00001",
+      "ioc_type": "hashes",
+      "severity": "high",
+      "finding_ids": [
+        "a9c10094-6139-42b3-81a8-867dffbe381d"
+      ],
+      "acknowledged_time": 1722038395105,
+      "last_updated_time": null,
+      "start_time": 1722038395105,
+      "end_time": null
+    }],
+    "total_alerts": 1
+}
+```
+
+### Response fields
+
+A threat intelligence alert can have one of the following states.
+
+| State  | Description  |
+| :---- | :--- |
+| `ACTIVE`   | The alert is ongoing and unacknowledged. Alerts remain in this state until they are acknowledged, the trigger associated with the alert is deleted, or the threat intelligence monitor is deleted entirely. |
+| `ACKNOWLEDGED` | The alert is acknowledged, but the root cause of the alert has not been addressed.  |
+| `COMPLETED` | The alert is no longer ongoing. Alerts enter this state after the corresponding trigger evaluates to `false`.   |
+| `DELETED` | The monitor or trigger for the alert was deleted while the alert was active.  |
+
+---
+
+## Update Alerts Status API 
+
+Updates the status of the specified alerts to `ACKNOWLEDGED` or `COMPLETED`. Only alerts in the `ACTIVE` state can be updated. 
+
+### Path and HTTP methods
+
+```json
+PUT /plugins/security_analytics/threat_intel/alerts/status
+```
+
+### Example requests
+
+The following example updates the status of the specified alerts to `ACKNOWLEDGED`:
+
+```json
+PUT /plugins/security_analytics/threat_intel/alerts/status?state=ACKNOWLEDGED&alert_ids=<alert-id>,<alert-id>
+```
+
+The following example updates the status of the specified alerts to `COMPLETED`:
+
+```json
+PUT /plugins/security_analytics/threat_intel/alerts/status?state=COMPLETED&alert_ids=alert_ids=<alert-id>,<alert-id>
+```
+
+### Example response
+
+```json
+{
+  "updated_alerts": [
+    {
+      "id": "906669ee-56e8-4f40-a12f-ab4c274d7521",
+      "version": 1,
+      "schema_version": 0,
+      "seq_no": 2,
+      "primary_term": 1,
+      "trigger_id": "regwarg",
+      "trigger_name": "regwarg",
+      "state": "ACKNOWLEDGED",
+      "error_message": null,
+      "ioc_value": "example-has00001",
+      "ioc_type": "hashes",
+      "severity": "high",
+      "finding_ids": [
+        "a9c10094-6139-42b3-81a8-867dffbe381d"
+      ],
+      "acknowledged_time": 1722039091209,
+      "last_updated_time": 1722039091209,
+      "start_time": 1722038395105,
+      "end_time": null
+    },
+    {
+      "id": "56e8-4f40-a12f-ab4c274d7521-906669ee",
+      "version": 1,
+      "schema_version": 0,
+      "seq_no": 2,
+      "primary_term": 1,
+      "trigger_id": "regwarg",
+      "trigger_name": "regwarg",
+      "state": "ACKNOWLEDGED",
+      "error_message": null,
+      "ioc_value": "example-has00001",
+      "ioc_type": "hashes",
+      "severity": "high",
+      "finding_ids": [
+        "a9c10094-6139-42b3-81a8-867dffbe381d"
+      ],
+      "acknowledged_time": 1722039091209,
+      "last_updated_time": 1722039091209,
+      "start_time": 1722038395105,
+      "end_time": null
+    }
+  ],
+  "failure_messages": []
+}
+```
+
+
+
+---
+
+## Get findings
+
+Returns threat intelligence indicator of compromise (IOC) findings. When the threat intelligence monitor finds a malicious IOC during a data scan, a finding is automatically generated.
+
+### Path and HTTP methods
+
+```json
+GET /_plugins/_security_analytics/threat_intel/findings/
+```
+
+### Path parameters 
+
+| Parameter      | Description                                                                                 |
+|:---------------|:--------------------------------------------------------------------------------------------|
+| `sortString`   | Specifies which string Security Analytics uses to sort the alerts. Optional.     |
+| `sortOrder`    | The order used to sort the list of findings. Possible values are `asc` or `desc`. Optional. |
+| `missing`      | A list of fields for which there were no alias mappings found. Optional.                     |
+| `size`         | The maximum number of results to be returned in the response. Optional.     |
+| `startIndex`   | The pagination indicator. Optional.                                                         |
+| `searchString` | The alert attribute you want returned in the search. Optional.                              |
+
+### Example request
+
+```json
+GET /_plugins/_security_analytics/threat_intel/findings/_search?size=3
+```
+
+```json
+{
+  "total_findings": 10,
+  "ioc_findings": [
+    {
+      "id": "a9c10094-6139-42b3-81a8-867dffbe381d",
+      "related_doc_ids": [
+        "Ccp88ZAB1vBjq44wmTEu:windows"
+      ],
+      "ioc_feed_ids": [
+        {
+          "ioc_id": "2",
+          "feed_id": "Bsp88ZAB1vBjq44wiDGo",
+          "feed_name": "my_custom_feed",
+          "index": ""
+        }
+      ],
+      "monitor_id": "B8p88ZAB1vBjq44wkjEy",
+      "monitor_name": "Threat intelligence monitor",
+      "ioc_value": "example-has00001",
+      "ioc_type": "hashes",
+      "timestamp": 1722038394501,
+      "execution_id": "01cae635-93dc-4f07-9e39-31076b9535d1"
+    },
+    {
+      "id": "8d87aee0-aaa4-4c12-b4e2-b4b1f4ec80f9",
+      "related_doc_ids": [
+        "GsqI8ZAB1vBjq44wXTHa:windows"
+      ],
+      "ioc_feed_ids": [
+        {
+          "ioc_id": "2",
+          "feed_id": "Bsp88ZAB1vBjq44wiDGo",
+          "feed_name": "my_custom_feed",
+          "index": ""
+        }
+      ],
+      "monitor_id": "B8p88ZAB1vBjq44wkjEy",
+      "monitor_name": "Threat intelligence monitor",
+      "ioc_value": "example-has00001",
+      "ioc_type": "hashes",
+      "timestamp": 1722039165824,
+      "execution_id": "54899e32-aeeb-401e-a031-b1728772f0aa"
+    },
+    {
+      "id": "2419f624-ba1a-4873-978c-760183b449b7",
+      "related_doc_ids": [
+        "H8qI8ZAB1vBjq44woDHU:windows"
+      ],
+      "ioc_feed_ids": [
+        {
+          "ioc_id": "2",
+          "feed_id": "Bsp88ZAB1vBjq44wiDGo",
+          "feed_name": "my_custom_feed",
+          "index": ""
+        }
+      ],
+      "monitor_id": "B8p88ZAB1vBjq44wkjEy",
+      "monitor_name": "Threat intelligence monitor",
+      "ioc_value": "example-has00001",
+      "ioc_type": "hashes",
+      "timestamp": 1722039182616,
+      "execution_id": "32ad2544-4b8b-4c9b-b2b4-2ba6d31ece12"
+    }
+  ]
+}
+
+```