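openapi: '3.0.0'
info:
  # NOTE(review): the curl examples in the description pass `-k`, which disables
  # TLS certificate verification. That only makes sense against the default
  # self-signed certificate of a test deployment; with a properly issued
  # certificate drop `-k`, otherwise credentials and the bearer token can be
  # handed to an unverified endpoint.
  description: |
    The Wazuh API is an open source RESTful API that allows for interaction with the Wazuh manager from a web browser, command line tool like cURL or any script or program that can make web requests. The Wazuh WUI relies on this heavily and Wazuh’s goal is to accommodate complete remote management of the Wazuh infrastructure via the Wazuh WUI.

    Use the Wazuh API to easily perform everyday actions like adding an agent, restarting the manager(s) or agent(s) or looking up syscheck details.

    # Authentication

    Wazuh API endpoints require authentication in order to be used. Therefore, all calls must include a JSON Web Token. JWT is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object.

    Perform a call with `basicAuth` to `POST /security/user/authenticate` and obtain a JWT token in order to run any endpoint. JWT tokens have a default duration of 900 seconds. To change this value, you must perform a call with a valid JWT token to `PUT /security/config`. After this change, you will need to get a new JWT token as all previously issued tokens are revoked when any change is performed on security configuration.

    Login with USER and PASSWORD:

    `curl -u <USER>:<PASSWORD> -k -X POST "https://<HOST>:55000/security/user/authenticate"`

    ```json
    {
      "data": {
        "token": "<YOUR_JWT_TOKEN>"
      },
      "error": 0
    }
    ```

    Use the token from previous response to perform any endpoint request:

    `curl -k -X <METHOD> "https://<HOST>:55000/<ENDPOINT>" -H "Authorization: Bearer <YOUR_JWT_TOKEN>"`

    Change the token base duration:

    `curl -k -X PUT "https://<HOST>:55000/security/config" -H "Authorization: Bearer <YOUR_JWT_TOKEN>" -d '{"auth_token_exp_timeout":<TIME_IN_SECONDS>}'`
  version: '4.7.2'
  x-revision: '40711'
  title: 'Wazuh API REST'
  license:
    name: 'GPL 2.0'
    url: 'https://github.com/wazuh/wazuh/blob/v4.7.2/LICENSE'

servers:
  - url: '{protocol}://{host}:{port}'
    variables:
      protocol:
        default: https
        # NOTE(review): `http` is listed as a valid scheme. Basic credentials
        # and bearer tokens travel in cleartext over it; keep `https` as the
        # default and do not expose the API over plain http.
        enum:
          - http
          - https
      host:
        default: localhost
      port:
        # Quoted so YAML loaders keep the port as a string, not an int.
        default: '55000'

# RBAC catalog: the resource types a policy can name and the actions that can
# be granted or denied on them. Each action lists the resource types it
# accepts and one example policy entry (actions / resources / effect).
x-rbac-catalog:
  resources:
    '*:*':
      description: "Resource applied in functions acting on resources that do not yet exist in the system. We call these functions, resourceless functions"
    'agent:group':
      description: "Reference agents via group name (i.e. agent:group:web)"
    'agent:id':
      description: "Reference agents via agent ID (i.e. agent:id:001)"
    'group:id':
      description: "Reference agent groups via group ID (i.e. group:id:default)"
    'node:id':
      description: "Reference cluster nodes via node ID (i.e. node:id:worker1)"
    'decoder:file':
      description: "Reference decoder files via its path (i.e. decoder:file:0005-wazuh_decoders.xml)"
    'list:file':
      description: "Reference list files via its filename (i.e. list:file:audit-keys)"
    'rule:file':
      description: "Reference rule files via its path (i.e. rule:file:0610-win-ms_logs_rules.xml)"
    'policy:id':
      description: "Reference security policies via its id (i.e. policy:id:1)"
    'role:id':
      description: "Reference security roles via its id (i.e. role:id:1)"
    'rule:id':
      description: "Reference security rules via its id (i.e. rule:id:1)"
    'user:id':
      description: "Reference security users via its id (i.e. user:id:1)"

  actions:
    'active-response:command':
      description: "Execute active response commands in the agents"
      resources:
        - $ref: '#/x-rbac-catalog/resources/agent:id'
        - $ref: '#/x-rbac-catalog/resources/agent:group'
      example:
        actions: ['active-response:command']
        resources: ['agent:id:001', 'agent:group:atlantic']
        effect: "allow"
    'agent:create':
      description: "Create new agents"
      resources:
        - $ref: '#/x-rbac-catalog/resources/*:*'
      example:
        actions: ['agent:create']
        resources: ['*:*:*']
        effect: "allow"
    'agent:read':
      description: "Access agents information (id, name, group, last keep alive, etc)"
      resources:
        - $ref: '#/x-rbac-catalog/resources/agent:id'
        - $ref: '#/x-rbac-catalog/resources/agent:group'
      example:
        actions: ['agent:read']
        resources: ['agent:id:*']
        effect: "allow"
    'agent:delete':
      description: "Delete agents"
      resources:
        - $ref: '#/x-rbac-catalog/resources/agent:id'
        - $ref: '#/x-rbac-catalog/resources/agent:group'
      example:
        actions: ['agent:delete']
        resources: ['agent:id:010', 'agent:group:pacific']
        effect: "allow"
    'agent:modify_group':
      description: "Change the group of agents"
      resources:
        - $ref: '#/x-rbac-catalog/resources/agent:id'
        - $ref: '#/x-rbac-catalog/resources/agent:group'
      example:
        actions: ['agent:modify_group']
        resources: ['agent:id:004', 'agent:group:us-east']
        effect: "allow"
    'group:modify_assignments':
      description: "Change the agents assigned to the group"
      resources:
        - $ref: '#/x-rbac-catalog/resources/group:id'
      example:
        actions: ['group:modify_assignments']
        resources: ['group:id:*']
        effect: "allow"
    'agent:upgrade':
      description: "Upgrade the version of the agents"
      resources:
        - $ref: '#/x-rbac-catalog/resources/agent:id'
        - $ref: '#/x-rbac-catalog/resources/agent:group'
      example:
        actions: ['agent:upgrade']
        resources: ['agent:id:001', 'agent:group:mediterranean']
        effect: "allow"
    'agent:reconnect':
      description: "Force reconnect agents"
      resources:
        - $ref: '#/x-rbac-catalog/resources/agent:id'
        - $ref: '#/x-rbac-catalog/resources/agent:group'
      example:
        actions: ['agent:reconnect']
        resources: ['agent:id:050', 'agent:id:049']
        effect: "deny"
    'agent:restart':
      description: "Restart agents"
      resources:
        - $ref: '#/x-rbac-catalog/resources/agent:id'
        - $ref: '#/x-rbac-catalog/resources/agent:group'
      example:
        actions: ['agent:restart']
        resources: ['agent:id:050', 'agent:id:049']
        effect: "deny"
    'group:create':
      description: "Create new agent groups"
      resources:
        - $ref: '#/x-rbac-catalog/resources/*:*'
      example:
        actions: ['group:create']
        resources: ['*:*:*']
        effect: "allow"
    'group:read':
      description: "Access agent groups information (id, name, agents, etc)"
      resources:
        - $ref: '#/x-rbac-catalog/resources/group:id'
      example:
        # The example previously granted 'group:create' under the 'group:read'
        # entry; an operator copying it would hand out a write permission.
        actions: ['group:read']
        resources: ['group:id:*']
        effect: "allow"
    'group:update_config':
      description: "Change the configuration of agent groups"
      resources:
        - $ref: '#/x-rbac-catalog/resources/group:id'
      example:
        actions: ['group:update_config']
        resources: ['group:id:*']
        effect: "deny"
    'group:delete':
      description: "Delete agent groups"
      resources:
        - $ref: '#/x-rbac-catalog/resources/group:id'
      example:
        actions: ['group:delete']
        resources: ['group:id:*']
        effect: "allow"
    'ciscat:read':
      description: "Access CIS-CAT results for agents"
      resources:
        - $ref: '#/x-rbac-catalog/resources/agent:id'
        - $ref: '#/x-rbac-catalog/resources/agent:group'
      example:
        actions: ['ciscat:read']
        resources: ['agent:id:001', 'agent:id:003', 'agent:group:default']
        effect: "deny"
    'cluster:read':
      description: "Read Wazuh's cluster nodes configuration"
      resources:
        - $ref: '#/x-rbac-catalog/resources/node:id'
      example:
        actions: ['cluster:read']
        resources: ['node:id:worker1', 'node:id:worker3']
        effect: "deny"
    'cluster:update_config':
      description: "Change the Wazuh's cluster node configuration"
      resources:
        - $ref: '#/x-rbac-catalog/resources/node:id'
      example:
        actions: ['cluster:update_config']
        resources: ['node:id:worker1']
        effect: "allow"
    'cluster:read_api_config':
      description: "Check Wazuh's cluster nodes API configuration"
      # NOTE(review): the declared resource type is '*:*' but the example
      # scopes the action to 'node:id:...' resources; one of the two does not
      # match the other. Left as-is — confirm the intended resource type
      # against the RBAC implementation before changing either.
      resources:
        - $ref: '#/x-rbac-catalog/resources/*:*'
      example:
        actions: ['cluster:read_api_config']
        resources: ['node:id:worker1', 'node:id:worker3']
        effect: "allow"
    'cluster:restart':
      description: "Restart Wazuh's cluster nodes"
      resources:
        - $ref: '#/x-rbac-catalog/resources/node:id'
      example:
        actions: ['cluster:restart']
        resources: ['node:id:worker1']
        effect: "allow"
    'cluster:status':
      description: "Check Wazuh's cluster general status"
      resources:
        - $ref: '#/x-rbac-catalog/resources/*:*'
      example:
        actions: ['cluster:status']
        resources: ['*:*:*']
        effect: "allow"
    'manager:read':
      description: "Read Wazuh manager configuration"
      resources:
        - $ref: '#/x-rbac-catalog/resources/*:*'
      example:
        actions: ['manager:read']
        resources: ['*:*:*']
        effect: "allow"
    'manager:update_config':
      description: "Update current Wazuh manager configuration"
      resources:
        - $ref: '#/x-rbac-catalog/resources/*:*'
      example:
        actions: ['manager:update_config']
        resources: ['*:*:*']
        effect: "allow"
    'manager:read_api_config':
      description: "Read Wazuh manager API configuration"
      resources:
        - $ref: '#/x-rbac-catalog/resources/*:*'
      example:
        actions: ['manager:read_api_config']
        resources: ['*:*:*']
        effect: "allow"
    'manager:restart':
      description: "Restart Wazuh managers"
      resources:
        - $ref: '#/x-rbac-catalog/resources/*:*'
      example:
        actions: ['manager:restart']
        resources: ['*:*:*']
        effect: "deny"
    'mitre:read':
      description: "Access information from MITRE database"
      resources:
        - $ref: '#/x-rbac-catalog/resources/*:*'
      example:
        actions: ['mitre:read']
        resources: ['*:*:*']
        effect: "allow"
    'decoders:read':
      description: "Read decoders files"
      resources:
        - $ref: '#/x-rbac-catalog/resources/decoder:file'
      example:
        actions: ['decoders:read']
        resources: ['decoder:file:*']
        effect: "allow"
    'decoders:update':
      description: "Update or upload custom decoder files"
      resources:
        - $ref: '#/x-rbac-catalog/resources/*:*'
      example:
        actions: ['decoders:update']
        resources: ['*:*:*']
        effect: "allow"
    'decoders:delete':
      description: "Delete custom decoder files"
      resources:
        - $ref: '#/x-rbac-catalog/resources/decoder:file'
      example:
        actions: ['decoders:delete']
        resources: ['decoder:file:local_decoder.xml']
        effect: "allow"
    'lists:read':
      description: "Read cdb lists files"
      resources:
        - $ref: '#/x-rbac-catalog/resources/list:file'
      example:
        actions: ['lists:read']
        resources: ['list:file:audit-keys']
        effect: "deny"
    'lists:update':
      description: "Update or upload cdb lists files"
      resources:
        - $ref: '#/x-rbac-catalog/resources/*:*'
      example:
        actions: ['lists:update']
        resources: ['*:*:*']
        effect: "allow"
    'lists:delete':
      description: "Delete cdb lists files"
      resources:
        - $ref: '#/x-rbac-catalog/resources/list:file'
      example:
        actions: ['lists:delete']
        resources: ['list:file:audit-keys']
        effect: "deny"
    'logtest:run':
      description: "Run logtest tool or end a logtest session"
      resources:
        - $ref: '#/x-rbac-catalog/resources/*:*'
      example:
        actions: ['logtest:run']
        resources: ['*:*:*']
        effect: "allow"
    'rootcheck:read':
      description: "Access information from agents rootcheck database"
      resources:
        - $ref: '#/x-rbac-catalog/resources/agent:id'
        - $ref: '#/x-rbac-catalog/resources/agent:group'
      example:
        actions: ['rootcheck:read']
        resources: ['agent:id:011']
        effect: "allow"
    'rootcheck:clear':
      description: "Clear the agents rootcheck database"
      resources:
        - $ref: '#/x-rbac-catalog/resources/agent:id'
        - $ref: '#/x-rbac-catalog/resources/agent:group'
      example:
        actions: ['rootcheck:clear']
        resources: ['agent:id:*']
        effect: "deny"
    'rootcheck:run':
      description: "Run agents rootcheck scan"
      resources:
        - $ref: '#/x-rbac-catalog/resources/agent:id'
        - $ref: '#/x-rbac-catalog/resources/agent:group'
      example:
        actions: ['rootcheck:run']
        resources: ['agent:id:*']
        effect: "allow"
    'rules:read':
      description: "Read rules files"
      resources:
        - $ref: '#/x-rbac-catalog/resources/rule:file'
      example:
        actions: ['rules:read']
        resources: ['rule:file:0610-win-ms_logs_rules.xml']
        effect: "allow"
    'rules:update':
      description: "Update or upload custom rule files"
      resources:
        - $ref: '#/x-rbac-catalog/resources/*:*'
      example:
        actions: ['rules:update']
        resources: ['*:*:*']
        effect: "allow"
    'rules:delete':
      description: "Delete custom rule files"
      resources:
        - $ref: '#/x-rbac-catalog/resources/rule:file'
      example:
        actions: ['rules:delete']
        resources: ['rule:file:0610-win-ms_logs_rules.xml']
        effect: "allow"
    'sca:read':
      description: "Access agents security configuration assessment"
      resources:
        - $ref: '#/x-rbac-catalog/resources/agent:id'
        - $ref: '#/x-rbac-catalog/resources/agent:group'
      example:
        actions: ['sca:read']
        resources: ['agent:id:*']
        effect: "allow"
    'security:create':
      description: "Create new system security resources"
      resources:
        - $ref: '#/x-rbac-catalog/resources/*:*'
      example:
        actions: ['security:create']
        resources: ['*:*:*']
        effect: "deny"
    'security:create_user':
      description: "Create new system users"
      resources:
        - $ref: '#/x-rbac-catalog/resources/*:*'
      example:
        actions: ['security:create_user']
        resources: ['*:*:*']
        effect: "allow"
    'security:read':
      description: "Access information about system security resources"
      resources:
        - $ref: '#/x-rbac-catalog/resources/policy:id'
        - $ref: '#/x-rbac-catalog/resources/role:id'
        - $ref: '#/x-rbac-catalog/resources/user:id'
        - $ref: '#/x-rbac-catalog/resources/rule:id'
      example:
        actions: ['security:read']
        resources: ['policy:id:*', 'role:id:2', 'user:id:5', 'rule:id:3']
        effect: "allow"
    'security:edit_run_as':
      description: "Change the value of the allow_run_as flag for a user"
      resources:
        - $ref: '#/x-rbac-catalog/resources/*:*'
      example:
        actions: ['security:edit_run_as']
        resources: ['*:*:*']
        effect: "allow"
    'security:update':
      description: "Update the information of system security resources"
      resources:
        - $ref: '#/x-rbac-catalog/resources/policy:id'
        - $ref: '#/x-rbac-catalog/resources/role:id'
        - $ref: '#/x-rbac-catalog/resources/user:id'
        - $ref: '#/x-rbac-catalog/resources/rule:id'
      example:
        actions: ['security:update']
        resources: ['policy:id:*', 'role:id:4', 'user:id:3', 'rule:id:4']
        effect: "deny"
    'security:delete':
      description: "Delete system security resources"
      resources:
        - $ref: '#/x-rbac-catalog/resources/policy:id'
        - $ref: '#/x-rbac-catalog/resources/role:id'
        - $ref: '#/x-rbac-catalog/resources/user:id'
        - $ref: '#/x-rbac-catalog/resources/rule:id'
      example:
        # The example previously named 'security:update' under the
        # 'security:delete' entry; the example now matches the action it
        # documents.
        actions: ['security:delete']
        resources: ['policy:id:*', 'role:id:3', 'user:id:4', 'rule:id:2']
        effect: "deny"
    'security:read_config':
      description: "Read current system security configuration"
      resources:
        - $ref: '#/x-rbac-catalog/resources/*:*'
      example:
        actions: ['security:read_config']
        resources: ['*:*:*']
        effect: "allow"
    'security:update_config':
      description: "Update current system security configuration"
      resources:
        - $ref: '#/x-rbac-catalog/resources/*:*'
      example:
        actions: ['security:update_config']
        resources: ['*:*:*']
        effect: "allow"
    'syscheck:read':
      description: "Access information from agents syscheck database"
      resources:
        - $ref: '#/x-rbac-catalog/resources/agent:id'
        - $ref: '#/x-rbac-catalog/resources/agent:group'
      example:
        actions: ['syscheck:read']
        resources: ['agent:id:011', 'agent:group:us-west']
        effect: "allow"
    'syscheck:clear':
      description: "Clear the agents syscheck database"
      resources:
        - $ref: '#/x-rbac-catalog/resources/agent:id'
        - $ref: '#/x-rbac-catalog/resources/agent:group'
      example:
        actions: ['syscheck:clear']
        resources: ['agent:id:*']
        effect: "deny"
    'syscheck:run':
      description: "Run agents syscheck scan"
      resources:
        - $ref: '#/x-rbac-catalog/resources/agent:id'
        - $ref: '#/x-rbac-catalog/resources/agent:group'
      example:
        actions: ['syscheck:run']
        resources: ['agent:id:*']
        effect: "allow"
    'syscollector:read':
      description: "Access agents syscollector information"
      resources:
        - $ref: '#/x-rbac-catalog/resources/agent:id'
        - $ref: '#/x-rbac-catalog/resources/agent:group'
      example:
        actions: ['syscollector:read']
        resources: ['agent:id:*']
        effect: "allow"
    'task:status':
      description: "Access task's status information"
      resources:
        - $ref: '#/x-rbac-catalog/resources/*:*'
      example:
        actions: ['task:status']
        resources: ['*:*:*']
        effect: "deny"
    'vulnerability:read':
      description: "Allow reading agents' vulnerabilities information"
      resources:
        - $ref: '#/x-rbac-catalog/resources/agent:id'
        - $ref: '#/x-rbac-catalog/resources/agent:group'
      example:
        actions: ['vulnerability:read']
        resources: ['agent:id:011', 'agent:group:us-west']
        effect: "allow"
    'vulnerability:run':
      description: "Allow running a vulnerability detector scan"
      resources:
        - $ref: '#/x-rbac-catalog/resources/*:*'
      example:
        actions: ['vulnerability:run']
        resources: ['*:*:*']
        effect: "allow"
    'event:ingest':
      description: "Ingest events"
      resources:
        - $ref: '#/x-rbac-catalog/resources/*:*'
      example:
        actions: ['event:ingest']
        resources: ['*:*:*']
        effect: "allow"

components:
  # Reusable error responses. Each one points at either RequestError (error
  # code lives in `error`) or ApiError (error code lives in `code`).
  responses:
    ResponseError:
      description: "Response to report a bad request"
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/RequestError'
          example:
            title: "Bad Request"
            detail: "'{invalid_param}' is not a '{expected_type}'. Failed validating 'format' in schema['items']: {'description': '{parameter_name}', 'format': '{expected_format}', 'minLength': {expected_length}, 'type': '{expected_type}', 'x-scope': ['', '#/components/parameters/{parameter_name}']}"
    PermissionDeniedResponse:
      description: "Response to report a permission denied request"
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ApiError'
          # NOTE(review): the example carries `error: 4000`, but ApiError
          # declares the numeric code as `code`; the example does not validate
          # against the schema it references. Left as found — confirm which
          # field the server actually emits.
          example:
            title: "Permission Denied"
            detail: "Permission denied: Resource type: *:*"
            remediation: "Please, make sure you have permissions to execute the current request. For more information on how to set up permissions, please visit https://documentation.wazuh.com/4.7/user-manual/api/rbac/configuration.html"
            error: 4000
            dapi_errors:
              unknown-node:
                error: "Permission denied: Resource type: *:*"
    UnauthorizedResponse:
      description: "Response to report an unauthorized request"
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/RequestError'
          example:
            title: "Unauthorized"
            detail: "No authorization token provided"
    InvalidCredentialsResponse:
      description: "Response to report a problem with authentication"
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/RequestError'
          example:
            title: "Unauthorized"
            detail: "Invalid credentials"
    InvalidHTTPMethodResponse:
      description: "Response to report an invalid HTTP method"
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/RequestError'
          example:
            title: "Method Not Allowed"
            detail: "Specified method is invalid for this resource"
    WrongContentTypeResponse:
      description: "Response to report an invalid content-type"
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/RequestError'
          example:
            title: "Wazuh Error"
            detail: "The body type is not the one specified in the content-type"
            error: 6002
    RequestTooLargeResponse:
      description: "Maximum request body size exceeded"
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/RequestError'
          example:
            title: "Request Entity Too Large"
            detail: "Maximum request body size 1048576 exceeded, actual body size 1225245"
    TooManyRequestsResponse:
      description: "Maximum number of request per minute reached"
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/RequestError'
          # NOTE(review): `remediation` and `code` are not properties of
          # RequestError (it declares `error`); either the example or the
          # referenced schema is off. Left as found — confirm against the
          # server's actual 429 payload.
          example:
            title: "Wazuh Error"
            detail: "Maximum number of requests per minute reached"
            remediation: "This limit can be changed in api.yaml file. More information here: https://documentation.wazuh.com/4.7/user-manual/api/security/configuration.html"
            code: 6001
    ResourceNotFoundResponse:
      description: "Resource not found"
      content:
        application/json:
          schema:
            $ref: '#/components/schemas/ApiError'
          example:
            title: "Resource Not Found"
            detail: "The group does not exist"
            remediation: "Please, use `GET /groups` to find all available groups: https://documentation.wazuh.com/4.7/user-manual/api/rbac/configuration.html"
            code: 1710
            dapi_errors:
              unknown-node:
                error: "The group does not exist"

  schemas:
    ## Common models
    ApiResponse:
      type: object
      properties:
        message:
          type: string
          description: "Human readable description to explain the result of the request"
    # One entry of `failed_items`: the error that applied and the ids it hit.
    SimpleApiError:
      type: object
      required:
        - error
      properties:
        error:
          type: object
          additionalProperties:
            properties:
              code:
                type: integer
                format: int32
              message:
                type: string
              remediation:
                type: string
        id:
          type: array
          items:
            oneOf:
              - type: string
              - type: integer
    ApiError:
      type: object
      required:
        - title
        - detail
      nullable: true
      properties:
        title:
          type: string
        detail:
          type: string
        instance:
          type: string
          format: uri
        code:
          type: integer
          format: int32
        remediation:
          type: string
        dapi_errors:
          type: object
          additionalProperties:
            type: object
            properties:
              error:
                type: string
              logfile:
                type: string
                format: path
    RequestError:
      type: object
      required:
        - title
        - detail
      nullable: true
      properties:
        title:
          type: string
        detail:
          type: string
        error:
          type: integer
          format: int32
    ScanIdTime:
      type: object
      properties:
        id:
          type: integer
          format: int64
          description: "Scan ID"
        time:
          type: string
          format: date-time
          description: "Date when the scan was performed"
    ItemAffected:
      type: object
      required:
        - affected_items
      properties:
        affected_items:
          type: array
          description: "Items that successfully applied the API call action"
          items:
            oneOf:
              - type: string
              - type: object
    # Base shape of every bulk-operation response; the AllItemsResponse*
    # variants below combine it with a typed `affected_items` list.
    AllItemsResponse:
      type: object
      required:
        - total_affected_items
        - failed_items
        - total_failed_items
      properties:
        total_affected_items:
          type: integer
          format: int32
          description: "Number of items that have successfully applied the requested operation"
        failed_items:
          type: array
          description: "List of items that have failed applying the requested operation"
          items:
            $ref: '#/components/schemas/SimpleApiError'
        total_failed_items:
          type: integer
          format: int32
          description: "Number of items that have failed applying the requested operation"
    AllItemsResponseAgents:
      allOf:
        - $ref: '#/components/schemas/AllItemsResponse'
        - type: object
          required:
            - affected_items
          properties:
            affected_items:
              type: array
              description: "Items that successfully applied the API call action"
              items:
                $ref: '#/components/schemas/Agent'
    AllItemsResponseAgentsDistinct:
      allOf:
        - $ref: '#/components/schemas/AllItemsResponse'
        - type: object
          required:
            - affected_items
          properties:
            affected_items:
              type: array
              description: "Items that successfully applied the API call action"
              items:
                $ref: '#/components/schemas/AgentDistinct'
    AllItemsResponseWazuhDaemonStats:
      allOf:
        - type: object
          required:
            - affected_items
          properties:
            affected_items:
              type: array
              description: "Items that successfully applied the API call action"
              items:
                oneOf:
                  - $ref: '#/components/schemas/WazuhRemotedStatsItem'
                  - $ref: '#/components/schemas/WazuhAnalysisdStatsItem'
                  - $ref: '#/components/schemas/WazuhDBStatsItem'
        - $ref: '#/components/schemas/AllItemsResponse'
    AllItemsResponseWazuhDaemonStatsAgents:
      allOf:
        - type: object
          required:
            - affected_items
          properties:
            affected_items:
              type: array
              description: "Items that successfully applied the API call action"
              items:
                oneOf:
                  - $ref: '#/components/schemas/WazuhRemotedStatsAgentsItem'
                  - $ref: '#/components/schemas/WazuhAnalysisdStatsAgentsItem'
        - $ref: '#/components/schemas/AllItemsResponse'
    AllItemsResponseGroups:
      allOf:
        - type: object
          required:
            - affected_items
          properties:
            affected_items:
              type: array
              description: "Items that successfully applied the API call action"
              items:
                $ref: '#/components/schemas/AgentGroup'
        - $ref: '#/components/schemas/AllItemsResponse'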
# components.schemas (continued): typed AllItemsResponse variants, then the
# ruleset, active-response and agent models.
    AllItemsResponseAgentIDs:
      allOf:
        - type: object
          required:
            - affected_items
          properties:
            affected_items:
              type: array
              description: "Items that successfully applied the API call action"
              items:
                $ref: '#/components/schemas/AgentID'
        - $ref: '#/components/schemas/AllItemsResponse'
    AllItemsResponseNodeIDs:
      allOf:
        - type: object
          required:
            - affected_items
          properties:
            affected_items:
              type: array
              description: "Items that successfully applied the API call action"
              items:
                $ref: '#/components/schemas/NodeID'
        - $ref: '#/components/schemas/AllItemsResponse'
    AllItemsResponseNodeHealthcheck:
      allOf:
        - type: object
          required:
            - affected_items
          properties:
            affected_items:
              type: array
              description: "Items that successfully applied the API call action"
              items:
                $ref: '#/components/schemas/NodeHealthcheck'
        - $ref: '#/components/schemas/AllItemsResponse'
    AllItemsResponseNodeRulesetSynchronizationStatus:
      allOf:
        - type: object
          required:
            - affected_items
          properties:
            affected_items:
              type: array
              description: "Items that successfully applied the API call action"
              items:
                $ref: '#/components/schemas/NodeRulesetSyncStatus'
        - $ref: '#/components/schemas/AllItemsResponse'
    AllItemsResponseGroupIDs:
      allOf:
        - type: object
          required:
            - affected_items
          properties:
            affected_items:
              type: array
              description: "Items that successfully applied the API call action"
              items:
                $ref: '#/components/schemas/GroupID'
        - $ref: '#/components/schemas/AllItemsResponse'
    AllItemsResponseAgentsSimple:
      allOf:
        - $ref: '#/components/schemas/AllItemsResponse'
        - type: object
          required:
            - affected_items
          properties:
            affected_items:
              type: array
              description: "Items that successfully applied the API call action"
              items:
                $ref: '#/components/schemas/AgentSimple'
    AllItemsResponseAgentsSynced:
      allOf:
        - $ref: '#/components/schemas/AllItemsResponse'
        - type: object
          required:
            - affected_items
          properties:
            affected_items:
              type: array
              description: "Items that successfully applied the API call action"
              items:
                $ref: '#/components/schemas/AgentSynced'
    AllItemsResponseAgentsKeys:
      allOf:
        - $ref: '#/components/schemas/AllItemsResponse'
        - type: object
          required:
            - affected_items
          properties:
            affected_items:
              type: array
              description: "Items that successfully applied the API call action"
              items:
                $ref: '#/components/schemas/AgentIdKey'
    AllItemsResponseRules:
      allOf:
        - $ref: '#/components/schemas/AllItemsResponse'
        - type: object
          required:
            - affected_items
          properties:
            affected_items:
              type: array
              description: "Items that successfully applied the API call action"
              items:
                $ref: '#/components/schemas/Rule'
    AllItemsResponseRulesFiles:
      allOf:
        - $ref: '#/components/schemas/AllItemsResponse'
        - type: object
          required:
            - affected_items
          properties:
            affected_items:
              type: array
              description: "Items that successfully applied the API call action"
              items:
                $ref: '#/components/schemas/RuleFile'
    AllItemsResponseDecoders:
      allOf:
        - $ref: '#/components/schemas/AllItemsResponse'
        - type: object
          required:
            - affected_items
          properties:
            affected_items:
              type: array
              description: "Items that successfully applied the API call action"
              items:
                $ref: '#/components/schemas/Decoder'
    AllItemsResponseDecodersFiles:
      allOf:
        - $ref: '#/components/schemas/AllItemsResponse'
        - type: object
          required:
            - affected_items
          properties:
            affected_items:
              type: array
              description: "Items that successfully applied the API call action"
              items:
                $ref: '#/components/schemas/DecoderFile'
    AllItemsResponseLists:
      allOf:
        - $ref: '#/components/schemas/AllItemsResponse'
        - type: object
          required:
            - affected_items
          properties:
            affected_items:
              type: array
              description: "Items that successfully applied the API call action"
              items:
                $ref: '#/components/schemas/CDBList'
    AllItemsResponseListsFiles:
      allOf:
        - $ref: '#/components/schemas/AllItemsResponse'
        - type: object
          required:
            - affected_items
          properties:
            affected_items:
              type: array
              description: "Items that successfully applied the API call action"
              items:
                $ref: '#/components/schemas/CDBListFile'
    AllItemsResponseRoles:
      allOf:
        - $ref: '#/components/schemas/AllItemsResponse'
        - type: object
          required:
            - affected_items
          properties:
            affected_items:
              type: array
              description: "Items that successfully applied the API call action"
              items:
                $ref: '#/components/schemas/RolesResponse'
    AllItemsResponsePolicies:
      allOf:
        - $ref: '#/components/schemas/AllItemsResponse'
        - type: object
          required:
            - affected_items
          properties:
            affected_items:
              type: array
              description: "Items that successfully applied the API call action"
              items:
                oneOf:
                  - $ref: '#/components/schemas/PoliciesResponse'
                  - type: integer
    AllItemsResponseSyscollectorHardware:
      allOf:
        - $ref: '#/components/schemas/AllItemsResponse'
        - type: object
          required:
            - affected_items
          properties:
            affected_items:
              type: array
              description: "Items that successfully applied the API call action"
              items:
                $ref: '#/components/schemas/SyscollectorHardware'
    AllItemsResponseSyscollectorHotfixes:
      allOf:
        - $ref: '#/components/schemas/AllItemsResponse'
        - type: object
          required:
            - affected_items
          properties:
            affected_items:
              type: array
              description: "Items that successfully applied the API call action"
              items:
                $ref: '#/components/schemas/SyscollectorHotfix'
    AllItemsResponseSyscollectorInterface:
      allOf:
        - $ref: '#/components/schemas/AllItemsResponse'
        - type: object
          required:
            - affected_items
          properties:
            affected_items:
              type: array
              description: "Items that successfully applied the API call action"
              items:
                $ref: '#/components/schemas/SyscollectorInterface'
    AllItemsResponseSyscollectorOS:
      allOf:
        - $ref: '#/components/schemas/AllItemsResponse'
        - type: object
          required:
            - affected_items
          properties:
            affected_items:
              type: array
              description: "Items that successfully applied the API call action"
              items:
                $ref: '#/components/schemas/SyscollectorOS'
    AllItemsResponseSyscollectorPackages:
      allOf:
        - $ref: '#/components/schemas/AllItemsResponse'
        - type: object
          required:
            - affected_items
          properties:
            affected_items:
              type: array
              description: "Items that successfully applied the API call action"
              items:
                $ref: '#/components/schemas/SyscollectorPackages'
    AllItemsResponseSyscollectorPorts:
      allOf:
        - $ref: '#/components/schemas/AllItemsResponse'
        - type: object
          required:
            - affected_items
          properties:
            affected_items:
              type: array
              description: "Items that successfully applied the API call action"
              items:
                $ref: '#/components/schemas/SyscollectorPorts'
    AllItemsResponseSyscollectorProcesses:
      allOf:
        - $ref: '#/components/schemas/AllItemsResponse'
        - type: object
          required:
            - affected_items
          properties:
            affected_items:
              type: array
              description: "Items that successfully applied the API call action"
              items:
                $ref: '#/components/schemas/SyscollectorProcess'
    AllItemsResponseSyscollectorProtocol:
      allOf:
        - $ref: '#/components/schemas/AllItemsResponse'
        - type: object
          required:
            - affected_items
          properties:
            affected_items:
              type: array
              description: "Items that successfully applied the API call action"
              items:
                $ref: '#/components/schemas/SyscollectorProtocol'
    AllItemsResponseSyscollectorNetwork:
      allOf:
        - $ref: '#/components/schemas/AllItemsResponse'
        - type: object
          required:
            - affected_items
          properties:
            affected_items:
              type: array
              description: "Items that successfully applied the API call action"
              items:
                $ref: '#/components/schemas/SyscollectorNetwork'
    AllItemsResponseUsers:
      allOf:
        - $ref: '#/components/schemas/AllItemsResponse'
        - type: object
          required:
            - affected_items
          properties:
            affected_items:
              type: array
              description: "Items that successfully applied the API call action"
              items:
                $ref: '#/components/schemas/UsersResponse'
    AllItemsResponseCiscatResult:
      allOf:
        - $ref: '#/components/schemas/AllItemsResponse'
        - type: object
          required:
            - affected_items
          properties:
            affected_items:
              type: array
              description: "Items that successfully applied the API call action"
              items:
                $ref: '#/components/schemas/CiscatResults'
    AllItemsResponseSyscheckResult:
      allOf:
        - $ref: '#/components/schemas/AllItemsResponse'
        - type: object
          required:
            - affected_items
          properties:
            affected_items:
              type: array
              description: "Items that successfully applied the API call action"
              items:
                $ref: '#/components/schemas/SyscheckDatabase'
    AllItemsResponseLastScan:
      allOf:
        - $ref: '#/components/schemas/AllItemsResponse'
        - type: object
          required:
            - affected_items
          properties:
            affected_items:
              type: array
              description: "Items that successfully applied the API call action"
              items:
                $ref: '#/components/schemas/LastScan'
    AllItemsResponseSCADatabase:
      allOf:
        - $ref: '#/components/schemas/AllItemsResponse'
        - type: object
          required:
            - affected_items
          properties:
            affected_items:
              type: array
              description: "Items that successfully applied the API call action"
              items:
                $ref: '#/components/schemas/SCADatabase'
    AllItemsResponseSCAChecks:
      allOf:
        - $ref: '#/components/schemas/AllItemsResponse'
        - type: object
          required:
            - affected_items
          properties:
            affected_items:
              type: array
              description: "Items that successfully applied the API call action"
              items:
                $ref: '#/components/schemas/SCAChecks'
    AllItemsResponseClusterNodes:
      allOf:
        - $ref: '#/components/schemas/AllItemsResponse'
        - type: object
          required:
            - affected_items
          properties:
            affected_items:
              type: array
              description: "Items that successfully applied the API call action"
              items:
                $ref: '#/components/schemas/ClusterNode'
    AllItemsResponseWazuhLogs:
      allOf:
        - $ref: '#/components/schemas/AllItemsResponse'
        - type: object
          required:
            - affected_items
          properties:
            affected_items:
              type: array
              description: "Items that successfully applied the API call action"
              items:
                $ref: '#/components/schemas/WazuhLogs'
    AllItemsResponseValidationStatus:
      allOf:
        - $ref: '#/components/schemas/AllItemsResponse'
        - type: object
          required:
            - affected_items
          properties:
            affected_items:
              type: array
              description: "Items that successfully applied the API call action"
              items:
                $ref: '#/components/schemas/ValidationStatus'
    # Stats items are heterogeneous, hence anyOf rather than a single $ref.
    AllItemsResponseWazuhStats:
      allOf:
        - type: object
          required:
            - affected_items
          properties:
            affected_items:
              type: array
              description: "Items that successfully applied the API call action"
              items:
                anyOf:
                  - $ref: '#/components/schemas/WazuhStats'
                  - $ref: '#/components/schemas/WazuhHourlyStats'
                  - $ref: '#/components/schemas/WazuhWeeklyStats'
                  - $ref: '#/components/schemas/WazuhAnalysisdStats'
                  - $ref: '#/components/schemas/WazuhRemotedStats'
        - $ref: '#/components/schemas/AllItemsResponse'
    # Payload of the unauthenticated API root (title, version, revision...).
    BasicInfo:
      type: object
      properties:
        title:
          type: string
          description: "API title name"
        api_version:
          type: string
          description: "API version in the manager"
        revision:
          type: integer
          description: "API revision"
          format: int32
        license_name:
          type: string
          description: "API license name"
        license_url:
          type: string
          description: "API license url"
        hostname:
          type: string
          description: "Server hostname"
        timestamp:
          type: string

    ## Ruleset models
    RulesetFile:
      type: object
      properties:
        filename:
          type: string
          description: "Name of the file"
        relative_dirname:
          type: string
          format: paths
          description: "Folder path where the file is located. This path is relative to the Wazuh installation path"
    RulesetStatus:
      type: object
      properties:
        status:
          type: string
          description: "Whether the specified ruleset file is enabled or disabled in Wazuh manager configuration"
          enum:
            - enabled
            - disabled

    ## Active-response models
    # Request body for running an active response on agents; only `command`
    # is mandatory.
    ActiveResponseBody:
      type: object
      properties:
        arguments:
          description: "Command arguments"
          type: array
          items:
            type: string
        command:
          description: "Command running in the agent. If this value starts by `!`, then it refers to a script name instead of a command name"
          type: string
          format: active_response_command
        custom:
          description: "Whether the specified command is a custom command or not"
          type: boolean
          default: false
        alert:
          type: object
          properties:
            data:
              description: "Alert data depending on the AR executed"
              type: object
      required:
        - command

    ## Agents models
    ExtraAgentFields:
      type: object
      properties:
        status:
          $ref: '#/components/schemas/AgentStatus'
        # NOTE(review): configSum / mergedSum are MD5 digests used to detect
        # that an agent holds the current shared configuration; MD5 is fine
        # for change detection but is not a tamper-evident integrity check.
        configSum:
          type: string
          description: "MD5 checksum of the group configuration file (agent.conf)"
        group:
          type: array
          description: "List of groups the agent belongs to"
          items:
            type: string
        mergedSum:
          type: string
          description: "MD5 checksum of all group shared files merged in a single one (merged.mg)"
        ip:
          type: string
          description: "IP where the agent communicates with the manager. If the manager can't get this information, it will be the same as registerIP field"
        registerIP:
          type: string
          description: "IP used at agent registration process"
        manager:
          type: string
          description: "Hostname of the manager where the agent is reporting to"
        node_name:
          type: string
          description: "Node ID where the agent is reporting to"
        dateAdd:
          type: string
          description: "Date when the agent was registered"
        lastKeepAlive:
          type: string
          description: "Date when the last keepalive was received from the agent"
        os:
          type: object
          properties:
            major:
              type: string
            name:
              type: string
            uname:
              type: string
            platform:
              type: string
            version:
              type: string
            codename:
              type: string
            arch:
              type: string
            minor:
              type: string
          description: "Agent OS information"
        status_code:
          description: "Agent connection status code"
          type: integer
          format: int32
          default: 0
          minimum: 0
          maximum: 5
    Agent:
      allOf:
        - $ref: '#/components/schemas/AgentSimple'
        - $ref: '#/components/schemas/ExtraAgentFields'
    AgentGroup:
      type: object
      properties:
        count:
          type: integer
          minimum: 0
          description: "Number of agents belonging to that group"
        name:
          type: string
        mergedSum:
          type: string
          format: hash
If this value starts with `!`, it refers to a script name instead of a command name. The command is executed on the target agent, so restrict which users may invoke this endpoint" type: string format: active_response_command custom: description: "Whether the specified command is a custom command or not" type: boolean default: false alert: type: object properties: data: description: "Alert data depending on the AR executed" type: object required: - command ## Agents models ExtraAgentFields: type: object properties: status: $ref: '#/components/schemas/AgentStatus' configSum: type: string description: "MD5 checksum of the group configuration file (agent.conf). Used to detect configuration changes only; MD5 is not collision-resistant, so this value is not a tamper-evidence control" group: type: array description: "List of groups the agent belongs to" items: type: string mergedSum: type: string description: "MD5 checksum of all group shared files merged in a single one (merged.mg). Used to detect configuration changes only; MD5 is not collision-resistant, so this value is not a tamper-evidence control" ip: type: string description: "IP address the agent uses to communicate with the manager. If the manager cannot determine it, this is the same as the registerIP field" registerIP: type: string description: "IP address used during the agent registration process" manager: type: string description: "Hostname of the manager the agent reports to" node_name: type: string description: "Node ID the agent reports to" dateAdd: type: string description: "Date when the agent was registered" lastKeepAlive: type: string description: "Date when the last keepalive was received from the agent" os: type: object properties: major: type: string name: type: string uname: type: string platform: type: string version: type: string codename: type: string arch: type: string minor: type: string description: "Agent OS information" status_code: description: "Agent connection status code" type: integer format: int32 default: 0 minimum: 0 maximum: 5 Agent: allOf: - $ref: '#/components/schemas/AgentSimple' - $ref: '#/components/schemas/ExtraAgentFields' AgentGroup: type: object properties: count: type: integer minimum: 0 description: "Number of agents belonging to that group" name: type: string mergedSum: type: string format: hash 
description: "MD5 checksum of all group shared files merged in a single one (merged.mg). Used to detect configuration changes only; MD5 is not collision-resistant, so this value is not a tamper-evidence control" configSum: type: string format: hash description: "MD5 checksum of the group configuration file (agent.conf). Used to detect configuration changes only; MD5 is not collision-resistant, so this value is not a tamper-evidence control" AgentGroupDeleted: type: object required: - affected_items properties: affected_items: type: array description: "List of removed groups. Agents that belonged exclusively to a removed group are reassigned to the default group" AgentIdKey: type: object required: - id - key properties: id: $ref: '#/components/schemas/AgentID' key: type: string format: base64 description: "Agent key, base64-encoded. Treat this value as a secret: do not log it or expose it beyond the caller" AgentSimple: type: object properties: version: type: string description: "Wazuh version the agent has installed" id: $ref: '#/components/schemas/AgentID' name: type: string description: "Agent name used at registration process" AgentStatus: type: string enum: - active - pending - never_connected - disconnected description: "Agent status. It is calculated based on the last keepalive and the Wazuh version" AgentsSummaryStatus: type: object properties: connection: type: object properties: total: type: integer format: int32 active: type: integer format: int32 disconnected: type: integer format: int32 never_connected: type: integer format: int32 pending: type: integer format: int32 configuration: type: object properties: total: type: integer format: int32 synced: type: integer format: int32 not_synced: type: integer format: int32 AgentDistinct: allOf: - $ref: '#/components/schemas/AgentSimple' - $ref: '#/components/schemas/ExtraAgentFields' - type: object properties: count: type: integer format: int32 description: "Number of agents with the specified unique fields" AgentSynced: type: object properties: id: type: string description: "Agent ID" synced: type: boolean description: "Sync status (true if the agent is synchronized)" AgentID: type: string minLength: 3 description: "Agent ID" format: numbers AgentIDListAll: type: string minLength: 3 description: "Agent ID|all" format: numbers_or_all NodeID: type: string description: "Node ID" format: string GroupID: 
type: string description: "Group name" format: group_names GroupIDListAll: type: string minLength: 1 description: "Group name|all" format: group_names_or_all AgentConfiguration: type: object description: "Current agent configuration. The output varies with the requested component and the agent's configuration" GroupConfiguration: type: object required: - filters - config properties: filters: type: object properties: os: type: string description: "OS family the configuration block applies to" name: type: string description: "Name of the agent the configuration block applies to" profile: type: string description: "Profile name. Any agent configured to use the defined profile may use the block" config: type: object description: "Group configuration. The fields on this object depend on the actual group configuration" AgentInsertForce: type: object description: "If enabled, an existing agent with the same name, ID or IP is removed when the conditions below are met, so that the new agent can be inserted in its place. Because this lets a new registration replace an existing agent, enable it only where re-registration is expected" properties: enabled: type: boolean default: True description: "Enable force option" disconnected_time: type: object properties: enabled: type: boolean default: True description: "Enable force disconnected_time option" value: type: string default: "1h" description: "Time the agent must have been disconnected to force the insertion. Time in seconds, `[n_days]d`, `[n_hours]h`, `[n_minutes]m` or `[n_seconds]s`. For example, `7d`, `10s` and `10` are valid values. If no time unit is specified, seconds are used" format: timeframe after_registration_time: type: string default: "1h" description: "Time the agent must have been registered to force the insertion. Time in seconds, `[n_days]d`, `[n_hours]h`, `[n_minutes]m` or `[n_seconds]s`. For example, `7d`, `10s` and `10` are valid values. 
If no time unit is specified, seconds are used" format: timeframe WazuhRemotedStatsAgentsItem: type: object properties: timestamp: type: string format: date-time description: "Daemon stats request time" name: type: string description: "Daemon name" enum: - wazuh-remoted agents: type: array items: type: object properties: uptime: type: string format: date-time description: "When the count of the metrics started" id: type: integer format: int32 description: "Agent ID" metrics: type: object properties: messages: type: object properties: received_breakdown: type: object properties: control: type: integer format: int32 description: "Control messages received from agent" control_breakdown: type: object properties: keepalive: type: integer format: int32 description: "Keepalive messages from agent" request: type: integer format: int32 description: "Request messages (for example, WPK responses) from agent" shutdown: type: integer format: int32 description: "Shutdown messages from agent" startup: type: integer format: int32 description: "Startup messages from agent" event: type: integer format: int32 description: "Event messages (syscheck, syscollector, logcollector, etc.) 
received from agent" sent_breakdown: type: object properties: ack: type: integer format: int32 description: "ACK messages (response to keepalive, startup and shutdown) sent to agent" ar: type: integer format: int32 description: "Active response messages sent to agent" discarded: type: integer format: int32 description: "Messages discarded because the send queue was full (for this agent)" request: type: integer format: int32 description: "Request messages (for example, WPK chunks) sent to agent" sca: type: integer format: int32 description: "SCA messages sent to agent" shared: type: integer format: int32 description: "Shared configuration messages (merged.mg) sent to agent" WazuhAnalysisdStatsAgentsItem: type: object properties: timestamp: type: string format: date-time description: "Daemon stats request time" name: type: string description: "Daemon name" enum: - wazuh-analysisd agents: type: array items: type: object properties: uptime: type: string format: date-time description: "When the count of the metrics started" id: type: integer format: int32 description: "Agent ID" metrics: type: object properties: events: type: object properties: processed: type: integer format: int32 description: "Total processed events (analyzed by rules) from agent" received_breakdown: type: object properties: decoded_breakdown: type: object properties: agent: type: integer format: int32 description: "Events coming from agentd (this agent)" dbsync: type: integer format: int32 description: "Synchronization events (this agent)" integrations_breakdown: type: object properties: virustotal: type: integer format: int32 description: "Events coming from VirusTotal (this agent)" modules_breakdown: type: object properties: aws: type: integer format: int32 description: "Events coming from AWS module (this agent)" azure: type: integer format: int32 description: "Events coming from Azure module (this agent)" ciscat: type: integer format: int32 description: "Events coming from CIS-CAT module (this 
agent)" command: type: integer format: int32 description: "Events coming from command module (this agent)" docker: type: integer format: int32 description: "Events coming from Docker module (this agent)" gcp: type: integer format: int32 description: "Events coming from GCP module (this agent)" github: type: integer format: int32 description: "Events coming from GitHub module (this agent)" logcollector_breakdown: type: object properties: eventchannel: type: integer format: int32 description: "EventChannel events collected by logcollector (this agent)" eventlog: type: integer format: int32 description: "EventLog events collected by logcollector (this agent)" macos: type: integer format: int32 description: "MacOS events collected by logcollector (this agent)" others: type: integer format: int32 description: "Other events collected by logcollector (this agent)" office365: type: integer format: int32 description: "Events coming from Office365 module (this agent)" ms-graph: type: integer format: int32 description: "Events coming from ms-graph module (this agent)" oscap: type: integer format: int32 description: "Events coming from OSCAP module (this agent)" osquery: type: integer format: int32 description: "Events coming from OSQuery module (this agent)" rootcheck: type: integer format: int32 description: "Events coming from rootcheck (syscheckd) (this agent)" sca: type: integer format: int32 description: "Events coming from SCA module (this agent)" syscheck: type: integer format: int32 description: "Events coming from syscheckd (this agent)" syscollector: type: integer format: int32 description: "Events coming from syscollector module (this agent)" upgrade: type: integer format: int32 description: "Events coming from upgrade agent module (this agent)" vulnerability: type: integer format: int32 description: "Events coming from vulnerability detector (this agent)" monitor: type: integer format: int32 description: "Events coming from monitord (this agent)" remote: type: 
integer format: int32 description: "Events coming from remoted (this agent)" written_breakdown: type: object properties: alerts: type: integer format: int32 description: "Alerts written in alerts log file (this agent)" archives: type: integer format: int32 description: "Alerts written in archives log file (this agent)" firewall: type: integer format: int32 description: "Alerts written in firewall log file (this agent)" ## CisCat models CiscatResults: type: object properties: benchmark: type: string description: "CIS-CAT benchmark where the profile is defined" error: type: integer format: int32 description: "Number of checks that CIS-CAT was not able to run" fail: type: integer format: int32 description: "Number of failed checks. A value greater than 0 means the host does not comply with part of the benchmark (a hardening gap); this is not the same as a confirmed software vulnerability" notchecked: type: integer format: int32 description: "Number of checks that were not evaluated (reported by CIS-CAT as 'Not Checked'); these count as neither passed nor failed" pass: type: integer format: int32 description: "Number of passed checks" profile: type: string description: "CIS-CAT profile scanned" scan: $ref: '#/components/schemas/ScanIdTime' score: type: integer format: int32 description: "Percentage of passed checks" unknown: type: integer format: int32 description: "Number of checks whose status CIS-CAT was not able to determine" ## Cluster models ClusterNodeBasic: type: object properties: type: type: string enum: - worker - master description: "Node type" version: type: string format: \d+\.\d+\.\d+ description: "Wazuh version installed in the node" ip: type: string description: "IP address the node uses to communicate with other nodes in the cluster" ClusterNodeName: type: string description: "Node ID" ClusterNode: allOf: - $ref: '#/components/schemas/ClusterNodeBasic' - type: object properties: name: $ref: '#/components/schemas/ClusterNodeName' NodeHealthcheck: type: object properties: name: type: object properties: info: type: object properties: name: $ref: '#/components/schemas/ClusterNodeName' info: allOf: - $ref: 
'#/components/schemas/ClusterNodeBasic' - type: object properties: totalActiveAgents: type: integer format: int32 minimum: 0 description: "Number of agents currently reporting to that node" status: type: object properties: last_keep_alive: type: string last_sync_agentinfo: type: object properties: date_start_master: type: string date_end_master: type: string n_synced_chunks: type: integer format: int32 last_sync_agentgroup: type: object properties: date_start: type: string date_end: type: string n_synced_chunks: type: integer format: int32 last_sync_full_agentgroup: type: object properties: date_start: type: string date_end: type: string n_synced_chunks: type: integer format: int32 last_sync_integrity: type: object properties: date_start_master: type: string date_end_master: type: string total_files: type: object properties: extra: type: integer format: int32 extra_valid: type: integer format: int32 missing: type: integer format: int32 shared: type: integer format: int32 sync_agent_info_free: type: boolean sync_integrity_free: type: boolean NodeRulesetSyncStatus: type: object properties: name: type: string description: "Node name" synced: type: boolean description: "Whether the ruleset is synchronized or not" DaemonStatus: type: string enum: - stopped - running # Logtest models LogtestRequest: type: object required: - event - log_format - location properties: token: type: string description: "Token for the logtest session" log_format: type: string description: "Allowed values: syslog, json, snort-full, squid, eventlog, eventchannel, audit, mysql_log, postgresql_log, nmapg, iis, command, full_command, djb-multilog, multi-line" location: type: string description: "Path string" event: type: string description: "Event to look for" # MITRE models Mitre_reference_id: type: string description: "MITRE Reference ID" Mitre_mitigation_id: type: string description: "MITRE mitigation ID" Mitre_tactic_id: type: string description: "MITRE tactic ID" Mitre_group_id: type: string 
description: "MITRE group ID" Mitre_software_id: type: string description: "MITRE software ID" Mitre_technique_id: type: string description: "MITRE technique ID" # Security models Role_id: type: string format: numbers description: "Role ID" Role_id_DELETE: type: string description: "Role ID|all" format: numbers_or_all Security_rule_id: type: string format: numbers description: "Security rule ID" Security_rule_id_DELETE: type: string format: numbers_or_all description: "Security rule ID|all" Task_id: type: string format: numbers description: "Task ID" Policy_id: type: string format: numbers description: "Policy ID" Policy_id_DELETE: type: string description: "Policy ID|all" format: numbers_or_all User_id: type: string format: numbers description: "User ID" User_id_DELETE: type: string format: numbers_or_all description: "User ID|all" PoliciesRequest: type: object required: - name - policy properties: name: description: "Policy name" type: string maxLength: 64 format: names policy: description: "New policy definition" type: object properties: actions: type: array description: "Actions to perform" items: type: string resources: type: array description: "Resources to apply the actions on" items: type: string effect: type: string description: "Effect of the policy" required: - actions - resources - effect PoliciesRequest_no_required: type: object properties: name: description: "Policy name" type: string maxLength: 64 format: names policy: description: "New policy definition" type: object properties: actions: type: array description: "Actions to perform" items: type: string resources: type: array description: "Resources to apply the actions on" items: type: string effect: type: string description: "Effect of the policy" required: - actions - resources - effect PoliciesResponse: type: object properties: id: description: "Policy id" type: integer name: description: "Policy name" type: string policy: description: "New policy definition" type: object properties: actions: 
type: array description: "Actions to perform" items: type: string resources: type: array description: "Resources to apply the actions on" items: type: string effect: type: string description: "Effect of the policy" RolesResponse: type: object properties: id: type: integer description: "Role id" name: type: string description: "Role name" rule: type: object description: "Role rule" RolesRequest: type: object required: - name properties: name: type: string description: "Role name" maxLength: 64 format: names RolesRequest_no_required: type: object properties: name: type: string description: "Role name" maxLength: 64 format: names SecurityRulesRequest: type: object required: - name - rule properties: name: type: string description: "Rule name" maxLength: 64 format: names rule: type: object description: "Rule body" SecurityRulesRequest_no_required: type: object properties: name: type: string description: "Rule name" maxLength: 64 format: names rule: type: object description: "Rule body" UsersResponse: type: object properties: id: type: integer description: "User's id" username: type: string allow_run_as: type: boolean description: "Flag to enable the user to log in using authorization context" roles: type: array description: "User's roles" Token: type: object properties: token: type: string description: "User's JWT token" # Cluster and manager models WazuhRemotedStatsItem: type: object properties: uptime: type: string format: date-time description: "When the count of the metrics started" timestamp: type: string format: date-time description: "Daemon stats request time" name: type: string description: "Daemon name" enum: - wazuh-remoted metrics: type: object properties: bytes: type: object properties: received: type: integer format: int32 description: "Bytes received from agents" sent: type: integer format: int32 description: "Bytes sent to agents" keys_reload_count: type: integer format: int32 description: "Number of times keys were reloaded into memory" messages: type: 
object properties: received_breakdown: type: object properties: control: type: integer format: int32 description: "Control messages received from agents" control_breakdown: type: object properties: keepalive: type: integer format: int32 description: "Keepalive messages from agents" request: type: integer format: int32 description: "Request messages (for example, WPK responses) from agents" shutdown: type: integer format: int32 description: "Shutdown messages from agents" startup: type: integer format: int32 description: "Startup messages from agents" dequeued_after: type: integer format: int32 description: "Messages dequeued after newer messages (counter < current counter)" discarded: type: integer format: int32 description: "Messages discarded because the received queue was full" event: type: integer format: int32 description: "Event messages (syscheck, syscollector, logcollector, etc.) received from agents" ping: type: integer format: int32 description: "Ping messages received" unknown: type: integer format: int32 description: "Not recognized messages" sent_breakdown: type: object properties: ack: type: integer format: int32 description : "ACK messages (response to keepalive, startup and shutdown) sent to agents" ar: type: integer format: int32 description: "Active response messages sent to agents" discarded: type: integer format: int32 description: "Messages discarded because the send queue was full" request: type: integer format: int32 description: "Request messages (for example, WPK chunks) sent to agents" sca: type: integer format: int32 description: "SCA messages sent to agents" shared: type: integer format: int32 description: "Shared configuration messages (merged.mg) sent to agents" queues: type: object properties: received: type: object properties: size: type: integer format: int32 description: "Size of received messages queue" usage: type: integer format: int32 description: "Current usage of the received queue (count)" tcp_sessions: type: integer format: 
int32 description: "Current active TCP sessions (agents)" WazuhAnalysisdStatsItem: type: object properties: uptime: type: string format: date-time description: "When the count of the metrics started" timestamp: type: string format: date-time description: "Daemon stats request time" name: type: string description: "Daemon name" enum: - wazuh-analysisd metrics: type: object properties: bytes: type: object properties: received: type: integer format: int32 description: "Bytes received from agents and local modules" eps: type: object properties: available_credits: type: integer format: int32 description: "Available credits to process events in the current timeframe" events_dropped: type: integer format: int32 description: "Events discarded because the EPS limit was reached and queues were full" seconds_over_limit: type: integer format: int32 description: "Time in seconds the EPS limit was exceeded" events: type: object properties: processed: type: integer format: int32 description: "Total processed events (analyzed by rules)" received: type: integer format: int32 description: "Total received events from agents and local modules" received_breakdown: type: object properties: decoded_breakdown: type: object properties: agent: type: integer format: int32 description: "Events coming from agentd" agentless: type: integer format: int32 description: "Events coming from agentlessd" dbsync: type: integer format: int32 description: "Synchronization events" integrations_breakdown: type: object properties: virustotal: type: integer format: int32 description: "Events coming from VirusTotal integration" modules_breakdown: type: object properties: aws: type: integer format: int32 description: "Events coming from AWS module" azure: type: integer format: int32 description: "Events coming from Azure module" ciscat: type: integer format: int32 description: "Events coming from CIS-CAT module" command: type: integer format: int32 description: "Events coming from command module" docker: type: 
integer format: int32 description: "Events coming from Docker module" gcp: type: integer format: int32 description: "Events coming from GCP module" github: type: integer format: int32 description: "Events coming from GitHub module" logcollector_breakdown: type: object properties: eventchannel: type: integer format: int32 description: "EventChannel events collected by logcollector" eventlog: type: integer format: int32 description: "EventLog events collected by logcollector" macos: type: integer format: int32 description: "MacOS events collected by logcollector" others: type: integer format: int32 description: "Other events collected by logcollector" office365: type: integer format: int32 description: "Events coming from Office365 module" ms-graph: type: integer format: int32 description: "Events coming from ms-graph module" oscap: type: integer format: int32 description: "Events coming from OSCAP module" osquery: type: integer format: int32 description: "Events coming from OSQuery module" rootcheck: type: integer format: int32 description: "Events coming from rootcheck (syscheckd)" sca: type: integer format: int32 description: "Events coming from SCA module" syscheck: type: integer format: int32 description: "Events coming from syscheckd" syscollector: type: integer format: int32 description: "Events coming from syscollector module" upgrade: type: integer format: int32 description: "Events coming from upgrade agent module (upgrade responses)" vulnerability: type: integer format: int32 description: "Events coming from vulnerability detector module" monitor: type: integer format: int32 description: "Events coming from monitord" remote: type: integer format: int32 description: "Events coming from remoted" syslog: type: integer format: int32 description: "Events coming from syslog remoted" dropped_breakdown: type: object properties: agent: type: integer format: int32 description: "Events discarded from agentd because the queue was full" agentless: type: integer format: 
int32 description: "Events discarded from agentlessd because the queue was full" dbsync: type: integer format: int32 description: "Synchronization events discarded because the queue was full" integrations_breakdown: type: object properties: virustotal: type: integer format: int32 description: "Events discarded from VirusTotal integration because the queue was full" modules_breakdown: type: object properties: aws: type: integer format: int32 description: "Events discarded from AWS module because the queue was full" azure: type: integer format: int32 description: "Events discarded from Azure module because the queue was full" ciscat: type: integer format: int32 description: "Events discarded from CIS-CAT module because the queue was full" command: type: integer format: int32 description: "Events discarded from command module because the queue was full" docker: type: integer format: int32 description: "Events discarded from Docker module because the queue was full" gcp: type: integer format: int32 description: "Events discarded from GCP module because the queue was full" github: type: integer format: int32 description: "Events discarded from GitHub module because the queue was full" logcollector_breakdown: type: object properties: eventchannel: type: integer format: int32 description: "EventChannel events collected by logcollector discarded because the queue was full" eventlog: type: integer format: int32 description: "EventLog events collected by logcollector discarded because the queue was full" macos: type: integer format: int32 description: "MacOS events collected by logcollector discarded because the queue was full" others: type: integer format: int32 description: "Other events collected by logcollector discarded because the queue was full" office365: type: integer format: int32 description: "Events discarded from Office365 module because the queue was full" ms-graph: type: integer format: int32 description: "Events discarded from ms-graph module because the 
queue was full" oscap: type: integer format: int32 description: "Events discarded from OSCAP module because the queue was full" osquery: type: integer format: int32 description: "Events discarded from OSQuery module because the queue was full" rootcheck: type: integer format: int32 description: "Events discarded from rootcheck (syscheckd) because the queue was full" sca: type: integer format: int32 description: "Events discarded from SCA module because the queue was full" syscheck: type: integer format: int32 description: "Events discarded from syscheckd because the queue was full" syscollector: type: integer format: int32 description: "Events discarded from syscollector module because the queue was full" upgrade: type: integer format: int32 description: "Events discarded from upgrade agent module because the queue was full" vulnerability: type: integer format: int32 description: "Events discarded from vulnerability detector module because the queue was full" monitor: type: integer format: int32 description: "Events discarded from monitord because the queue was full" remote: type: integer format: int32 description: "Events discarded from remoted because the queue was full" syslog: type: integer format: int32 description: "Events discarded from syslog remoted because the queue was full" written_breakdown: type: object properties: alerts: type: integer format: int32 description: "Alerts written in alerts log file" archives: type: integer format: int32 description: "Alerts written in archives log file" firewall: type: integer format: int32 description: "Alerts written in firewall log file" fts: type: integer format: int32 description: "Alerts written in FTS queue file" stats: type: integer format: int32 description: "Alerts written in stats files" queues: type: object properties: alerts: type: object properties: size: type: integer format: int32 description: "Size of alerts messages queue" usage: type: integer format: int32 description: "Current usage of the alerts 
queue (percentage)" archives: type: object properties: size: type: integer format: int32 description: "Size of archives messages queue" usage: type: integer format: int32 description: "Current usage of the archives queue (percentage)" dbsync: type: object properties: size: type: integer format: int32 description: "Size of dbsync messages queue" usage: type: integer format: int32 description: "Current usage of the dbsync queue (percentage)" eventchannel: type: object properties: size: type: integer format: int32 description: "Size of eventchannel messages queue" usage: type: integer format: int32 description: "Current usage of the eventchannel queue (percentage)" firewall: type: object properties: size: type: integer format: int32 description: "Size of firewall messages queue" usage: type: integer format: int32 description: "Current usage of the firewall queue (percentage)" fts: type: object properties: size: type: integer format: int32 description: "Size of FTS messages queue" usage: type: integer format: int32 description: "Current usage of the FTS queue (percentage)" hostinfo: type: object properties: size: type: integer format: int32 description: "Size of hostinfo messages queue" usage: type: integer format: int32 description: "Current usage of the hostinfo queue (percentage)" others: type: object properties: size: type: integer format: int32 description: "Size of other events messages queue" usage: type: integer format: int32 description: "Current usage of the other events queue (percentage)" processed: type: object properties: size: type: integer format: int32 description: "Size of processed messages queue" usage: type: integer format: int32 description: "Current usage of the processed queue (percentage)" rootcheck: type: object properties: size: type: integer format: int32 description: "Size of rootcheck messages queue" usage: type: integer format: int32 description: "Current usage of the rootcheck queue (percentage)" sca: type: object properties: size: type: 
integer format: int32 description: "Size of SCA messages queue" usage: type: integer format: int32 description: "Current usage of the SCA queue (percentage)" stats: type: object properties: size: type: integer format: int32 description: "Size of stats messages queue" usage: type: integer format: int32 description: "Current usage of the stats queue (percentage)" syscheck: type: object properties: size: type: integer format: int32 description: "Size of syscheck messages queue" usage: type: integer format: int32 description: "Current usage of the syscheck queue (percentage)" syscollector: type: object properties: size: type: integer format: int32 description: "Size of syscollector messages queue" usage: type: integer format: int32 description: "Current usage of the syscollector queue (percentage)" upgrade: type: object properties: size: type: integer format: int32 description: "Size of upgrade messages queue" usage: type: integer format: int32 description: "Current usage of the upgrade queue (percentage)" WazuhDBStatsItem: type: object properties: uptime: type: string format: date-time description: "When the count of the metrics started" timestamp: type: string format: date-time description: "Daemon stats request time" name: type: string description: "Daemon name" enum: - wazuh-db metrics: type: object properties: queries: type: object properties: received: type: integer format: int32 description: "Total of queries through WazuhDB socket" received_breakdown: type: object properties: agent: type: integer format: int32 description: "Number of agent queries through WazuhDB socket" agent_breakdown: type: object properties: db: type: object description: "Number of queries per operation" properties: begin: type: integer format: int32 close: type: integer format: int32 commit: type: integer format: int32 remove: type: integer format: int32 sql: type: integer format: int32 tables: type: object description: "Number of queries per table" properties: ciscat: type: object 
properties: ciscat: type: integer format: int32 rootcheck: type: object properties: rootcheck: type: integer format: int32 sca: type: object properties: sca: type: integer format: int32 sync: type: object properties: dbsync: type: integer format: int32 syscheck: type: object properties: fim_file: type: integer format: int32 fim_registry: type: integer format: int32 fim_registry_key: type: integer format: int32 fim_registry_value: type: integer format: int32 syscheck: type: integer format: int32 syscollector: type: object properties: syscollector_hotfixes: type: integer format: int32 syscollector_hwinfo: type: integer format: int32 syscollector_network_address: type: integer format: int32 syscollector_network_iface: type: integer format: int32 syscollector_network_protocol: type: integer format: int32 syscollector_osinfo: type: integer format: int32 syscollector_packages: type: integer format: int32 syscollector_ports: type: integer format: int32 syscollector_processes: type: integer format: int32 deprecated: type: object properties: hardware: type: integer format: int32 hotfix: type: integer format: int32 netaddr: type: integer format: int32 netinfo: type: integer format: int32 netproto: type: integer format: int32 osinfo: type: integer format: int32 package: type: integer format: int32 port: type: integer format: int32 process: type: integer format: int32 vulnerability: type: object properties: vuln_cves: type: integer format: int32 global: type: integer format: int32 description: "Number of global queries through WazuhDB socket" global_breakdown: type: object properties: db: type: object description: "Number of queries per operation" properties: backup: type: integer format: int32 sql: type: integer format: int32 tables: type: object description: "Number of queries per operation in tables" properties: agent: type: object properties: delete-agent: type: integer format: int32 disconnect-agents: type: integer format: int32 find-agent: type: integer format: int32 
get-agent-info: type: integer format: int32 get-agents-by-connection-status: type: integer format: int32 get-all-agents: type: integer format: int32 get-groups-integrity: type: integer format: int32 insert-agent: type: integer format: int32 reset-agents-connection: type: integer format: int32 select-agent-group: type: integer format: int32 select-agent-name: type: integer format: int32 set-agent-groups: type: integer format: int32 sync-agent-groups-get: type: integer format: int32 sync-agent-info-get: type: integer format: int32 sync-agent-info-set: type: integer format: int32 update-agent-data: type: integer format: int32 update-agent-name: type: integer format: int32 update-connection-status: type: integer format: int32 update-keepalive: type: integer format: int32 belongs: type: object properties: get-group-agents: type: integer format: int32 select-group-belong: type: integer format: int32 group: type: object properties: delete-group: type: integer format: int32 find-group: type: integer format: int32 insert-agent-group: type: integer format: int32 select-groups: type: integer format: int32 labels: type: object properties: get-labels: type: integer format: int32 mitre: type: integer format: int32 description: "Number of mitre queries through WazuhDB socket" mitre_breakdown: type: object properties: db: type: object description: "Number of queries per operation" properties: sql: type: integer format: int32 task: type: integer format: int32 description: "Number of task queries through WazuhDB socket" task_breakdown: type: object properties: db: type: object description: "Number of queries per operation" properties: sql: type: integer format: int32 tables: type: object description: "Number of queries per operation in tables" properties: tasks: type: object properties: delete_old: type: integer format: int32 set_timeout: type: integer format: int32 upgrade: type: integer format: int32 upgrade_cancel_tasks: type: integer format: int32 upgrade_custom: type: integer 
format: int32 upgrade_get_status: type: integer format: int32 upgrade_result: type: integer format: int32 upgrade_update_status: type: integer format: int32 wazuhdb: type: integer format: int32 description: "Number of wazuhdb queries through WazuhDB socket" wazuhdb_breakdown: type: object properties: db: type: object description: "Number of queries per operation" properties: remove: type: integer format: int32 time: type: object properties: execution: type: integer format: int32 description: "Total time taken by all the queries (milliseconds)" execution_breakdown: type: object properties: agent: type: integer format: int32 description: "Time taken by all agent queries (milliseconds)" agent_breakdown: type: object properties: db: type: object description: "Time taken by all queries per operation (milliseconds)" properties: begin: type: integer format: int32 close: type: integer format: int32 commit: type: integer format: int32 remove: type: integer format: int32 sql: type: integer format: int32 tables: type: object description: "Time taken by all queries per table (milliseconds)" properties: ciscat: type: object properties: ciscat: type: integer format: int32 rootcheck: type: object properties: rootcheck: type: integer format: int32 sca: type: object properties: sca: type: integer format: int32 sync: type: object properties: dbsync: type: integer format: int32 syscheck: type: object properties: fim_file: type: integer format: int32 fim_registry: type: integer format: int32 fim_registry_key: type: integer format: int32 fim_registry_value: type: integer format: int32 syscheck: type: integer format: int32 syscollector: type: object properties: syscollector_hotfixes: type: integer format: int32 syscollector_hwinfo: type: integer format: int32 syscollector_network_address: type: integer format: int32 syscollector_network_iface: type: integer format: int32 syscollector_network_protocol: type: integer format: int32 syscollector_osinfo: type: integer format: int32 
syscollector_packages: type: integer format: int32 syscollector_ports: type: integer format: int32 syscollector_processes: type: integer format: int32 deprecated: type: object properties: hardware: type: integer format: int32 hotfix: type: integer format: int32 netaddr: type: integer format: int32 netinfo: type: integer format: int32 netproto: type: integer format: int32 osinfo: type: integer format: int32 package: type: integer format: int32 port: type: integer format: int32 process: type: integer format: int32 vulnerability: type: object properties: vuln_cves: type: integer format: int32 global: type: integer format: int32 description: "Time taken by all global queries (milliseconds)" global_breakdown: type: object properties: db: type: object description: "Time taken by all queries per operation (milliseconds)" properties: backup: type: integer format: int32 sql: type: integer format: int32 tables: type: object description: "Time taken by all queries per operation in tables (milliseconds)" properties: agent: type: object properties: delete-agent: type: integer format: int32 disconnect-agents: type: integer format: int32 find-agent: type: integer format: int32 get-agent-info: type: integer format: int32 get-agents-by-connection-status: type: integer format: int32 get-all-agents: type: integer format: int32 get-groups-integrity: type: integer format: int32 insert-agent: type: integer format: int32 reset-agents-connection: type: integer format: int32 select-agent-group: type: integer format: int32 select-agent-name: type: integer format: int32 set-agent-groups: type: integer format: int32 sync-agent-groups-get: type: integer format: int32 sync-agent-info-get: type: integer format: int32 sync-agent-info-set: type: integer format: int32 update-agent-data: type: integer format: int32 update-agent-name: type: integer format: int32 update-connection-status: type: integer format: int32 update-keepalive: type: integer format: int32 belongs: type: object properties: 
get-group-agents: type: integer format: int32 select-group-belong: type: integer format: int32 group: type: object properties: delete-group: type: integer format: int32 find-group: type: integer format: int32 insert-agent-group: type: integer format: int32 select-groups: type: integer format: int32 labels: type: object properties: get-labels: type: integer format: int32 mitre: type: integer format: int32 description: "Time taken by all mitre queries (milliseconds)" mitre_breakdown: type: object properties: db: type: object description: "Time taken by all queries per operation (milliseconds)" properties: sql: type: integer format: int32 task: type: integer format: int32 description: "Time taken by all task queries (milliseconds)" task_breakdown: type: object properties: db: type: object description: "Time taken by all queries per operation (milliseconds)" properties: sql: type: integer format: int32 tables: type: object description: "Time taken by all queries per operation in tables (milliseconds)" properties: tasks: type: object properties: delete_old: type: integer format: int32 set_timeout: type: integer format: int32 upgrade: type: integer format: int32 upgrade_cancel_tasks: type: integer format: int32 upgrade_custom: type: integer format: int32 upgrade_get_status: type: integer format: int32 upgrade_result: type: integer format: int32 upgrade_update_status: type: integer format: int32 wazuhdb: type: integer format: int32 description: "Time taken by all wazuhdb queries (milliseconds)" wazuhdb_breakdown: type: object properties: db: type: object description: "Time taken by all queries per operation (milliseconds)" properties: remove: type: integer format: int32 WazuhDaemonsStatus: type: object properties: wazuh-agentlessd: $ref: '#/components/schemas/DaemonStatus' wazuh-analysisd: $ref: '#/components/schemas/DaemonStatus' wazuh-authd: $ref: '#/components/schemas/DaemonStatus' wazuh-csyslogd: $ref: '#/components/schemas/DaemonStatus' wazuh-dbd: $ref: 
'#/components/schemas/DaemonStatus' wazuh-execd: $ref: '#/components/schemas/DaemonStatus' wazuh-integratord: $ref: '#/components/schemas/DaemonStatus' wazuh-logcollector: $ref: '#/components/schemas/DaemonStatus' wazuh-maild: $ref: '#/components/schemas/DaemonStatus' wazuh-monitord: $ref: '#/components/schemas/DaemonStatus' wazuh-remoted: $ref: '#/components/schemas/DaemonStatus' wazuh-reportd: $ref: '#/components/schemas/DaemonStatus' wazuh-syscheckd: $ref: '#/components/schemas/DaemonStatus' wazuh-apid: $ref: '#/components/schemas/DaemonStatus' wazuh-clusterd: $ref: '#/components/schemas/DaemonStatus' wazuh-db: $ref: '#/components/schemas/DaemonStatus' wazuh-modulesd: $ref: '#/components/schemas/DaemonStatus' WazuhInfo: type: object properties: path: type: string format: paths description: "Wazuh installation path" version: type: string description: "Wazuh version" compilation_date: type: string format: date-time type: type: string description: "Wazuh installation type" enum: - server - local - hybrid max_agents: type: string minimum: 0 description: "Maximum number of agents that can be registered." 
openssl_support: type: string tz_offset: type: string tz_name: type: string WazuhManagerConfiguration: type: object properties: active-response: type: array items: type: object agentless: type: array items: type: object alerts: type: object auth: type: object cluster: type: object command: type: array items: type: object database_output: type: object email_alerts: type: object gcp-pubsub: type: object global: type: object integration: type: array items: type: object labels: type: object localfile: type: array items: type: object logging: type: object remote: type: array items: type: object reports: type: object rootcheck: type: object ruleset: type: object sca: type: object socket: type: object syscheck: type: object syslog_output: type: array items: type: object #Wodle sections inside WazuhConfiguration(ossec.conf) aws-s3: type: object azure-logs: type: object cis-cat: type: object docker-listener: type: object open-scap: type: object osquery: type: object syscollector: type: object WazuhStats: type: object items: type: object properties: alerts: type: array items: type: object properties: sigid: type: integer format: int32 description: "Rule ID that matched the event" level: type: integer format: int32 minimum: 0 maximum: 15 description: "Alert level" times: type: integer format: int32 description: "Number of times the alert was raised during the specified hour" events: type: integer format: int32 description: "Number of events processed during the specified hour" firewall: type: integer format: int32 description: "Number of firewall alerts raised during the specified hour" hour: type: integer format: int32 description: "Hour of the day in 24h format" syscheck: type: integer format: int32 description: "Number of syscheck alerts raised during the specified hour" totalAlerts: type: integer format: int32 description: "Number of alerts raised during the specified hour" WazuhHourlyStats: type: object properties: averages: type: array maxLength: 24 minLength: 24 
description: "Array containing the number of alerts for every hour" items: type: integer interactions: type: integer format: int32 WazuhWeeklyStats: type: object properties: Sun: $ref: '#/components/schemas/WazuhHourlyStats' Mon: $ref: '#/components/schemas/WazuhHourlyStats' Tue: $ref: '#/components/schemas/WazuhHourlyStats' Wed: $ref: '#/components/schemas/WazuhHourlyStats' Thu: $ref: '#/components/schemas/WazuhHourlyStats' Fri: $ref: '#/components/schemas/WazuhHourlyStats' Sat: $ref: '#/components/schemas/WazuhHourlyStats' WazuhAnalysisdStats: type: object properties: alerts_queue_size: type: number format: float description: "Pending to write in disk alerts queue size" alerts_queue_usage: type: number format: float description: "If an event matches a rule, an alert is raised. The alerts are pushed to a _pending to write in disk alerts_ queue. This variable shows usage of that queue" alerts_written: type: number format: float description: "Total of alerts written in disk during the last 5 seconds" archives_queue_size: type: number format: float description: "_Events to write in the archives.log_ queue size" archives_queue_usage: type: number format: float description: "_Events to write in the archives.log_ queue usage" event_queue_size: type: number format: float description: "Non catalogued events queue size" event_queue_usage: type: number format: float description: "Same as `syscheck_queue_usage` but for events not catalogued in any of the previously mentioned queues" events_dropped: type: number format: float description: "Discarded events because they didn't match any rule in the ruleset" events_processed: type: number format: float description: "Total of events processed (i.e. 
matched against Wazuh ruleset) in the last 5 seconds" events_received: type: number format: float description: "Events received in `analysisd` from the rest of modules in the last 5 seconds" firewall_queue_size: type: number format: float description: "_Events to write in the firewall log_ queue size" firewall_queue_usage: type: number format: float description: "Percentage of use in the queue of events to write in the firewall log" firewall_written: type: number format: float description: "Same as `alerts_written` but focusing on firewall alerts" fts_written: type: number format: float description: "Same as `alerts_written` but focusing on [FTS alerts](https://documentation.wazuh.com/4.7/user-manual/ruleset/ruleset-xml-syntax/decoders.html?highlight=fts#fts)" hostinfo_queue_size: type: number format: float description: "Hostinfo events queue size" hostinfo_queue_usage: type: number format: float description: "Same as `syscheck_queue_usage` but for hostinfo events" other_events_decoded: type: number format: float description: "Same as `total_events_decoded` but for non catalogued events" rootcheck_events_decoded: type: number format: float description: "Same as `total_events_decoded` but for rootcheck events" rootcheck_queue_size: type: number format: float description: "Rootcheck events queue size" rootcheck_queue_usage: type: number format: float description: "Same as `syscheck_queue_usage` but for rootcheck events" rule_matching_queue_size: type: number format: float description: "Size of the queue of decoded events pending to be matched against the ruleset" rule_matching_queue_usage: type: number format: float description: "After decoding, events are pushed to a _pending to process_ queue which will match the events against the Wazuh ruleset to raise alerts. 
This variable shows usage of that queue" sca_events_decoded: type: number format: float description: "Same as `total_events_decoded` but for policy monitoring events" sca_queue_size: type: number format: float description: "Policy monitoring events queue size" sca_queue_usage: type: number format: float description: "Same as `syscheck_queue_usage` but for policy monitoring events" statistical_queue_size: type: number format: float description: "Stats log queue size" statistical_queue_usage: type: number format: float description: "Stats log queue usage" syscheck_events_decoded: type: number format: float description: "Same as `total_events_decoded` but for FIM events" syscheck_queue_size: type: number format: float description: "Syscheck events queue size" syscheck_queue_usage: type: number format: float description: "Percentage of use of the syscheck events queue (events pending to be decoded). Events are discarded when the queue is full, so sustained high usage means FIM events are being dropped before they can be decoded and matched against the ruleset" syscollector_events_decoded: type: number format: float description: "Same as `total_events_decoded` but for system inventory events" syscollector_queue_size: type: number format: float description: "System inventory events queue size" syscollector_queue_usage: type: number format: float description: "Same as `syscheck_queue_usage` but for system inventory events" total_events_decoded: type: number format: float description: "Total events decoded in the last 5 seconds. 
This number is not accumulative, the number in the following 5 seconds can be lower than the previous one" winevt_events_decoded: type: number format: float description: "Same as `total_events_decoded` but for Windows events" winevt_queue_size: type: number format: float description: "Windows events queue size" winevt_queue_usage: type: number format: float description: "Same as `syscheck_queue_usage` but for Windows events" WazuhRemotedStats: type: object properties: ctrl_msg_count: type: number format: float description: "Number of control messages received from all agents during the last five seconds" discarded_count: type: number format: float description: "Number of discarded events received from agents during the last five seconds" evt_count: type: number format: float description: "Number of events sent to analysisd during the last five seconds" sent_bytes: type: number format: float description: "Number of sent bytes to the agents during the last five seconds" queue_size: type: number format: float description: "Usage of the queue to storage events from agents" recv_bytes: type: number format: float description: "Number of received bytes from all agents during the last five seconds" tcp_sessions: type: number format: float description: "Number of TCP active sessions during the last five seconds" total_queue_size: type: number format: float description: "Total queue size to store events from agents" WazuhLogs: type: object properties: description: type: string description: "Log message" level: type: string description: "Log level" enum: - critical - debug - debug2 - error - info - warning tag: type: string format: alphanumeric description: "Wazuh component that logged the event" timestamp: type: string format: date-time ValidationStatus: type: object properties: name: type: string description: "Node name" status: type: string description: "Status value" LogSummary: type: object properties: all: type: integer format: int32 minimum: 0 critical: type: integer 
format: int32 minimum: 0 debug: type: integer format: int32 minimum: 0 error: type: integer format: int32 minimum: 0 info: type: integer format: int32 minimum: 0 warning: type: integer format: int32 minimum: 0 WazuhLogsSummary: type: object properties: wazuh-agentlessd: $ref: '#/components/schemas/LogSummary' wazuh-analysisd: $ref: '#/components/schemas/LogSummary' wazuh-authd: $ref: '#/components/schemas/LogSummary' wazuh-csyslogd: $ref: '#/components/schemas/LogSummary' wazuh-dbd: $ref: '#/components/schemas/LogSummary' wazuh-execd: $ref: '#/components/schemas/LogSummary' wazuh-integratord: $ref: '#/components/schemas/LogSummary' wazuh-maild: $ref: '#/components/schemas/LogSummary' wazuh-monitord: $ref: '#/components/schemas/LogSummary' wazuh-logcollector: $ref: '#/components/schemas/LogSummary' wazuh-remoted: $ref: '#/components/schemas/LogSummary' wazuh-reportd: $ref: '#/components/schemas/LogSummary' wazuh-rootcheck: $ref: '#/components/schemas/LogSummary' wazuh-syscheckd: $ref: '#/components/schemas/LogSummary' sca: $ref: '#/components/schemas/LogSummary' wazuh-db: $ref: '#/components/schemas/LogSummary' wazuh-modulesd: $ref: '#/components/schemas/LogSummary' wazuh-modulesd:agent-upgrade: $ref: '#/components/schemas/LogSummary' wazuh-modulesd:aws-s3: $ref: '#/components/schemas/LogSummary' wazuh-modulesd:azure-logs: $ref: '#/components/schemas/LogSummary' wazuh-modulesd:ciscat: $ref: '#/components/schemas/LogSummary' wazuh-modulesd:control: $ref: '#/components/schemas/LogSummary' wazuh-modulesd:command: $ref: '#/components/schemas/LogSummary' wazuh-modulesd:database: $ref: '#/components/schemas/LogSummary' wazuh-modulesd:docker-listener: $ref: '#/components/schemas/LogSummary' wazuh-modulesd:download: $ref: '#/components/schemas/LogSummary' wazuh-modulesd:oscap: $ref: '#/components/schemas/LogSummary' wazuh-modulesd:osquery: $ref: '#/components/schemas/LogSummary' wazuh-modulesd:syscollector: $ref: '#/components/schemas/LogSummary' 
wazuh-modulesd:vulnerability-detector: $ref: '#/components/schemas/LogSummary' wazuh-modulesd:task-manager: $ref: '#/components/schemas/LogSummary' ConfirmationMessage: type: object properties: message: type: string description: "Confirmation message" ConfigurationValidation: type: object properties: status: type: string description: "Configuration status" enum: - OK APIconfiguration: type: object minProperties: 1 additionalProperties: false properties: access: description: API Security Options type: object additionalProperties: false properties: max_login_attempts: description: "Maximum number of login attempts allowed from a single IP within {block_time} seconds; once exceeded, that IP is blocked for the rest of the window" type: integer format: int32 minimum: 1 example: 50 block_time: description: "Blocking time in seconds for IPs that have exceeded {max_login_attempts}. Time counts from the first attempt, not from the attempt that triggered the block. A value of 0 effectively disables the lockout" type: integer format: int32 minimum: 0 example: 300 max_request_per_minute: description: "Maximum number of requests allowed per minute" type: integer format: int32 minimum: 1 example: 300 logs: type: object additionalProperties: false properties: level: description: "Verbosity level of API logs (disabled turns API logging off)" default: info type: string enum: [disabled, info, warning, error, debug, debug2] cache: type: object additionalProperties: false properties: enabled: description: "Enable cache" type: boolean default: true time: description: "Cache expiration time in seconds" type: number format: double minimum: 0 example: 0.75 cors: type: object additionalProperties: false properties: enabled: description: "Enable CORS" type: boolean default: false source_route: description: "Origins (Access-Control-Allow-Origin) for which the API resources will be available. 
For example 'http://client.example.org'. The '*' example allows any origin and should not be combined with allow_credentials" type: string example: '*' expose_headers: description: "Which headers can be exposed as part of the response" type: string example: '*' allow_headers: description: "Which HTTP headers can be used during the actual request" type: string example: '*' allow_credentials: description: "Browsers will only expose the response to frontend JavaScript code if this is enabled. When enabled, credentialed cross-origin requests are accepted from the origins in source_route, so keep source_route restricted to trusted origins rather than '*'" type: boolean default: false experimental_features: description: "Enable features under development" type: boolean default: false LastScan: type: object properties: end: type: string nullable: true format: date-time description: "Date when the latest scan finished. If it is in progress, or no scans have been run, null will be returned" start: type: string nullable: true format: date-time description: "Date when the latest scan started. If no scans have been run, null will be returned" # Rules models RuleFile: allOf: - $ref: '#/components/schemas/RulesetFile' - $ref: '#/components/schemas/RulesetStatus' Rule: allOf: - $ref: '#/components/schemas/RuleFile' - type: object properties: description: type: string description: "Rule description. 
This description is shown when an alert matching the rule is raised" details: type: object description: "Rule definition details" gdpr: type: array description: "GDPR requirements the rule maps to" items: type: string gpg13: type: array description: "GPG13 requirements the rule maps to" items: type: string groups: type: array description: "Groups the rule belongs to" items: type: string hipaa: type: array description: "HIPAA requirements the rule maps to" items: type: string id: type: integer format: int32 description: "Rule ID" level: type: integer format: int32 minimum: 0 maximum: 15 description: "Rule level (0-15)" nist-800-53: type: array description: "NIST-800-53 controls the rule maps to" items: type: string tsc: type: array description: "TSC criteria the rule maps to" items: type: string pci: type: array description: "PCI DSS requirements the rule maps to" items: type: string SecurityConfiguration: type: object minProperties: 1 properties: auth_token_exp_timeout: description: "Time in seconds until a newly issued JWT expires. Changing this value revokes every token issued before the change, so clients must authenticate again" type: integer format: int32 minimum: 30 example: 900 rbac_mode: description: "RBAC policy evaluation mode: white (allow-list) or black (deny-list). Changing it also revokes all previously issued tokens" type: string enum: [white, black] example: white # SCA models SCAChecks: type: object properties: description: type: string description: "A description of what is being checked" directory: type: string description: "Analyzed directories" file: type: string description: "Analyzed file path" id: type: integer format: int32 description: "Policy check ID. A policy contains multiple checks" policy_id: type: string description: "Scanned policy ID" process: type: string description: "Check whether a process is running or not. 
It's only returned when the checked process is running" rationale: type: string description: "Explains why this check is necessary" references: type: string description: "A link to a documentation page about the check" registry: type: string description: "Analyzed registry" remediation: type: string description: "Explains how to fix the check; most useful when the check failed" result: type: string description: "Check result" enum: - passed - failed - "not applicable" title: type: string description: "A brief description of what is being checked" condition: type: string description: "Specifies how the results of the individual rules of a check are aggregated to compute the check's final result" enum: - all - any - none SCADatabase: type: object properties: description: type: string description: "Brief description of what the policy is checking" end_scan: type: string format: date-time description: "When the last scan finished" fail: type: integer format: int32 description: "Number of failed checks. A value higher than 0 means the host does not comply with at least one check of the policy (a configuration weakness, not necessarily an exploitable vulnerability)" name: type: string description: "Policy name" pass: type: integer format: int32 description: "Number of passed checks" policy_id: type: string description: "Policy ID" references: type: string description: "A link to a documentation page about the policy" score: type: integer format: int32 description: "Percentage of passed checks" start_scan: type: string format: date-time description: "When the last scan started" # Syscheck models SyscheckDatabase: type: object properties: sha1: type: string format: hash_or_empty description: "SHA1 checksum of the file" file: type: string description: "File name that raised the alert" md5: type: string format: hash_or_empty description: "MD5 checksum of the file" inode: type: integer format: int32 description: "Inode of the file. 
Only available in Linux agents" uid: type: string format: numbers_or_empty description: "UID of the file" date: type: string format: date-time description: "Date when the alert was raised" perm: type: string format: names_or_empty description: "File permissions" gname: type: string format: names_or_empty description: "Group name. Only available in Linux agents" uname: type: string format: names_or_empty description: "User name of the file" size: type: integer format: int64 description: "File size in bytes" gid: type: string format: numbers_or_empty description: "GID of the file. Only available in Linux agents" mtime: type: string format: date-time_or_empty description: "Last modification date of the file" sha256: type: string format: hash_or_empty description: "SHA256 checksum of the file" # Decoders models Decoder: type: object allOf: - $ref: '#/components/schemas/DecoderFile' properties: name: type: string description: "Decoder name" position: type: integer format: int32 minimum: 0 description: "Position of this decoder in the decoder file. The parent decoder will have position 0, the following defined decoder will have position 1, and so on" details: type: object description: "Decoder definition fields" properties: program_name: type: object nullable: true parent: type: string prematch: type: object regex: type: object items: type: string order: type: string accumulate: type: boolean nullable: true DecoderFile: allOf: - $ref: '#/components/schemas/RulesetFile' - $ref: '#/components/schemas/RulesetStatus' # Syscollector models SyscollectorHardware: type: object properties: board_serial: type: string description: "Motherboard serial number. 
This value will be empty in virtual machines" cpu: type: object properties: cores: type: integer format: int32 minimum: 0 description: "Number of cores the CPU has" mhz: type: number format: float minimum: 0 description: "Mhz the CPU has" name: type: string description: "CPU name" ram: type: object properties: free: type: integer format: int32 minimum: 0 description: "Current free RAM memory" total: type: integer format: int32 minimum: 0 description: "Total RAM memory" usage: type: integer format: int32 minimum: 0 maximum: 100 description: "RAM memory currently used" scan: $ref: '#/components/schemas/ScanIdTime' agent_id: $ref: '#/components/schemas/AgentID' SyscollectorHotfix: type: object properties: scan: $ref: '#/components/schemas/ScanIdTime' hotfix: type: string description: "Hotfixes for windows agents" SyscollectorNetwork: type: object properties: address: type: string description: "IP address associated with the network interface" broadcast: type: string description: "IP address associated with the broadcast" iface: type: string description: "Network interface name" netmask: type: string description: "Netmask associated with the network interface" proto: type: string description: "Protocol associated with the network interface" scan_id: type: integer format: int64 description: "Scan ID" agent_id: $ref: '#/components/schemas/AgentID' NetworkInterfaceSentPackets: description: "Information related to sent packets in the network interface" type: object properties: bytes: type: integer format: int32 minimum: 0 description: "Number of bytes in the network interface" dropped: type: integer format: int32 minimum: 0 description: "Number of dropped packages in the network interface" error: type: integer format: int32 minimum: 0 description: "Number of packages containing any error in the network interface" packets: type: integer format: int32 minimum: 0 description: "Number of packages in the network interface" NetworkInterfaceReceivedPackets: description: 
"Information related to received packets in the network interface" type: object properties: bytes: type: integer format: int32 minimum: 0 description: "Number of bytes received through the network interface" dropped: type: integer format: int32 minimum: 0 description: "Number of received packets dropped by the network interface" error: type: integer format: int32 minimum: 0 description: "Number of received packets with errors in the network interface" packets: type: integer format: int32 minimum: 0 description: "Number of packets received through the network interface" SyscollectorInterface: type: object properties: mac: type: string description: "MAC address of the network interface" mtu: type: integer format: int32 minimum: 0 description: "Network interface's Maximum Transmission Unit (MTU)" name: type: string description: "Network interface name" rx: $ref: '#/components/schemas/NetworkInterfaceReceivedPackets' scan: $ref: '#/components/schemas/ScanIdTime' state: type: string description: "Network interface state" enum: - up - down tx: $ref: '#/components/schemas/NetworkInterfaceSentPackets' type: type: string description: "Network interface type" agent_id: $ref: '#/components/schemas/AgentID' SyscollectorProtocol: type: object properties: dhcp: $ref: '#/components/schemas/DHCPStatus' gateway: description: "Gateway IP" type: string iface: description: "Network interface name" type: string scan_id: type: integer format: int64 description: "Scan ID" type: type: string description: "Protocol of the interface data" enum: - ipv4 - ipv6 agent_id: $ref: '#/components/schemas/AgentID' DHCPStatus: type: string description: "DHCP status" enum: - enabled - disabled - unknown - BOOTP SyscollectorOS: type: object properties: architecture: type: string description: "OS architecture" hostname: type: string description: "Machine's hostname" os: type: object properties: codename: type: string description: "OS version codename" major: type: string description: "Major release version" minor: type: string description: "Minor 
release version" name: type: string description: "OS name" platform: type: string description: "OS platform name" version: type: string description: "Full version name" release: type: string description: "Release name" scan: $ref: '#/components/schemas/ScanIdTime' sysname: type: string description: "System name" version: type: string description: "Release version" agent_id: $ref: '#/components/schemas/AgentID' SyscollectorPackages: type: object properties: architecture: type: string description: "Package architecture" description: type: string description: "Brief package description" format: type: string description: "Package format" enum: - pacman - deb - rpm - win - pkg - apk - macports - pypi - npm multiarch: type: string description: "Whether the package has multi architecture support" enum: - allowed - same - foreign name: type: string description: "Package name" priority: type: string description: "Package priority" scan: $ref: '#/components/schemas/ScanIdTime' section: type: string description: "Package section" source: type: string description: "Source section" size: type: integer description: "Installed package size in bytes" vendor: type: string description: "Vendor name" version: type: string description: "Release version installed" agent_id: $ref: '#/components/schemas/AgentID' LocalPortInfo: description: "Information regarding local opened port" type: object properties: ip: type: string description: "Bind IP" port: type: integer minimum: 0 format: int32 description: "Port used" RemotePortInfo: description: "Information regarding the remote port the machine is connected to" type: object properties: ip: type: string description: "Bind IP" port: type: integer minimum: 0 format: int32 description: "Port used" SyscollectorPorts: type: object properties: inode: type: integer format: int64 description: "Port inode" local: $ref: '#/components/schemas/LocalPortInfo' protocol: type: string description: "Protocol used in the communication" enum: - tcp - udp - 
tcp6 - udp6 remote: $ref: '#/components/schemas/RemotePortInfo' rx_queue: type: integer format: int32 minimum: 0 description: "Packets in the receive queue" scan: $ref: '#/components/schemas/ScanIdTime' state: type: string description: "Communication status" enum: - established - syn_sent - syn_recv - fin_wait1 - fin_wait2 - time_wait - close - close_wait - last_ack - listening - closing - delete_tcp - unknown tx_queue: type: integer format: int32 minimum: 0 description: "Packets pending to be transmitted" agent_id: $ref: '#/components/schemas/AgentID' pid: type: integer format: int32 description: "PID of the process that owns the open port" process: type: string format: alphanumeric description: "Name of the process that owns the open port" SyscollectorProcess: type: object properties: argvs: type: string description: "Arguments received by the process" cmd: type: string description: "Executed command" egroup: type: string description: "Effective group" euser: type: string description: "Effective user" fgroup: type: string description: "Filesystem group name" name: type: string description: "Process name" nice: type: integer format: int32 description: "Nice value of the process" nlwp: type: integer format: int32 description: "Number of lightweight processes" pgrp: type: integer format: int32 description: "Process group" pid: type: string description: "Process PID" ppid: type: integer format: int32 minimum: 0 description: "Process parent PID" priority: type: integer format: int32 description: "Kernel scheduling priority" processor: type: integer format: int32 minimum: 0 description: "Number of the processor running the process" resident: type: integer format: int32 description: "Process resident size in bytes" rgroup: type: string description: "Real group" ruser: type: string description: "Real user" scan: $ref: '#/components/schemas/ScanIdTime' session: type: integer format: int32 description: "Process session" sgroup: type: string description: "Saved-set group" share: type: integer format: int32 minimum: 0 
description: "Shared memory" size: type: integer format: int32 minimum: 0 description: "Process size in bytes" start_time: type: integer format: int64 description: "Time when the process started" state: type: string description: "Process state" stime: type: integer format: int32 minimum: 0 description: "Time spent executing system code" suser: type: string description: "Saved-set user" tgid: type: integer format: int32 description: "Thread Group ID" tty: type: integer format: int32 description: "Process TTY number" utime: type: integer format: int32 description: "Time spent executing user code" vm_size: type: integer format: int32 minimum: 0 description: "Total VM size (KB)" agent_id: $ref: '#/components/schemas/AgentID' # Lists models CDBList: allOf: - $ref: '#/components/schemas/RulesetFile' - type: object properties: items: type: array items: $ref: '#/components/schemas/CDBListPair' CDBListPair: type: object required: - key - value properties: key: type: string description: "Key of the CDB list item" value: type: string description: "Value of the CDB list item" CDBListFile: $ref: '#/components/schemas/RulesetFile' # Overview models OverviewAgents: type: object required: - agent_os - agent_status - agent_version - groups - last_registered_agent - nodes properties: nodes: type: array description: "Active nodes in the cluster" items: type: object properties: count: type: integer format: int32 node_name: type: string groups: type: array description: "Count of Wazuh agents grouped by Wazuh group" items: $ref: '#/components/schemas/AgentGroup' agent_os: type: array description: "Count of Wazuh agents grouped by OS" items: type: object properties: count: type: integer format: int32 os: type: object properties: name: type: string format: alphanumeric_symbols platform: type: string format: alphanumeric version: type: string format: alphanumeric agent_status: $ref: '#/components/schemas/AgentsSummaryStatus' agent_version: type: 
array description: "Count of Wazuh agents grouped by version" items: type: object properties: count: type: integer format: int32 version: type: string format: alphanumeric last_registered_agent: type: array items: $ref: '#/components/schemas/Agent' securitySchemes: basicAuth: type: http scheme: basic description: "Intended method to obtain a JWT token" x-basicInfoFunc: api.authentication.check_user jwt: type: http scheme: bearer bearerFormat: JWT x-bearerInfoFunc: api.authentication.decode_token parameters: agent_id: in: path name: agent_id description: "Agent ID. All possible values from 000 onwards" required: true schema: $ref: '#/components/schemas/AgentID' agent_name: in: query name: agent_name description: "Agent name. The only special characters allowed are '-', '_' and '.'" required: true schema: type: string format: names maxLength: 128 benchmark: in: query name: benchmark description: "Filter by benchmark type" schema: type: string format: alphanumeric command: in: query name: command description: "Filter by command" schema: type: string format: symbols_alphanumeric_param component: in: path name: component description: "Selected agent's component" required: true schema: type: string enum: - agent - agentless - analysis - auth - com - csyslog - integrator - logcollector - mail - monitor - request - syscheck - wazuh-db - wmodules configuration: in: path name: configuration description: |

Selected agent's configuration to read. The configuration to read depends on the selected component. The following table shows all available combinations of component and configuration values:

| Component    | Configuration    | Tag                                 |
|--------------|------------------|-------------------------------------|
| agent        | client           | <client>                            |
| agent        | buffer           | <client_buffer>                     |
| agent        | labels           | <labels>                            |
| agent        | internal         | <agent>, <monitord>, <remoted>      |
| agentless    | agentless        | <agentless>                         |
| analysis     | global           | <global>                            |
| analysis     | active_response  | <active-response>                   |
| analysis     | alerts           | <alerts>                            |
| analysis     | command          | <command>                           |
| analysis     | rules            | <rule>                              |
| analysis     | decoders         | <decoder>                           |
| analysis     | internal         | <analysisd>                         |
| analysis     | rule_test        | <rule_test>                         |
| auth         | auth             | <auth>                              |
| com          | active-response  | <active-response>                   |
| com          | logging          | <logging>                           |
| com          | internal         | <execd>                             |
| com          | cluster          | <cluster>                           |
| csyslog      | csyslog          | <csyslog_output>                    |
| integrator   | integration      | <integration>                       |
| logcollector | localfile        | <localfile>                         |
| logcollector | socket           | <socket>                            |
| logcollector | internal         | <logcollector>                      |
| mail         | global           | <global><email...>                  |
| mail         | alerts           | <email_alerts>                      |
| mail         | internal         | <maild>                             |
| monitor      | global           | <global>                            |
| monitor      | internal         | <monitord>                          |
| monitor      | reports          | <reports>                           |
| request      | global           | <global>                            |
| request      | remote           | <remote>                            |
| request      | internal         | <remoted>                           |
| syscheck     | syscheck         | <syscheck>                          |
| syscheck     | rootcheck        | <rootcheck>                         |
| syscheck     | internal         | <syscheck>, <rootcheck>             |
| wazuh-db     | internal         | <wazuh_db>                          |
| wazuh-db     | wdb              | <wdb>                               |
| wmodules     | wmodules         | <wodle>                             |
required: true schema: type: string enum: - client - buffer - labels - internal - agentless - global - active_response - alerts - command - rules - decoders - auth - logging - reports - active-response - cluster - csyslog - integration - localfile - socket - remote - syscheck - rootcheck - wdb - wmodules - rule_test cve: in: query name: cve description: "Filter by CVE" schema: type: string format: alphanumeric daemons_list: in: query name: daemons_list description: "List of daemon names (separated by comma), all daemons selected by default if not specified" schema: type: array items: type: string enum: - wazuh-analysisd - wazuh-remoted - wazuh-db daemons_list_agents: in: query name: daemons_list description: "List of daemon names (separated by comma), all daemons selected by default if not specified" schema: type: array items: type: string enum: - wazuh-analysisd - wazuh-remoted decoder_name: in: query name: decoder_names description: "Decoder name" schema: type: array items: type: string format: names description: in: query name: description description: "Filter by policy description" schema: type: string format: alphanumeric_symbols directory: in: query name: directory description: "Filter by directory" schema: type: string downloadFile: in: path name: filename required: True description: "Filename to download" schema: type: string format: alphanumeric error: in: query name: error description: "Filter by encountered errors" schema: type: integer format: int32 minimum: 0 fail: in: query name: fail description: "Filter by failed checks" schema: type: integer format: int32 minimum: 0 fields: in: query name: fields description: "List of fields affecting the operation" schema: type: array items: type: string format: names filename: in: query name: filename description: "Filter by filename" schema: type: array items: type: string format: alphanumeric full_path_filter: in: query name: file description: "Filter by full path" schema: type: string format: paths file_name: 
in: path name: file_name description: "Filename" required: true schema: type: string format: alphanumeric file_format: in: query name: format description: "Filter by file format. For example 'deb' will output deb files" schema: type: string format: alphanumeric group_id: in: path name: group_id description: "Group ID (name of the group)" required: true schema: $ref: '#/components/schemas/GroupID' group_id_query: in: query name: group_id description: "Group ID (name of the group)" required: true schema: $ref: '#/components/schemas/GroupID' agent_group: in: query name: group description: "Filter by group of agents" schema: $ref: '#/components/schemas/GroupID' hash: in: query name: hash description: "Hash algorithm used to compute the returned checksums" schema: type: string enum: - md5 - sha1 - sha224 - sha256 - sha384 - sha512 - blake2b - blake2s - sha3_224 - sha3_256 - sha3_384 - sha3_512 hotfix: in: query name: hotfix description: "Filter by hotfix" schema: type: string limit: in: query name: limit description: "Maximum number of elements to return. Although up to 100,000 can be specified, it is recommended not to exceed 500 elements. Responses may become slower the further this number is exceeded." schema: type: integer format: int32 default: 500 minimum: 1 maximum: 100000 log_lines: in: query name: limit description: "Maximum number of lines to return." schema: type: integer format: int32 default: 500 minimum: 1 maximum: 500 list_filename_path: in: path name: filename description: "Filename (CDB list) to get/edit/delete." 
required: true schema: type: string format: cdb_filename_path agents_list: in: query name: agents_list description: "List of agent IDs (separated by comma), all agents selected by default if not specified" schema: type: array items: $ref: '#/components/schemas/AgentID' agents_list_all: in: query name: agents_list description: "List of agent IDs (separated by comma), use the keyword `all` to select all agents" required: true schema: type: array items: $ref: '#/components/schemas/AgentIDListAll' groups_list: in: query name: groups_list description: "List of group IDs (separated by comma), all groups selected by default if not specified" schema: type: array items: $ref: '#/components/schemas/GroupID' groups_list_all: in: query name: groups_list description: "List of group IDs (separated by comma), use the keyword 'all' to select all groups" required: true schema: type: array items: $ref: '#/components/schemas/GroupIDListAll' node: in: query name: node description: "Show results filtered by node" schema: type: string format: alphanumeric nodes_list: in: query name: nodes_list description: "List of node IDs (separated by comma), all nodes selected by default if not specified" schema: type: array items: type: string module: in: query name: module description: "Show results filtered by module" schema: type: string format: alphanumeric manager_host: in: query name: manager description: "Filter by manager hostname where agents are connected to" schema: type: string format: alphanumeric mitre_mitigation_ids: in: query name: 'mitigation_ids' description: "List of MITRE's mitigations IDs (separated by comma)" schema: type: array items: $ref: '#/components/schemas/Mitre_mitigation_id' mitre_reference_ids: in: query name: 'reference_ids' description: "List of MITRE's references IDs (separated by comma)" schema: type: array items: $ref: '#/components/schemas/Mitre_reference_id' mitre_tactic_ids: in: query name: 'tactic_ids' description: "List of MITRE's tactics IDs (separated by 
comma)" schema: type: array items: $ref: '#/components/schemas/Mitre_tactic_id' mitre_group_ids: in: query name: 'group_ids' description: "List of MITRE's group IDs (separated by comma)" schema: type: array items: $ref: '#/components/schemas/Mitre_group_id' mitre_software_ids: in: query name: 'software_ids' description: "List of MITRE's software IDs (separated by comma)" schema: type: array items: $ref: '#/components/schemas/Mitre_software_id' mitre_technique_ids: in: query name: 'technique_ids' description: "List of MITRE's techniques IDs (separated by comma)" schema: type: array items: $ref: '#/components/schemas/Mitre_technique_id' name: in: query name: name description: "Filter by name" schema: type: string format: alphanumeric sca_name: in: query name: name description: "Filter by policy name" schema: type: string notchecked: in: query name: notchecked description: "Filter by not checked" schema: type: integer format: int32 minimum: 0 offset: in: query name: offset description: "First element to return in the collection" schema: type: integer format: int32 default: 0 minimum: 0 olderThanParam: in: query name: older_than description: "Filter out agents whose time lapse from last keep alive signal is longer than specified. Time in seconds, ‘[n_days]d’, ‘[n_hours]h’, ‘[n_minutes]m’ or ‘[n_seconds]s’. For never_connected agents, uses the register date. For example, `7d`, `10s` and `10` are valid values. 
If no time unit is specified, seconds are used" schema: type: string format: timeframe pass: in: query name: pass description: "Filter by passed checks" schema: type: integer format: int32 minimum: 0 phase_name: in: query name: phase_name description: "Show results filtered by phase" schema: type: string format: alphanumeric platform_name: in: query name: platform_name description: "Show results filtered by platform" schema: type: string format: alphanumeric pretty: in: query name: pretty description: "Show results in human-readable format" schema: type: boolean default: false process: in: query name: process description: "Filter by process name" schema: type: string format: alphanumeric profile: in: query name: profile description: "Filter by evaluated profile" schema: type: string format: alphanumeric policy_id: in: path name: policy_id description: "Filter by policy id" required: true schema: type: string format: alphanumeric policy_id_rbac: in: path name: policy_id description: "Specify a policy id" required: true schema: $ref: '#/components/schemas/Policy_id' policy_ids_rbac: in: query name: 'policy_ids' description: "List of policy IDs" schema: type: array items: $ref: '#/components/schemas/Policy_id' policy_ids_rbac_delete: in: query name: 'policy_ids' description: "List of policy IDs (separated by comma), use the keyword 'all' to select all policies" required: true schema: type: array items: $ref: '#/components/schemas/Policy_id_DELETE' policy_ids_rbac_required: in: query name: 'policy_ids' description: "List of policy IDs" required: true schema: type: array items: $ref: '#/components/schemas/Policy_id' endpoint: in: query name: endpoint description: "Look for the RBAC actions which are related to the specified endpoint" schema: type: string purge: in: query name: purge description: "Permanently delete an agent from the key store" schema: type: boolean default: false query: in: query name: q description: "Query to filter results by. 
For example q=\"status=active\"" schema: type: string rationale: in: query name: rationale description: "Filter by rationale" schema: type: string format: alphanumeric_symbols raw: in: query name: raw description: "Format response in plain text" required: False schema: type: boolean registry: in: query name: registry description: "Filter by registry" schema: type: string format: alphanumeric references: in: query name: references description: "Filter by references" schema: type: string remediation: in: query name: remediation description: "Filter by remediation" schema: type: string format: alphanumeric_symbols rule_requirement: in: path name: requirement required: true schema: type: string enum: [pci_dss, gdpr, hipaa, nist-800-53, gpg13, tsc, mitre] result: in: query name: result description: "Filter by result" schema: type: string format: alphanumeric condition: in: query name: condition description: "Filter by condition" schema: type: string role_id: in: path name: role_id description: "Specify a role ID" required: true schema: $ref: '#/components/schemas/Role_id' role_ids: in: query name: 'role_ids' description: "List of role IDs (separated by comma)" schema: type: array items: $ref: '#/components/schemas/Role_id' role_ids_delete: in: query name: 'role_ids' description: "List of role IDs (separated by comma), use the keyword 'all' to select all roles" required: true schema: type: array items: $ref: '#/components/schemas/Role_id_DELETE' role_ids_required: in: query name: 'role_ids' description: "List of role IDs (separated by comma)" required: True schema: type: array items: $ref: '#/components/schemas/Role_id_DELETE' security_rule_id: in: path name: 'rule_id' description: "Specify a rule ID" required: true schema: $ref: '#/components/schemas/Security_rule_id' security_rule_ids: in: query name: 'rule_ids' description: "List of rule IDs (separated by comma)" schema: type: array items: $ref: '#/components/schemas/Security_rule_id' security_rule_ids_required: in: 
query name: 'rule_ids' description: "List of rule IDs (separated by comma)" required: true schema: type: array items: $ref: '#/components/schemas/Security_rule_id' security_rule_ids_delete: in: query name: 'rule_ids' description: "List of rule IDs (separated by comma), use the keyword 'all' to select all rules" required: true schema: type: array items: $ref: '#/components/schemas/Security_rule_id_DELETE' security_position: in: query name: 'position' description: "Security position for roles/policies" required: False schema: type: integer minimum: 0 tasks_list: in: query name: 'tasks_list' description: "List of task IDs (separated by comma)" schema: type: array items: $ref: '#/components/schemas/Task_id' reason: in: query name: reason description: "Filter by reason" schema: type: string format: alphanumeric_symbols rule_ids: in: query name: rule_ids description: "List of rule IDs" schema: type: array items: type: integer format: int32 minimum: 1 score: in: query name: score description: "Filter by final score" schema: type: integer format: int32 minimum: 0 search: in: query name: search description: "Look for elements containing the specified string. To obtain a complementary search, use '-' at the beginning" schema: type: string format: search select: in: query name: select description: "Select which fields to return (separated by comma). Use '.' for nested fields. For example, '{field1: field2}' may be selected with 'field1.field2'" schema: type: array items: type: string format: names # It'd be more appropriate to be an array of strings, and separate the ascending or descending order in another param sort: in: query name: sort description: "Sort the collection by a field or fields (separated by comma). Use +/- at the beginning to list in ascending or descending order. Use '.' for nested fields. 
For example, '{field1: field2}' may be selected with 'field1.field2'" schema: type: string format: sort stats_component: in: path name: component description: "Selected component stats" required: true schema: type: string enum: - logcollector - agent status: in: query name: status description: "Filter by status" schema: type: string format: alphanumeric statusAgentParam: in: query name: status description: "Filter by agent status (use commas to enter multiple statuses)" schema: type: array items: type: string enum: - active - pending - never_connected - disconnected minItems: 1 statusDeleteAgentParam: in: query name: status required: true description: "Filter by agent status (use commas to enter multiple statuses)" schema: type: array items: type: string enum: - all - active - pending - never_connected - disconnected minItems: 1 statusRLDParam: in: query name: status description: "Filter by list status. Use commas to enter multiple statuses" schema: type: string enum: - enabled - disabled - all minItems: 1 title: in: query name: title description: "Filter by title" schema: type: string format: alphanumeric_symbols logtest_token: in: path name: token description: "Token of the logtest saved session" required: true schema: type: string format: alphanumeric type_agents: in: query name: type description: "Type of file" schema: type: array items: type: string enum: - conf - rootkit_files - rootkit_trojans - rcl type_syscollector: in: query name: type description: "Type of network" schema: type: string format: alphanumeric typesys: in: query name: type description: "Type of interface" schema: type: string allow_run_as: in: query name: allow_run_as description: "Value for the allow_run_as flag" schema: type: boolean default: false user_ids: in: query name: 'user_ids' description: "List of user IDs (separated by comma)" schema: type: array items: $ref: '#/components/schemas/User_id' user_ids_delete: in: query name: 'user_ids' description: "List of user IDs (separated by 
comma), use the keyword 'all' to select all users" required: true schema: type: array items: $ref: '#/components/schemas/User_id_DELETE' user_id_required: in: path name: 'user_id' description: "User ID" required: True schema: $ref: '#/components/schemas/User_id' unknown: in: query name: unknown description: "Filter by unknown results" schema: type: integer format: int32 version: in: query name: version description: "Filter by agents version using one of the following formats: 'X.Y.Z', 'vX.Y.Z', 'wazuh X.Y.Z' or 'wazuh vX.Y.Z'. For example: '4.4.0'" schema: type: string format: alphanumeric cve_version: in: query name: version description: "Filter by CVE version" schema: type: string format: alphanumeric_symbols cve_status: in: query name: status description: "Filter by CVE status" schema: type: string enum: - valid - pending - obsolete cve_type: in: query name: type description: "Filter by CVE type" schema: type: string enum: - os - package cve_severity: in: query name: severity description: "Filter by CVE severity" schema: type: string format: names wait_for_complete: in: query name: wait_for_complete description: "Disable timeout response" schema: type: boolean default: false node_type: in: query name: type description: "Filter by node type" schema: type: string enum: - worker - master node_id: in: path name: node_id description: "Cluster node name" required: true schema: type: string format: names node_name: in: query name: node_name description: "Filter by node name" schema: type: string format: names section: in: query name: section description: "Indicates the wazuh configuration section" schema: type: string enum: - active-response - agentless - alerts - auth - client - client_buffer - cluster - command - database_output - email_alerts - global - integration - labels - localfile - logging - remote - reports - rootcheck - ruleset - sca - socket - syscheck - syslog_output # Wodle sections - aws-s3 - azure-logs - cis-cat - docker-listener - open-scap - osquery - 
syscollector - vulnerability-detector field: in: query name: field description: "Indicate a child of the section. E.g., fields for the *ruleset* section are decoder_dir, rule_dir, etc." schema: type: string format: names date: in: query name: date description: "Date to obtain statistical information from. Format YYYY-MM-DD" schema: type: string format: date tag: in: query name: tag description: "Wazuh component that logged the event" schema: type: string format: alphanumeric log_level: in: query name: level description: "Filter by log level" schema: type: string enum: - critical - debug - debug2 - error - info - warning get_dirnames_path: in: query name: relative_dirname description: "Filter by relative directory name" schema: type: string format: get_dirnames_path overwrite: in: query name: overwrite description: "If set to false, an exception will be raised when updating the contents of an already existing file" schema: type: boolean default: false group: in: query name: group description: "Filter by rule group" schema: type: string format: alphanumeric level: in: query name: level description: "Filter by rule level. 
Can be a single level (4) or an interval (2-4)" schema: type: string format: range pci_dss: in: query name: pci_dss description: "Filter by PCI_DSS requirement name" schema: type: string format: alphanumeric gdpr: in: query name: gdpr description: "Filter by GDPR requirement" schema: type: string format: alphanumeric gpg13: in: query name: gpg13 description: "Filter by GPG13 requirement" schema: type: string format: alphanumeric hipaa: in: query name: hipaa description: "Filter by HIPAA requirement" schema: type: string format: alphanumeric nist-800-53: in: query name: nist-800-53 description: "Filter by NIST-800-53 requirement" schema: type: string format: alphanumeric tsc: in: query name: tsc description: "Filter by TSC requirement" schema: type: string format: alphanumeric mitre: in: query name: mitre description: "Filter by MITRE technique ID" schema: type: string format: alphanumeric cis: in: query name: cis description: "Filter by CIS requirement" schema: type: string format: alphanumeric filetype: in: query name: type description: "Filter by file type. The registry_key and registry_value types are only available in Windows agents" schema: type: string enum: - file - registry_key - registry_value summary: in: query name: summary description: "Return a summary grouping by filename" schema: type: boolean default: false md5: in: query name: md5 description: "Filter files with the specified MD5 checksum" schema: type: string format: hash sha1: in: query name: sha1 description: "Filter files with the specified SHA1 checksum" schema: type: string format: hash sha256: in: query name: sha256 description: "Filter files with the specified SHA256 checksum" schema: type: string format: hash hashfilter: in: query name: hash description: "Filter files with the specified hash (md5, sha256 or sha1)" schema: type: string format: hash distinct: in: query name: distinct description: Look for distinct values. 
schema: type: boolean default: false ram.free: in: query name: ram.free description: "Filter by ram.free" schema: type: integer format: int64 minimum: 0 ram.total: in: query name: ram.total description: "Filter by ram.total" schema: type: integer format: int64 minimum: 0 cpu.cores: in: query name: cpu.cores description: "Filter by cpu.cores" schema: type: integer format: int32 minimum: 1 cpu.mhz: in: query name: cpu.mhz description: "Filter by cpu.mhz" schema: type: number format: float minimum: 1 cpu.name: in: query name: cpu.name description: "Filter by cpu.name" schema: type: string board_serial: in: query name: board_serial description: "Filter by board_serial" schema: type: string format: alphanumeric proto: in: query name: proto description: "Filter by IP protocol" schema: type: string format: alphanumeric address: in: query name: address description: "Filter by IP address" schema: type: string format: alphanumeric broadcast: in: query name: broadcast description: "Filter by broadcast direction" schema: type: string format: alphanumeric netmask: in: query name: netmask description: "Filter by netmask" schema: type: string format: alphanumeric adapter: in: query name: adapter description: "Filter by adapter" schema: type: string format: alphanumeric state: in: query name: state description: "Filter by state" schema: type: string format: alphanumeric mtu: in: query name: mtu description: "Filter by mtu" schema: type: integer format: int32 minimum: 0 tx.packets: in: query name: tx.packets description: "Filter by tx.packets" schema: type: integer format: int32 minimum: 0 rx.packets: in: query name: rx.packets description: "Filter by rx.packets" schema: type: integer format: int32 minimum: 0 tx.bytes: in: query name: tx.bytes description: "Filter by tx.bytes" schema: type: integer format: int32 minimum: 0 rx.bytes: in: query name: rx.bytes description: "Filter by rx.bytes" schema: type: integer format: int32 minimum: 0 tx.errors: in: query name: tx.errors 
description: "Filter by tx.errors" schema: type: integer format: int32 minimum: 0 rx.errors: in: query name: rx.errors description: "Filter by rx.errors" schema: type: integer format: int32 minimum: 0 tx.dropped: in: query name: tx.dropped description: "Filter by tx.dropped" schema: type: integer format: int32 minimum: 0 rx.dropped: in: query name: rx.dropped description: "Filter by rx.dropped" schema: type: integer format: int32 minimum: 0 iface: in: query name: iface description: "Filter by network interface" schema: type: string format: alphanumeric gateway: in: query name: gateway description: "Filter by network gateway" schema: type: string format: alphanumeric dhcp: in: query name: dhcp description: "Filter by network dhcp (enabled or disabled)" schema: $ref: '#/components/schemas/DHCPStatus' os.name: in: query name: os.name description: "Filter by OS name" schema: type: string format: alphanumeric os.platform: in: query name: os.platform description: "Filter by OS platform" schema: type: string format: alphanumeric architecture: in: query name: architecture description: "Filter by architecture" schema: type: string format: alphanumeric os.version: in: query name: os.version description: "Filter by OS version" schema: type: string format: alphanumeric release: in: query name: release description: "Filter by release" schema: type: string format: alphanumeric vendor: in: query name: vendor description: "Filter by vendor" schema: type: string pid: in: query name: pid description: "Filter by pid" schema: type: string format: numbers protocol: in: query name: protocol description: "Filter by protocol" schema: type: string format: alphanumeric local.ip: in: query name: local.ip description: "Filter by Local IP" schema: type: string format: alphanumeric local.port: in: query name: local.port description: "Filter by Local Port" schema: type: string format: numbers remote.ip: in: query name: remote.ip description: "Filter by Remote IP" schema: type: string format: 
alphanumeric tx_queue: in: query name: tx_queue description: "Filter by tx_queue" schema: type: string format: numbers process_pid: in: query name: pid description: "Filter by process pid" schema: type: string format: numbers process_state: in: query name: state description: "Filter by process state" schema: type: string format: alphanumeric ppid: in: query name: ppid description: "Filter by process parent pid" schema: type: string format: numbers egroup: in: query name: egroup description: "Filter by process egroup" schema: type: string format: alphanumeric euser: in: query name: euser description: "Filter by process euser" schema: type: string format: alphanumeric fgroup: in: query name: fgroup description: "Filter by process fgroup" schema: type: string format: alphanumeric process_name: in: query name: name description: "Filter by process name" schema: type: string format: alphanumeric nlwp: in: query name: nlwp description: "Filter by process nlwp" schema: type: string format: numbers pgrp: in: query name: pgrp description: "Filter by process pgrp" schema: type: string format: numbers priority: in: query name: priority description: "Filter by process priority" schema: type: string format: numbers rgroup: in: query name: rgroup description: "Filter by process rgroup" schema: type: string format: alphanumeric ruser: in: query name: ruser description: "Filter by process ruser" schema: type: string format: alphanumeric syscheck_arch: in: query name: arch description: "Filter by architecture" schema: type: string enum: - '[x32]' - '[x64]' sgroup: in: query name: sgroup description: "Filter by process sgroup" schema: type: string format: alphanumeric suser: in: query name: suser description: "Filter by process suser" schema: type: string format: alphanumeric package_version: in: query name: version description: "Filter by package version" schema: type: string older_than: in: query name: older_than description: "Consider only agents whose last keep alive is older 
than the specified time frame. For never_connected agents, register date is considered instead of last keep alive. For example, `7d`, `10s` and `10` are valid values. When no time unit is specified, seconds are assumed. Use 0s to select all agents" schema: type: string format: timeframe default: 7d ip: in: query name: ip description: "Filter by the IP used by the agent to communicate with the manager. If it's not available, it will have the same value as registerIP" schema: type: string format: alphanumeric registerIP: in: query name: registerIP description: "Filter by the IP used when registering the agent" schema: type: string format: alphanumeric group_config_status: in: query name: group_config_status description: "Agent groups configuration sync status" schema: type: string enum: - "synced" - "not synced" force_single_group: in: query name: force_single_group description: "Removes the agent from all groups to which it belongs and assigns it to the specified group" schema: type: boolean wpk_repo: in: query name: wpk_repo description: "Repository from which the WPK file is downloaded when upgrading agents" schema: type: string format: path use_http: in: query name: use_http description: "Download the WPK over plain HTTP instead of HTTPS. Defaults to false (HTTPS). Plain HTTP provides no transport confidentiality or integrity, so only enable it for a trusted repository reachable over a trusted network" schema: type: boolean default: false upgrade_version: in: query name: upgrade_version description: "Wazuh version to upgrade to" schema: type: string format: wazuh_version force: in: query name: force description: "Force upgrade" schema: type: boolean default: false file_path: in: query name: file_path description: "Full path to the WPK file. The file must be located inside the Wazuh installation directory (by default, /var/ossec)" required: True schema: type: string format: wpk_path installer: in: query name: installer description: "Installation script. Default is upgrade.sh or upgrade.bat for windows agents" schema: type: string format: alphanumeric resource_list: in: query name: resource description: List of current RBAC's resources.
schema: type: string enum: - '*:*' - 'agent:group' - 'agent:id' - 'group:id' - 'node:id' - 'decoder:file' - 'list:file' - 'rule:file' - 'policy:id' - 'role:id' - 'user:id' value.name: in: query name: value.name description: "Filter by value name" schema: type: string format: alphanumeric value.type: in: query name: value.type description: "Filter by value type" schema: type: string format: alphanumeric vulnerability_field: in: path name: field description: "Vulnerability inventory field" required: true schema: type: string enum: - cve - name - version - architecture - detection_time - severity - cvss2_score - cvss3_score - external_references - type - status - condition - title - published - updated xml_filename: in: query name: filename description: "Filter by filename of one or more rule or decoder files." schema: type: array items: type: string format: xml_filename xml_filename_path: in: path name: filename description: "Filename (rule or decoder) to download/upload/edit file." required: true schema: type: string format: xml_filename_path tags: - name: API Info description: "Wazuh API information" - name: Active-response description: "Agents Active Response" - name: Agents description: "Agents management related operations" - name: Ciscat description: "Retrieve information from CIS-CAT scans" - name: Cluster description: "Wazuh cluster and nodes management" - name: Decoders description: "Decoders management" - name: Experimental description: "Not ready for production endpoints. 
Use with caution" - name: Groups description: "Group of agents and centralized configurations" - name: Lists description: "CDB lists management" - name: Logtest description: "Logtest: testing and verification tool for rules and decoders" - name: Manager description: "Wazuh manager management" - name: MITRE description: "Technique information from MITRE database" - name: Overview description: "Overview of Wazuh" - name: Rootcheck description: "Rootcheck management" - name: Rules description: "Rules management" - name: SCA description: "Policy monitoring" - name: Security description: "Roles administration and user authentication management" - name: Syscheck description: "File integrity monitoring" - name: Syscollector description: "Syscollector information" - name: Tasks description: "Tasks information" - name: Vulnerability description: "Vulnerabilities information" - name: Events description: "Ingestion endpoints" security: - jwt: [] paths: /: get: tags: - API Info summary: 'Get API info' description: "Return basic information about the API" operationId: api.controllers.default_controller.default_info parameters: - $ref: '#/components/parameters/pretty' responses: '200': description: "API default info" content: application/json: schema: type: object properties: data: $ref: '#/components/schemas/BasicInfo' example: title: "Wazuh API" api_version: "v4.5.0" revision: '40100' license_name: "GPL 2.0" license_url: "https://github.com/wazuh/wazuh/blob/v4.7.2/LICENSE" hostname: "wazuh" timestamp: "2019-04-02T08:08:11Z" /active-response: put: tags: - Active-response summary: "Run command" description: "Run an Active Response command on all agents or a list of them" operationId: api.controllers.active_response_controller.run_command x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/active-response:command' parameters: - $ref: '#/components/parameters/agents_list' - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' requestBody: 
content: application/json: schema: $ref: '#/components/schemas/ActiveResponseBody' responses: '200': description: "Command sent to agents" content: application/json: schema: $ref: '#/components/schemas/ApiResponse' example: data: affected_items: - "001" - "002" total_affected_items: 2 total_failed_items: 0 failed_items: [] message: 'AR command was sent to all agents' error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '406': $ref: '#/components/responses/WrongContentTypeResponse' '413': $ref: '#/components/responses/RequestTooLargeResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /agents: delete: tags: - Agents summary: "Delete agents" description: "Delete all agents or a list of them based on optional criteria" operationId: api.controllers.agent_controller.delete_agents x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/agent:delete' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/agents_list_all' - $ref: '#/components/parameters/purge' - $ref: '#/components/parameters/statusDeleteAgentParam' - $ref: '#/components/parameters/older_than' - $ref: '#/components/parameters/query' - $ref: '#/components/parameters/os.platform' - $ref: '#/components/parameters/os.version' - $ref: '#/components/parameters/os.name' - $ref: '#/components/parameters/manager_host' - $ref: '#/components/parameters/version' - $ref: '#/components/parameters/agent_group' - $ref: '#/components/parameters/node_name' - $ref: '#/components/parameters/name' - $ref: '#/components/parameters/ip' - $ref: '#/components/parameters/registerIP' responses: '200': description: "Delete agents" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: 
allOf: - $ref: '#/components/schemas/AllItemsResponseAgentIDs' example: data: affected_items: - '001' - '002' - '003' total_affected_items: 3 total_failed_items: 0 failed_items: [] message: 'All selected agents were deleted' error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' get: tags: - Agents summary: "List agents" description: "Return information about all available agents or a list of them" operationId: api.controllers.agent_controller.get_agents x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/agent:read' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/agents_list' - $ref: '#/components/parameters/offset' - $ref: '#/components/parameters/limit' - $ref: '#/components/parameters/select' - $ref: '#/components/parameters/sort' - $ref: '#/components/parameters/search' - $ref: '#/components/parameters/statusAgentParam' - $ref: '#/components/parameters/query' - $ref: '#/components/parameters/olderThanParam' - $ref: '#/components/parameters/os.platform' - $ref: '#/components/parameters/os.version' - $ref: '#/components/parameters/os.name' - $ref: '#/components/parameters/manager_host' - $ref: '#/components/parameters/version' - $ref: '#/components/parameters/agent_group' - $ref: '#/components/parameters/node_name' - $ref: '#/components/parameters/name' - $ref: '#/components/parameters/ip' - $ref: '#/components/parameters/registerIP' - $ref: '#/components/parameters/group_config_status' - $ref: '#/components/parameters/distinct' responses: '200': description: "List of agents or error description" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: 
'#/components/schemas/AllItemsResponseAgents' example: data: affected_items: - os: arch: x86_64 codename: Focal Fossa major: '20' minor: '04' name: Ubuntu platform: ubuntu uname: Linux |ac7cb188d538 |5.8.0-45-generic |#51~20.04.1-Ubuntu SMP Tue Feb 23 13:46:31 UTC 2021 |x86_64 version: 20.04.2 LTS lastKeepAlive: '2021-05-26T12:40:40Z' id: '001' dateAdd: 2021-05-26T12:40:08Z configSum: ab73af41699f13fdd81903b5f23d8d00 manager: wazuh-worker2 group: [default] registerIP: Any ip: 172.25.0.6 name: ac7cb188d538 status: active mergedSum: 9a016508cea1e997ab8569f5cfab30f5 version: Wazuh v4.3.0 node_name: worker2 group_config_status: "synced" status_code: 0 - os: arch: x86_64 codename: Focal Fossa major: '20' minor: '04' name: Ubuntu platform: ubuntu uname: Linux |ac7cb188d538 |5.8.0-45-generic |#51~20.04.1-Ubuntu SMP Tue Feb 23 13:46:31 UTC 2021 |x86_64 version: 20.04.2 LTS lastKeepAlive: '2021-05-26T12:40:40Z' id: '002' dateAdd: 2021-05-26T12:40:10Z configSum: ab73af41699f13fdd81903b5f23d8d00 manager: wazuh-worker2 group: [default] registerIP: Any ip: 172.25.0.11 name: 91642a418627 status: active mergedSum: 9a016508cea1e997ab8569f5cfab30f5 version: Wazuh v4.3.0 node_name: worker2 group_config_status: "synced" status_code: 0 - os: arch: x86_64 codename: Focal Fossa major: '20' minor: '04' name: Ubuntu platform: ubuntu uname: Linux |ac7cb188d538 |5.8.0-45-generic |#51~20.04.1-Ubuntu SMP Tue Feb 23 13:46:31 UTC 2021 |x86_64 version: 20.04.2 LTS lastKeepAlive: '2021-05-26T12:40:40Z' id: '003' dateAdd: 2021-05-26T12:40:10Z configSum: ab73af41699f13fdd81903b5f23d8d00 manager: wazuh-worker2 group: [default] registerIP: Any ip: 172.25.0.10 name: a442e15bc84e status: active mergedSum: 9a016508cea1e997ab8569f5cfab30f5 version: Wazuh v4.3.0 node_name: worker1 group_config_status: "not synced" status_code: 0 total_affected_items: 3 total_failed_items: 0 failed_items: [] message: 'All selected agents information was returned' error: 0 '400': $ref: '#/components/responses/ResponseError' 
'401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' post: tags: - Agents summary: "Add agent" description: "Add a new agent" operationId: api.controllers.agent_controller.add_agent x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/agent:create' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' requestBody: content: application/json: schema: type: object properties: name: description: "Agent name" type: string format: names ip: description: "If this is not included, the API will get the IP automatically. Allowed values: IP, IP/NET, ANY" type: string format: alphanumeric required: - name example: name: NewHost_2 ip: 10.0.10.11 responses: '200': description: "Add an agent" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/AgentIdKey' example: data: id: "009" key: "MDA5IE5ld0hvc3RfMiAxMC4wLjEwLjExIDhkNjllMzRiYTM2ZjcwMzgzZmVkNTIyNzk4MzFiZDg2NWQzZGRkZjJhMTkwZWR jMjY5YmRhOTY1ODU4M2JkMjg=" message: "User was successfully created" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '406': $ref: '#/components/responses/WrongContentTypeResponse' '413': $ref: '#/components/responses/RequestTooLargeResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /agents/{agent_id}/config/{component}/{configuration}: get: tags: - Agents summary: "Get active configuration" description: "Return the active configuration the agent is currently using. 
This can be different from the configuration present in the configuration file, if it has been modified and the agent has not been restarted yet" operationId: api.controllers.agent_controller.get_agent_config x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/agent:read' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/agent_id' - $ref: '#/components/parameters/component' - $ref: '#/components/parameters/configuration' responses: '200': description: "Get agent configuration" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/AgentConfiguration' example: data: client: config-profile: "ubuntu, ubuntu20, ubuntu20.04" notify_time: 10 time-reconnect: 60 force_reconnect_interval: 0 ip_update_interval: 0 auto_restart: "yes" remote_conf: "yes" crypto_method: "aes" server: - address: "nginx-lb/172.25.0.4" port: 1514 max_retries: 5 retry_interval: 10 protocol: tcp enrollment: - enabled: "yes" delay_after_enrollment: 20 port: 1515 ssl_cipher: HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH auto_method: "no" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /agents/{agent_id}/group: delete: tags: - Agents summary: "Remove agent from groups" description: 'Remove the agent from all groups or a list of them. 
The agent will automatically revert to the default group if it is removed from all its assigned groups' operationId: api.controllers.agent_controller.delete_single_agent_multiple_groups x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/agent:modify_group' - $ref: '#/x-rbac-catalog/actions/group:modify_assignments' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/agent_id' - $ref: '#/components/parameters/groups_list' responses: '200': description: "Remove the agent from all groups" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: allOf: - $ref: '#/components/schemas/AllItemsResponseGroupIDs' example: data: affected_items: - group1 total_affected_items: 1 total_failed_items: 0 failed_items: [] message: 'Specified agent was removed from returned groups' error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /agents/{agent_id}/group/is_sync: get: tags: - Agents deprecated: true summary: "Get configuration sync status" description: "Return whether the agent configuration has been synchronized with the agent or not. 
This can be useful to check after updating a group configuration" operationId: api.controllers.agent_controller.get_sync_agent x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/agent:read' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/agent_id' responses: '200': description: "Get agent sync" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/AllItemsResponseAgentsSynced' example: data: affected_items: - id: '002' synced: true total_affected_items: 1 total_failed_items: 0 failed_items: [] message: 'Sync info was returned for all selected agents' error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /agents/{agent_id}/group/{group_id}: delete: tags: - Agents summary: "Remove agent from group" description: "Remove an agent from a specified group. If the agent belongs to several groups, only the specified group will be deleted." operationId: api.controllers.agent_controller.delete_single_agent_single_group x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/agent:modify_group' - $ref: '#/x-rbac-catalog/actions/group:modify_assignments' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/agent_id' - $ref: '#/components/parameters/group_id' responses: '200': description: "Remove agent from a group" content: application/json: schema: $ref: '#/components/schemas/ApiResponse' example: message: "Agent '004' removed from 'dmz'." 
error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '404': $ref: '#/components/responses/ResourceNotFoundResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' put: tags: - Agents summary: "Assign agent to group" description: "Assign an agent to a specified group" operationId: api.controllers.agent_controller.put_agent_single_group x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/agent:modify_group' - $ref: '#/x-rbac-catalog/actions/group:modify_assignments' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/agent_id' - $ref: '#/components/parameters/group_id' - $ref: '#/components/parameters/force_single_group' responses: '200': description: "Add agent to group" content: application/json: schema: $ref: '#/components/schemas/ApiResponse' example: data: affected_items: - "003" total_affected_items: 1 total_failed_items: 0 failed_items: [] message: "All selected agents were assigned to group3" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '404': $ref: '#/components/responses/ResourceNotFoundResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /agents/{agent_id}/key: get: tags: - Agents summary: "Get key" description: "Return the key of an agent. This is the same credential returned when the agent is registered with `POST /agents`, so the response must be handled as a secret (do not log it or expose it in the WUI). Note that this endpoint is gated by the same `agent:read` action as the read-only agent listing endpoints, so any role granted `agent:read` can retrieve agent keys" operationId: api.controllers.agent_controller.get_agent_key x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/agent:read' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/agent_id' responses: '200': description: "Get agent key"
content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/AllItemsResponseAgentsKeys' example: data: affected_items: - id: '002' key: "MDAyIHdhenVoLWFnZW50MiBhbnkgMzAxYzk0Y2I3NDc5MzliMjAyYTg0OGE3NGIwMTNkODQwZWJkNWUyZmIxMjQ3Nzhl NDhjYzUxOGE4MWQyNDFkYw==" total_affected_items: 1 total_failed_items: 0 failed_items: [] message: "Obtained keys for all selected agents" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /agents/{agent_id}/restart: put: tags: - Agents summary: "Restart agent" description: "Restart the specified agent" operationId: api.controllers.agent_controller.restart_agent x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/agent:restart' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/agent_id' responses: '200': description: "Agent restarted" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/ItemAffected' example: data: affected_items: - "002" total_affected_items: 1 total_failed_items: 0 failed_items: [] message: "Restart command sent to all agents" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /agents/{agent_id}/daemons/stats: get: tags: - Agents summary: "Get Wazuh daemon stats from an agent" description: "Return Wazuh statistical information from specified daemons in a 
specified agent" operationId: api.controllers.agent_controller.get_daemon_stats x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/agent:read' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/agent_id' - $ref: '#/components/parameters/daemons_list_agents' responses: '200': description: "Wazuh daemon stats" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/AllItemsResponseWazuhDaemonStatsAgents' example: data: affected_items: - timestamp: 2022-07-27T14:09:20+00:00 name: wazuh-remoted agents: - uptime: 2022-07-27T14:09:20+00:00 id: 1 metrics: messages: received_breakdown: control: 2 control_breakdown: keepalive: 1 request: 0 shutdown: 0 startup: 1 event: 195 sent_breakdown: ack: 2 ar: 0 cfga: 2 discarded: 0 request: 0 shared: 0 - timestamp: 2022-07-27T14:09:20+00:00 name: wazuh-analysisd agents: - uptime: 2022-07-27T14:09:20+00:00 id: 1 metrics: events: processed: 195 received_breakdown: decoded_breakdown: agent: 0 dbsync: 0 integrations_breakdown: virustotal: 0 modules_breakdown: aws: 0 azure: 0 ciscat: 0 command: 0 docker: 0 gcp: 0 github: 0 logcollector_breakdown: eventchannel: 0 eventlog: 0 macos: 0 others: 0 office365: 0 ms-graph: 0 oscap: 0 osquery: 0 rootcheck: 1 sca: 194 syscheck: 0 syscollector: 0 upgrade: 0 vulnerability: 0 monitor: 0 remote: 0 written_breakdown: alerts: 191 archives: 0 firewall: 0 total_affected_items: 2 total_failed_items: 0 failed_items: [] message: Statistical information for each daemon was successfully read error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /agents/{agent_id}/stats/{component}: get: 
tags: - Agents summary: "Get agent's component stats" description: "Return Wazuh's {component} statistical information from agent {agent_id}" operationId: api.controllers.agent_controller.get_component_stats x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/agent:read' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/agent_id' - $ref: '#/components/parameters/stats_component' responses: '200': description: "Component stats" content: application/json: schema: $ref: '#/components/schemas/ApiResponse' example: data: affected_items: - global: start: '2021-05-27T08:01:38Z' end: '2021-05-27T08:08:13Z' files: - location: df -P events: 20 bytes: 1784 targets: - name: agent drops: 0 - location: /var/log/dpkg.log events: 0 bytes: 0 targets: - name: agent drops: 0 - location: /var/ossec/logs/active-responses.log events: 0 bytes: 0 targets: - name: agent drops: 0 - location: last -n 20 events: 2 bytes: 132 targets: - name: agent drops: 0 interval: start: '2021-05-27T08:08:08Z' end: '2021-05-27T08:08:08Z' files: - location: df -P events: 0 bytes: 0 targets: - name: agent drops: 0 - location: /var/log/dpkg.log events: 0 bytes: 0 targets: - name: agent drops: 0 - location: /var/ossec/logs/active-responses.log events: 0 bytes: 0 targets: - name: agent drops: 0 - location: last -n 20 events: 0 bytes: 0 targets: - name: agent drops: 0 total_affected_items: 1 total_failed_items: 0 failed_items: [] message: "Statistical information for each agent was successfully read" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /agents/upgrade: put: tags: - Agents summary: "Upgrade agents" description: "Upgrade agents using a WPK file from online 
repository. When upgrading more than 3000 agents at the same time, it's highly recommended to use the parameter `wait_for_complete` set to `true` to avoid a possible API timeout" operationId: api.controllers.agent_controller.put_upgrade_agents x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/agent:upgrade' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/agents_list_all' - $ref: '#/components/parameters/wpk_repo' - $ref: '#/components/parameters/upgrade_version' - $ref: '#/components/parameters/use_http' - $ref: '#/components/parameters/force' - $ref: '#/components/parameters/query' - $ref: '#/components/parameters/os.platform' - $ref: '#/components/parameters/os.version' - $ref: '#/components/parameters/os.name' - $ref: '#/components/parameters/manager_host' - $ref: '#/components/parameters/version' - $ref: '#/components/parameters/agent_group' - $ref: '#/components/parameters/node_name' - $ref: '#/components/parameters/name' - $ref: '#/components/parameters/ip' - $ref: '#/components/parameters/registerIP' responses: '200': description: "Agents upgraded" content: application/json: schema: $ref: '#/components/schemas/ApiResponse' example: data: affected_items: - agent: "001" task_id: 1 - agent: "002" task_id: 2 total_affected_items: 2 total_failed_items: 0 failed_items: [] message: "All upgrade tasks were created" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /agents/upgrade_custom: put: tags: - Agents summary: "Upgrade agents custom" description: "Upgrade the agents using a local WPK file. 
When upgrading more than 3000 agents at the same time, it's highly recommended to use the parameter `wait_for_complete` set to `true` to avoid a possible API timeout" operationId: api.controllers.agent_controller.put_upgrade_custom_agents x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/agent:upgrade' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/agents_list_all' - $ref: '#/components/parameters/file_path' - $ref: '#/components/parameters/installer' - $ref: '#/components/parameters/query' - $ref: '#/components/parameters/os.platform' - $ref: '#/components/parameters/os.version' - $ref: '#/components/parameters/os.name' - $ref: '#/components/parameters/manager_host' - $ref: '#/components/parameters/version' - $ref: '#/components/parameters/agent_group' - $ref: '#/components/parameters/node_name' - $ref: '#/components/parameters/name' - $ref: '#/components/parameters/ip' - $ref: '#/components/parameters/registerIP' responses: '200': description: "Agents upgraded" content: application/json: schema: $ref: '#/components/schemas/ApiResponse' example: data: affected_items: - agent: "005" task_id: 3 - agent: "006" task_id: 4 total_affected_items: 2 total_failed_items: 0 failed_items: [] message: "All upgrade tasks were created" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /agents/upgrade_result: get: tags: - Agents summary: "Get upgrade results" description: "Return the agents upgrade results" operationId: api.controllers.agent_controller.get_agent_upgrade x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/agent:upgrade' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' 
- $ref: '#/components/parameters/agents_list' - $ref: '#/components/parameters/query' - $ref: '#/components/parameters/os.platform' - $ref: '#/components/parameters/os.version' - $ref: '#/components/parameters/os.name' - $ref: '#/components/parameters/manager_host' - $ref: '#/components/parameters/version' - $ref: '#/components/parameters/agent_group' - $ref: '#/components/parameters/node_name' - $ref: '#/components/parameters/name' - $ref: '#/components/parameters/ip' - $ref: '#/components/parameters/registerIP' responses: '200': description: "Get agent upgrade results" content: application/json: schema: $ref: '#/components/schemas/ApiResponse' example: data: affected_items: - message: "Success" agent: "001" task_id: 1 node: "worker1" module: "upgrade_module" command: "upgrade" status: "Legacy upgrade: check the result manually since the agent cannot report the result of the task" create_time: "2020-11-03T15:59:32Z" update_time: "2020-11-03T16:01:55Z" total_affected_items: 1 total_failed_items: 0 failed_items: [] message: "All upgrade tasks were returned" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /agents/group: delete: tags: - Agents summary: "Remove agents from group" description: "Remove all agents assignment or a list of them from the specified group" operationId: api.controllers.agent_controller.delete_multiple_agent_single_group x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/agent:modify_group' - $ref: '#/x-rbac-catalog/actions/group:modify_assignments' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/agents_list_all' - $ref: '#/components/parameters/group_id_query' responses: '200': description: "Remove 
multiple agents assignment from a single group" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: allOf: - $ref: '#/components/schemas/AllItemsResponseAgentIDs' example: data: affected_items: - '002' - '006' - '008' - '010' total_affected_items: 4 total_failed_items: 0 failed_items: [] message: "All selected agents were removed from group group1" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '404': $ref: '#/components/responses/ResourceNotFoundResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' put: tags: - Agents summary: "Assign agents to group" description: "Assign all agents or a list of them to the specified group" operationId: api.controllers.agent_controller.put_multiple_agent_single_group x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/agent:modify_group' - $ref: '#/x-rbac-catalog/actions/group:modify_assignments' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/agents_list' - $ref: '#/components/parameters/group_id_query' - $ref: '#/components/parameters/force_single_group' responses: '200': description: "Assign multiple agents to a single group" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: allOf: - $ref: '#/components/schemas/AllItemsResponseAgentIDs' example: data: affected_items: - '001' - '002' failed_items: - error: code: 1701 message: Agent does not exist remediation: Please, use `GET /agents?select=id,name` to find all available agents id: - '999' total_affected_items: 2 total_failed_items: 1 message: Some agents were not assigned to group2 and removed from the other groups error: 2 '400': $ref: 
'#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '404': $ref: '#/components/responses/ResourceNotFoundResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /agents/group/{group_id}/restart: put: tags: - Agents summary: 'Restart agents in group' description: 'Restart all agents which belong to a given group' operationId: api.controllers.agent_controller.restart_agents_by_group x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/agent:restart' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/group_id' responses: '200': description: Agents restarted content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/AllItemsResponseAgentIDs' example: data: affected_items: - '002' - '003' - '005' total_affected_items: 3 total_failed_items: 0 failed_items: [] message: "Restart command sent to all agents" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '404': $ref: '#/components/responses/ResourceNotFoundResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /groups: delete: tags: - Groups summary: "Delete groups" description: "Delete all groups or a list of them" operationId: api.controllers.agent_controller.delete_groups x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/group:delete' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/groups_list_all' responses: '200': description: "Remove multiple group of multiple 
agents" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: allOf: - $ref: '#/components/schemas/AgentGroupDeleted' example: data: affected_items: - webserver - dataserver total_affected_items: 2 total_failed_items: 0 failed_items: [] message: "All selected groups were deleted" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' get: tags: - Groups summary: "Get groups" description: "Get information about all groups or a list of them. Returns a list containing basic information about each group such as number of agents belonging to the group and the checksums of the configuration and shared files" operationId: api.controllers.agent_controller.get_list_group x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/group:read' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/groups_list' - $ref: '#/components/parameters/offset' - $ref: '#/components/parameters/limit' - $ref: '#/components/parameters/sort' - $ref: '#/components/parameters/search' - $ref: '#/components/parameters/hash' - $ref: '#/components/parameters/query' - $ref: '#/components/parameters/select' - $ref: '#/components/parameters/distinct' responses: '200': description: "List all groups" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/AllItemsResponseGroups' example: data: affected_items: - name: default count: 2 mergedSum: f8d49771911ed9d5c45b03a40babd065 configSum: ab73af41699f13fdd81903b5f23d8d00 - name: dmz count: 3 mergedSum: 220d6c5fc253f251827ee7487341c0fc configSum: cfbae9ecc10eb15f1b4fc736de6758cc - 
name: pciserver count: 0 mergedSum: 220d6c5fc253f251827ee7487341c0fc configSum: ab73af41699f13fdd81903b5f23d8d00 total_affected_items: 3 total_failed_items: 0 failed_items: [] message: "All selected groups information was returned" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' post: tags: - Groups summary: "Create a group" description: "Create a new group" operationId: api.controllers.agent_controller.post_group x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/group:create' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' requestBody: content: application/json: schema: type: object properties: group_id: description: "Group name. It can contain any of the characters between a-z, A-Z, 0-9, '_', '-' and '.'. Names '.' and '..' are restricted." 
type: string format: group_names maxLength: 128 required: - group_id example: group_id: NewGroup_1 responses: '200': description: "Add new agent" content: application/json: schema: $ref: '#/components/schemas/ApiResponse' example: message: "Group 'pciserver' created" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /groups/{group_id}/agents: get: tags: - Groups summary: "Get agents in a group" description: "Return the list of agents that belong to the specified group" operationId: api.controllers.agent_controller.get_agents_in_group x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/agent:read' - $ref: '#/x-rbac-catalog/actions/group:read' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/group_id' - $ref: '#/components/parameters/offset' - $ref: '#/components/parameters/limit' - $ref: '#/components/parameters/select' - $ref: '#/components/parameters/sort' - $ref: '#/components/parameters/search' - $ref: '#/components/parameters/statusAgentParam' - $ref: '#/components/parameters/query' - $ref: '#/components/parameters/distinct' responses: '200': description: "List of agents or error description" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/AllItemsResponseAgents' example: data: affected_items: - os: arch: x86_64 codename: Focal Fossa major: 20 minor: 04 name: Ubuntu platform: ubuntu uname: Linux |b2497efbf876 |5.8.0-45-generic |#51~20.04.1-Ubuntu SMP Tue Feb 23 13:46:31 UTC 2021 |x86_64 version: 20.04.2 LTS mergedSum: 2c769b2ea138d472ee8f1ba23412b5d4 node_name: worker1 ip: 172.20.0.7 id: 004 manager: wazuh-worker1 group: - 
default - group1 name: b2497efbf876 configSum: 052374472f3a0d5c8508241dcc455ea7 status: active dateAdd: 2021-05-27T09:14:19Z registerIP: any lastKeepAlive: 2021-05-27T09:23:59Z version: Wazuh v4.3.0 - os: arch: x86_64 codename: Focal Fossa major: 20 minor: 04 name: Ubuntu platform: ubuntu uname: Linux |600e27371700 |5.8.0-45-generic |#51~20.04.1-Ubuntu SMP Tue Feb 23 13:46:31 UTC 2021 |x86_64 version: 20.04.2 LTS mergedSum: 9a016508cea1e997ab8569f5cfab30f5 node_name: worker1 ip: 172.20.0.9 id: 005 manager: wazuh-worker1 group: - default - group2 name: 600e27371700 configSum: ab73af41699f13fdd81903b5f23d8d00 status: active dateAdd: 2021-05-27T09:14:19Z registerIP: any lastKeepAlive: 2021-05-27T09:23:52Z version: Wazuh v4.3.0 - os: arch: x86_64 codename: Focal Fossa major: 20 minor: 04 name: Ubuntu platform: ubuntu uname: Linux |4bdac19ce5e3 |5.8.0-45-generic |#51~20.04.1-Ubuntu SMP Tue Feb 23 13:46:31 UTC 2021 |x86_64 version: 20.04.2 LTS mergedSum: 9a016508cea1e997ab8569f5cfab30f5 node_name: worker2 ip: 172.20.0.10 id: 006 manager: wazuh-worker2 group: - default - group3 name: 4bdac19ce5e3 configSum: ab73af41699f13fdd81903b5f23d8d00 status: active dateAdd: 2021-05-27T09:14:19Z registerIP: any lastKeepAlive: 2021-05-27T09:23:52Z version: Wazuh v4.3.0 total_affected_items: 3 total_failed_items: 0 failed_items: [] message: "All selected agents information was returned" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '404': $ref: '#/components/responses/ResourceNotFoundResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /groups/{group_id}/configuration: get: tags: - Groups summary: "Get group configuration" description: "Return the group configuration defined in the `agent.conf` file" operationId: api.controllers.agent_controller.get_group_config 
x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/group:read' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/group_id' - $ref: '#/components/parameters/offset' - $ref: '#/components/parameters/limit' responses: '200': description: "Get group configuration" content: application/json: schema: type: object properties: data: type: object properties: affected_items: type: array items: $ref: '#/components/schemas/GroupConfiguration' total_affected_items: type: integer format: int32 example: data: total_affected_items: 3 affected_items: - filters: name: agent_name config: localfile: - location: "/var/log/my.log" log_format: syslog - filters: os: Linux config: localfile: - location: "/var/log/linux.log" log_format: syslog - filters: profile: database config: localfile: - location: "/var/log/database.log" log_format: syslog error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '404': $ref: '#/components/responses/ResourceNotFoundResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' put: tags: - Groups summary: "Update group configuration" description: "Update an specified group's configuration. 
This API call expects a full valid XML file with the shared configuration tags/syntax" operationId: api.controllers.agent_controller.put_group_config x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/group:update_config' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/group_id' requestBody: required: true content: application/xml: schema: properties: tmp_file: description: "File to update" type: string responses: '200': description: "Upload configuration" content: application/json: schema: $ref: '#/components/schemas/ApiResponse' example: message: Agent configuration was successfully updated error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '404': $ref: '#/components/responses/ResourceNotFoundResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '406': $ref: '#/components/responses/WrongContentTypeResponse' '413': $ref: '#/components/responses/RequestTooLargeResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /groups/{group_id}/files: get: tags: - Groups summary: "Get group files" description: "Return the files placed under the group directory" operationId: api.controllers.agent_controller.get_group_files x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/group:read' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/group_id' - $ref: '#/components/parameters/offset' - $ref: '#/components/parameters/limit' - $ref: '#/components/parameters/sort' - $ref: '#/components/parameters/search' - $ref: '#/components/parameters/hash' - $ref: '#/components/parameters/query' - $ref: '#/components/parameters/select' - $ref: '#/components/parameters/distinct' responses: '200': description: "Get group files" content: application/json: 
schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/AllItemsResponse' example: data: affected_items: - filename: agent.conf hash: ab73af41699f13fdd81903b5f23d8d00 - filename: ar.conf hash: 76d8be9b97d8eae4c239e530ee7e71c8 - filename: merged.mg hash: f8d49771911ed9d5c45b03a40babd065 - filename: rootkit_files.txt hash: e5ddcac443143cef6237d5f9b8d48585 - filename: rootkit_trojans.txt hash: 6bcf7016d3e6b4c7faa62cf265c24dcc - filename: system_audit_rcl.txt hash: be69b84dd5ee73200bb903a46270e18c - filename: system_audit_ssh.txt hash: 407c1f5e103f0cb58249eb7252a84797 - filename: win_applications_rcl.txt hash: 0a4ad12c8145aca8a28d31de5c448b48 - filename: win_audit_rcl.txt hash: 92d8011facc8b921ece301ea4ce6a616 - filename: win_malware_rcl.txt hash: f5e0305e248bd00e05445f329bd1dd5e total_affected_items: 10 total_failed_items: 0 failed_items: [] message: 'All selected groups files were returned' error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '404': $ref: '#/components/responses/ResourceNotFoundResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /groups/{group_id}/files/{file_name}/json: get: tags: - Groups summary: "Get a file in group" description: "Return the content of the specified group file parsed to JSON" operationId: api.controllers.agent_controller.get_group_file_json x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/group:read' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/group_id' - $ref: '#/components/parameters/file_name' - $ref: '#/components/parameters/type_agents' responses: '200': description: "Get group file in json format" content: application/json: schema: properties: data: oneOf: - 
type: array - type: object description: "The output format depends on the type of file that has been requested: rootkit file, rootkit trojans or rcl" example: data: vars: None controls: - name: "CIS - Testing against the CIS Debian Linux Benchmark v1." cis: [] pci: [] condition: "all required" reference: "CIS_Debian_Benchmark_v1.0pdf" checks: - "f:/etc/debian_version;" - "f:/proc/sys/kernel/ostype -> Linux;" - name: "CIS - Debian Linux - 1.4 - Robust partition scheme - /tmp is not on its own partition" cis: [] pci: [] condition: "any" reference: "https://benchmarks.cisecurity.org/tools2/linux/CIS_Debian_Benchmark_v1.0.pdf" checks: - "f:/etc/fstab -> !r:/tmp;" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '404': $ref: '#/components/responses/ResourceNotFoundResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /groups/{group_id}/files/{file_name}/xml: get: tags: - Groups summary: "Get a file in group" description: "Return the contents of the specified group file parsed to XML" operationId: api.controllers.agent_controller.get_group_file_xml x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/group:read' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/group_id' - $ref: '#/components/parameters/file_name' - $ref: '#/components/parameters/type_agents' responses: '200': description: "Get group file in xml format" content: application/xml: schema: type: string example: | /var/log/linux.log syslog '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '404': $ref: '#/components/responses/ResourceNotFoundResponse' '405': $ref: 
'#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /agents/insert: post: tags: - Agents summary: "Add agent full" description: "Add an agent specifying its name, ID and IP. If an agent with the same name, the same ID or the same IP already exists, replace it using the `force` parameter" operationId: api.controllers.agent_controller.insert_agent x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/agent:create' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' requestBody: content: application/json: schema: type: object properties: id: $ref: '#/components/schemas/AgentID' key: type: string maxLength: 64 minLength: 64 format: wazuh_key description: "Key to use when communicating with the manager. The agent must have the same key on its `client.keys` file" name: description: "Agent name" type: string format: names ip: description: "If this is not included, the API will get the IP automatically. 
Allowed values: IP, IP/NET, ANY" type: string format: alphanumeric force: $ref: '#/components/schemas/AgentInsertForce' required: - name example: name: NewHost_2 ip: 10.0.10.11 id: "123" key: 1abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyzabcdefghi64 force: enabled: True disconnected_time: enabled: True value: "30m" after_registration_time: "2h" responses: '200': description: "Insert new agent" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/AgentIdKey' example: data: id: "010" key: "MDEwIHRlc3RfYWdlbnRfd2F6dWhfIDE3Mi4xNi4xNi4xNyBmZTNhYzUyYmUxMDc2MDgwOGI4Y2JiZTczNzFjZDIzMWJjYjF jZjUyMDVjYjMzNTI1YzhjZDEwZGIwYTkyM2E4" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '406': $ref: '#/components/responses/WrongContentTypeResponse' '413': $ref: '#/components/responses/RequestTooLargeResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /agents/insert/quick: post: tags: - Agents summary: "Add agent quick" description: "Add a new agent with name `agent_name`. 
This agent will use `any` as IP" operationId: api.controllers.agent_controller.post_new_agent x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/agent:create' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/agent_name' responses: '200': description: "Agent added" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/AgentIdKey' example: data: id: "011" key: "MDExIHRlc3Rfd2F6dWhfcXVpY2sgYW55IDc3ZjNhY2RmMzBhN2ZlNzY0ODVmZTQ3YjUzMzc5ZWQ3ZDA1NDVhYzIyZDQ1NGY 4YzcyZTZhNDU1MjVjYzY3OTM=" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /agents/no_group: get: tags: - Agents summary: "List agents without group" description: "Return a list with all the available agents without an assigned group" operationId: api.controllers.agent_controller.get_agent_no_group x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/agent:read' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/offset' - $ref: '#/components/parameters/limit' - $ref: '#/components/parameters/select' - $ref: '#/components/parameters/sort' - $ref: '#/components/parameters/search' - $ref: '#/components/parameters/query' responses: '200': description: "Get agents without group" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/AllItemsResponseAgents' example: data: affected_items: - node_name: unknown ip: 172.16.16.16 id: 009 name: test_agent_wazuh status: never_connected dateAdd: 2021-05-27T10:06:13Z 
registerIP: 172.16.16.16 - node_name: unknown ip: 172.16.16.17 id: 010 name: test_agent_wazuh2 status: never_connected dateAdd: 2021-05-27T10:06:27Z registerIP: 172.16.16.17 - node_name: unknown ip: any id: 011 name: test_wazuh_quick status: never_connected dateAdd: 2021-05-27T10:07:37Z registerIP: any total_affected_items: 3 total_failed_items: 0 failed_items: [] message: All selected agents information was returned error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /agents/node/{node_id}/restart: put: tags: - Agents summary: "Restart agents in node" description: "Restart all agents which belong to a specific given node" operationId: api.controllers.agent_controller.restart_agents_by_node x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/cluster:read' - $ref: '#/x-rbac-catalog/actions/agent:restart' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/node_id' responses: '200': description: 'Agents restarted' content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/AllItemsResponseAgentIDs' example: data: affected_items: - "002" - "006" - "008" total_affected_items: 3 total_failed_items: 0 failed_items: [] message: "Restart command was sent to all agents" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /agents/outdated: get: tags: - Agents summary: "List outdated agents" description: 
"Return the list of outdated agents" operationId: api.controllers.agent_controller.get_agent_outdated x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/agent:read' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/offset' - $ref: '#/components/parameters/limit' - $ref: '#/components/parameters/sort' - $ref: '#/components/parameters/search' - $ref: '#/components/parameters/query' responses: '200': description: "Get outdated agents" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/AllItemsResponseAgentsSimple' example: data: affected_items: - version: Wazuh v3.0.0 id: "003" name: main_database - version: Wazuh v3.0.0 id: "004" name: dmz002 total_affected_items: 2 total_failed_items: 0 failed_items: [] message: 'All selected agents information was returned' error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /agents/reconnect: put: tags: - Agents summary: "Force reconnect agents" description: "Force reconnect all agents or a list of them" operationId: api.controllers.agent_controller.reconnect_agents x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/agent:reconnect' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/agents_list' responses: '200': description: "Agents reconnected" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/AllItemsResponseAgentIDs' example: data: affected_items: - '001' - '002' - '003' total_affected_items: 3 total_failed_items: 0 
failed_items: [] message: "Force reconnect command was sent to all agents" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /agents/restart: put: tags: - Agents summary: "Restart agents" description: "Restart all agents or a list of them" operationId: api.controllers.agent_controller.restart_agents x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/agent:restart' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/agents_list' responses: '200': description: "Agents restarted" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/AllItemsResponseAgentIDs' example: data: affected_items: - '001' - '002' - '003' - '004' - '005' - '006' - '007' - '008' total_affected_items: 8 total_failed_items: 3 failed_items: - error: code: 1707 message: "Cannot send request, agent is not active" remediation: "Please, check non-active agents connection and try again. 
Visit https://documentation.wazuh.com/4.7/user-manual/registering/index.html and https://documentation.wazuh.com/4.7/user-manual/agents/agent-connection.html to obtain more information on registering and connecting agents" id: - '009' - '010' - '011' message: "Restart command was not sent to some agents" error: 2 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /agents/stats/distinct: get: tags: - Agents summary: "List agents distinct" description: "Return all the different combinations that agents have for the selected fields. It also indicates the total number of agents that have each combination" operationId: api.controllers.agent_controller.get_agent_fields x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/agent:read' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/fields' - $ref: '#/components/parameters/offset' - $ref: '#/components/parameters/limit' - $ref: '#/components/parameters/sort' - $ref: '#/components/parameters/search' - $ref: '#/components/parameters/query' responses: '200': description: "Get fields in agents" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/AllItemsResponseAgentsDistinct' example: data: affected_items: - os: version: "20.04.2 LTS" count: 2 - os: version: "unknown" count: 1 total_affected_items: 3 total_failed_items: 0 failed_items: [] message: 'All selected agents information was returned' error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: 
'#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /agents/summary/os: get: tags: - Agents summary: "Summarize agents OS" description: "Return a summary of the OS of available agents" operationId: api.controllers.agent_controller.get_agent_summary_os x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/agent:read' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' responses: '200': description: "Get summary of agents OS" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' example: data: affected_items: - ubuntu totalItems: 1 total_affected_items: 1 total_failed_items: 0 failed_items: [] message: "Showing the operative system of all specified agents" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /agents/summary/status: get: tags: - Agents summary: "Summarize agents status" description: "Return a summary of the connection and groups configuration synchronization statuses of available agents" operationId: api.controllers.agent_controller.get_agent_summary_status x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/agent:read' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' responses: '200': description: "Get summary of agents connection and group configuration statuses" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/AgentsSummaryStatus' example: data: connection: active: 8 disconnected: 0 never_connected: 3 pending: 0 total: 11 configuration: synced: 8 not_synced: 3 total: 11 error: 0 '400': $ref: 
'#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /ciscat/{agent_id}/results: get: tags: - Ciscat summary: "Get results" description: "Return the agent's ciscat results info" operationId: api.controllers.ciscat_controller.get_agents_ciscat_results x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/ciscat:read' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/agent_id' - $ref: '#/components/parameters/offset' - $ref: '#/components/parameters/limit' - $ref: '#/components/parameters/sort' - $ref: '#/components/parameters/search' - $ref: '#/components/parameters/select' - $ref: '#/components/parameters/benchmark' - $ref: '#/components/parameters/profile' - $ref: '#/components/parameters/pass' - $ref: '#/components/parameters/fail' - $ref: '#/components/parameters/error' - $ref: '#/components/parameters/notchecked' - $ref: '#/components/parameters/unknown' - $ref: '#/components/parameters/score' - $ref: '#/components/parameters/query' responses: '200': description: "List of agents or error description" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/AllItemsResponseCiscatResult' example: data: affected_items: - benchmark: CIS Ubuntu Linux 16.04 LTS Benchmark error: 0 fail: 82 notchecked: 36 pass: 102 profile: xccdf_org.cisecurity.benchmarks_profile_Level_2_-_Server scan: id: 23487414 time: '2019-10-24T14:30:20.768Z' score: 55 unknown: 0 total_affected_items: 1 total_failed_items: 0 failed_items: [] message: 'All CISCAT results were returned' error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: 
'#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /cluster/local/info: get: tags: - Cluster summary: "Get local node info" description: "Return basic information about the cluster node receiving the request" operationId: api.controllers.cluster_controller.get_cluster_node x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/cluster:read' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' responses: '200': description: "Node basic information" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: properties: node: description: "Node name" type: string cluster: description: "Cluster name the node belongs to" type: string type: description: "Node type" type: string example: data: affected_items: - node: "master-node" cluster: "wazuh" type: "master" total_affected_items: 1 total_failed_items: 0 failed_items: [] message: "All selected information was returned" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /cluster/nodes: get: tags: - Cluster summary: "Get nodes info" description: "Get information about all nodes in the cluster or a list of them" operationId: api.controllers.cluster_controller.get_cluster_nodes x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/cluster:read' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/offset' - $ref: '#/components/parameters/limit' - $ref: '#/components/parameters/sort' - $ref: 
'#/components/parameters/search' - $ref: '#/components/parameters/select' - $ref: '#/components/parameters/node_type' - $ref: '#/components/parameters/nodes_list' - $ref: '#/components/parameters/query' - $ref: '#/components/parameters/distinct' responses: '200': description: "List of connected nodes" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/AllItemsResponseClusterNodes' example: data: affected_items: - name: master-node type: master version: 4.4.0 ip: wazuh-master - name: worker1 type: worker version: 4.4.0 ip: 172.26.0.7 - name: worker2 type: worker version: 4.4.0 ip: 172.26.0.6 total_affected_items: 3 total_failed_items: 0 failed_items: [] message: "All selected nodes information was returned" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /cluster/healthcheck: get: tags: - Cluster summary: "Get nodes healthcheck" description: "Return cluster healthcheck information for all nodes or a list of them. 
Such information includes last keep alive, last synchronization time and number of agents reporting on each node" operationId: api.controllers.cluster_controller.get_healthcheck x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/cluster:read' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/nodes_list' responses: '200': description: "Health information for cluster nodes" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/AllItemsResponseNodeHealthcheck' example: data: affected_items: - info: name: master-node type: master version: 4.4.0 ip: wazuh-master n_active_agents: 5 - info: name: worker1 type: worker version: 4.4.0 ip: 172.21.0.7 n_active_agents: 3 status: sync_integrity_free: true last_check_integrity: date_start_master: 2021-05-27T10:50:51.325656Z date_end_master: 2021-05-27T10:50:51.342140Z last_sync_integrity: date_start_master: 2021-05-27T10:48:54.086973Z tmp_date_start_master: 2021-05-27T10:48:54.086973Z date_end_master: 2021-05-27T10:48:54.093328Z total_extra_valid: 0 total_files: missing: 2 extra: 0 extra_valid: 0 shared: 0 sync_agent_info_free: true last_sync_agentgroup: date_start: 2021-05-27T10:48:54.086973Z date_end: 2021-05-27T10:49:52.075794Z n_synced_chunks: 1 last_sync_full_agentgroup: date_start: 2021-05-27T10:52:48.038573Z date_end: 2021-05-27T10:53:23.057795Z n_synced_chunks: 2 last_sync_agentinfo: date_start_master: 2021-05-27T10:50:49.174463Z date_end_master: 2021-05-27T10:50:49.175921Z n_synced_chunks: 1 last_keep_alive: 2021-05-27T10:50:08.985208Z - info: name: worker2 type: worker version: 4.4.0 ip: 172.21.0.6 n_active_agents: 1 status: sync_integrity_free: true last_check_integrity: date_start_master: 2021-05-27T10:50:51.939323Z date_end_master: 2021-05-27T10:50:51.955007Z last_sync_integrity: date_start_master: 2021-05-27T10:48:54.706395Z 
tmp_date_start_master: 2021-05-27T10:48:54.706395Z date_end_master: 2021-05-27T10:48:54.726944Z total_extra_valid: 0 total_files: missing: 2 extra: 0 extra_valid: 0 shared: 0 sync_agent_info_free: true last_sync_agentgroup: date_start: 2021-05-27T10:48:54.086973Z date_end: 2021-05-27T10:49:52.075794Z n_synced_chunks: 1 last_sync_full_agentgroup: date_start: 2021-05-27T10:52:48.038573Z date_end: 2021-05-27T10:53:23.057795Z n_synced_chunks: 2 last_sync_agentinfo: date_start_master: 2021-05-27T10:50:48.832800Z date_end_master: 2021-05-27T10:50:48.833854Z n_synced_chunks: 1 last_keep_alive: 2021-05-27T10:50:18.650204Z total_affected_items: 3 total_failed_items: 0 failed_items: [] message: "All selected nodes healthcheck information was returned" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /cluster/ruleset/synchronization: get: tags: - Cluster summary: "Get cluster nodes ruleset synchronization status" description: "Return ruleset synchronization status for all nodes or a list of them. 
This synchronization only covers the user custom ruleset" operationId: api.controllers.cluster_controller.get_nodes_ruleset_sync_status x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/cluster:read' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/nodes_list' responses: '200': description: "Ruleset synchronization status for cluster nodes" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/AllItemsResponseNodeRulesetSynchronizationStatus' example: data: affected_items: - name: "master-node" synced: true - name: "worker1" synced: true - name: "worker2" synced: true total_affected_items: 3 total_failed_items: 0 failed_items: [] message: "Nodes ruleset synchronization status was successfully read" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /cluster/status: get: tags: - Cluster summary: "Get cluster status" description: "Return information about the cluster status" operationId: api.controllers.cluster_controller.get_status x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/cluster:status' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' responses: '200': description: "Cluster status" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: properties: enabled: description: "Whether the cluster is enabled in the Wazuh configuration" type: string enum: - "yes" - "no" running: description: "Whether the cluster daemon is running" type: string enum: - "yes" - "no" example: data: enabled: "yes" running: "yes" error: 0 
'400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /cluster/local/config: get: tags: - Cluster summary: "Get local node config" description: "Return the current node cluster configuration. The response includes the cluster `key`, the shared secret used to encrypt messages between cluster nodes, so any principal granted `cluster:read` can retrieve it; treat the response as sensitive" operationId: api.controllers.cluster_controller.get_config x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/cluster:read' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' responses: '200': description: "Cluster configuration" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: properties: name: description: "Cluster name" type: string node_name: description: "Node name" type: string node_type: description: "Node type" type: string enum: - master - worker key: description: "Cluster key used to encrypt messages between cluster nodes. This is a shared secret returned in clear text; do not log or expose the response" type: string port: description: "Port used by the **master** node to communicate with workers" type: integer bind_addr: description: "Network interface used by the **master** to listen to incoming connections" type: string nodes: description: "List of cluster master nodes. 
This list is used by **worker** nodes to connect to the master" type: array items: type: string hidden: description: "Whether to hide the cluster information in the alerts. Returned as a string ('yes' or 'no'), not a boolean" type: string disabled: description: "Whether the cluster is disabled: `true` means the cluster is not enabled, `false` means it is enabled" type: boolean example: data: affected_items: - name: wazuh node_name: master-node node_type: master key: "9d273b53510fef702b54a92e9cffc82e" port: 1516 bind_addr: 0.0.0.0 nodes: - wazuh-master hidden: "no" disabled: false total_affected_items: 1 total_failed_items: 0 failed_items: [] message: "All selected information was returned" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /cluster/api/config: get: tags: - Cluster summary: "Get nodes API config" description: "Return the API configuration of all nodes (or a list of them) in JSON format. The response exposes access-control settings (login attempt limits, block time, per-minute request limit, remote command policy) and the paths of the TLS key and certificate, which is why this endpoint is guarded by the dedicated `cluster:read_api_config` action rather than `cluster:read`" operationId: api.controllers.cluster_controller.get_api_config x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/cluster:read_api_config' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/nodes_list' responses: '200': description: Current API configuration content: application/json: schema: type: object additionalProperties: true example: data: affected_items: - node_name: "master_node" node_api_config: host: 0.0.0.0 port: 55000 drop_privileges: true experimental_features: false max_upload_size: 10485760 https: enabled: true key: "/var/ossec/api/configuration/ssl/server.key" cert: "/var/ossec/api/configuration/ssl/server.crt" use_ca: false ca: "/var/ossec/api/configuration/ssl/ca.crt" ssl_protocol: "TLSv1.2" ssl_ciphers: "" logs: level: info path: /var/ossec/logs/api.log cors: enabled: false source_route: "*" expose_headers: "*" allow_headers: 
"*" allow_credentials: false cache: enabled: true time: 0.75 access: max_login_attempts: 50 block_time: 300 max_request_per_minute: 300 remote_commands: localfile: enabled: True exceptions: [] woodle_commands: enabled: True exceptions: [] - node_name: "worker1" node_api_config: host: 0.0.0.0 port: 55000 drop_privileges: true experimental_features: false max_upload_size: 10485760 https: enabled: true key: "/var/ossec/api/configuration/ssl/server.key" cert: "/var/ossec/api/configuration/ssl/server.crt" use_ca: false ca: "/var/ossec/api/configuration/ssl/ca.crt" ssl_protocol: "TLSv1.2" ssl_ciphers: "" logs: path: /var/ossec/logs/api.log level: info cors: enabled: false source_route: "*" allow_headers: "*" allow_credentials: false cache: enabled: true time: 0.75 access: max_login_attempts: 50 block_time: 300 max_request_per_minute: 300 remote_commands: localfile: enabled: True exceptions: [] woodle_commands: enabled: True exceptions: [] - node_name: "worker2" node_api_config: host: 0.0.0.0 port: 55000 drop_privileges: true experimental_features: false max_upload_size: 10485760 https: enabled: true key: "/var/ossec/api/configuration/ssl/server.key" cert: "/var/ossec/api/configuration/ssl/server.crt" use_ca: false ca: "/var/ossec/api/configuration/ssl/ca.crt" ssl_protocol: "TLSv1.2" ssl_ciphers: "" logs: path: /var/ossec/logs/api.log level: info cors: enabled: false source_route: "*" allow_headers: "*" allow_credentials: false cache: enabled: true time: 0.75 access: max_login_attempts: 50 block_time: 300 max_request_per_minute: 300 remote_commands: localfile: enabled: True exceptions: [] woodle_commands: enabled: True exceptions: [] total_affected_items: 3 total_failed_items: 0 failed_items: [] message: "API configuration was successfully read in all specified nodes" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: 
'#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /cluster/{node_id}/status: get: tags: - Cluster summary: "Get node status" description: "Return the status of all Wazuh daemons in node node_id" operationId: api.controllers.cluster_controller.get_status_node x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/cluster:read' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/node_id' responses: '200': description: "Node wazuh daemons statuses" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/WazuhDaemonsStatus' example: data: affected_items: - wazuh-agentlessd: stopped wazuh-analysisd: running wazuh-authd: stopped wazuh-csyslogd: stopped wazuh-dbd: stopped wazuh-monitord: running wazuh-execd: running wazuh-integratord: stopped wazuh-logcollector: running wazuh-maild: stopped wazuh-remoted: running wazuh-reportd: stopped wazuh-syscheckd: running wazuh-apid: running wazuh-clusterd: running wazuh-db: running wazuh-modulesd: running total_affected_items: 1 total_failed_items: 0 failed_items: [] message: "Processes status was successfully read in specified node" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /cluster/{node_id}/info: get: tags: - Cluster summary: "Get node info" description: "Return basic information about a specified node such as version, compilation date, installation path" operationId: api.controllers.cluster_controller.get_info_node x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/cluster:read' parameters: - $ref: '#/components/parameters/pretty' - $ref: 
'#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/node_id' responses: '200': description: "Node information" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/WazuhInfo' example: data: affected_items: - path: /var/ossec version: v4.3.0 compilation_date: "2021-05-27T09:06:48Z" type: server max_agents: unlimited openssl_support: "yes" tz_offset: "+0000" tz_name: UTC total_affected_items: 1 total_failed_items: 0 failed_items: [] message: "Basic information was successfully read in specified node" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /cluster/{node_id}/configuration: get: tags: - Cluster summary: "Get node config" description: "Return wazuh configuration used in node {node_id}. The 'section' and 'field' parameters will be ignored if 'raw' parameter is provided. The full configuration includes secrets such as the cluster `key` and the paths of the manager's TLS key material, so treat the response as sensitive." 
operationId: api.controllers.cluster_controller.get_configuration_node x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/cluster:read' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/node_id' - $ref: '#/components/parameters/raw' - $ref: '#/components/parameters/section' - $ref: '#/components/parameters/field' responses: '200': description: "Node configuration" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/WazuhManagerConfiguration' example: data: affected_items: - global: jsonout_output: yes alerts_log: yes logall: no logall_json: no email_notification: no smtp_server: smtp.example.wazuh.com email_from: wazuh@example.wazuh.com email_to: recipient@example.wazuh.com email_maxperhour: 12 email_log_source: alerts.log agents_disconnection_time: "10m" agents_disconnection_alert_time: 0 white_list: - 127.0.0.1 - ^localhost.localdomain$ - 80.58.61.250 - 80.58.61.254 alerts: log_alert_level: "3" email_alert_level: "12" remote: connection: secure port: 1514 protocol: - tcp queue_size: 131072 rootcheck: disabled: no check_files: yes check_trojans: yes check_dev: yes check_sys: yes check_pids: yes check_ports: yes check_if: yes frequency: 43200 rootkit_files: - etc/rootcheck/rootkit_files.txt rootkit_trojans: - etc/rootcheck/rootkit_trojans.txt skip_nfs: yes cis-cat: disabled: yes timeout: 1800 interval: 1d scan-on-start: yes java_path: wodles/java ciscat_path: wodles/ciscat osquery: disabled: yes run_daemon: yes log_path: /var/log/osquery/osqueryd.results.log config_path: /etc/osquery/osquery.conf add_labels: yes syscollector: disabled: no interval: "1h" scan_on_start: yes hardware: yes os: yes network: yes packages: yes ports: all: no item: yes processes: yes synchronization: "\n " sca: enabled: yes scan_on_start: yes interval: "12h" skip_nfs: yes vulnerability-detector: enabled: no 
interval: "5m" ignore_time: "6h" run_on_start: yes provider: name: nvd enabled: yes update_interval: "1h" syscheck: disabled: no frequency: 43200 scan_on_start: yes alert_new_files: yes auto_ignore: frequency: 10 timeframe: 3600 item: no directories: - path: /etc - path: /usr/bin - path: /usr/sbin - path: /bin - path: /sbin - path: /boot ignore: - /etc/mtab - /etc/hosts.deny - /etc/mail/statistics - /etc/random-seed - /etc/random.seed - /etc/adjtime - /etc/httpd/logs - /etc/utmpx - /etc/wtmpx - /etc/cups/certs - /etc/dumpdates - /etc/svc/volatile - type: sregex item: ".log$|.swp$" nodiff: - /etc/ssl/private.key skip_nfs: yes skip_dev: yes skip_proc: yes skip_sys: yes process_priority: 10 max_eps: 50 synchronization: enabled: yes interval: "5m" max_eps: 10 command: - name: disable-account executable: disable-account timeout_allowed: yes - name: restart-wazuh executable: restart-wazuh - name: firewall-drop executable: firewall-drop timeout_allowed: yes - name: host-deny executable: host-deny timeout_allowed: yes - name: route-null executable: route-null timeout_allowed: yes - name: win_route-null executable: route-null.exe timeout_allowed: yes - name: netsh executable: netsh.exe timeout_allowed: yes localfile: - log_format: syslog location: /var/ossec/logs/active-responses.log - log_format: syslog location: /var/log/dpkg.log - log_format: command command: "df -P" frequency: 360 - log_format: full_command command: "netstat -tulpn | sed 's/\\([[:alnum:]]\\+\\)\\ \\+[[:digit:]]\\+\\ \\+[[:digit:] ]\\+\\ \\+\\(.*\\):\\([[:digit:]]*\\)\\ \\+\\([0-9\\.\\:\\*]\\+\\).\\+\\ \\([[:digit:]]*\\/[ [:alnum:]\\-]*\\).*/\\1 \\2 == \\3 == \\4 \\5/' | sort -k 4 -g | sed 's/ == \\(.*\\) ==/:\\1/' | sed 1,2d" alias: netstat listening ports frequency: 360 - log_format: full_command command: "last -n 20" frequency: 360 ruleset: decoder_dir: - ruleset/decoders - etc/decoders rule_dir: - ruleset/rules - etc/rules rule_exclude: - 0215-policy_rules.xml list: - etc/lists/audit-keys - 
etc/lists/amazon/aws-eventnames - etc/lists/security-eventchannel auth: disabled: "no" port: "1515" use_source_ip: "no" force: enabled: "yes" key_mismatch: "yes" disconnected_time: enabled: "yes" value: "1h" after_registration_time: "1h" purge: "yes" use_password: "no" ciphers: "HIGH:!ADH:!EXP:!MD5:!RC4:!3DES:!CAMELLIA:@STRENGTH" ssl_verify_host: "no" ssl_manager_cert: "etc/sslmanager.cert" ssl_manager_key: "etc/sslmanager.key" ssl_auto_negotiate: "no" cluster: name: "wazuh" node_name: "master-node" node_type: "master" key: "9d273b53510fef702b54a92e9cffc82e" port: "1516" bind_addr: "0.0.0.0" nodes: - "wazuh-master" hidden: "no" disabled: "no" total_affected_items: 1 total_failed_items: 0 failed_items: [] message: "Configuration was successfully read in specified node" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' put: tags: - Cluster summary: "Update node configuration" description: "Replace wazuh configuration for the given node with the data contained in the API request. The uploaded ossec.conf defines, among other things, the `command` executables used by active response and the `localfile` commands the manager runs, so `cluster:update_config` is effectively the ability to execute commands on that node; grant it only to fully trusted principals. The upload is limited by the API's max_upload_size (413 otherwise)" operationId: api.controllers.cluster_controller.update_configuration x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/cluster:update_config' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/node_id' requestBody: description: "Content of the ossec.conf to be uploaded" required: true content: application/octet-stream: schema: type: string format: binary responses: '200': description: "Confirmation message" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - $ref: '#/components/schemas/ConfirmationMessage' example: message: "Configuration was successfully updated" error: 0 '400': $ref: '#/components/responses/ResponseError' 
'401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '406': $ref: '#/components/responses/WrongContentTypeResponse' '413': $ref: '#/components/responses/RequestTooLargeResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /cluster/{node_id}/daemons/stats: get: tags: - Cluster summary: "Get Wazuh daemon stats from a cluster node" description: "Return Wazuh statistical information from specified daemons in a specified cluster node" operationId: api.controllers.cluster_controller.get_daemon_stats_node x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/cluster:read' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/node_id' - $ref: '#/components/parameters/daemons_list' responses: '200': description: "Wazuh daemon stats" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/AllItemsResponseWazuhDaemonStats' example: data: affected_items: - uptime: 2022-07-21T10:09:20+00:00 timestamp: 2022-07-21T10:48:32+00:00 name: wazuh-remoted metrics: tcp_sessions: 0 received_bytes: 0 messages_received_breakdown: event_messages: 0 control_messages: 0 control_breakdown: request_messages: 0 startup_messages: 0 shutdown_messages: 0 keepalive_messages: 0 ping_messages: 0 unknown_messages: 0 dequeued_after_close_messages: 0 discarded_messages: 0 sent_bytes: 0 messages_sent_breakdown: ack_messages: 0 shared_file_messages: 0 ar_messages: 0 cfga_messages: 0 request_messages: 0 discarded_messages: 0 queue_status: receive_queue_usage: 0 receive_queue_size: 131072 keys_reload_count: 0 update_shared_files_count: 42 total_affected_items: 1 failed_items: [] total_failed_items: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: 
'#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /cluster/{node_id}/stats: get: tags: - Cluster summary: "Get node stats" description: "Return Wazuh statistical information in node {node_id} for the current or specified date" operationId: api.controllers.cluster_controller.get_stats_node x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/cluster:read' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/node_id' - $ref: '#/components/parameters/date' responses: '200': description: "Wazuh node stats" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/AllItemsResponseWazuhStats' example: data: affected_items: - hour: 10 alerts: - sigid: 530 level: 0 times: 121 - sigid: 501 level: 3 times: 5 - sigid: 502 level: 3 times: 1 - sigid: 503 level: 3 times: 1 - sigid: 506 level: 3 times: 2 - sigid: 515 level: 0 times: 12 - sigid: 19000 level: 0 times: 980 - sigid: 19007 level: 7 times: 470 - sigid: 19008 level: 3 times: 305 - sigid: 19009 level: 3 times: 185 - sigid: 19004 level: 7 times: 10 totalAlerts: 2092 events: 2104 syscheck: 12 firewall: 0 total_affected_items: 1 total_failed_items: 0 failed_items: [] message: "Statistical information for each node was successfully read" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /cluster/{node_id}/stats/hourly: get: tags: - Cluster summary: "Get node stats hour" description: "Return Wazuh statistical information 
in node {node_id} per hour. Each number in the averages field represents the average of alerts per hour" operationId: api.controllers.cluster_controller.get_stats_hourly_node x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/cluster:read' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/node_id' responses: '200': description: "Wazuh node hourly stats" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/AllItemsResponseWazuhStats' example: data: affected_items: - averages: - 40 - 24 - 67 - 234 - 66 - 24 - 634 - 66 - 123 - 56 - 65 - 23 - 666 - 233 - 646 - 44 - 64 - 99 - 34 - 235 - 653 - 25 - 65 - 23 interactions: 0 total_affected_items: 1 total_failed_items: 0 failed_items: [] message: "Statistical information per hour for each node was successfully read" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /cluster/{node_id}/stats/weekly: get: tags: - Cluster summary: "Get node stats week" description: "Return Wazuh statistical information in node {node_id} per week. 
Each number in the averages field represents the average of alerts per hour for that specific day" operationId: api.controllers.cluster_controller.get_stats_weekly_node x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/cluster:read' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/node_id' responses: '200': description: "Wazuh node weekly stats" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/AllItemsResponseWazuhStats' example: data: affected_items: - Sun: averages: - 40 - 24 - 67 - 234 - 66 - 24 - 634 - 66 - 123 - 56 - 65 - 23 - 666 - 233 - 646 - 44 - 64 - 99 - 34 - 235 - 653 - 25 - 65 - 23 interactions: 0 - Mon: averages: - 40 - 24 - 67 - 234 - 66 - 24 - 634 - 66 - 123 - 56 - 65 - 23 - 666 - 233 - 646 - 44 - 64 - 99 - 34 - 235 - 653 - 25 - 65 - 23 interactions: 0 - Tue: averages: - 40 - 24 - 67 - 234 - 66 - 24 - 634 - 66 - 123 - 56 - 65 - 23 - 666 - 233 - 646 - 44 - 64 - 99 - 34 - 235 - 653 - 25 - 65 - 23 interactions: 0 - Wed: averages: - 40 - 24 - 67 - 234 - 66 - 24 - 634 - 66 - 123 - 56 - 65 - 23 - 666 - 233 - 646 - 44 - 64 - 99 - 34 - 235 - 653 - 25 - 65 - 23 interactions: 0 - Thu: averages: - 40 - 24 - 67 - 234 - 66 - 24 - 634 - 66 - 123 - 56 - 65 - 23 - 666 - 233 - 646 - 44 - 64 - 99 - 34 - 235 - 653 - 25 - 65 - 23 interactions: 0 - Fri: averages: - 40 - 24 - 67 - 234 - 66 - 24 - 634 - 66 - 123 - 56 - 65 - 23 - 666 - 233 - 646 - 44 - 64 - 99 - 34 - 235 - 653 - 25 - 65 - 23 interactions: 0 - Sat: averages: - 40 - 24 - 67 - 234 - 66 - 24 - 634 - 66 - 123 - 56 - 65 - 23 - 666 - 233 - 646 - 44 - 64 - 99 - 34 - 235 - 653 - 25 - 65 - 23 interactions: 0 total_affected_items: 7 total_failed_items: 0 failed_items: [] message: "Statistical information per week for each node was successfully read" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: 
'#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /cluster/{node_id}/stats/analysisd: get: tags: - Cluster deprecated: true summary: "Get node stats analysisd" description: "Return Wazuh analysisd statistical information in node {node_id}" operationId: api.controllers.cluster_controller.get_stats_analysisd_node x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/cluster:read' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/node_id' responses: '200': description: "Wazuh node analysisd stats" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/AllItemsResponseWazuhStats' example: data: affected_items: - total_events_decoded: 5 syscheck_events_decoded: 0 syscollector_events_decoded: 0 rootcheck_events_decoded: 0 sca_events_decoded: 0 winevt_events_decoded: 0 other_events_decoded: 5 events_processed: 5 events_received: 5 events_dropped: 0 alerts_written: 0 firewall_written: 0 fts_written: 0 syscheck_queue_usage: 0 syscheck_queue_size: 16384 syscollector_queue_usage: 0 syscollector_queue_size: 16384 rootcheck_queue_usage: 0 rootcheck_queue_size: 16384 sca_queue_usage: 0 sca_queue_size: 16384 hostinfo_queue_usage: 0 hostinfo_queue_size: 16384 winevt_queue_usage: 0 winevt_queue_size: 16384 event_queue_usage: 0 event_queue_size: 16384 rule_matching_queue_usage: 0 rule_matching_queue_size: 16384 alerts_queue_usage: 0 alerts_queue_size: 16384 firewall_queue_usage: 0 firewall_queue_size: 16384 statistical_queue_usage: 0 statistical_queue_size: 16384 archives_queue_usage: 0 archives_queue_size: 16384 total_affected_items: 1 total_failed_items: 0 failed_items: [] message: "Statistical information for each node was 
successfully read" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /cluster/{node_id}/stats/remoted: get: tags: - Cluster deprecated: true summary: "Get node stats remoted" description: "Return Wazuh remoted statistical information in node {node_id}" operationId: api.controllers.cluster_controller.get_stats_remoted_node x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/cluster:read' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/node_id' responses: '200': description: "Wazuh node remoted stats" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/AllItemsResponseWazuhStats' example: data: affected_items: - queue_size: 0 total_queue_size: 131072 tcp_sessions: 4.0 evt_count: 9089.0 ctrl_msg_count: 2099.0 discarded_count: 0 sent_bytes: 784598.0 recv_bytes: 4541779.0 dequeued_after_close: 0.0 total_affected_items: 1 total_failed_items: 0 failed_items: [] message: "Statistical information for each node was successfully read" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /cluster/{node_id}/logs: get: tags: - Cluster summary: "Get node logs" description: "Return the last 2000 wazuh log entries in the specified node" operationId: api.controllers.cluster_controller.get_log_node x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/cluster:read' parameters: - $ref: 
'#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/node_id' - $ref: '#/components/parameters/offset' - $ref: '#/components/parameters/log_lines' - $ref: '#/components/parameters/sort' - $ref: '#/components/parameters/search' - $ref: '#/components/parameters/tag' - $ref: '#/components/parameters/log_level' - $ref: '#/components/parameters/query' - $ref: '#/components/parameters/select' - $ref: '#/components/parameters/distinct' responses: '200': description: "Wazuh node logs" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/AllItemsResponseWazuhLogs' example: data: affected_items: - timestamp: '2021-05-27T12:18:08Z' tag: wazuh-remoted level: debug description: " TCP socket 20 already in keystore. Updating..." - timestamp: '2021-05-27T12:18:08Z' tag: wazuh-remoted level: debug description: " Agent '003' group is 'default'" - timestamp: '2021-05-27T12:18:08Z' tag: wazuh-remoted level: debug description: " Agent '003' with group 'default' file 'merged.mg' MD5 '9a016508cea1e997ab8569f5cfab30f5'" total_affected_items: 3 total_failed_items: 0 failed_items: [] message: "Logs were successfully read in specified node" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /cluster/{node_id}/logs/summary: get: tags: - Cluster summary: "Get node logs summary" description: "Return a summary of the last 2000 wazuh log entries in the specified node" operationId: api.controllers.cluster_controller.get_log_summary_node x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/cluster:read' parameters: - $ref: '#/components/parameters/pretty' - $ref: 
'#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/node_id' responses: '200': description: "Wazuh node logs summary" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/WazuhLogsSummary' example: data: affected_items: - wazuh-db: all: 356 info: 0 error: 0 critical: 0 warning: 0 debug: 356 - wazuh-remoted: all: 842 info: 0 error: 0 critical: 0 warning: 0 debug: 842 total_affected_items: 2 total_failed_items: 0 failed_items: [] message: "Log was successfully summarized in specified node" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /cluster/restart: put: tags: - Cluster summary: "Restart nodes" description: "Restart all nodes in the cluster or a list of them" operationId: api.controllers.cluster_controller.put_restart x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/cluster:read' - $ref: '#/x-rbac-catalog/actions/cluster:restart' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/nodes_list' responses: '200': description: "List of affected nodes" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/AllItemsResponseNodeIDs' example: data: affected_items: - 'master-node' - 'worker1' - 'worker2' total_affected_items: 3 total_failed_items: 0 failed_items: [] message: "Restart request sent to all specified nodes" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: 
'#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /cluster/configuration/validation: get: tags: - Cluster summary: "Check nodes config" description: "Return whether the Wazuh configuration is correct or not in all cluster nodes or a list of them" operationId: api.controllers.cluster_controller.get_conf_validation x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/cluster:read' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/nodes_list' responses: '200': description: "Configuration status" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/AllItemsResponseValidationStatus' example: data: affected_items: - name: master-node status: OK - name: worker1 status: OK - name: worker2 status: OK total_affected_items: 3 total_failed_items: 0 failed_items: [] message: "Validation was successfully checked in all nodes" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /cluster/{node_id}/configuration/{component}/{configuration}: get: tags: - Cluster summary: "Get node active configuration" description: "Return the requested configuration in JSON format for the specified node" operationId: api.controllers.cluster_controller.get_node_config x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/cluster:read' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/node_id' - $ref: '#/components/parameters/component' - $ref: '#/components/parameters/configuration' responses: '200': description: "Cluster 
configuration on-demand" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' example: data: affected_items: - name: "wazuh" node_name: "master-node" node_type: "master" key: "9d273b53510fef702b54a92e9cffc82e" port: 1516 bind_addr: "0.0.0.0" nodes: - "wazuh-master" hidden: "no" disabled: "false" total_affected_items: 1 total_failed_items: 0 failed_items: [] message: "Active configuration was successfully read in specified node" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /lists: get: tags: - Lists summary: "Get CDB lists info" description: "Return the contents of all CDB lists. Optionally, the result can be filtered by several criteria. See available parameters for more details" operationId: api.controllers.cdb_list_controller.get_lists x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/lists:read' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/offset' - $ref: '#/components/parameters/limit' - $ref: '#/components/parameters/select' - $ref: '#/components/parameters/sort' - $ref: '#/components/parameters/search' - $ref: '#/components/parameters/get_dirnames_path' - $ref: '#/components/parameters/filename' - $ref: '#/components/parameters/query' - $ref: '#/components/parameters/distinct' responses: '200': description: "Successfully got all CDB lists and the files where they are defined" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/AllItemsResponseLists' example: data: affected_items: - items: - key: audit-wazuh-w value: write - key: audit-wazuh-r value: read - key: audit-wazuh-a value: 
attribute - key: audit-wazuh-x value: execute - key: audit-wazuh-c value: command relative_dirname: etc/lists filename: audit-keys total_affected_items: 4 total_failed_items: 0 failed_items: [] message: "All specified lists were returned" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /lists/files/{filename}: get: tags: - Lists summary: "Get CDB list file content" description: "Return the content of a CDB list file. Only the filename can be specified. It will be searched recursively if not found" operationId: api.controllers.cdb_list_controller.get_file x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/lists:read' parameters: - $ref: '#/components/parameters/list_filename_path' - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/raw' responses: '200': description: "Successfully got CDB list" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/AllItemsResponseListsFiles' example: data: affected_items: - audit-wazuh-w: write audit-wazuh-r: read audit-wazuh-a: attribute audit-wazuh-x: execute audit-wazuh-c: command total_affected_items: 1 total_failed_items: 0 failed_items: [] message: "CDB list was returned" error: 0 'text/plain': schema: type: string example: | audit-wazuh-w:write audit-wazuh-r:read audit-wazuh-a:attribute audit-wazuh-x:execute audit-wazuh-c:command '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: 
'#/components/responses/TooManyRequestsResponse' put: tags: - Lists summary: "Update CDB list file" description: "Replace or upload a CDB list file with the data contained in the API request" operationId: api.controllers.cdb_list_controller.put_file x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/lists:update' - $ref: '#/x-rbac-catalog/actions/lists:delete' parameters: - $ref: '#/components/parameters/list_filename_path' - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/overwrite' requestBody: description: "Content of the file to be uploaded" required: true content: application/octet-stream: schema: type: string format: binary responses: '200': description: "Confirmation message" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - $ref: '#/components/schemas/ConfirmationMessage' example: data: affected_items: - etc/lists/audit-keys total_affected_items: 1 total_failed_items: 0 failed_items: [] message: "CDB list file uploaded successfully" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '413': $ref: '#/components/responses/RequestTooLargeResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' delete: tags: - Lists summary: "Delete CDB list file" description: "Delete a specified CDB list file. Only the filename can be specified. 
It will be searched recursively if not found" operationId: api.controllers.cdb_list_controller.delete_file x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/lists:delete' parameters: - $ref: '#/components/parameters/list_filename_path' - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' responses: '200': description: "Confirmation message" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - $ref: '#/components/schemas/ConfirmationMessage' example: data: affected_items: - etc/lists/test total_affected_items: 1 total_failed_items: 0 failed_items: [] message: "CDB list file was successfully deleted" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /lists/files: get: tags: - Lists summary: "Get CDB lists files" description: "Return the path from all CDB lists. 
Use this method to know all the CDB lists and their location in the filesystem relative to Wazuh installation folder" operationId: api.controllers.cdb_list_controller.get_lists_files x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/lists:read' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/offset' - $ref: '#/components/parameters/limit' - $ref: '#/components/parameters/sort' - $ref: '#/components/parameters/search' - $ref: '#/components/parameters/get_dirnames_path' - $ref: '#/components/parameters/filename' responses: '200': description: "Successfully got CDB lists" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/AllItemsResponseListsFiles' example: data: affected_items: - relative_dirname: etc/lists/amazon filename: aws-eventnames - relative_dirname: etc/lists/amazon filename: aws-sources - relative_dirname: etc/lists filename: audit-keys - relative_dirname: etc/lists filename: security-eventchannel total_affected_items: 4 total_failed_items: 0 failed_items: [] message: 'All specified paths were returned' error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /logtest: put: tags: - Logtest summary: "Run logtest" description: "Run logtest tool to check if a specified log raises any alert among other information" operationId: api.controllers.logtest_controller.run_logtest_tool x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/logtest:run' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' requestBody: description: "Run logtest with the parameters below" required: true content: 
application/json: schema: $ref: '#/components/schemas/LogtestRequest' responses: '200': description: "Successfully run the logtest tool" content: application/json: schema: $ref: '#/components/schemas/ApiResponse' example: error: 0 data: messages: - "INFO: (7202): Session initialized with token '8cd2d6d1'" token: 8cd2d6d1 output: timestamp: 2021-05-27T12:46:03.391000Z rule: level: 2 description: "Unknown problem somewhere in the system." id: 1002 firedtimes: 1 mail: false groups: - "syslog" - "errors" gpg13: - 4.3 agent: id: "000" name: "wazuh-master" manager: name: "wazuh-master" id: "1622119563.2682664" cluster: name: "wazuh" node: "master-node" full_log: "ERROR" decoder: None location: "/var/log/syslog" alert: false codemsg: 1 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '406': $ref: '#/components/responses/WrongContentTypeResponse' '413': $ref: '#/components/responses/RequestTooLargeResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /logtest/sessions/{token}: delete: tags: - Logtest summary: "End session" description: "Delete the saved logtest session corresponding to {token}" operationId: api.controllers.logtest_controller.end_logtest_session x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/logtest:run' parameters: - $ref: '#/components/parameters/logtest_token' - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' responses: '200': description: "Successfully deleted the saved session or no session found" content: application/json: schema: $ref: '#/components/schemas/ApiResponse' example: error: 0 data: messages: ["INFO: (7206): The session '573ed2ca' was closed successfully"] codemsg: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: 
'#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '406': $ref: '#/components/responses/WrongContentTypeResponse' '413': $ref: '#/components/responses/RequestTooLargeResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /manager/status: get: tags: - Manager summary: "Get status" description: "Return the status of all Wazuh daemons" operationId: api.controllers.manager_controller.get_status x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/manager:read' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' responses: '200': description: "Wazuh manager daemons statuses" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/WazuhDaemonsStatus' example: data: affected_items: - wazuh-agentlessd: "stopped" wazuh-analysisd: "running" wazuh-authd: "running" wazuh-csyslogd: "stopped" wazuh-dbd: "stopped" wazuh-monitord: "running" wazuh-execd: "running" wazuh-integratord: "stopped" wazuh-logcollector: "running" wazuh-maild: "stopped" wazuh-remoted: "running" wazuh-reportd: "stopped" wazuh-syscheckd: "running" wazuh-clusterd: "running" wazuh-modulesd: "running" wazuh-db: "running" wazuh-apid: "running" total_affected_items: 1 total_failed_items: 0 failed_items: [] message: "Processes status was successfully read in specified node" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /manager/info: get: tags: - Manager summary: "Get information" description: "Return basic information such as version, compilation date, installation path" operationId: api.controllers.manager_controller.get_info
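# /manager/info (get) continues here: RBAC action, parameters and responses,
# followed by the start of /manager/configuration. Indentation follows the
# rest of the spec (path at 2, method at 4, operation keys at 6).
      x-rbac-actions:
        - $ref: '#/x-rbac-catalog/actions/manager:read'
      parameters:
        - $ref: '#/components/parameters/pretty'
        - $ref: '#/components/parameters/wait_for_complete'
      responses:
        '200':
          description: "Manager information"
          content:
            application/json:
              schema:
                allOf:
                  - $ref: '#/components/schemas/ApiResponse'
                  - type: object
                    properties:
                      data:
                        $ref: '#/components/schemas/WazuhInfo'
              example:
                data:
                  affected_items:
                    - path: /var/ossec
                      version: v4.3.0
                      compilation_date: "2021-05-27T09:06:48Z"
                      type: server
                      max_agents: unlimited
                      # Quoted: a bare `yes` is parsed as boolean true by
                      # YAML 1.1 loaders, which would render the example as
                      # `true` instead of the string the API returns.
                      openssl_support: "yes"
                      # Quoted: a bare `+0000` is parsed as the integer 0.
                      tz_offset: "+0000"
                      tz_name: UTC
                  total_affected_items: 1
                  total_failed_items: 0
                  failed_items: []
                message: "Basic information was successfully read in specified node"
                error: 0
        '400':
          $ref: '#/components/responses/ResponseError'
        '401':
          $ref: '#/components/responses/UnauthorizedResponse'
        '403':
          $ref: '#/components/responses/PermissionDeniedResponse'
        '405':
          $ref: '#/components/responses/InvalidHTTPMethodResponse'
        '429':
          $ref: '#/components/responses/TooManyRequestsResponse'

  /manager/configuration:
    get:
      tags:
        - Manager
      summary: "Get configuration"
      description: "Return wazuh configuration used. The 'section' and 'field' parameters will be ignored if 'raw' parameter is provided."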
operationId: api.controllers.manager_controller.get_configuration x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/manager:read' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/raw' - $ref: '#/components/parameters/section' - $ref: '#/components/parameters/field' - $ref: '#/components/parameters/distinct' responses: '200': description: "Wazuh configuration" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/WazuhManagerConfiguration' example: data: affected_items: - global: jsonout_output: yes alerts_log: yes logall: no logall_json: no email_notification: no smtp_server: smtp.example.wazuh.com email_from: wazuh@example.wazuh.com email_to: recipient@example.wazuh.com email_maxperhour: 12 email_log_source: alerts.log queue_size: 131072 white_list: - 127.0.0.1 - ^localhost.localdomain$ - 127.0.0.53 alerts: log_alert_level: "3" email_alert_level: "12" cis-cat: disabled: yes timeout: 1800 interval: 1d scan-on-start: yes java_path: wodles/java ciscat_path: wodles/ciscat command: - name: disable-account executable: disable-account.sh expect: user timeout_allowed: yes - name: restart-ossec executable: restart-ossec.sh total_affected_items: 1 failed_items: [] total_failed_items: 0 message: "Configuration was successfully read" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' put: tags: - Manager summary: "Update Wazuh configuration" description: "Replace Wazuh configuration with the data contained in the API request" operationId: api.controllers.manager_controller.update_configuration x-rbac-actions: - $ref: 
'#/x-rbac-catalog/actions/manager:update_config' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' requestBody: description: "Content of the ossec.conf to be uploaded" required: true content: application/octet-stream: schema: type: string format: binary responses: '200': description: "Confirmation message" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - $ref: '#/components/schemas/ConfirmationMessage' example: message: "Configuration was successfully updated" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '406': $ref: '#/components/responses/WrongContentTypeResponse' '413': $ref: '#/components/responses/RequestTooLargeResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /manager/daemons/stats: get: tags: - Manager summary: "Get Wazuh daemon stats" description: "Return Wazuh statistical information from specified daemons" operationId: api.controllers.manager_controller.get_daemon_stats x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/manager:read' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/daemons_list' responses: '200': description: "Wazuh daemon stats" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/AllItemsResponseWazuhDaemonStats' example: data: affected_items: - uptime: 2022-07-21T10:09:20+00:00 timestamp: 2022-07-21T10:47:59+00:00 name: wazuh-db metrics: queries_total: 1514 queries_breakdown: wazuhdb_queries: 0 wazuhdb_queries_breakdown: remove_queries: 0 unknown_queries: 0 agent_queries: 73 agent_queries_breakdown: sql_queries: 0 remove_queries: 0 begin_queries: 
0 commit_queries: 0 close_queries: 0 syscheck_queries: syscheck_queries: 2 fim_file_queries: 2 fim_registry_queries: 0 fim_registry_key_queries: 0 fim_registry_value_queries: 0 rootcheck_queries: rootcheck_queries: 2 sca_queries: sca_queries: 6 ciscat_queries: ciscat_queries: 0 syscollector_queries: syscollector_processes_queries: 36 syscollector_packages_queries: 1 syscollector_hotfixes_queries: 0 syscollector_ports_queries: 16 syscollector_network_protocol_queries: 1 syscollector_network_address_queries: 1 syscollector_network_iface_queries: 2 syscollector_hwinfo_queries: 2 syscollector_osinfo_queries: 2 process_queries: 0 package_queries: 0 hotfix_queries: 0 port_queries: 0 netproto_queries: 0 netaddr_queries: 0 netinfo_queries: 0 hardware_queries: 0 osinfo_queries: 0 vulnerability_detector_queries: vuln_cves_queries: 0 dbsync_queries: 0 unknown_queries: 0 global_queries: 161 global_queries_breakdown: sql_queries: 0 backup_queries: 0 agent_queries: insert-agent_queries: 1 update-agent-data_queries: 1 update-agent-name_queries: 1 update-keepalive_queries: 0 update-connection-status_queries: 0 reset-agents-connection_queries: 1 delete-agent_queries: 0 select-agent-name_queries: 2 select-agent-group_queries: 1 select-keepalive_queries: 0 find-agent_queries: 0 get-agent-info_queries: 39 get-all-agents_queries: 40 get-agents-by-connection-status_queries: 0 disconnect-agents_queries: 0 sync-agent-info-get_queries: 0 sync-agent-info-set_queries: 37 sync-agent-groups-get_queries: 36 set-agent-groups_queries: 0 get-groups-integrity_queries: 0 group_queries: insert-agent-group_queries: 0 delete-group_queries: 0 select-groups_queries: 1 find-group_queries: 1 belongs_queries: delete-agent-belong_queries: 0 select-group-belong_queries: 0 get-group-agents_queries: 0 labels_queries: set-labels_queries: 0 get-labels_queries: 0 unknown_queries: 0 task_queries: 3 task_queries_breakdown: sql_queries: 0 upgrade_queries: upgrade_queries: 0 upgrade_custom_queries: 0 
upgrade_get_status_queries: 0 upgrade_update_status_queries: 0 upgrade_result_queries: 0 upgrade_cancel_tasks_queries: 1 set_timeout_queries: 1 delete_old_queries: 1 unknown_queries: 0 mitre_queries: 1277 mitre_queries_breakdown: sql_queries: 1277 unknown_queries: 0 unknown_queries: 0 queries_time_total: 493 queries_time_breakdown: wazuhdb_time: 0 wazuhdb_time_breakdown: remove_time: 0 agent_time: 351 agent_time_breakdown: sql_time: 0 remove_time: 0 begin_time: 0 commit_time: 0 close_time: 0 syscheck_time: syscheck_time: 49 fim_file_time: 30 fim_registry_time: 0 fim_registry_key_time: 0 fim_registry_value_time: 0 rootcheck_time: rootcheck_time: 47 sca_time: sca_time: 0 ciscat_time: ciscat_time: 0 syscollector_time: syscollector_processes_time: 17 syscollector_packages_time: 33 syscollector_hotfixes_time: 0 syscollector_ports_time: 47 syscollector_network_protocol_time: 27 syscollector_network_address_time: 26 syscollector_network_iface_time: 21 syscollector_hwinfo_time: 20 syscollector_osinfo_time: 27 process_time: 0 package_time: 0 hotfix_time: 0 port_time: 0 netproto_time: 0 netaddr_time: 0 netinfo_time: 0 hardware_time: 0 osinfo_time: 0 vulnerability_detector_time: vuln_cves_time: 0 dbsync_time: 0 global_time: 14 global_time_breakdown: sql_time: 0 backup_time: 0 agent_time: insert-agent_time: 0 update-agent-data_time: 0 update-agent-name_time: 0 update-keepalive_time: 0 update-connection-status_time: 0 reset-agents-connection_time: 0 delete-agent_time: 0 select-agent-name_time: 0 select-agent-group_time: 0 select-keepalive_time: 0 find-agent_time: 0 get-agent-info_time: 2 get-all-agents_time: 1 get-agents-by-connection-status_time: 0 disconnect-agents_time: 0 sync-agent-info-get_time: 0 sync-agent-info-set_time: 6 sync-agent-groups-get_time: 2 set-agent-groups_time: 0 get-groups-integrity_time: 0 group_time: insert-agent-group_time: 0 delete-group_time: 0 select-groups_time: 0 find-group_time: 0 belongs_time: delete-agent-belong_time: 0 select-group-belong_time: 
0 get-group-agents_time: 0 labels_time: set-labels_time: 0 get-labels_time: 0 task_time: 0 task_time_breakdown: sql_time: 0 upgrade_time: upgrade_time: 0 upgrade_custom_time: 0 upgrade_get_status_time: 0 upgrade_update_status_time: 0 upgrade_result_time: 0 upgrade_cancel_tasks_time: 0 set_timeout_time: 0 delete_old_time: 0 mitre_time: 128 mitre_time_breakdown: sql_time: 128 total_affected_items: 1 failed_items: [] total_failed_items: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /manager/stats: get: tags: - Manager summary: "Get stats" description: "Return Wazuh statistical information for the current or specified date" operationId: api.controllers.manager_controller.get_stats x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/manager:read' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/date' responses: '200': description: "Wazuh stats" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/AllItemsResponseWazuhStats' example: data: affected_items: - hour: 15 alerts: - sigid: 5303 level: 3 times: 1 - sigid: 5501 level: 3 times: 4 - sigid: 221 level: 0 times: 653 totalAlerts: 658 events: 4387 firewall: 0 - hour: 16 alerts: - sigid: 5521 level: 0 times: 1 - sigid: 530 level: 0 times: 120 totalAlerts: 121 events: 4379 syscheck: 0 firewall: 0 total_affected_items: 2 failed_items: [] total_failed_items: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' 
'429': $ref: '#/components/responses/TooManyRequestsResponse' /manager/stats/hourly: get: tags: - Manager summary: "Get hourly stats" description: "Return Wazuh statistical information per hour. Each number in the averages field represents the average of alerts per hour" operationId: api.controllers.manager_controller.get_stats_hourly x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/manager:read' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' responses: '200': description: "Wazuh hourly stats" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/AllItemsResponseWazuhStats' example: data: affected_items: - averages: - 40 - 24 - 67 - 234 - 66 - 24 - 634 - 66 - 123 - 56 - 65 - 23 - 666 - 233 - 646 - 44 - 64 - 99 - 34 - 235 - 653 - 25 - 65 - 23 interactions: 0 total_affected_items: 1 failed_items: [] total_failed_items: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /manager/stats/weekly: get: tags: - Manager summary: "Get weekly stats" description: "Return Wazuh statistical information per week. 
Each number in the averages field represents the average of alerts per hour for that specific day" operationId: api.controllers.manager_controller.get_stats_weekly x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/manager:read' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' responses: '200': description: "Wazuh weekly stats" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/AllItemsResponseWazuhStats' example: data: affected_items: - Sun: averages: - 40 - 24 - 67 - 234 - 66 - 24 - 634 - 66 - 123 - 56 - 65 - 23 - 666 - 233 - 646 - 44 - 64 - 99 - 34 - 235 - 653 - 25 - 65 - 23 interactions: 0 - Mon: averages: - 40 - 24 - 67 - 234 - 66 - 24 - 634 - 66 - 123 - 56 - 65 - 23 - 666 - 233 - 646 - 44 - 64 - 99 - 34 - 235 - 653 - 25 - 65 - 23 interactions: 0 - Tue: averages: - 40 - 24 - 67 - 234 - 66 - 24 - 634 - 66 - 123 - 56 - 65 - 23 - 666 - 233 - 646 - 44 - 64 - 99 - 34 - 235 - 653 - 25 - 65 - 23 interactions: 0 - Wed: averages: - 40 - 24 - 67 - 234 - 66 - 24 - 634 - 66 - 123 - 56 - 65 - 23 - 666 - 233 - 646 - 44 - 64 - 99 - 34 - 235 - 653 - 25 - 65 - 23 interactions: 0 - Thu: averages: - 40 - 24 - 67 - 234 - 66 - 24 - 634 - 66 - 123 - 56 - 65 - 23 - 666 - 233 - 646 - 44 - 64 - 99 - 34 - 235 - 653 - 25 - 65 - 23 interactions: 0 - Fri: averages: - 40 - 24 - 67 - 234 - 66 - 24 - 634 - 66 - 123 - 56 - 65 - 23 - 666 - 233 - 646 - 44 - 64 - 99 - 34 - 235 - 653 - 25 - 65 - 23 interactions: 0 - Sat: averages: - 40 - 24 - 67 - 234 - 66 - 24 - 634 - 66 - 123 - 56 - 65 - 23 - 666 - 233 - 646 - 44 - 64 - 99 - 34 - 235 - 653 - 25 - 65 - 23 interactions: 0 total_affected_items: 7 failed_items: [] total_failed_items: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: 
'#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /manager/stats/analysisd: get: tags: - Manager deprecated: true summary: "Get stats analysisd" description: "Return Wazuh analysisd statistical information" operationId: api.controllers.manager_controller.get_stats_analysisd x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/manager:read' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' responses: '200': description: "Wazuh analysisd stats" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/AllItemsResponseWazuhStats' example: data: affected_items: - total_events_decoded: 5 syscheck_events_decoded: 0 syscollector_events_decoded: 0 rootcheck_events_decoded: 0 sca_events_decoded: 0 winevt_events_decoded: 0 other_events_decoded: 5 events_processed: 5 events_received: 5 events_dropped: 0 alerts_written: 0 firewall_written: 0 fts_written: 0 syscheck_queue_usage: 0 syscheck_queue_size: 16384 syscollector_queue_usage: 0 syscollector_queue_size: 16384 rootcheck_queue_usage: 0 rootcheck_queue_size: 16384 sca_queue_usage: 0 sca_queue_size: 16384 hostinfo_queue_usage: 0 hostinfo_queue_size: 16384 winevt_queue_usage: 0 winevt_queue_size: 16384 event_queue_usage: 0 event_queue_size: 16384 rule_matching_queue_usage: 0 rule_matching_queue_size: 16384 alerts_queue_usage: 0 alerts_queue_size: 16384 firewall_queue_usage: 0 firewall_queue_size: 16384 statistical_queue_usage: 0 statistical_queue_size: 16384 archives_queue_usage: 0 archives_queue_size: 16384 total_affected_items: 1 failed_items: [] total_failed_items: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: 
'#/components/responses/TooManyRequestsResponse' /manager/stats/remoted: get: tags: - Manager deprecated: true summary: "Get stats remoted" description: "Return Wazuh remoted statistical information" operationId: api.controllers.manager_controller.get_stats_remoted x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/manager:read' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' responses: '200': description: "Wazuh remoted stats" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/AllItemsResponseWazuhStats' example: data: affected_items: - queue_size: 0 total_queue_size: 131072 tcp_sessions: 0 evt_count: 0 ctrl_msg_count: 0 discarded_count: 0 sent_bytes: 0 recv_bytes: 0 total_affected_items: 0 failed_items: [] total_failed_items: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /manager/logs: get: tags: - Manager summary: "Get logs" description: "Return the last 2000 wazuh log entries" operationId: api.controllers.manager_controller.get_log x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/manager:read' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/offset' - $ref: '#/components/parameters/log_lines' - $ref: '#/components/parameters/sort' - $ref: '#/components/parameters/search' - $ref: '#/components/parameters/tag' - $ref: '#/components/parameters/log_level' - $ref: '#/components/parameters/query' - $ref: '#/components/parameters/select' - $ref: '#/components/parameters/distinct' responses: '200': description: "Wazuh logs" content: application/json: schema: allOf: - $ref: 
'#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/AllItemsResponseWazuhLogs' example: data: affected_items: - timestamp: '2020-04-15T14:47:54Z' tag: wazuh-modulesd:syscollector level: info description: "Start syscheck scan" - timestamp: '2020-04-15T14:47:51Z' tag: wazuh-modulesd:syscollector level: info description: "Starting evaluation" - timestamp: '2020-04-15T13:50:24Z' tag: wazuh-maild level: error description: " (1263): Error Sending email to 69.172.200.109 (smtp server)" total_affected_items: 3 failed_items: [] total_failed_items: 0 message: Logs read successfully in specified node error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /manager/logs/summary: get: tags: - Manager summary: "Get logs summary" description: "Return a summary of the last 2000 wazuh log entries" operationId: api.controllers.manager_controller.get_log_summary x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/manager:read' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' responses: '200': description: "Wazuh logs summary" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/WazuhLogsSummary' example: data: affected_items: - wazuh-modulesd: info: 2 all: 2 critical: 0 debug: 0 error: 0 warning: 0 - wazuh-db: info: 1 all: 4 critical: 0 debug: 0 error: 3 warning: 0 - wazuh-rootcheck: info: 8 all: 8 critical: 0 debug: 0 error: 0 warning: 0 total_affected_items: 3 failed_items: [] total_failed_items: 0 message: "Log was successfully summarized" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: 
'#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /manager/api/config: get: tags: - Manager summary: "Get API config" description: "Return the local API configuration in JSON format" operationId: api.controllers.manager_controller.get_api_config x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/manager:read_api_config' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' responses: '200': description: "Current API configuration" content: application/json: schema: $ref: '#/components/schemas/ApiResponse' example: data: affected_items: - node_name: "manager" node_api_config: host: 0.0.0.0 port: 55000 https: enabled: true key: "/var/ossec/api/configuration/ssl/server.key" cert: "/var/ossec/api/configuration/ssl/server.crt" use_ca: false ca: "/var/ossec/api/configuration/ssl/ca.crt" ssl_protocol: "TLSv1.2" ssl_ciphers: "" access: max_login_attempts: 50 block_time: 300 max_request_per_minute: 300 logs: path: /var/ossec/logs/api.log level: info cors: enabled: false source_route: "*" allow_headers: "*" allow_credentials: false cache: enabled: true time: 0.75 drop_privileges: true experimental_features: false max_upload_size: 10485760 total_affected_items: 1 total_failed_items: 0 failed_items: [] message: "API configuration was successfully read" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /manager/restart: put: tags: - Manager summary: "Restart manager" description: "Restart the wazuh manager" operationId: api.controllers.manager_controller.put_restart x-rbac-actions: - $ref: 
'#/x-rbac-catalog/actions/manager:read' - $ref: '#/x-rbac-catalog/actions/manager:restart' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' responses: '200': description: "Confirmation message" content: application/json: schema: $ref: '#/components/schemas/ApiResponse' example: data: affected_items: - master-node total_affected_items: 1 failed_items: [] total_failed_items: 0 message: "Restart request sent to all specified nodes" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /manager/configuration/validation: get: tags: - Manager summary: "Check config" description: "Return whether the Wazuh configuration is correct" operationId: api.controllers.manager_controller.get_conf_validation x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/manager:read' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' responses: '200': description: "OK message if configuration is right" content: application/json: schema: $ref: '#/components/schemas/ConfigurationValidation' example: data: affected_items: - name: "master-node" status: "OK" total_affected_items: 1 total_failed_items: 0 failed_items: [] message: "Validation was successfully checked in all nodes" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /manager/configuration/{component}/{configuration}: get: tags: - Manager summary: "Get active configuration" description: "Return the requested active 
configuration in JSON format" operationId: api.controllers.manager_controller.get_manager_config_ondemand x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/manager:read' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/component' - $ref: '#/components/parameters/configuration' responses: '200': description: "Manager configuration on-demand" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' example: data: affected_items: - global: email_notification: "no" logall: "no" logall_json: "no" integrity_checking: 8 rootkit_detection: 8 host_information: 8 prelude_output: "no" zeromq_output: "no" jsonout_output: "yes" alerts_log: "yes" stats: 4 memory_size: 8192 white_list: - "127.0.0.1" - "80.58.61.250" - "80.58.61.254" - "localhost.localdomain" rotate_interval: 0 max_output_size: 0 total_affected_items: 1 total_failed_items: 0 failed_items: [] message: "Active configuration was successfully read in specified node" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /mitre/groups: get: tags: - MITRE summary: "Get MITRE groups" description: "Return the groups from MITRE database" operationId: api.controllers.mitre_controller.get_groups x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/mitre:read' parameters: - $ref: '#/components/parameters/mitre_group_ids' - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/offset' - $ref: '#/components/parameters/limit' - $ref: '#/components/parameters/sort' - $ref: '#/components/parameters/search' - $ref: '#/components/parameters/select' - $ref: '#/components/parameters/query' - $ref: 
'#/components/parameters/distinct' responses: '200': description: "Get MITRE groups information" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/AllItemsResponse' example: data: affected_items: - mitre_version: "1.2" deprecated: 0 description: |- [APT38](https://attack.mitre.org/groups/G0082) is a financially-motivated threat group that is backed by the North Korean regime. The group mainly targets banks and financial institutions and has targeted more than 16 organizations in at least 13 countries since at least 2014.(Citation: FireEye APT38 Oct 2018) North Korean group definitions are known to have significant overlap, and the name [Lazarus Group](https://attack.mitre.org/groups/G0032) is known to encompass a broad range of activity. Some organizations use the name Lazarus Group to refer to any activity attributed to North Korea.(Citation: US-CERT HIDDEN COBRA June 2017) Some organizations track North Korean clusters or groups such as Bluenoroff,(Citation: Kaspersky Lazarus Under The Hood Blog 2017) [APT37](https://attack.mitre.org/groups/G0067), and [APT38](https://attack.mitre.org/groups/G0082) separately, while other organizations may track some activity associated with those group names by the name Lazarus Group name: APT38 id: intrusion-set--00f67a77-86a4-4adf-be26-1a54fc713340 modified_time: '2020-03-30T18:50:43.737000Z' created_time: '2019-01-29T21:27:24.793000Z' software: - tool--03342581-f790-4f03-ba41-e82e67392e23 - tool--afc079f3-c0ea-4096-b75d-3f05338b7f60 - malware--53ab35c2-d00e-491a-8753-41d35ae7e547 techniques: - attack-pattern--df8b2a25-8bdf-4856-953c-a04372b1c161 - attack-pattern--09a60ea3-a8d1-4ae5-976e-5783248b72a4 - attack-pattern--8f4a33ec-8b1f-4b80-a2f6-642b2e479580 - attack-pattern--57340c81-c025-4189-8fa0-fc7ede51bae4 - attack-pattern--d742a578-d70e-4d0e-96a6-02a9c30204e6 - attack-pattern--30973a08-aed9-4edf-8604-9084ce1b5c4f - 
attack-pattern--deb98323-e13f-4b0c-8d94-175379069062 - attack-pattern--d1fcf083-a721-4223-aedf-bf8960798d62 - attack-pattern--e6919abc-99f9-4c6c-95a5-14761e7b2add - attack-pattern--d63a3fb8-9452-4e9d-a60a-54be68d5998c - attack-pattern--6495ae23-3ab4-43c5-a94f-5638a2c31fd2 - attack-pattern--32ad5c86-2bcf-47d8-8fdc-d7f3d79a7490 - attack-pattern--d0613359-5781-4fd2-b5be-c269270be1f6 - attack-pattern--1cfcb312-b8d7-47a4-b560-4b16cc677292 - attack-pattern--0af0ca99-357d-4ba1-805f-674fdfb7bef9 - attack-pattern--b80d107d-fa0d-4b60-9684-b0433e8bdba0 - attack-pattern--d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c - attack-pattern--7e150503-88e7-4861-866b-ff1ac82c4475 - attack-pattern--ff73aa03-0090-4464-83ac-f89e233c02bc references: - url: "https://content.fireeye.com/apt/rpt-apt38" description: "FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 6, 2018." source: "FireEye APT38 Oct 2018" - url: "https://securelist.com/lazarus-under-the-hood/77908/" description: "GReAT. (2017, April 3). Lazarus Under the Hood. Retrieved April 17, 2019." source: "Kaspersky Lazarus Under The Hood Blog 2017" - url: "https://www.us-cert.gov/ncas/alerts/TA17-164A" description: "US-CERT. (2017, June 13). Alert (TA17-164A) HIDDEN COBRA – North Korea’s DDoS Botnet Infrastructure. Retrieved July 13, 2017." 
source: "US-CERT HIDDEN COBRA June 2017" - url: "https://attack.mitre.org/groups/G0082" external_id: "G0082" source: "mitre-attack" total_affected_items: 111 total_failed_items: 0 failed_items: [] message: MITRE groups information was returned error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /mitre/metadata: get: tags: - MITRE summary: "Get MITRE metadata" description: "Return the metadata from MITRE database" operationId: api.controllers.mitre_controller.get_metadata x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/mitre:read' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' responses: '200': description: "Get MITRE metadata information" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/AllItemsResponse' example: data: affected_items: - key: "db_version" value: "1" - key: "mitre_version" value: "2.0" total_affected_items: 2 total_failed_items: 0 failed_items: [] message: "MITRE metadata information was returned" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /mitre/mitigations: get: tags: - MITRE summary: "Get MITRE mitigations" description: "Return the mitigations from MITRE database" operationId: api.controllers.mitre_controller.get_mitigations x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/mitre:read' parameters: - $ref: '#/components/parameters/mitre_mitigation_ids' - $ref: 
'#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/offset' - $ref: '#/components/parameters/limit' - $ref: '#/components/parameters/sort' - $ref: '#/components/parameters/search' - $ref: '#/components/parameters/select' - $ref: '#/components/parameters/query' - $ref: '#/components/parameters/distinct' responses: '200': description: "Get MITRE mitigations information" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/AllItemsResponse' example: data: affected_items: - mitre_version: "1.0" deprecated: 1 description: "Prevent files from having a trailing space after the extension." name: "Space after Filename Mitigation" id: "course-of-action--02f0f92a-0a51-4c94-9bda-6437b9a93f22" modified_time: '2019-07-25T11:46:32.010000Z' created_time: '2018-10-17T00:14:20.652000Z' techniques: - "attack-pattern--e2907cea-4b43-4ed7-a570-0fdf0fbeea00" references: - url: "https://attack.mitre.org/mitigations/T1151" source: "mitre-attack" external_id: "T1151" total_affected_items: 266 total_failed_items: 0 failed_items: [] message: "MITRE mitigations information was returned" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /mitre/references: get: tags: - MITRE summary: "Get MITRE references" description: "Return the references from MITRE database" operationId: api.controllers.mitre_controller.get_references x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/mitre:read' parameters: - $ref: '#/components/parameters/mitre_reference_ids' - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/offset' - 
$ref: '#/components/parameters/limit' - $ref: '#/components/parameters/sort' - $ref: '#/components/parameters/search' - $ref: '#/components/parameters/select' - $ref: '#/components/parameters/query' responses: '200': description: "Get MITRE references" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/AllItemsResponse' example: data: affected_items: - url: "https://www.endgame.com/blog/technical-blog/ten-process-injection-techniques-technical-survey-common-and-trending-process" description: "Hosseini, A. (2017, July 18). Ten Process Injection Techniques: A Technical Survey Of Common And Trending Process Injection Techniques. Retrieved December 7, 2017." source: "Endgame Process Injection July 2017" id: "attack-pattern--0042a9f5-f053-4769-b3ef-9ad018dfa298" type: "technique" total_affected_items: 5212 total_failed_items: 0 failed_items: [] message: "MITRE references information was returned" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /mitre/software: get: tags: - MITRE summary: "Get MITRE software" description: "Return the software from MITRE database" operationId: api.controllers.mitre_controller.get_software x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/mitre:read' parameters: - $ref: '#/components/parameters/mitre_software_ids' - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/offset' - $ref: '#/components/parameters/limit' - $ref: '#/components/parameters/sort' - $ref: '#/components/parameters/search' - $ref: '#/components/parameters/select' - $ref: '#/components/parameters/query' - $ref: '#/components/parameters/distinct' 
responses: '200': description: "Get MITRE software information" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/AllItemsResponse' example: data: affected_items: - mitre_version: "1.0" deprecated: 0 description: "[HDoor](https://attack.mitre.org/software/S0061) is malware that has been customized and used by the [Naikon](https://attack.mitre.org/groups/G0019) group. (Citation: Baumgartner Naikon 2015)" name: HDoor id: malware--007b44b6-e4c5-480b-b5b9-56f2081b1b7b modified_time: '2019-04-25T02:33:53.419000Z' created_time: '2017-05-31T21:32:40.801000Z' groups: - intrusion-set--2a158b0a-7ef8-43cb-9985-bf34d1e12050 techniques: - attack-pattern--ac08589e-ee59-4935-8667-d845e38fe579 - attack-pattern--e3a12395-188d-4051-9a16-ea8e14d07b88 references: - url: "https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf" description: "Baumgartner, K., Golovkin, M.. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved April 10, 2019." 
source: "Baumgartner Naikon 2015" - url: "https://attack.mitre.org/software/S0061" source: "mitre-attack" external_id: "S0061" total_affected_items: 444 total_failed_items: 0 failed_items: [] message: "MITRE software information was returned" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /mitre/tactics: get: tags: - MITRE summary: "Get MITRE tactics" description: "Return the tactics from MITRE database" operationId: api.controllers.mitre_controller.get_tactics x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/mitre:read' parameters: - $ref: '#/components/parameters/mitre_tactic_ids' - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/offset' - $ref: '#/components/parameters/limit' - $ref: '#/components/parameters/sort' - $ref: '#/components/parameters/search' - $ref: '#/components/parameters/select' - $ref: '#/components/parameters/query' - $ref: '#/components/parameters/distinct' responses: '200': description: "Get MITRE tactics information" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/AllItemsResponse' example: data: affected_items: - description: "The adversary is trying to move through your environment.\n\nLateral Movement consists of techniques that adversaries use to enter and control remote systems on a network. Following through on their primary objective often requires exploring the network to find their target and subsequently gaining access to it. Reaching their objective often involves pivoting through multiple systems and accounts to gain. 
Adversaries might install their own remote access tools to accomplish Lateral Movement or use legitimate credentials with native network and operating system tools, which may be stealthier. " name: "Lateral Movement" id: "x-mitre-tactic--7141578b-e50b-4dcc-bfa4-08a8dd689e9e" modified_time: "2019-07-19T17:44:36.953000Z" created_time: "2018-10-17T00:14:20.652000Z" short_name: "lateral-movement" techniques: - "attack-pattern--01327cde-66c4-4123-bf34-5f258d59457b" - "attack-pattern--246fd3c7-f5e3-466d-8787-4c13d9e3b61c" - "attack-pattern--2db31dcd-54da-405d-acef-b9129b816ed6" - "attack-pattern--3b744087-9945-4a6f-91e8-9dbceda417a4" - "attack-pattern--4d2a5b3e-340d-4600-9123-309dd63c9bf8" - "attack-pattern--4f9ca633-15c5-463c-9724-bdcd54fde541" - "attack-pattern--51a14c76-dd3b-440b-9c20-2bf91d25a814" - "attack-pattern--54a649ff-439a-41a4-9856-8d144a2551ba" - "attack-pattern--5b0ad6f8-6a16-4966-a4ef-d09ea6e2a9f5" - "attack-pattern--60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65" - "attack-pattern--68a0c5ed-bee2-4513-830d-5b0d650139bd" - "attack-pattern--772bc7a8-a157-42cc-8728-d648e25c7fe7" - "attack-pattern--7b211ac6-c815-4189-93a9-ab415deca926" - "attack-pattern--804c042c-cfe6-449e-bc1a-ba0a998a70db" - "attack-pattern--92a78814-b191-47ca-909c-1ccfe3777414" - "attack-pattern--9db0cf3a-a3c9-4012-8268-123b9db6fd82" - "attack-pattern--9e7452df-5144-4b6e-b04a-b66dd4016747" - "attack-pattern--bf90d72c-c00b-45e3-b3aa-68560560d4c5" - "attack-pattern--c3c8c916-2f3c-4e71-94b2-240bdfc996f0" - "attack-pattern--e0033c16-a07e-48aa-8204-7c3ca669998c" - "attack-pattern--e624264c-033a-424d-9fd7-fc9c3bbdb03e" - "attack-pattern--eb062747-2193-45de-8fa2-e62549c37ddf" - "attack-pattern--f005e783-57d4-4837-88ad-dbe7faee1c51" references: - url: "https://attack.mitre.org/tactics/TA0008" source: "mitre-attack" external_id: "TA0008" total_affected_items: 14 total_failed_items: 0 failed_items: [] message: "All tactics information was returned" error: 0 '400': $ref: '#/components/responses/ResponseError' 
'401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /mitre/techniques: get: tags: - MITRE summary: "Get MITRE techniques" description: "Return the techniques from MITRE database" operationId: api.controllers.mitre_controller.get_techniques x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/mitre:read' parameters: - $ref: '#/components/parameters/mitre_technique_ids' - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/offset' - $ref: '#/components/parameters/limit' - $ref: '#/components/parameters/sort' - $ref: '#/components/parameters/search' - $ref: '#/components/parameters/select' - $ref: '#/components/parameters/query' - $ref: '#/components/parameters/distinct' responses: '200': description: "Get MITRE techniques information" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/AllItemsResponse' example: data: affected_items: - mitre_version: "1.0" network_requirements: 0 remote_support: 0 mitre_detection: |- Much of this activity may have a very high occurrence and associated false positive rate, as well as potentially taking place outside the visibility of the target organization, making detection difficult for defenders. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access. id: attack-pattern--9d48cab2-7929-4812-ad22-f536665f0109 modified_time: '2020-10-25T22:58:23.086000Z' deprecated: 0 created_time: '2020-10-02T15:45:17.628000Z' name: Gather Victim Network Information description: |- Before compromising a victim, adversaries may gather information about the victim's networks that can be used during targeting. 
Information about networks may include a variety of details, including administrative data (ex: IP ranges, domain names, etc.) as well as specifics regarding its topology and operations. Adversaries may gather this information in various ways, such as direct collection actions via [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Phishing for Information](https://attack.mitre.org/techniques/T1598). Information about networks may also be exposed to adversaries via online or other accessible data sets (ex: [Search Open Technical Databases](https://attack.mitre.org/techniques/T1596)).(Citation: WHOIS)(Citation: DNS Dumpster)(Citation: Circl Passive DNS) Gathering this information may reveal opportunities for other forms of reconnaissance (ex: [Active Scanning](https://attack.mitre.org/techniques/T1595) or [Search Open Websites/Domains](https://attack.mitre.org/techniques/T1593)), establishing operational resources (ex: [Acquire Infrastructure](https://attack.mitre.org/techniques/T1583) or [Compromise Infrastructure](https://attack.mitre.org/techniques/T1584)), and/or initial access (ex: [Trusted Relationship](https://attack.mitre.org/techniques/T1199)). tactics: - "x-mitre-tactic--daa4cbb1-b4f4-4723-a824-7f1efd6e0592" mitigations: - "course-of-action--78bb71be-92b4-46de-acd6-5f998fedf1cc" software: [] groups: [] references: - source: "Circl Passive DNS" description: "CIRCL Computer Incident Response Center. (n.d.). Passive DNS. Retrieved October 20, 2020." url: "https://www.circl.lu/services/passive-dns/" - source: "DNS Dumpster" description: "Hacker Target. (n.d.). DNS Dumpster. Retrieved October 20, 2020." url: "https://dnsdumpster.com/" - source: "WHOIS" description: "NTT America. (n.d.). Whois Lookup. Retrieved October 20, 2020." 
url: "https://www.whois.net/" - source: "mitre-attack" external_id: "T1590" url: "https://attack.mitre.org/techniques/T1590" total_affected_items: 1 total_failed_items: 0 failed_items: [] message: "MITRE techniques information was returned" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /rootcheck: put: tags: - Rootcheck summary: "Run scan" description: "Run rootcheck scan in all agents or a list of them" operationId: api.controllers.rootcheck_controller.put_rootcheck x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/rootcheck:run' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/agents_list' responses: '200': description: "Run rootcheck scan in all agents or a list of them" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/AllItemsResponse' example: data: affected_items: - "000" - "001" - "002" - "003" total_affected_items: 4 total_failed_items: 0 failed_items: [] message: "Rootcheck scan was restarted on returned agents" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /rootcheck/{agent_id}: get: tags: - Rootcheck summary: "Get results" description: "Return the rootcheck database of an agent" operationId: api.controllers.rootcheck_controller.get_rootcheck_agent x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/rootcheck:read' parameters: - $ref: 
'#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/agent_id' - $ref: '#/components/parameters/offset' - $ref: '#/components/parameters/limit' - $ref: '#/components/parameters/sort' - $ref: '#/components/parameters/search' - $ref: '#/components/parameters/select' - $ref: '#/components/parameters/query' - $ref: '#/components/parameters/distinct' - $ref: '#/components/parameters/status' - $ref: '#/components/parameters/pci_dss' - $ref: '#/components/parameters/cis' responses: '200': description: "Return the rootcheck database of an agent" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/AllItemsResponse' example: data: affected_items: - date_first: "2020-10-23T10:34:09Z" log: "Ending CIS-CAT scan. File: /var/ossec/wodles/ciscat/benchmarks/CIS_Ubuntu_Linux_16.04_LTS_Benchmark_v1.0.0-xccdf.xml." date_last: "2020-10-23T10:34:09Z" status: "outstanding" - date_first: "2020-10-23T10:33:43Z" log: "Starting CIS-CAT scan. File: /var/ossec/wodles/ciscat/benchmarks/CIS_Ubuntu_Linux_16.04_LTS_Benchmark_v1.0.0-xccdf.xml." 
date_last: "2020-10-23T10:33:49Z" status: "outstanding" total_affected_items: 2 total_failed_items: 0 failed_items: [] message: "All selected rootcheck information was returned" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' delete: tags: - Rootcheck summary: "Clear results" description: "Clear an agent's rootcheck database" operationId: api.controllers.rootcheck_controller.delete_rootcheck x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/rootcheck:clear' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/agent_id' responses: '200': description: "Clear an agent's rootcheck database" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/AllItemsResponse' example: data: affected_items: - "001" total_affected_items: 1 total_failed_items: 0 failed_items: [ ] message: "Rootcheck database was cleared on returned agents" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /rootcheck/{agent_id}/last_scan: get: tags: - Rootcheck summary: "Get last scan datetime" description: "Return the timestamp of the last rootcheck scan of an agent" operationId: api.controllers.rootcheck_controller.get_last_scan_agent x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/rootcheck:read' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' - $ref: 
'#/components/parameters/agent_id' responses: '200': description: "Return the timestamp of the last rootcheck scan of an agent" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/AllItemsResponse' example: data: affected_items: - start: "2021-05-28T11:49:50Z" end: "2021-05-28T11:49:59Z" total_affected_items: 1 total_failed_items: 0 failed_items: [] message: "Last rootcheck scan of the agent was returned" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /rules: get: tags: - Rules summary: "List rules" description: "Return a list containing information about each rule such as file where it's defined, description, rule group, status, etc" operationId: api.controllers.rule_controller.get_rules x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/rules:read' parameters: - $ref: '#/components/parameters/rule_ids' - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/offset' - $ref: '#/components/parameters/limit' - $ref: '#/components/parameters/select' - $ref: '#/components/parameters/sort' - $ref: '#/components/parameters/search' - $ref: '#/components/parameters/query' - $ref: '#/components/parameters/statusRLDParam' - $ref: '#/components/parameters/group' - $ref: '#/components/parameters/level' - $ref: '#/components/parameters/filename' - $ref: '#/components/parameters/get_dirnames_path' - $ref: '#/components/parameters/pci_dss' - $ref: '#/components/parameters/gdpr' - $ref: '#/components/parameters/gpg13' - $ref: '#/components/parameters/hipaa' - $ref: '#/components/parameters/nist-800-53' - $ref: '#/components/parameters/tsc' - $ref: 
'#/components/parameters/mitre' - $ref: '#/components/parameters/distinct' responses: '200': description: "Rule" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/AllItemsResponseRules' example: data: affected_items: - filename: "0020-syslog_rules.xml" relative_dirname: "ruleset/rules" id: 1001 level: 2 status: enabled details: match: pattern: "^Couldn't open /etc/securetty" pci_dss: - "0.2.4" gpg13: - "4.1" gdpr: - "IV_35.7.d" hipaa: - "164.312.b" nist_800_53: - "AU.14" - "AC.7" tsc: - "CC6.1" - "CC6.8" - "CC7.2" - "CC7.3" mitre: [] groups: - syslog - errors description: "File missing. Root access unrestricted." total_affected_items: 707 total_failed_items: 0 failed_items: [] message: "All selected rules were returned" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /rules/groups: get: tags: - Rules summary: "Get groups" description: "Return a list containing all rule groups names" operationId: api.controllers.rule_controller.get_rules_groups x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/rules:read' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/offset' - $ref: '#/components/parameters/limit' - $ref: '#/components/parameters/sort' - $ref: '#/components/parameters/search' responses: '200': description: "Rule groups names" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/AllItemsResponse' example: data: affected_items: - active_response - agentless - attacks - firewall - gdpr_II_5.1.f - gdpr_IV_30.1.g total_affected_items: 6 
total_failed_items: 0 failed_items: [] message: "All groups in rules were returned" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /rules/requirement/{requirement}: get: tags: - Rules summary: "Get requirements" description: "Return all specified requirement names defined in the Wazuh ruleset" operationId: api.controllers.rule_controller.get_rules_requirement x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/rules:read' parameters: - $ref: '#/components/parameters/rule_requirement' - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/offset' - $ref: '#/components/parameters/limit' - $ref: '#/components/parameters/sort' - $ref: '#/components/parameters/search' responses: '200': description: "Requirement names" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/AllItemsResponse' example: data: affected_items: - "10.2.6" - "10.2.7" - "10.5.2" - "10.5.5" - "10.6.1" - "11.4" - "11.5" total_affected_items: 7 total_failed_items: 0 failed_items: [] message: "All selected rules were returned" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /rules/files: get: tags: - Rules summary: "Get files" description: "Return a list containing all files used to define rules and their status" operationId: api.controllers.rule_controller.get_rules_files x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/rules:read'
parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/offset' - $ref: '#/components/parameters/limit' - $ref: '#/components/parameters/sort' - $ref: '#/components/parameters/search' - $ref: '#/components/parameters/get_dirnames_path' - $ref: '#/components/parameters/xml_filename' - $ref: '#/components/parameters/statusRLDParam' - $ref: '#/components/parameters/query' - $ref: '#/components/parameters/select' - $ref: '#/components/parameters/distinct' responses: '200': description: "Rule" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/AllItemsResponseRulesFiles' example: data: affected_items: - file: 0010-rules_config.xml relative_dirname: ruleset/rules status: enabled - file: 0015-ossec_rules.xml relative_dirname: ruleset/rules status: enabled - file: 0016-wazuh_rules.xml relative_dirname: ruleset/rules status: enabled - file: 0020-syslog_rules.xml relative_dirname: ruleset/rules status: enabled total_affected_items: 4 total_failed_items: 0 failed_items: [] message: "All rules files were returned" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /rules/files/(unknown): get: tags: - Rules summary: "Get rules file content" description: "Get the content of a specified rule in the ruleset" operationId: api.controllers.rule_controller.get_file x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/rules:read' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/xml_filename_path' - $ref: '#/components/parameters/raw' - $ref: 
'#/components/parameters/get_dirnames_path' responses: '200': description: "Rule content" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/AllItemsResponse' example: data: affected_items: - group: - "@name": syslog rule: "@id": '1' "@level": '0' "@noalert": '1' category: syslog description: "Generic template for all syslog rules." - "@name": firewall rule: "@id": '2' "@level": '0' "@noalert": '1' category: firewall description: "Generic template for all firewall rules." - "@name": ids rule: "@id": '3' "@level": '0' "@noalert": '1' category: ids description: "Generic template for all ids rules." - "@name": web-log rule: "@id": '4' "@level": '0' "@noalert": '1' category: web-log description: "Generic template for all web rules." - "@name": squid rule: "@id": '5' "@level": '0' "@noalert": '1' category: squid description: "Generic template for all web proxy rules." - "@name": windows rule: "@id": '6' "@level": '0' "@noalert": '1' category: windows description: "Generic template for all windows rules." - "@name": ossec rule: "@id": '7' "@level": '0' "@noalert": '1' category: ossec description: "Generic template for all ossec rules." total_affected_items: 1 total_failed_items: 0 failed_items: [] message: Selected rule was returned error: 0 application/xml: schema: type: string example: | syslog Generic template for all syslog rules. firewall Generic template for all firewall rules. ids Generic template for all ids rules. web-log Generic template for all web rules. squid Generic template for all web proxy rules. windows Generic template for all windows rules. ossec Generic template for all ossec rules.
'400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' put: tags: - Rules summary: "Update rules file" description: "Upload or replace a user ruleset file content" operationId: api.controllers.rule_controller.put_file x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/rules:update' - $ref: '#/x-rbac-catalog/actions/rules:delete' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/xml_filename_path' - $ref: '#/components/parameters/overwrite' - $ref: '#/components/parameters/get_dirnames_path' requestBody: description: "Content of the rule to be uploaded" required: true content: application/octet-stream: schema: type: string format: binary responses: '200': description: "Confirmation message" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/AllItemsResponse' example: data: affected_items: - "etc/rules/new_rule.xml" failed_items: [] total_affected_items: 1 total_failed_items: 0 message: "Rule was successfully uploaded" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '406': $ref: '#/components/responses/WrongContentTypeResponse' '413': $ref: '#/components/responses/RequestTooLargeResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' delete: tags: - Rules summary: "Delete rules file" description: "Delete a specified rule file" operationId: api.controllers.rule_controller.delete_file x-rbac-actions: - $ref: 
'#/x-rbac-catalog/actions/rules:delete' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/xml_filename_path' - $ref: '#/components/parameters/get_dirnames_path' responses: '200': description: "Confirmation message" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/AllItemsResponse' example: data: affected_items: - "etc/rules/new_rule.xml" failed_items: [] total_affected_items: 1 total_failed_items: 0 message: "Rule was successfully deleted" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /sca/{agent_id}: get: tags: - SCA summary: "Get results" description: "Return the security SCA database of an agent" operationId: api.controllers.sca_controller.get_sca_agent x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/sca:read' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/agent_id' - $ref: '#/components/parameters/sca_name' - $ref: '#/components/parameters/description' - $ref: '#/components/parameters/references' - $ref: '#/components/parameters/offset' - $ref: '#/components/parameters/limit' - $ref: '#/components/parameters/sort' - $ref: '#/components/parameters/search' - $ref: '#/components/parameters/select' - $ref: '#/components/parameters/query' - $ref: '#/components/parameters/distinct' responses: '200': description: "SCA database elements" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/AllItemsResponseSCADatabase' example: data: 
affected_items: - description: "This document provides prescriptive guidance for establishing a secure configuration posture for Ubuntu Linux 20.04 LTS." fail: 87 start_scan: "2022-09-27T08:07:02+00:00" references: "https://www.cisecurity.org/cis-benchmarks/" name: "CIS benchmark for Ubuntu Linux 20.04 LTS" pass: 56 score: 39 end_scan: "2022-09-27T08:07:02+00:00" policy_id: "cis_ubuntu20-04" total_checks: 191 hash_file: "fb41fe9660f4320aaed0c3c292c8602953df7f8c42b37b724855f9005c43fafc" invalid: 48 total_affected_items: 1 total_failed_items: 0 failed_items: [] message: "All selected sca information was returned" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /sca/{agent_id}/checks/{policy_id}: get: tags: - SCA summary: "Get policy checks" description: "Return the policy monitoring alerts for a given policy" operationId: api.controllers.sca_controller.get_sca_checks x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/sca:read' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/agent_id' - $ref: '#/components/parameters/policy_id' - $ref: '#/components/parameters/title' - $ref: '#/components/parameters/description' - $ref: '#/components/parameters/rationale' - $ref: '#/components/parameters/remediation' - $ref: '#/components/parameters/command' - $ref: '#/components/parameters/reason' - $ref: '#/components/parameters/full_path_filter' - $ref: '#/components/parameters/process' - $ref: '#/components/parameters/directory' - $ref: '#/components/parameters/registry' - $ref: '#/components/parameters/references' - $ref: '#/components/parameters/result' - $ref: '#/components/parameters/condition' - $ref: 
'#/components/parameters/offset' - $ref: '#/components/parameters/limit' - $ref: '#/components/parameters/sort' - $ref: '#/components/parameters/search' - $ref: '#/components/parameters/select' - $ref: '#/components/parameters/query' - $ref: '#/components/parameters/distinct' responses: '200': description: "List of SCA Checks for a given policy ID" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/AllItemsResponseSCAChecks' example: data: affected_items: - description: "The cramfs filesystem type is a compressed read-only Linux filesystem embedded in small footprint systems. A cramfs image can be used without having to first decompress the image." id: 19000 reason: "Invalid path or wrong permissions to run command 'modprobe -n -v cramfs'" command: "modprobe -n -v cramfs,lsmod" rationale: "Removing support for unneeded filesystem types reduces the local attack surface of the server. If this filesystem type is not needed, disable it." condition: "all" title: "Ensure mounting of cramfs filesystems is disabled." result: "not applicable" policy_id: "cis_ubuntu20-04" remediation: "1) Edit or create a file in the /etc/modprobe.d/ directory ending in .conf and add the following line: install cramfs /bin/true. 
2) Run the following command to unload the cramfs module: # rmmod cramfs" compliance: - value: "1.1.1.1" key: "cis" - value: "5.1" key: "cis_csc" - value: "2.2.5" key: "pci_dss" - value: "CC6.3" key: "tsc" rules: - type: "command" rule: "c:modprobe -n -v cramfs -> r:^install /bin/true" - type: "numeric" rule: "not c:lsmod -> r:cramfs" total_affected_items: 191 total_failed_items: 0 failed_items: [] message: "All selected sca/policy information was returned" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /syscheck: put: tags: - Syscheck summary: "Run scan" description: "Run FIM scan in all agents" operationId: api.controllers.syscheck_controller.put_syscheck x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/syscheck:run' parameters: - $ref: '#/components/parameters/agents_list' - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' responses: '200': description: "Confirmation message" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/AllItemsResponseAgentIDs' example: data: affected_items: - '000' - '001' - '002' - '003' total_affected_items: 4 total_failed_items: 0 failed_items: [] message: "Syscheck scan was restarted on returned agents" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /syscheck/{agent_id}: get: tags: - Syscheck summary: "Get results" description: "Return FIM findings in the specified agent" operationId: 
api.controllers.syscheck_controller.get_syscheck_agent x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/syscheck:read' parameters: - $ref: '#/components/parameters/agent_id' - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/offset' - $ref: '#/components/parameters/limit' - $ref: '#/components/parameters/sort' - $ref: '#/components/parameters/search' - $ref: '#/components/parameters/select' - $ref: '#/components/parameters/full_path_filter' - $ref: '#/components/parameters/syscheck_arch' - $ref: '#/components/parameters/value.name' - $ref: '#/components/parameters/value.type' - $ref: '#/components/parameters/filetype' - $ref: '#/components/parameters/summary' - $ref: '#/components/parameters/md5' - $ref: '#/components/parameters/sha1' - $ref: '#/components/parameters/sha256' - $ref: '#/components/parameters/hashfilter' - $ref: '#/components/parameters/distinct' - $ref: '#/components/parameters/query' responses: '200': description: "Latest syscheck scan result" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/AllItemsResponseSyscheckResult' example: data: affected_items: - changes: 1 date: '2019-11-22T10:24:52Z' file: "/etc/dpkg/origins/debian" gid: '0' gname: root inode: 1459742 md5: 731423fa8ba067262f8ef37882d1e742 mtime: '2009-02-02T23:06:58Z' perm: '100644' sha1: b65f7f2af66c53b51765877bbe91a22bc6fca1e2 sha256: 50f35af8ac4a5df3690991a4b428fa49d56580b0020fcc6e38283b3b1b2e6c74 size: 82 type: file uid: '0' uname: root - changes: 1 date: '2019-11-22T10:24:56Z' file: "/etc/sgml/xml-core.cat" gid: '0' gname: root inode: 2896763 md5: 055ba0bd3154c0a58b9bf8a0c9ecf2fa mtime: '2012-11-07T21:44:21Z' perm: '100644' sha1: 3dec5570307472381671ff18bbe4d4be09951690 sha256: 3c46704b553c4b55ce928ffe89badfcfd08a02f0e6558211dfd57d9ae1e72aa4 size: 45 type: file uid: '0' uname: root total_affected_items: 1433 
total_failed_items: 0 failed_items: [] message: "FIM findings of the agent were returned" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' delete: tags: - Syscheck summary: "Clear results" description: "Clear file integrity monitoring scan results for a specified agent. Only available for agents older than 3.12.0; it does not apply to more recent ones" operationId: api.controllers.syscheck_controller.delete_syscheck_agent x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/syscheck:clear' parameters: - $ref: '#/components/parameters/agent_id' - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' responses: '200': description: "Confirmation message" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/AllItemsResponse' example: data: affected_items: - '000' total_affected_items: 1 total_failed_items: 0 failed_items: [] message: "Syscheck database was cleared on returned agents" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /syscheck/{agent_id}/last_scan: get: tags: - Syscheck summary: "Get last scan datetime" description: "Return when the last syscheck scan started and ended.
If the scan is still in progress the end date will be unknown" operationId: api.controllers.syscheck_controller.get_last_scan_agent x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/syscheck:read' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/agent_id' responses: '200': description: "Scan dates" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/AllItemsResponseLastScan' example: data: affected_items: - start: '2021-05-28T12:11:33Z' end: '2021-05-28T12:11:33Z' total_affected_items: 1 total_failed_items: 0 failed_items: [] message: "Last syscheck scan of the agent was returned" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /decoders: get: tags: - Decoders summary: "List decoders" description: "Return information about all decoders included in ossec.conf. 
This information includes the decoder's route, name and file, among others" operationId: api.controllers.decoder_controller.get_decoders x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/decoders:read' parameters: - $ref: '#/components/parameters/decoder_name' - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/offset' - $ref: '#/components/parameters/limit' - $ref: '#/components/parameters/select' - $ref: '#/components/parameters/sort' - $ref: '#/components/parameters/search' - $ref: '#/components/parameters/query' - $ref: '#/components/parameters/filename' - $ref: '#/components/parameters/get_dirnames_path' - $ref: '#/components/parameters/statusRLDParam' - $ref: '#/components/parameters/distinct' responses: '200': description: "List of decoders included in ossec.conf" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/AllItemsResponseDecoders' example: data: affected_items: - filename: "0005-wazuh_decoders.xml" relative_dirname: "ruleset/decoders" status: enabled name: wazuh position: 0 details: prematch: pattern: "^wazuh: " - filename: "0005-wazuh_decoders.xml" relative_dirname: "ruleset/decoders" status: enabled name: agent-buffer position: 1 details: parent: wazuh prematch: pattern: "^wazuh: " offset: after_parent regex: pattern: "^ '(\\S+)'." 
offset: after_prematch order: level total_affected_items: 1140 total_failed_items: 0 failed_items: [] message: "All selected decoders were returned" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /decoders/files: get: tags: - Decoders summary: "Get files" description: "Return information about all decoders files used in Wazuh. This information includes the decoder's file, route and status, among others" operationId: api.controllers.decoder_controller.get_decoders_files x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/decoders:read' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/offset' - $ref: '#/components/parameters/limit' - $ref: '#/components/parameters/sort' - $ref: '#/components/parameters/search' - $ref: '#/components/parameters/xml_filename' - $ref: '#/components/parameters/get_dirnames_path' - $ref: '#/components/parameters/statusRLDParam' - $ref: '#/components/parameters/query' - $ref: '#/components/parameters/select' - $ref: '#/components/parameters/distinct' responses: '200': description: "List of decoders files" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/AllItemsResponseDecodersFiles' example: data: affected_items: - filename: 0005-wazuh_decoders.xml relative_dirname: ruleset/decoders status: enabled - filename: 0006-json_decoders.xml relative_dirname: ruleset/decoders status: enabled - filename: 0010-active-response_decoders.xml relative_dirname: ruleset/decoders status: enabled total_affected_items: 3 total_failed_items: 0 failed_items: [] message: "All decoder files were returned" error: 
0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /decoders/files/{filename}: get: tags: - Decoders summary: "Get decoders file content" description: "Get the content of a specified decoder file" operationId: api.controllers.decoder_controller.get_file x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/decoders:read' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/xml_filename_path' - $ref: '#/components/parameters/raw' - $ref: '#/components/parameters/get_dirnames_path' responses: '200': description: "Decoder content" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/AllItemsResponse' example: data: affected_items: - decoder: - "@name": wazuh prematch: "^wazuh:" - "@name": agent-buffer parent: wazuh prematch: "@offset": after_parent "#text": "^Agent buffer:" regex: "@offset": after_prematch "#text": "^ '(\\S+)'." 
order: level - "@name": agent-upgrade parent: wazuh prematch: "@offset": after_parent "#text": "^Upgrade procedure |^Custom installation" regex: "@offset": after_prematch "#text": on agent (\d\d\d)\s\((\S+)\):\s(\w+) order: agent.id, agent.name, status - "@name": agent-upgrade parent: wazuh regex: aborted:\s(\.+)$|failed:\s(\.+)$|lost:\s(\.+)$ order: error - "@name": agent-upgrade parent: wazuh regex: started.\sCurrent\sversion:\sWazuh\s(\.+)$ order: agent.cur_version - "@name": agent-upgrade parent: wazuh regex: succeeded.\sNew\sversion:\sWazuh\s(\.+)$ order: agent.new_version - "@name": agent-restart parent: wazuh prematch: "@offset": after_parent "#text": "^Invalid remote configuration:" regex: "@offset": after_prematch "#text": "^ '(\\S+)'." order: module - "@name": fim-state parent: wazuh prematch: "@offset": after_parent "#text": "^FIM DB:" plugin_decoder: "@offset": after_prematch "#text": JSON_Decoder total_affected_items: 1 total_failed_items: 0 failed_items: [] message: "Selected decoder was returned" error: 0 application/xml: schema: type: string example: | ^wazuh: wazuh ^Agent buffer: ^ '(\S+)'. level wazuh ^Upgrade procedure |^Custom installation on agent (\d\d\d)\s\((\S+)\):\s(\w+) agent.id, agent.name, status wazuh aborted:\s(\.+)$|failed:\s(\.+)$|lost:\s(\.+)$ error wazuh started.\sCurrent\sversion:\sWazuh\s(\.+)$ agent.cur_version wazuh succeeded.\sNew\sversion:\sWazuh\s(\.+)$ agent.new_version wazuh ^Invalid remote configuration: ^ '(\S+)'. 
module wazuh ^FIM DB: JSON_Decoder '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' put: tags: - Decoders summary: "Update decoders file" description: "Upload or replace a user decoder file content" operationId: api.controllers.decoder_controller.put_file x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/decoders:update' - $ref: '#/x-rbac-catalog/actions/decoders:delete' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/xml_filename_path' - $ref: '#/components/parameters/overwrite' - $ref: '#/components/parameters/get_dirnames_path' requestBody: description: "Content of the decoder to be uploaded" required: true content: application/octet-stream: schema: type: string format: binary responses: '200': description: "Confirmation message" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/AllItemsResponse' example: data: affected_items: - "etc/decoders/new_decoder.xml" total_affected_items: 1 total_failed_items: 0 failed_items: [] message: "Decoder was successfully uploaded" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '406': $ref: '#/components/responses/WrongContentTypeResponse' '413': $ref: '#/components/responses/RequestTooLargeResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' delete: tags: - Decoders summary: "Delete decoders file" description: "Delete a specified decoder file" operationId: 
api.controllers.decoder_controller.delete_file x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/decoders:delete' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/xml_filename_path' - $ref: '#/components/parameters/get_dirnames_path' responses: '200': description: "Confirmation message" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/AllItemsResponse' example: data: affected_items: - "etc/decoders/new_decoder.xml" total_affected_items: 1 total_failed_items: 0 failed_items: [] message: "Decoder file was successfully deleted" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /decoders/parents: get: tags: - Decoders summary: "Get parent decoders" description: "Return information about all parent decoders. 
A parent decoder is a decoder used as the base of other decoders" operationId: api.controllers.decoder_controller.get_decoders_parents x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/decoders:read' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/offset' - $ref: '#/components/parameters/limit' - $ref: '#/components/parameters/select' - $ref: '#/components/parameters/sort' - $ref: '#/components/parameters/search' responses: '200': description: "List of parent decoders" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/AllItemsResponse' example: data: affected_items: - filename: "0005-wazuh_decoders.xml" relative_dirname: "ruleset/decoders" status: enabled name: wazuh position: 0 details: prematch: pattern: "^wazuh: " - filename: "0006-json_decoders.xml" relative_dirname: "ruleset/decoders" status: enabled name: json position: 0 details: prematch: pattern: ^{\\s*\" plugin_decoder: JSON_Decoder total_affected_items: 182 total_failed_items: 0 failed_items: [] message: "All selected decoders were returned" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /experimental/rootcheck: delete: tags: - Experimental summary: "Clear rootcheck results" description: "Clear rootcheck database for all agents or a list of them" operationId: api.controllers.experimental_controller.clear_rootcheck_database x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/rootcheck:clear' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/agents_list_all' responses: '200': 
description: "Clear rootcheck database for all agents or a list of them" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/AllItemsResponse' example: data: affected_items: - "002" - "003" total_affected_items: 2 failed_items: [ ] total_failed_items: 0 message: "Rootcheck database was cleared on returned agents" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /experimental/syscheck: delete: tags: - Experimental summary: "Clear agents FIM results" description: "Clear the syscheck database for all agents or a list of them" operationId: api.controllers.experimental_controller.clear_syscheck_database x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/syscheck:clear' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/agents_list_all' responses: '200': description: "Delete syscheck database" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/AllItemsResponseAgentIDs' example: data: affected_items: - '000' - '001' - '002' - '003' - '004' - '005' - '006' - '007' - '008' - '009' - '010' - '011' - '012' total_affected_items: 13 total_failed_items: 0 failed_items: [] message: "Syscheck database was cleared on returned agents" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' 
/experimental/ciscat/results: get: tags: - Experimental summary: "Get agents CIS-CAT results" description: "Return CIS-CAT results for all agents or a list of them" operationId: api.controllers.experimental_controller.get_cis_cat_results x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/ciscat:read' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/agents_list' - $ref: '#/components/parameters/offset' - $ref: '#/components/parameters/limit' - $ref: '#/components/parameters/sort' - $ref: '#/components/parameters/search' - $ref: '#/components/parameters/select' - $ref: '#/components/parameters/benchmark' - $ref: '#/components/parameters/profile' - $ref: '#/components/parameters/pass' - $ref: '#/components/parameters/fail' - $ref: '#/components/parameters/error' - $ref: '#/components/parameters/notchecked' - $ref: '#/components/parameters/unknown' - $ref: '#/components/parameters/score' responses: '200': description: "Return a list of CIS-CAT results" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/AllItemsResponseCiscatResult' example: data: affected_items: - agent_id: '001' benchmark: CIS Ubuntu Linux 16.04 LTS Benchmark error: 0 fail: 82 notchecked: 36 pass: 102 profile: xccdf_org.cisecurity.benchmarks_profile_Level_2_-_Server scan: id: 1422619291 time: '2019-12-03T08:38:35.230Z' score: 55 unknown: 0 - agent_id: '002' benchmark: CIS Ubuntu Linux 16.04 LTS Benchmark error: 0 fail: 82 notchecked: 36 pass: 102 profile: xccdf_org.cisecurity.benchmarks_profile_Level_2_-_Server scan: id: 1794774880 time: '2019-12-03T08:38:27.743Z' score: 55 unknown: 0 - agent_id: '003' benchmark: CIS Ubuntu Linux 16.04 LTS Benchmark error: 0 fail: 82 notchecked: 36 pass: 102 profile: xccdf_org.cisecurity.benchmarks_profile_Level_2_-_Server scan: id: 622382213 time: '2019-12-03T08:39:02.569Z' score: 55 
unknown: 0 failed_items: [] total_affected_items: 3 total_failed_items: 0 message: 'All CISCAT results were returned' error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /experimental/syscollector/hardware: get: tags: - Experimental summary: "Get agents hardware" description: "Return all agents (or a list of them) hardware info. This information includes cpu, ram and scan info of all agents, among others" operationId: api.controllers.experimental_controller.get_hardware_info x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/syscollector:read' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/agents_list' - $ref: '#/components/parameters/offset' - $ref: '#/components/parameters/limit' - $ref: '#/components/parameters/sort' - $ref: '#/components/parameters/search' - $ref: '#/components/parameters/select' - $ref: '#/components/parameters/ram.free' - $ref: '#/components/parameters/ram.total' - $ref: '#/components/parameters/cpu.cores' - $ref: '#/components/parameters/cpu.mhz' - $ref: '#/components/parameters/cpu.name' - $ref: '#/components/parameters/board_serial' responses: '200': description: "Return a list of agent's hardware results" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/AllItemsResponseSyscollectorHardware' example: data: affected_items: - agent_id: '000' board_serial: BSS-0123456789 cpu: cores: 12 mhz: 3094.875 name: Intel(R) Core(TM) i7-8750H CPU @ 2.20GHz ram: free: 6958480 total: 16263580 usage: 58 scan: id: 1452382474 time: '2019-12-03T08:37:42Z' - agent_id: '001' board_serial: BSS-0123456789 cpu: cores: 12 mhz: 
2688.144 name: Intel(R) Core(TM) i7-8750H CPU @ 2.20GHz ram: free: 5793604 total: 16263580 usage: 65 scan: id: 1317471702 time: '2019-12-03T08:38:29Z' - agent_id: '002' board_serial: BSS-0123456789 cpu: cores: 12 mhz: 2896.127 name: Intel(R) Core(TM) i7-8750H CPU @ 2.20GHz ram: free: 5844192 total: 16263580 usage: 65 scan: id: 2069790203 time: '2019-12-03T08:38:21Z' failed_items: [] total_affected_items: 3 total_failed_items: 0 message: "All specified syscollector information was returned" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /experimental/syscollector/netaddr: get: tags: - Experimental summary: "Get agents netaddr" description: "Return all agents (or a list of them) IPv4 and IPv6 addresses associated to their network interfaces. 
This information includes the IP protocol used, interface and IP address, among others" operationId: api.controllers.experimental_controller.get_network_address_info x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/syscollector:read' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/agents_list' - $ref: '#/components/parameters/offset' - $ref: '#/components/parameters/limit' - $ref: '#/components/parameters/sort' - $ref: '#/components/parameters/search' - $ref: '#/components/parameters/select' - $ref: '#/components/parameters/proto' - $ref: '#/components/parameters/address' - $ref: '#/components/parameters/broadcast' - $ref: '#/components/parameters/netmask' responses: '200': description: "Return a list of agent's network results" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/AllItemsResponseSyscollectorNetwork' example: data: affected_items: - address: 172.23.0.3 agent_id: '000' broadcast: 172.23.255.255 iface: eth0 netmask: 255.255.0.0 proto: ipv4 scan: id: 1921972007 - address: 172.23.0.6 agent_id: '001' broadcast: 172.23.255.255 iface: eth0 netmask: 255.255.0.0 proto: ipv4 scan: id: 1704225423 - address: 172.23.0.7 agent_id: '002' broadcast: 172.23.255.255 iface: eth0 netmask: 255.255.0.0 proto: ipv4 scan: id: 1393900138 failed_items: [] total_affected_items: 3 total_failed_items: 0 message: "All specified syscollector information was returned" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /experimental/syscollector/netiface: get: tags: - Experimental summary: "Get agents netiface" description: "Return all agents (or a 
list of them) network interfaces. This information includes rx, scan, tx info and some network information among other" operationId: api.controllers.experimental_controller.get_network_interface_info x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/syscollector:read' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/agents_list' - $ref: '#/components/parameters/offset' - $ref: '#/components/parameters/limit' - $ref: '#/components/parameters/sort' - $ref: '#/components/parameters/search' - $ref: '#/components/parameters/select' - $ref: '#/components/parameters/name' - $ref: '#/components/parameters/adapter' - $ref: '#/components/parameters/type_syscollector' - $ref: '#/components/parameters/state' - $ref: '#/components/parameters/mtu' - $ref: '#/components/parameters/tx.packets' - $ref: '#/components/parameters/rx.packets' - $ref: '#/components/parameters/tx.bytes' - $ref: '#/components/parameters/rx.bytes' - $ref: '#/components/parameters/tx.errors' - $ref: '#/components/parameters/rx.errors' - $ref: '#/components/parameters/tx.dropped' - $ref: '#/components/parameters/rx.dropped' responses: '200': description: "Return a list of agent's network interfaces results" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/AllItemsResponseSyscollectorInterface' example: data: affected_items: - agent_id: '000' mac: 02:42:ac:17:00:03 mtu: 1500 name: eth0 rx: bytes: 7161 dropped: 0 errors: 0 packets: 58 scan: id: 1921972007 time: '2019-12-03T09:57:04Z' state: up tx: bytes: 115 dropped: 0 errors: 0 packets: 2 type: ethernet - agent_id: '001' mac: 02:42:ac:17:00:06 mtu: 1500 name: eth0 rx: bytes: 868555 dropped: 0 errors: 0 packets: 1037 scan: id: 1704225423 time: '2019-12-03T09:57:42Z' state: up tx: bytes: 231924 dropped: 0 errors: 0 packets: 910 type: ethernet - agent_id: '002' mac: 
02:42:ac:17:00:07 mtu: 1500 name: eth0 rx: bytes: 876071 dropped: 0 errors: 0 packets: 1152 scan: id: 1393900138 time: '2019-12-03T09:57:43Z' state: up tx: bytes: 232396 dropped: 0 errors: 0 packets: 906 type: ethernet failed_items: [] total_affected_items: 3 total_failed_items: 0 message: "All specified syscollector information was returned" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /experimental/syscollector/netproto: get: tags: - Experimental summary: "Get agents netproto" description: "Return all agents (or a list of them) routing configuration for each network interface. This information includes interface, type protocol information among other" operationId: api.controllers.experimental_controller.get_network_protocol_info x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/syscollector:read' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/agents_list' - $ref: '#/components/parameters/offset' - $ref: '#/components/parameters/limit' - $ref: '#/components/parameters/sort' - $ref: '#/components/parameters/search' - $ref: '#/components/parameters/select' - $ref: '#/components/parameters/iface' - $ref: '#/components/parameters/type_syscollector' - $ref: '#/components/parameters/gateway' - $ref: '#/components/parameters/dhcp' responses: '200': description: "Return a list of agent's network protocol results" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/AllItemsResponseSyscollectorProtocol' example: data: affected_items: - scan: id: 1248412797 iface: eth0 type: ipv4 gateway: 172.24.0.1 dhcp: "enabled" agent_id: '000' - 
scan: id: 1213296763 iface: eth0 type: ipv4 gateway: 172.24.0.1 dhcp: "enabled" agent_id: '001' - scan: id: 341262067 type: ipv4 iface: eth0 dhcp: "enabled" gateway: 172.24.0.1 agent_id: '002' total_affected_items: 3 total_failed_items: 0 failed_items: [] message: "All specified syscollector information was returned" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /experimental/syscollector/os: get: tags: - Experimental summary: "Get agents OS" description: "Return all agents (or a list of them) OS info. This information includes os information, architecture information among other" operationId: api.controllers.experimental_controller.get_os_info x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/syscollector:read' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/agents_list' - $ref: '#/components/parameters/offset' - $ref: '#/components/parameters/limit' - $ref: '#/components/parameters/sort' - $ref: '#/components/parameters/search' - $ref: '#/components/parameters/select' - $ref: '#/components/parameters/os.name' - $ref: '#/components/parameters/architecture' - $ref: '#/components/parameters/os.version' - $ref: '#/components/parameters/version' - $ref: '#/components/parameters/release' responses: '200': description: "Return a list of agent's OS results" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/AllItemsResponseSyscollectorOS' example: data: affected_items: - os: codename: Bionic Beaver major: '18' minor: '04' name: Ubuntu platform: ubuntu version: 18.04.4 LTS (Bionic Beaver) scan: id: 496386874 time: 
'2020-04-15T11:02:03Z' sysname: Linux hostname: wazuh-master version: "#34~1584408018~19.10~21df4b1-Ubuntu SMP Tue Mar 17 13:38:51 UTC " release: 5.3.0-7642-generic architecture: x86_64 agent_id: '000' - os: codename: Xenial Xerus major: '16' minor: '04' name: Ubuntu platform: ubuntu version: 16.04.6 LTS (Xenial Xerus) scan: id: 196194860 time: '2020-04-15T11:02:23Z' sysname: Linux hostname: wazuh-agent1 version: "#34~1584408018~19.10~21df4b1-Ubuntu SMP Tue Mar 17 13:38:51 UTC " release: 5.3.0-7642-generic architecture: x86_64 agent_id: '001' - os: codename: Xenial Xerus major: '16' minor: '04' name: Ubuntu platform: ubuntu version: 16.04.6 LTS (Xenial Xerus) scan: id: 763390318 time: '2020-04-15T11:02:52Z' hostname: wazuh-agent2 release: 5.3.0-7642-generic version: "#34~1584408018~19.10~21df4b1-Ubuntu SMP Tue Mar 17 13:38:51 UTC " architecture: x86_64 sysname: Linux agent_id: '002' total_affected_items: 3 total_failed_items: 0 failed_items: [] message: "All specified syscollector information was returned" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /experimental/syscollector/packages: get: tags: - Experimental summary: "Get agents packages" description: "Return all agents (or a list of them) packages info. 
This information includes name, section, size, and priority information of all packages among other" operationId: api.controllers.experimental_controller.get_packages_info x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/syscollector:read' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/agents_list' - $ref: '#/components/parameters/offset' - $ref: '#/components/parameters/limit' - $ref: '#/components/parameters/sort' - $ref: '#/components/parameters/search' - $ref: '#/components/parameters/select' - $ref: '#/components/parameters/vendor' - $ref: '#/components/parameters/name' - $ref: '#/components/parameters/architecture' - $ref: '#/components/parameters/file_format' - $ref: '#/components/parameters/package_version' responses: '200': description: "Return a list of agent's packages results" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/AllItemsResponseSyscollectorPackages' example: data: affected_items: - scan: id: 1137251326 time: '2020-04-15T11:02:03Z' name: libquadmath0 size: 269 version: 8.4.0-1ubuntu1~18.04 source: gcc-8 format: deb section: libs architecture: amd64 multiarch: same description: GCC Quad-Precision Math Library priority: optional vendor: Ubuntu Core developers agent_id: '000' - scan: id: 1137251326 time: '2020-04-15T11:02:03Z' name: libnpth0 size: 32 version: 1.5-3 source: npth format: deb section: libs architecture: amd64 multiarch: same description: replacement for GNU Pth using system threads priority: optional vendor: Ubuntu Developers agent_id: '000' - scan: id: 1137251326 time: '2020-04-15T11:02:03Z' name: fdisk size: 427 version: 2.31.1-0.4ubuntu3.5 source: util-linux format: deb section: utils architecture: amd64 multiarch: foreign description: collection of partitioning utilities priority: important vendor: Ubuntu Developers agent_id: '000' 
total_affected_items: 3 total_failed_items: 0 failed_items: [] message: "All specified syscollector information was returned" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /experimental/syscollector/ports: get: tags: - Experimental summary: "Get agents ports" description: "Return all agents (or a list of them) ports info. This information includes local IP, Remote IP, protocol information among other" operationId: api.controllers.experimental_controller.get_ports_info x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/syscollector:read' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/agents_list' - $ref: '#/components/parameters/offset' - $ref: '#/components/parameters/limit' - $ref: '#/components/parameters/sort' - $ref: '#/components/parameters/search' - $ref: '#/components/parameters/select' - $ref: '#/components/parameters/pid' - $ref: '#/components/parameters/protocol' - $ref: '#/components/parameters/local.ip' - $ref: '#/components/parameters/local.port' - $ref: '#/components/parameters/remote.ip' - $ref: '#/components/parameters/tx_queue' - $ref: '#/components/parameters/state' - $ref: '#/components/parameters/process' responses: '200': description: "Return a list of agent's packages results" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/AllItemsResponseSyscollectorPorts' example: data: affected_items: - local: ip: 127.0.0.11 port: 46841 remote: ip: 0.0.0.0 port: 0 scan: id: 315935312 time: '2020-04-15T11:02:07Z' rx_queue: 0 state: listening protocol: tcp inode: 12387152 tx_queue: 0 agent_id: '000' - local: ip: 
0.0.0.0 port: 1514 remote: ip: 0.0.0.0 port: 0 scan: id: 315935312 time: '2020-04-15T11:02:07Z' rx_queue: 0 state: listening protocol: tcp inode: 12397927 tx_queue: 0 agent_id: '000' - local: ip: 0.0.0.0 port: 1515 remote: ip: 0.0.0.0 port: 0 scan: id: 315935312 time: '2020-04-15T11:02:07Z' rx_queue: 0 state: listening protocol: tcp inode: 12397153 tx_queue: 0 agent_id: '000' total_affected_items: 3 total_failed_items: 0 failed_items: [] message: "All specified syscollector information was returned" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /experimental/syscollector/processes: get: tags: - Experimental summary: "Get agents processes" description: "Return all agents (or a list of them) processes info" operationId: api.controllers.experimental_controller.get_processes_info x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/syscollector:read' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/agents_list' - $ref: '#/components/parameters/offset' - $ref: '#/components/parameters/limit' - $ref: '#/components/parameters/sort' - $ref: '#/components/parameters/search' - $ref: '#/components/parameters/select' - $ref: '#/components/parameters/process_pid' - $ref: '#/components/parameters/process_state' - $ref: '#/components/parameters/ppid' - $ref: '#/components/parameters/egroup' - $ref: '#/components/parameters/euser' - $ref: '#/components/parameters/fgroup' - $ref: '#/components/parameters/process_name' - $ref: '#/components/parameters/nlwp' - $ref: '#/components/parameters/pgrp' - $ref: '#/components/parameters/priority' - $ref: '#/components/parameters/rgroup' - $ref: '#/components/parameters/ruser' - $ref: 
'#/components/parameters/sgroup' - $ref: '#/components/parameters/suser' responses: '200': description: "Return a list of agent's processes results" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/AllItemsResponseSyscollectorProcesses' example: data: affected_items: - scan: id: 28643647 time: '2020-04-15T11:02:07Z' name: bash suser: root nlwp: 1 pgrp: 1 state: S session: 1 utime: 23 egroup: root ruser: root argvs: "/scripts/entrypoint.sh,wazuh-master,master-node,master" size: 4593 euser: root processor: 3 resident: 793 tty: 0 nice: 0 pid: '1' vm_size: 18372 sgroup: root rgroup: root fgroup: root start_time: 1093372 tgid: 1 stime: 1 ppid: 0 share: 726 priority: 20 cmd: bash agent_id: '000' - scan: id: 28643647 time: '2020-04-15T11:02:07Z' name: wazuh-control suser: root nlwp: 1 pgrp: 1 state: S session: 1 utime: 0 egroup: root ruser: root argvs: "/var/ossec/bin/wazuh-control,restart" size: 1156 euser: root processor: 6 resident: 457 tty: 0 nice: 0 pid: '15' vm_size: 4624 sgroup: root rgroup: root fgroup: root start_time: 1093547 tgid: 15 stime: 3 ppid: 1 share: 417 priority: 20 cmd: "/bin/sh" agent_id: '000' total_affected_items: 2 total_failed_items: 0 failed_items: [] message: "All specified syscollector information was returned" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /experimental/syscollector/hotfixes: get: tags: - Experimental summary: "Get agents hotfixes" description: "Return all agents (or a list of them) hotfixes info" operationId: api.controllers.experimental_controller.get_hotfixes_info x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/syscollector:read' parameters: - $ref: 
'#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/agents_list' - $ref: '#/components/parameters/offset' - $ref: '#/components/parameters/limit' - $ref: '#/components/parameters/sort' - $ref: '#/components/parameters/search' - $ref: '#/components/parameters/select' - $ref: '#/components/parameters/hotfix' responses: '200': description: "Return a list of agent's hotfix results" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/AllItemsResponseSyscollectorHotfixes' example: data: affected_items: - hotfix: 'KB2978691' scan: id: 1708048540 time: '2019-10-30T16:09:35Z' - hotfix: 'KC2978693' scan: id: 1708048541 time: '2019-10-30T16:19:39Z' total_affected_items: 2 total_failed_items: 0 failed_items: [] message: "All specified syscollector information was returned" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /syscollector/{agent_id}/hardware: get: tags: - Syscollector summary: "Get agent hardware" description: "Return the agent's hardware info. 
This information include cpu, ram, scan info among others" operationId: api.controllers.syscollector_controller.get_hardware_info x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/syscollector:read' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/agent_id' - $ref: '#/components/parameters/select' responses: '200': description: "Return a list of agent's hardware results" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/AllItemsResponseSyscollectorHardware' example: data: affected_items: - cpu: cores: 4 mhz: 1101 name: "Intel(R) Core(TM) i5-7600K CPU @ 3.80GHz" ram: free: 12401548 total: 32852420 usage: 63 scan: id: 0 time: "2021-05-28T12:16:14Z" board_serial: "HA16934652" agent_id: "001" total_affected_items: 1 total_failed_items: 0 failed_items: [] message: "All specified syscollector information was returned" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /syscollector/{agent_id}/hotfixes: get: tags: - Syscollector summary: "Get agent hotfixes" description: "Return all hotfixes installed by Microsoft(R) in Windows(R) systems (KB... 
fixes)" operationId: api.controllers.syscollector_controller.get_hotfix_info x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/syscollector:read' parameters: - $ref: '#/components/parameters/agent_id' - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/offset' - $ref: '#/components/parameters/limit' - $ref: '#/components/parameters/sort' - $ref: '#/components/parameters/search' - $ref: '#/components/parameters/select' - $ref: '#/components/parameters/hotfix' - $ref: '#/components/parameters/query' - $ref: '#/components/parameters/distinct' responses: '200': description: "Return an agent's hotfix results" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/AllItemsResponseSyscollectorHotfixes' example: data: affected_items: - hotfix: 'KB2978691' scan: id: 1708048540 time: '2019-10-30T16:09:35Z' total_affected_items: 1 total_failed_items: 0 failed_items: [] message: "All specified syscollector information was returned" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /syscollector/{agent_id}/netaddr: get: tags: - Syscollector summary: "Get agent netaddr" description: "Return the agent's network address info. 
This information includes used IP protocol, interface, IP address among others" operationId: api.controllers.syscollector_controller.get_network_address_info x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/syscollector:read' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/agent_id' - $ref: '#/components/parameters/offset' - $ref: '#/components/parameters/limit' - $ref: '#/components/parameters/sort' - $ref: '#/components/parameters/search' - $ref: '#/components/parameters/select' - $ref: '#/components/parameters/iface' - $ref: '#/components/parameters/proto' - $ref: '#/components/parameters/address' - $ref: '#/components/parameters/broadcast' - $ref: '#/components/parameters/netmask' - $ref: '#/components/parameters/query' - $ref: '#/components/parameters/distinct' responses: '200': description: "Return a list of agent's network results" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/AllItemsResponseSyscollectorNetwork' example: data: affected_items: - address: 172.26.0.7 iface: eth0 netmask: 255.255.0.0 broadcast: 172.26.255.255 proto: ipv4 agent_id: '001' total_affected_items: 1 total_failed_items: 0 failed_items: [] message: "All specified syscollector information was returned" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /syscollector/{agent_id}/netiface: get: tags: - Syscollector summary: "Get agent netiface" description: "Return the agent's network interface info. 
This information include rx, scan, tx info and some network information among others" operationId: api.controllers.syscollector_controller.get_network_interface_info x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/syscollector:read' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/agent_id' - $ref: '#/components/parameters/offset' - $ref: '#/components/parameters/limit' - $ref: '#/components/parameters/sort' - $ref: '#/components/parameters/search' - $ref: '#/components/parameters/select' - $ref: '#/components/parameters/name' - $ref: '#/components/parameters/adapter' - $ref: '#/components/parameters/typesys' - $ref: '#/components/parameters/state' - $ref: '#/components/parameters/mtu' - $ref: '#/components/parameters/tx.packets' - $ref: '#/components/parameters/rx.packets' - $ref: '#/components/parameters/tx.bytes' - $ref: '#/components/parameters/rx.bytes' - $ref: '#/components/parameters/tx.errors' - $ref: '#/components/parameters/rx.errors' - $ref: '#/components/parameters/tx.dropped' - $ref: '#/components/parameters/rx.dropped' - $ref: '#/components/parameters/query' - $ref: '#/components/parameters/distinct' responses: '200': description: "Return a list of agent's network interfaces results" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/AllItemsResponseSyscollectorInterface' example: data: affected_items: - rx: bytes: 679529 dropped: 0 errors: 0 packets: 3638 scan: id: 0 time: '2021-05-28T12:16:14Z' tx: bytes: 1326491 dropped: 0 errors: 0 packets: 3828 type: ethernet name: eth0 mtu: 1500 state: up mac: 02:42:ac:18:00:02 agent_id: '001' total_affected_items: 1 total_failed_items: 0 failed_items: [] message: "All specified syscollector information was returned" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: 
'#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /syscollector/{agent_id}/netproto: get: tags: - Syscollector summary: "Get agent netproto" description: "Return the agent's routing configuration for each network interface" operationId: api.controllers.syscollector_controller.get_network_protocol_info x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/syscollector:read' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/agent_id' - $ref: '#/components/parameters/offset' - $ref: '#/components/parameters/limit' - $ref: '#/components/parameters/sort' - $ref: '#/components/parameters/search' - $ref: '#/components/parameters/select' - $ref: '#/components/parameters/iface' - $ref: '#/components/parameters/type_syscollector' - $ref: '#/components/parameters/gateway' - $ref: '#/components/parameters/dhcp' - $ref: '#/components/parameters/query' - $ref: '#/components/parameters/distinct' responses: '200': description: "Return a list of agent's network protocol results" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/AllItemsResponseSyscollectorProtocol' example: data: affected_items: - scan: id: 0 gateway: 172.24.0.1 dhcp: "enabled" iface: eth0 type: ipv4 agent_id: '001' total_affected_items: 1 total_failed_items: 0 failed_items: [] message: "All specified syscollector information was returned" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' 
/syscollector/{agent_id}/os: get: tags: - Syscollector summary: "Get agent OS" description: "Return the agent's OS info. This information includes OS information, architecture information among others" operationId: api.controllers.syscollector_controller.get_os_info x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/syscollector:read' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/agent_id' - $ref: '#/components/parameters/select' responses: '200': description: "Return a list of agent's OS results" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/AllItemsResponseSyscollectorOS' example: data: affected_items: - os: codename: "focal" major: '20' minor: '04' name: Ubuntu platform: ubuntu version: "20.04.2 LTS (Focal Fossa)" scan: id: 0 time: '2021-05-28T12:16:14Z' sysname: Linux release: 5.8.0-45-generic version: "#51~20.04.1-Ubuntu SMP Tue Feb 23 13:46:31 UTC 2021" architecture: x86_64 hostname: wazuh-master agent_id: '001' total_affected_items: 1 total_failed_items: 0 failed_items: [] message: "All specified syscollector information was returned" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /syscollector/{agent_id}/packages: get: tags: - Syscollector summary: "Get agent packages" description: "Return the agent's packages info. 
This information include name, section, size, priority information of all packages among others" operationId: api.controllers.syscollector_controller.get_packages_info x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/syscollector:read' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/agent_id' - $ref: '#/components/parameters/offset' - $ref: '#/components/parameters/limit' - $ref: '#/components/parameters/sort' - $ref: '#/components/parameters/search' - $ref: '#/components/parameters/select' - $ref: '#/components/parameters/vendor' - $ref: '#/components/parameters/name' - $ref: '#/components/parameters/architecture' - $ref: '#/components/parameters/file_format' - $ref: '#/components/parameters/package_version' - $ref: '#/components/parameters/query' - $ref: '#/components/parameters/distinct' responses: '200': description: "Return a list of agent's packages results" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/AllItemsResponseSyscollectorPackages' example: data: affected_items: - scan: id: 0 time: '2021-05-28T11:16:15Z' multiarch: same description: "GCC Quad-Precision Math Library" source: krb5 name: libquadmath0 architecture: amd64 vendor: "Ubuntu Developers " size: 426 format: deb version: "8.4.0-1ubuntu1~18.04" section: libs priority: optional agent_id: '002' - scan: id: 0 time: '2021-05-28T11:16:15Z' multiarch: foreign description: "secure shell (SSH) client, for secure access to remote machines" source: openssh name: openssh-client architecture: amd64 vendor: "Ubuntu Developers " size: 4117 format: deb version: "1:8.2p1-4ubuntu0.2" section: net priority: standard agent_id: '002' - scan: id: 0 time: '2021-05-28T11:16:16Z' description: "Foreign Function Interface for Python calling C code - backend" source: python-cffi name: lpython-cffi-backend architecture: amd64 vendor: 
"Ubuntu Developers " size: 210 format: deb version: "1.14.0-1build1" section: python priority: optional agent_id: '002' total_affected_items: 307 total_failed_items: 0 failed_items: [] message: "All specified syscollector information was returned" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /syscollector/{agent_id}/ports: get: tags: - Syscollector summary: "Get agent ports" description: "Return the agent's ports info. This information includes local IP, remote IP, protocol information among others" operationId: api.controllers.syscollector_controller.get_ports_info x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/syscollector:read' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/agent_id' - $ref: '#/components/parameters/offset' - $ref: '#/components/parameters/limit' - $ref: '#/components/parameters/sort' - $ref: '#/components/parameters/search' - $ref: '#/components/parameters/select' - $ref: '#/components/parameters/pid' - $ref: '#/components/parameters/protocol' - $ref: '#/components/parameters/local.ip' - $ref: '#/components/parameters/local.port' - $ref: '#/components/parameters/remote.ip' - $ref: '#/components/parameters/tx_queue' - $ref: '#/components/parameters/state' - $ref: '#/components/parameters/process' - $ref: '#/components/parameters/query' - $ref: '#/components/parameters/distinct' responses: '200': description: "Return a list of agent's ports results" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/AllItemsResponseSyscollectorPorts' example: data: affected_items: - local: ip: 127.0.0.11 port: 46841 
remote: ip: 0.0.0.0 port: 0 scan: id: 0 time: '2021-05-28T11:16:14Z' inode: 12387152 rx_queue: 0 protocol: tcp pid: 0 tx_queue: 0 agent_id: '001' - local: ip: 0.0.0.0 port: 1514 remote: ip: 0.0.0.0 port: 0 scan: id: 0 time: '2021-05-28T11:16:14Z' state: listening inode: 12397927 rx_queue: 0 protocol: tcp pid: 0 tx_queue: 0 agent_id: '001' - local: ip: 0.0.0.0 port: 1515 remote: ip: 0.0.0.0 port: 0 scan: id: 315935312 time: '2020-04-15T11:02:07Z' state: listening inode: 12397153 rx_queue: 0 protocol: tcp tx_queue: 0 agent_id: '001' total_affected_items: 3 total_failed_items: 0 failed_items: [] message: "All specified syscollector information was returned" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /syscollector/{agent_id}/processes: get: tags: - Syscollector summary: "Get agent processes" description: "Return the agent's processes info" operationId: api.controllers.syscollector_controller.get_processes_info x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/syscollector:read' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/agent_id' - $ref: '#/components/parameters/offset' - $ref: '#/components/parameters/limit' - $ref: '#/components/parameters/sort' - $ref: '#/components/parameters/search' - $ref: '#/components/parameters/select' - $ref: '#/components/parameters/process_pid' - $ref: '#/components/parameters/process_state' - $ref: '#/components/parameters/ppid' - $ref: '#/components/parameters/egroup' - $ref: '#/components/parameters/euser' - $ref: '#/components/parameters/fgroup' - $ref: '#/components/parameters/process_name' - $ref: '#/components/parameters/nlwp' - $ref: '#/components/parameters/pgrp' - $ref: 
'#/components/parameters/priority' - $ref: '#/components/parameters/rgroup' - $ref: '#/components/parameters/ruser' - $ref: '#/components/parameters/sgroup' - $ref: '#/components/parameters/suser' - $ref: '#/components/parameters/query' - $ref: '#/components/parameters/distinct' responses: '200': description: "Return a list of agent's processes results" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/AllItemsResponseSyscollectorProcesses' example: data: affected_items: - scan: id: 0 time: '2021-05-28T12:16:15Z' nice: 0 name: "bash" resident: 788 egroup: "root" sgroup: "root" euser: "root" size: 996 tgid: 1 share: 729 rgroup: "root" argvs: "/scripts/entrypoint.sh nginx-lb 4.4" start_time: 1217866 stime: 0 vm_size: 3984 priority: 20 utime: 2 nlwp: 1 session: 1 processor: 2 pgrp: 1 suser: "root" state: "S" ppid: 0 cmd: "bash" tty: 0 pid: "1" fgroup: "root" ruser: "root" agent_id: "001" total_affected_items: 2 total_failed_items: 0 failed_items: [] message: "All specified syscollector information was returned" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /security/user/authenticate: post: tags: - Security summary: "Login" description: "This method should be called to get an API token. This token will expire after auth_token_exp_timeout seconds (default: 900). 
This value can be changed using PUT /security/config; doing so revokes every previously issued token. Credentials are sent as HTTP Basic authentication, so only call this endpoint over HTTPS with certificate verification enabled" operationId: api.controllers.security_controller.login_user parameters: - $ref: '#/components/parameters/raw' security: - basicAuth: [] responses: '200': description: "Login successful" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/Token' example: data: token: "" error: 0 text/plain: schema: type: string example: "" '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/InvalidCredentialsResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' get: tags: - Security summary: "Login" deprecated: true description: "Deprecated, use POST /security/user/authenticate instead. This method should be called to get an API token. This token will expire after auth_token_exp_timeout seconds (default: 900). This value can be changed using PUT /security/config" operationId: api.controllers.security_controller.deprecated_login_user parameters: - $ref: '#/components/parameters/raw' security: - basicAuth: [] responses: '200': description: "Login successful" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/Token' example: data: token: "" error: 0 text/plain: schema: type: string example: "" '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/InvalidCredentialsResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' delete: tags: - Security summary: "Logout current user" description: "This method should be called to invalidate all the current user's tokens. Only the current user's tokens are affected; use PUT /security/user/revoke to revoke every active token" operationId: api.controllers.security_controller.logout_user responses: '200': description: "Logout successful" content: application/json: schema: $ref: '#/components/schemas/ApiResponse' example: data: message: "User 
wazuh was successfully logged out" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /security/user/authenticate/run_as: post: tags: - Security summary: "Login auth_context" description: "This method should be called to get an API token using an authorization context body. Only users whose allow_run_as flag is enabled (see PUT /security/users/{user_id}/run_as) can log in this way. This token will expire after auth_token_exp_timeout seconds (default: 900). This value can be changed using PUT /security/config" operationId: api.controllers.security_controller.run_as_login parameters: - $ref: '#/components/parameters/raw' security: - basicAuth: [] requestBody: content: application/json: schema: type: object example: name: "Initial_auth" auth: name: "Wazuh" office: - "20" - "21" - "30" responses: '200': description: "Login successful" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/Token' example: data: token: "" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/InvalidCredentialsResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '413': $ref: '#/components/responses/RequestTooLargeResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /security/users/me: get: tags: - Security summary: "Get current user info" description: "Get the information of the current user" operationId: api.controllers.security_controller.get_user_me parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' responses: '200': description: "Information about current user" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: 
'#/components/schemas/AllItemsResponseUsers' example: data: affected_items: - id: 1 username: wazuh allow_run_as: true roles: - id: 1 name: administrator rule: FIND: r'^auth[a-zA-Z]+$': - full_admin policies: - id: 1 name: agents_all_resourceless policy: actions: - agent:create - group:create resources: - "*:*:*" effect: allow - id: 2 name: agents_all_agents policy: actions: - agent:read - agent:delete - agent:modify_group - agent:reconnect - agent:restart - agent:upgrade resources: - agent:id:* - agent:group:* effect: allow total_affected_items: 1 total_failed_items: 0 failed_items: [] message: "Current user information was returned" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /security/users/me/policies: get: tags: - Security summary: "Get current user processed policies" description: "Get the processed policies information for the current user" operationId: api.controllers.security_controller.get_user_me_policies parameters: - $ref: '#/components/parameters/pretty' responses: '200': description: "Information about current user processed policies" content: application/json: schema: $ref: "#/components/schemas/ApiResponse" example: data: syscheck:run: agent:id:*: allow syscollector:read: agent:id:*: allow rbac_mode: black message: "Current user processed policies information was returned" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /security/user/revoke: put: tags: - Security summary: "Revoke JWT tokens" description: "This method should be called to revoke all active JWT tokens. This affects every API user, not only the caller, so all clients (including the Wazuh WUI) must authenticate again afterwards. To invalidate only your own tokens use DELETE /security/user/authenticate" operationId: 
api.controllers.security_controller.revoke_all_tokens responses: '200': description: "Tokens were successfully revoked" content: application/json: schema: type: object example: message: "Tokens were successfully revoked" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /security/users/{user_id}/run_as: put: tags: - Security summary: "Enable/Disable run_as" description: "Modify a user's allow_run_as flag by specifying their ID. This flag controls whether the user may obtain tokens through POST /security/user/authenticate/run_as with an authorization context" operationId: api.controllers.security_controller.edit_run_as x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/security:edit_run_as' parameters: - $ref: '#/components/parameters/user_id_required' - $ref: '#/components/parameters/allow_run_as' - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' responses: '200': description: "User's flag changed successfully" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/AllItemsResponseUsers' example: data: affected_items: - id: 1 username: wazuh allow_run_as: true roles: - 1 total_affected_items: 1 total_failed_items: 0 failed_items: [] message: "Parameter allow_run_as has been enabled for the user" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '406': $ref: '#/components/responses/WrongContentTypeResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /security/actions: get: tags: - Security summary: 'List RBAC actions' description: 'Get all RBAC actions, including the potential related resources and endpoints.' 
operationId: api.controllers.security_controller.get_rbac_actions parameters: - $ref: '#/components/parameters/endpoint' - $ref: '#/components/parameters/pretty' responses: '200': description: "Return a list of RBAC actions" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object example: active-response:command: description: Allow to execute active response commands in the agents resources: - "agent:id" example: actions: - active-response:command resources: - agent:id:001 effect: allow related_endpoints: - PUT /active-response agent:create: description: Create new agents resources: - "*:*" example: actions: - agent:create resources: - "*:*:*" effect: allow related_endpoints: - POST /agents - POST /agents/insert - POST /agents/insert/quick '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /security/resources: get: tags: - Security summary: 'List RBAC resources' description: 'This method should be called to get all current defined RBAC resources.' operationId: api.controllers.security_controller.get_rbac_resources parameters: - $ref: '#/components/parameters/resource_list' - $ref: '#/components/parameters/pretty' responses: '200': description: "Return all RBAC resources" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object example: data: "*:*": description: "Resource applied in functions acting on resources that do not yet exist in the system. We call these functions, resourceless functions" "agent:group": description: "Reference agents via group name (i.e. agent:group:web)" "agent:id": description: "Reference agents via agent ID (i.e. agent:id:001)" "group:id": description: "Reference agent groups via group ID (i.e. 
group:id:default)" "node:id": description: "Reference cluster nodes via node ID (i.e. node:id:worker1)" "decoder:file": description: "Reference decoder files via its path (i.e. decoder:file:0005-wazuh_decoders.xml)" "list:file": description: "Reference list files via its filename (i.e. list:file:audit-keys)" "rule:file": description: "Reference rule files via its path (i.e. rule:file:0610-win-ms_logs_rules.xml)" "policy:id": description: "Reference security policies via its id (i.e. policy:id:1)" "role:id": description: "Reference security roles via its id (i.e. role:id:1)" "rule:id": description: "Reference security rules via its id (i.e. rule:id:1)" "user:id": description: "Reference security users via its id (i.e. user:id:1)" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /security/users: get: tags: - Security summary: "List users" description: "Get the information of a specified user" operationId: api.controllers.security_controller.get_users x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/security:read' parameters: - $ref: '#/components/parameters/user_ids' - $ref: '#/components/parameters/limit' - $ref: '#/components/parameters/offset' - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/search' - $ref: '#/components/parameters/select' - $ref: '#/components/parameters/sort' - $ref: '#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/query' - $ref: '#/components/parameters/distinct' responses: '200': description: "Information about user" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/AllItemsResponseUsers' example: data: affected_items: - id: 3 username: 
administrator allow_run_as: true roles: - 2 - id: 4 username: guest allow_run_as: false roles: [] - id: 5 username: normal allow_run_as: false roles: - 4 - 5 - 6 - id: 6 username: ossec allow_run_as: true roles: - 2 - 5 - username: python allow_run_as: true roles: [] - id: 7 username: rbac allow_run_as: false roles: - 3 - 4 - 5 - id: 1 username: wazuh allow_run_as: true roles: - 1 - id: 2 username: wazuh-wui allow_run_as: true roles: [] total_affected_items: 8 total_failed_items: 0 failed_items: [] message: "All specified users were returned" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' post: tags: - Security summary: "Add user" description: "Add a new API user to the system" operationId: api.controllers.security_controller.create_user x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/security:create_user' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' requestBody: content: application/json: schema: type: object properties: username: type: string minLength: 4 maxLength: 64 format: names password: type: string format: password required: - username - password responses: '200': description: "User created successfully" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/AllItemsResponseUsers' example: data: affected_items: - id: 100 username: TestWazuh allow_run_as: false roles: [] total_affected_items: 1 total_failed_items: 0 failed_items: [] message: "User was successfully created" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '405': $ref: 
'#/components/responses/InvalidHTTPMethodResponse' '406': $ref: '#/components/responses/WrongContentTypeResponse' '413': $ref: '#/components/responses/RequestTooLargeResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' delete: tags: - Security summary: "Delete users" description: "Delete a list of users by specifying their IDs" operationId: api.controllers.security_controller.delete_users x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/security:delete' parameters: - $ref: '#/components/parameters/user_ids_delete' - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' responses: '200': description: "User deleted successful" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/AllItemsResponseUsers' example: data: affected_items: - id: 100 username: new_user allow_run_as: false roles: [] - id: 102 username: another_user allow_run_as: true roles: - 6 total_affected_items: 2 total_failed_items: 0 failed_items: [] message: "Users were successfully deleted" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '406': $ref: '#/components/responses/WrongContentTypeResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /security/users/{user_id}: put: tags: - Security summary: "Update users" description: "Modify a user's password by specifying their ID" operationId: api.controllers.security_controller.update_user x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/security:update' parameters: - $ref: '#/components/parameters/user_id_required' - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' requestBody: content: application/json: schema: type: object properties: password: type: string format: password responses: '200': description: "User 
updated successful" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/AllItemsResponseUsers' example: data: affected_items: - id: 100 username: wazuh-test allow_run_as: false roles: - 2 total_affected_items: 1 total_failed_items: 0 failed_items: [] message: "User was successfully updated" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '406': $ref: '#/components/responses/WrongContentTypeResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /security/roles: get: tags: - Security summary: "List roles" description: "For a specific list, indicate the ids separated by commas. Example: ?role_ids=1,2,3" operationId: api.controllers.security_controller.get_roles x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/security:read' parameters: - $ref: '#/components/parameters/role_ids' - $ref: '#/components/parameters/limit' - $ref: '#/components/parameters/offset' - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/search' - $ref: '#/components/parameters/select' - $ref: '#/components/parameters/sort' - $ref: '#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/query' - $ref: '#/components/parameters/distinct' responses: '200': description: "Return a list of roles" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/AllItemsResponseRoles' example: data: affected_items: - id: 1 name: 'administrator' policies: - 1 - 2 - 3 - 6 - 7 - 8 - 29 - 30 - 12 - 14 - 15 - 18 - 19 - 21 - 23 - 24 - 16 - 25 - 27 - 28 - 33 - 34 - 35 users: - 1 - 2 rules: - 1 - 2 - id: 2 name: 'readonly' policies: - 4 - 5 - 12 - 31 - 32 - 13 - 17 - 20 - 22 - 16 - 25 - 26 - 28 - 35 users: [] rules: [] total_affected_items: 7 
total_failed_items: 0 failed_items: [] message: "All specified roles were returned" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' post: tags: - Security summary: "Add role" description: "Add a new role, all fields need to be specified" operationId: api.controllers.security_controller.add_role x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/security:create' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' requestBody: content: application/json: schema: $ref: '#/components/schemas/RolesRequest' example: name: "normal" responses: '200': description: "Return the information of the new role" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/AllItemsResponseRoles' example: data: affected_items: - id: 100 name: TestWazuhRole policies: [] users: [] rules: [] total_affected_items: 1 total_failed_items: 0 failed_items: [] message: "Role was successfully created" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '406': $ref: '#/components/responses/WrongContentTypeResponse' '413': $ref: '#/components/responses/RequestTooLargeResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' delete: tags: - Security summary: "Delete roles" description: "Policies linked to roles are not going to be removed" operationId: api.controllers.security_controller.remove_roles x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/security:delete' parameters: - $ref: 
'#/components/parameters/role_ids_delete' - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' responses: '200': description: "Remove result" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/AllItemsResponseRoles' example: data: affected_items: - id: 4 name: administrator policies: - 4 - 5 rules: - 8 users: - 101 - 104 total_affected_items: 1 total_failed_items: 0 failed_items: [] message: All specified roles were deleted error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /security/roles/{role_id}: put: tags: - Security summary: "Update role" description: "Modify a role, cannot modify associated policies in this endpoint, at least one property must be indicated" operationId: api.controllers.security_controller.update_role x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/security:update' parameters: - $ref: '#/components/parameters/role_id' - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' requestBody: content: application/json: schema: $ref: '#/components/schemas/RolesRequest_no_required' example: name: "normal" responses: '200': description: "Information of role modified" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/AllItemsResponseRoles' example: data: affected_items: - id: 5 name: normal8 policies: [] rules: - 100 users: [] total_affected_items: 1 total_failed_items: 0 failed_items: [] message: "Role was successfully updated" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: 
'#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '406': $ref: '#/components/responses/WrongContentTypeResponse' '413': $ref: '#/components/responses/RequestTooLargeResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /security/rules: get: tags: - Security summary: "List security rules" description: "Get a list of security rules from the system or all of them. These rules must be mapped with roles to obtain certain access privileges. For a specific list, indicate the ids separated by commas. Example: ?rule_ids=1,2,3" operationId: api.controllers.security_controller.get_rules x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/security:read' parameters: - $ref: '#/components/parameters/security_rule_ids' - $ref: '#/components/parameters/limit' - $ref: '#/components/parameters/offset' - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/search' - $ref: '#/components/parameters/select' - $ref: '#/components/parameters/sort' - $ref: '#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/query' - $ref: '#/components/parameters/distinct' responses: '200': description: "Return a list of security rules" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/AllItemsResponseRoles' example: data: affected_items: - id: 1 name: wui_elastic_admin rule: FIND: username: elastic roles: - 1 - id: 2 name: wui_opendistro_admin rule: FIND: username: admin roles: - 1 total_affected_items: 2 total_failed_items: 0 failed_items: [] message: "All specified security rules were returned" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: 
'#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' post: tags: - Security summary: "Add security rule" description: "Add a new security rule" operationId: api.controllers.security_controller.add_rule x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/security:create' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' requestBody: content: application/json: schema: $ref: '#/components/schemas/SecurityRulesRequest' example: name: "New_Rule" rule: MATCH: definition: "normalRule" responses: '200': description: "Return the information of the new security rule" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/AllItemsResponseRoles' example: data: affected_items: - id: 100 name: "TestWazuhRule" rule: MATCH: definition: "test_rule" roles: [] total_affected_items: 1 total_failed_items: 0 failed_items: [] message: "Security rule was successfully created" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '406': $ref: '#/components/responses/WrongContentTypeResponse' '413': $ref: '#/components/responses/RequestTooLargeResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' delete: tags: - Security summary: "Delete security rules" description: "Delete a list of security rules or all security rules in the system, roles linked to rules are not going to be deleted" operationId: api.controllers.security_controller.remove_rules x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/security:delete' parameters: - $ref: '#/components/parameters/security_rule_ids_delete' - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' responses: 
'200': description: "Remove result" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/AllItemsResponseRoles' example: data: affected_items: - id: 100 name: "TestWazuhRule" rule: MATCH: definition: "test_rule" roles: [] total_affected_items: 1 total_failed_items: 0 failed_items: [] message: "All specified security rules were deleted" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /security/rules/{rule_id}: put: tags: - Security summary: "Update security rule" description: "Modify a security rule by specifying its ID" operationId: api.controllers.security_controller.update_rule x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/security:update' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/security_rule_id' requestBody: content: application/json: schema: $ref: '#/components/schemas/SecurityRulesRequest_no_required' example: name: "new_name" rule: MATCH: definition: "normalRule" responses: '200': description: "Security rule updated successfully" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/AllItemsResponseUsers' example: data: affected_items: - id: 100 name: "TestWazuhRule" rule: MATCH: definition: "test_rule_updated" roles: [] total_affected_items: 1 total_failed_items: 0 failed_items: [] message: "Security rule was successfully updated" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '406': 
$ref: '#/components/responses/WrongContentTypeResponse' '413': $ref: '#/components/responses/RequestTooLargeResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /security/policies: get: tags: - Security summary: "List policies" description: "Get all policies in the system, including the administrator policy" operationId: api.controllers.security_controller.get_policies x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/security:read' parameters: - $ref: '#/components/parameters/policy_ids_rbac' - $ref: '#/components/parameters/limit' - $ref: '#/components/parameters/offset' - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/search' - $ref: '#/components/parameters/select' - $ref: '#/components/parameters/sort' - $ref: '#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/query' - $ref: '#/components/parameters/distinct' responses: '200': description: "Return a list of policies" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/AllItemsResponsePolicies' example: data: affected_items: - id: 1 name: agents_all_resourceless policy: actions: - "agent:create" - "group:create" resources: - "*:*:*" effect: allow roles: - 1 - 5 - id: 2 name: agents_all_agents policy: actions: - "agent:read" - "agent:delete" - "agent:modify_group" - "agent:reconnect" - "agent:restart" - "agent:upgrade" resources: - "agent:id:*" - "agent:id:*" effect: allow roles: - 1 - 5 total_affected_items: 35 total_failed_items: 0 failed_items: [] message: "All specified policies were returned" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' post: tags: - Security summary: "Add policy" 
description: "Add a new policy. All fields (name, policy.actions, policy.resources and policy.effect) must be specified. The policy is created with no roles linked, so it has no effect until it is attached to a role via POST /security/roles/{role_id}/policies"
allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/AllItemsResponsePolicies' example: data: affected_items: - id: 100 name: "TestWazuhPolicy" policy: actions: - "security:delete" resources: - "user:id:*" effect: deny roles: [] total_affected_items: 1 total_failed_items: 0 failed_items: [] message: "All specified policies were deleted" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /security/policies/{policy_id}: put: tags: - Security summary: "Update policy" description: "Modify a policy, at least one property must be indicated" operationId: api.controllers.security_controller.update_policy x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/security:update' parameters: - $ref: '#/components/parameters/policy_id_rbac' - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' requestBody: content: application/json: schema: $ref: '#/components/schemas/PoliciesRequest_no_required' example: name: 'wazuhPolicy' policy: actions: - "agent:delete" resources: - "agent:id:001" - "agent:id:002" - "agent:id:003" effect: 'allow' responses: '200': description: "Information of policy modified" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/AllItemsResponsePolicies' example: data: affected_items: - id: 100 name: TestWazuhPolicy policy: actions: - "security:delete" resources: - "user:id:*" effect: deny roles: [] total_affected_items: 1 total_failed_items: 0 failed_items: [] message: "Policy was successfully updated" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' 
'403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '406': $ref: '#/components/responses/WrongContentTypeResponse' '413': $ref: '#/components/responses/RequestTooLargeResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /security/users/{user_id}/roles: post: tags: - Security summary: "Add roles to user" description: "Create a specified relation role-policy, one user may have multiples roles" operationId: api.controllers.security_controller.set_user_role x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/security:update' parameters: - $ref: '#/components/parameters/user_id_required' - $ref: '#/components/parameters/role_ids_required' - $ref: '#/components/parameters/security_position' - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' responses: '200': description: "Role information" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/AllItemsResponseUsers' example: data: affected_items: - id: 100 username: TestWazuhUsername allow_run_as: false roles: - 1 total_affected_items: 1 total_failed_items: 0 failed_items: [] message: "All roles were linked to TestWazuhUsername" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' delete: tags: - Security summary: "Remove roles from user" description: "Delete a specified relation user-roles" operationId: api.controllers.security_controller.remove_user_role x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/security:delete' parameters: - $ref: '#/components/parameters/user_id_required' - $ref: '#/components/parameters/role_ids_delete' - $ref: 
'#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' responses: '200': description: "Role information" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/AllItemsResponseUsers' example: data: affected_items: - id: 100 username: TestWazuhUsername allow_run_as: false roles: [] total_affected_items: 1 total_failed_items: 0 failed_items: [] message: "All roles were unlinked from user TestWazuhUsername" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /security/roles/{role_id}/policies: post: tags: - Security summary: "Add policies to role" description: "Create a specified relation role-policy, one role may have multiples policies" operationId: api.controllers.security_controller.set_role_policy x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/security:update' parameters: - $ref: '#/components/parameters/role_id' - $ref: '#/components/parameters/policy_ids_rbac_required' - $ref: '#/components/parameters/security_position' - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' responses: '200': description: "Role information" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' example: data: affected_items: - id: 100 name: TestWazuhRole policies: - 100 users: [] rules: [] total_affected_items: 2 total_failed_items: 0 failed_items: [] message: "All policies were linked to role 100" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: 
'#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' delete: tags: - Security summary: "Remove policies from role" description: "Delete a specified relation role-policy" operationId: api.controllers.security_controller.remove_role_policy x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/security:delete' parameters: - $ref: '#/components/parameters/role_id' - $ref: '#/components/parameters/policy_ids_rbac_delete' - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' responses: '200': description: "Role information" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' example: data: affected_items: - id: 100 name: TestWazuhRole policies: [] users: [] rules: [] total_affected_items: 2 total_failed_items: 0 failed_items: [] message: "All policies were unlinked from role 100" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /security/roles/{role_id}/rules: post: tags: - Security summary: "Add security rules to role" description: "Create a specific role-rule relation. 
One role may have multiple security rules" operationId: api.controllers.security_controller.set_role_rule x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/security:update' parameters: - $ref: '#/components/parameters/role_id' - $ref: '#/components/parameters/security_rule_ids_required' - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' responses: '200': description: "Role information" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' example: data: affected_items: - id: 100 name: TestWazuhRole policies: [] users: [] rules: - 100 total_affected_items: 1 total_failed_items: 0 failed_items: [] message: "All security rules were linked to role 100" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' delete: tags: - Security summary: "Remove security rules from role" description: "Delete a specific role-rule relation" operationId: api.controllers.security_controller.remove_role_rule x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/security:delete' parameters: - $ref: '#/components/parameters/role_id' - $ref: '#/components/parameters/security_rule_ids_delete' - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' responses: '200': description: "Role information" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' example: data: affected_items: - id: 100 name: TestWazuhRole policies: [] users: [] rules: [] total_affected_items: 2 total_failed_items: 0 failed_items: [] message: "All security rules were unlinked from role 100" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: 
'#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /overview/agents: get: tags: - Overview summary: "Get agents overview" description: "Return a dictionary with a full agents overview" operationId: api.controllers.overview_controller.get_overview_agents x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/agent:read' - $ref: '#/x-rbac-catalog/actions/group:read' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' responses: '200': description: "Overview of agents" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/OverviewAgents' example: data: nodes: - node_name: "worker1" count: 1 - node_name: "worker2" count: 1 - node_name: "master-node" count: 1 groups: - name: "default" count: 6 mergedSum: "9a016508cea1e997ab8569f5cfab30f5" configSum: "ab73af41699f13fdd81903b5f23d8d00" agent_os: - os: name: Ubuntu platform: ubuntu version: "20.04.02 LTS" count: 6 agent_status: active: 6 disconected: 0 never_connected: 0 pending: 0 total: 6 agent_version: - version: "Wazuh v4.3.0" count: 6 last_registered_agent: - os: arch: "x86_64" codename: "Focal Fossa" major: 20 minor: 04 name: Ubuntu platform: ubuntu uname: "Linux |77000bae7bd0 |5.8.0-45-generic |#51~20.04.1-Ubuntu SMP Tue Feb 23 13:46:31 UTC 2021 |x86_64" version: "20.04.02 LTS" node_name: worker1 lastKeepAlive: "2021-05-31T10:56:52Z" configSum: "ab73af41699f13fdd81903b5f23d8d00" status: active ip: "172.18.0.7" group: - default name: "77000bae7bd0" registerIP: "any" dateAdd: "2021-05-31T09:49:28Z" manager: "wazuh-worker1" id: "004" mergedSum: "9a016508cea1e997ab8569f5cfab30f5" version: "Wazuh v4.3.0" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: 
'#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /security/config: get: tags: - Security summary: "Get security config" description: "Return the security configuration in JSON format" operationId: api.controllers.security_controller.get_security_config x-rbac-actions: - $ref: "#/x-rbac-catalog/actions/security:read_config" parameters: - $ref: "#/components/parameters/pretty" - $ref: "#/components/parameters/wait_for_complete" responses: '200': description: "Current security configuration" content: application/json: schema: $ref: "#/components/schemas/ApiResponse" example: data: auth_token_exp_timeout: 900 rbac_mode: white error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' put: tags: - Security summary: "Update security config" description: "Update the security configuration with the data contained in the API request" operationId: api.controllers.security_controller.put_security_config x-rbac-actions: - $ref: "#/x-rbac-catalog/actions/security:update_config" parameters: - $ref: "#/components/parameters/pretty" - $ref: "#/components/parameters/wait_for_complete" requestBody: content: application/json: schema: $ref: "#/components/schemas/SecurityConfiguration" responses: '200': description: 'Configuration successfully updated' content: application/json: schema: type: object example: message: "Configuration was successfully updated" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '406': $ref: '#/components/responses/WrongContentTypeResponse' '413': $ref: 
'#/components/responses/RequestTooLargeResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' delete: tags: - Security summary: "Restore default security config" description: "Replaces the security configuration with the default one. Like any other change to the security configuration, this revokes all previously issued JWT tokens, so a new token must be obtained after this call." operationId: api.controllers.security_controller.delete_security_config x-rbac-actions: - $ref: "#/x-rbac-catalog/actions/security:update_config" parameters: - $ref: "#/components/parameters/pretty" - $ref: "#/components/parameters/wait_for_complete" responses: '200': description: 'Configuration successfully updated' content: application/json: schema: type: object example: message: "Configuration was successfully updated" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /tasks/status: get: tags: - Tasks summary: "List tasks" description: "Returns all available information about the specified tasks" operationId: api.controllers.task_controller.get_tasks_status x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/task:status' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/offset' - $ref: '#/components/parameters/limit' - $ref: '#/components/parameters/query' - $ref: '#/components/parameters/search' - $ref: '#/components/parameters/select' - $ref: '#/components/parameters/sort' - $ref: '#/components/parameters/agents_list' - $ref: '#/components/parameters/tasks_list' - $ref: '#/components/parameters/command' - $ref: '#/components/parameters/node' - $ref: '#/components/parameters/module' - $ref: '#/components/parameters/status' responses: '200': description: "Tasks' status" content: application/json: schema: $ref: '#/components/schemas/ApiResponse' example: data: affected_items: - message: Success agent: 2 task_id: 1 node: worker2 module:
upgrade_module command: upgrade status: In progress create_time: "2020-11-10T11:55:33Z" update_time: "2020-11-10T11:55:36Z" total_affected_items: 1 total_failed_items: 0 failed_items: [] message: "All specified task's status were returned" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /vulnerability: put: tags: - Vulnerability deprecated: true summary: "Run vulnerability detector scan" description: "Run a vulnerability detector scan in all nodes" operationId: api.controllers.vulnerability_controller.run_vulnerability_scan x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/vulnerability:run' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' responses: '200': description: "Run vulnerability detector scan" content: application/json: schema: $ref: '#/components/schemas/ApiResponse' example: data: affected_items: - master-node - worker1 - worker2 total_affected_items: 3 total_failed_items: 0 failed_items: [] message: "A vulnerability detector scan was requested in all nodes" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /vulnerability/{agent_id}: get: tags: - Vulnerability deprecated: true summary: "Get vulnerabilities" description: "Return the vulnerabilities of an agent" operationId: api.controllers.vulnerability_controller.get_vulnerability_agent x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/vulnerability:read' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/agent_id' - $ref: '#/components/parameters/offset' - $ref: '#/components/parameters/limit' - $ref: '#/components/parameters/sort' - $ref: '#/components/parameters/search' - $ref: '#/components/parameters/select' - $ref:
'#/components/parameters/query' - $ref: '#/components/parameters/distinct' - $ref: '#/components/parameters/architecture' - $ref: '#/components/parameters/cve' - $ref: '#/components/parameters/name' - $ref: '#/components/parameters/cve_version' - $ref: '#/components/parameters/cve_type' - $ref: '#/components/parameters/cve_status' - $ref: '#/components/parameters/cve_severity' responses: '200': description: "Get agent vulnerabilities" content: application/json: schema: $ref: '#/components/schemas/ApiResponse' example: data: affected_items: - severity: "High" updated: "2022-01-10" version: "2.34-6ubuntu1.3" type: "PACKAGE" name: "binutils" external_references: ["https://sourceware.org/bugzilla/show_bug.cgi?id=28694","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=161e87d12167b1e36193385485c1f6ce92f74f02","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQBH244M5PV6S6UMHUTCVCWFZDX7Y4M6/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UUHLDDT3HH7YEY6TX7IJRGPJUTNNVEL3/","https://security.netapp.com/advisory/ntap-20220107-0002/","https://nvd.nist.gov/vuln/detail/CVE-2021-45078","http://people.canonical.com/~ubuntu-security/cve/2021/CVE-2021-45078.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45078"] condition: "Package unfixed" detection_time: "2022-03-14T11:04:04Z" cvss3_score: 7.8 published: "2021-12-15" architecture: "amd64" cve: "CVE-2021-45078" status: "VALID" title: "CVE-2021-45078 affects binutils" cvss2_score: 6.8 - severity: "High" updated: "2022-01-10" version: "2.34-6ubuntu1.3" type: "PACKAGE" name: "binutils-common" external_references: 
["https://sourceware.org/bugzilla/show_bug.cgi?id=28694","https://sourceware.org/git/gitweb.cgi?p=binutils-gdb.git;h=161e87d12167b1e36193385485c1f6ce92f74f02","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UQBH244M5PV6S6UMHUTCVCWFZDX7Y4M6/","https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/UUHLDDT3HH7YEY6TX7IJRGPJUTNNVEL3/","https://security.netapp.com/advisory/ntap-20220107-0002/","https://nvd.nist.gov/vuln/detail/CVE-2021-45078","http://people.canonical.com/~ubuntu-security/cve/2021/CVE-2021-45078.html","https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45078"] condition: "Package unfixed" detection_time: "2022-03-14T11:04:04Z" cvss3_score: 7.8 published: "2021-12-15" architecture: "amd64" cve: "CVE-2021-45078" status: "VALID" title: "CVE-2021-45078 affects binutils-common" cvss2_score: 6.8 total_affected_items: 2 total_failed_items: 0 failed_items: [] message: "All selected vulnerabilities were returned" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /vulnerability/{agent_id}/last_scan: get: tags: - Vulnerability deprecated: true summary: "Get last scan datetime" description: "Return when the last full and partial vulnerability scan of a specified agent ended." 
operationId: api.controllers.vulnerability_controller.get_last_scan_agent x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/vulnerability:read' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/agent_id' responses: '200': description: "Scan dates" content: application/json: schema: allOf: - $ref: '#/components/schemas/ApiResponse' - type: object properties: data: $ref: '#/components/schemas/AllItemsResponseLastScan' example: data: affected_items: - last_full_scan: '2021-06-14T07:45:51Z' last_partial_scan: '2021-06-14T10:15:56Z' total_affected_items: 1 total_failed_items: 0 failed_items: [ ] message: Last vulnerability scans of the agent were returned error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /vulnerability/{agent_id}/summary/{field}: get: tags: - Vulnerability deprecated: true summary: "Get agent vulnerabilities' field summary" description: "Return a summary of the vulnerabilities' field of an agent" operationId: api.controllers.vulnerability_controller.get_vulnerabilities_field_summary x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/vulnerability:read' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' - $ref: '#/components/parameters/agent_id' - $ref: '#/components/parameters/vulnerability_field' - $ref: '#/components/parameters/limit' responses: '200': description: "Get agent vulnerabilities' field summary" content: application/json: schema: $ref: '#/components/schemas/ApiResponse' example: data: severity: critical: 8 medium: 3 high: 1 low: 0 error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: 
'#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' /events: post: tags: - Events summary: "Ingest events" description: |- Send security events to analysisd. The endpoint is limited to receiving a max of 30 requests per minute and a max bulk size of 100 events per request. Because everything submitted here is fed to analysisd, grant the `event:ingest` action only to trusted integrations. operationId: api.controllers.event_controller.forward_event x-rbac-actions: - $ref: '#/x-rbac-catalog/actions/event:ingest' parameters: - $ref: '#/components/parameters/pretty' - $ref: '#/components/parameters/wait_for_complete' requestBody: content: application/json: schema: type: object properties: events: description: "Bulk of events (at most 100 per request)" type: array maxItems: 100 items: type: string required: - events example: events: - "Event value 1" - "{\"someKey\": \"Event value 2\"}" responses: '200': description: "Events accepted" content: application/json: schema: $ref: '#/components/schemas/ApiResponse' example: data: affected_items: - "Event value 1" - "{\"someKey\": \"Event value 2\"}" total_affected_items: 2 total_failed_items: 0 failed_items: [] message: "All events were forwarded to analisysd" error: 0 '400': $ref: '#/components/responses/ResponseError' '401': $ref: '#/components/responses/UnauthorizedResponse' '403': $ref: '#/components/responses/PermissionDeniedResponse' '405': $ref: '#/components/responses/InvalidHTTPMethodResponse' '406': $ref: '#/components/responses/WrongContentTypeResponse' '413': $ref: '#/components/responses/RequestTooLargeResponse' '429': $ref: '#/components/responses/TooManyRequestsResponse' externalDocs: description: "Find more about Wazuh API usage" url: 'https://documentation.wazuh.com/4.7/user-manual/api/index.html'