Fleet API vs Fleet UI

Elastic Stack Elasticsearch
1

I have been using the fleet openapi spec (Swagger UI) to programmatically control our agent polices. I have seen 2 issues (I found a work around for one, at a loss for the second).

  1. creating an Endpoint policy ignores the "antivirus_registration" and "popup.*.message" values on POST requests but it does work on subsequent PUT. which is annoying but workable
  2. the "agent" setting block for a policy doesn't seem to appear anywhere. I would like to create policies with
agent:
  monitoring:
    enabled: true
    use_output: default
    namespace: XXX
    logs: true
    metrics: true

via the API but I can't find a way to do so. If I try to include these keys in policy creation I get "definition for this key is missing" errors (I tried "agent" and "monitoring")

1 Like
2

Hi Robert, could you give a few example curl commands to see the query that you tried to run when encountering these issues?

3

When I did a POST to /api/fleet/package_policies referencing a valid policy

with (partially redacted with XXX)

{
		"name": "Endpoint",
		"description": "",
		"namespace": "XXXX",
		"policy_id": "XXXX",
		"enabled": true,
		"output_id": "",
		"inputs": [
			{
			"streams": [],
			"type": "endpoint",
			"config": {
				"artifact_manifest": {
				"value": {
					"schema_version": "v1",
					"manifest_version": "1.0.43",
					"artifacts": {
					"endpoint-trustlist-windows-v1": {
						"relative_url": "/api/fleet/artifacts/endpoint-trustlist-windows-v1/XXX",
						"compression_algorithm": "zlib",
						"decoded_size": 311,
						"decoded_sha256": "XXX",
						"encryption_algorithm": "none",
						"encoded_sha256": "XXX",
						"encoded_size": 153
					},
					"endpoint-eventfilterlist-windows-v1": {
						"relative_url": "/api/fleet/artifacts/endpoint-eventfilterlist-windows-v1/XXX",
						"compression_algorithm": "zlib",
						"decoded_size": 4205,
						"decoded_sha256": "XXX",
						"encryption_algorithm": "none",
						"encoded_sha256": "XXX",
						"encoded_size": 495
					},
					"endpoint-exceptionlist-linux-v1": {
						"relative_url": "/api/fleet/artifacts/endpoint-exceptionlist-linux-v1/XXX",
						"compression_algorithm": "zlib",
						"decoded_size": 14,
						"decoded_sha256": "XXX",
						"encryption_algorithm": "none",
						"encoded_sha256": "XXX",
						"encoded_size": 22
					},
					"endpoint-trustlist-macos-v1": {
						"relative_url": "/api/fleet/artifacts/endpoint-trustlist-macos-v1/XXX",
						"compression_algorithm": "zlib",
						"decoded_size": 14,
						"decoded_sha256": "XXX",
						"encryption_algorithm": "none",
						"encoded_sha256": "XXX",
						"encoded_size": 22
					},
					"endpoint-exceptionlist-macos-v1": {
						"relative_url": "/api/fleet/artifacts/endpoint-exceptionlist-macos-v1/XXX",
						"compression_algorithm": "zlib",
						"decoded_size": 14,
						"decoded_sha256": "XXX",
						"encryption_algorithm": "none",
						"encoded_sha256": "XXX",
						"encoded_size": 22
					},
					"endpoint-trustlist-linux-v1": {
						"relative_url": "/api/fleet/artifacts/endpoint-trustlist-linux-v1/XXX",
						"compression_algorithm": "zlib",
						"decoded_size": 14,
						"decoded_sha256": "XXXX",
						"encryption_algorithm": "none",
						"encoded_sha256": "XXX",
						"encoded_size": 22
					},
					"endpoint-eventfilterlist-linux-v1": {
						"relative_url": "/api/fleet/artifacts/endpoint-eventfilterlist-linux-v1/XXX",
						"compression_algorithm": "zlib",
						"decoded_size": 14,
						"decoded_sha256": "XXX",
						"encryption_algorithm": "none",
						"encoded_sha256": "XXX",
						"encoded_size": 22
					},
					"endpoint-exceptionlist-windows-v1": {
						"relative_url": "/api/fleet/artifacts/endpoint-exceptionlist-windows-v1/XXX",
						"compression_algorithm": "zlib",
						"decoded_size": 14,
						"decoded_sha256": "XXX",
						"encryption_algorithm": "none",
						"encoded_sha256": "XXX",
						"encoded_size": 22
					},
					"endpoint-eventfilterlist-macos-v1": {
						"relative_url": "/api/fleet/artifacts/endpoint-eventfilterlist-macos-v1/XXX",
						"compression_algorithm": "zlib",
						"decoded_size": 14,
						"decoded_sha256": "XXX",
						"encryption_algorithm": "none",
						"encoded_sha256": "XXX",
						"encoded_size": 22
					}
					}
				}
				},
				"policy": {
				"value": {
					"linux": {
					"popup": {
						"malware": {
							"message": "Todyl {action} {filename}",
							"enabled": true
						}
					},
					"malware": {
						"mode": "detect"
					},
					"logging": {
						"file": "info"
					},
					"events": {
						"process": true,
						"file": true,
						"network": true
					}
					},
					"windows": {
					"popup": {
						"malware": {
							"message": "Todyl {action} {filename}",
							"enabled": true
						},
						"ransomware": {
							"message": "Todyl {action} {filename}",
							"enabled": true
						}
					},
					"malware": {
						"mode": "prevent"
					},
					"logging": {
						"file": "info"
					},
					"antivirus_registration": {
						"enabled": true
					},
					"events": {
						"registry": true,
						"process": true,
						"security": true,
						"file": true,
						"dns": true,
						"dll_and_driver_load": true,
						"network": true
					},
					"ransomware": {
						"mode": "prevent",
						"supported": true
					}
					},
					"mac": {
					"popup": {
						"malware": {
						"message": "Todyl {action} {filename}",
						"enabled": true
						}
					},
					"malware": {
						"mode": "prevent"
					},
					"logging": {
						"file": "info"
					},
					"events": {
						"process": true,
						"file": true,
						"network": true
					}
					}
				}
				}
			},
			"enabled": true
			}
		],
		"package": {
			"name": "endpoint",
			"title": "Endpoint Security",
			"version": "1.0.0"
		}
	}

the settings

					"antivirus_registration": {
						"enabled": true
					},
...
					"popup": {
						"malware": {
						"message": "Todyl {action} {filename}",
...

didn't stick. When I Re-Ran the exact same json through a PUT to /api/fleet/package_policies/{{item-ID}} using the item id from the previous response the 2 settings were set.

As for the second half of my question (and the most important part) there doesn't seem to be ANY API to change the agent monitoring settings.

4

okay, I can reproduce 1), raised a bug for Security Solution team here: https://github.com/elastic/kibana/issues/112075

For 2) you can add monitoring to agent policy like this, the openapi spec should be updated.

PUT /api/fleet/agent_policies/id
{
   "name": "monitoring agent policy",
   "description": "",
   "namespace": "default",
   "monitoring_enabled": [
      "logs",
      "metrics"
   ]
}
1 Like
5

I tried this and got a 404:

> curl -s --user 'xxx@todyl.com:xxx' PUT -H 'kbn-xsrf: reporting' -H 'Content-Type: application/json' https://xxx.kb.xxx.aws.found.io:9243/api/fleet/agent_policies/c69e0b50-1276-11ec-bfb3-957669c9ab4e -d @foo.json
{"statusCode":404,"error":"Not Found","message":"Not Found"}

with

{
   "name": "monitoring agent policy",
   "description": "",
   "namespace": "default",
   "monitoring_enabled": [
      "logs",
      "metrics"
   ]
}

I also tried with the "name" value matching the policy name to be sure. Neither worked.

and a policy with

id: c69e0b50-1276-11ec-bfb3-957669c9ab4e
revision: 7
outputs:
  default:
    type: elasticsearch
    hosts:
...
agent:
  monitoring:
    enabled: false
    logs: false
    metrics: false
...

and I confirmed I could do a "GET" on that same url and got the policy json back as expected. We are running v7.14.0. Do we need to upgrade?

6

I think it should be there in 7.14 as well.

Can you try changing your command from PUT to -XPUT?

When you open the UI, do you see Agent monitoring checkboxes when editing an agent policy? It uses the same API to update.

image
image1490×1260 110 KB

1 Like
7

yes, that was indeed it. Thank you!

8

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.