Open ddribeiro opened 2 months ago
customer-honoria has a workflow where they pull data from the Fleet API into a homegrown system they use for alerting.
Hey @ddribeiro, what's an example when this workflow is used?
My guess: customer-honoria polls the API and the system is built to trigger an event (ex. webhook) if a new failed login activity is found.
If that's close to reality, do you think customer-honoria could use Fleet's activity automations (webhooks) instead of polling the API?
@ddribeiro @pintomi1989 we're not able to take this ask into the upcoming sprint due to capacity but please bring this back if you feel it becomes workflow blocking in the short term. thank you!
Problem
customer-honoria has a workflow where they pull data from the Fleet API into a homegrown system they use for alerting. They are using the API endpoints for Activities, Hosts, Software, Vulnerabilities and would like to only ingest data that is not already in their system. For example, the current response for Activities appears to include all activities that have occurred since the start of a Fleet server. This is a large and continuously growing response to ingest into a system multiple times a day.
What have you tried?
The customer looked for a way they could query the API to respond only with items after a certain date. They were able to find one for the hosts endpoint, but are also ingesting Activities, Software, and Vulnerabilities.
Potential solutions
Limiting results in the API response by date seems like a good way to address this.
Add an `after` parameter to any API endpoint that returns timestamped results, similar to what is already available for the List hosts endpoint.
What is the expected workflow as a result of your proposal?
A Fleet admin would be able to specify an `after` date to limit the results of an API response to include only items that are new since the last time the API was queried. They would then ingest the results into their system, which would only include items that are new since the last time the workflow was run. This makes the workflow more efficient and leaves less to filter on the client side.
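As an added example (not from the issue and not Fleet's own code), here is the kind of client-side incremental filter the requested `after` parameter would replace: it keeps a checkpoint of the newest `created_at` and id already ingested and returns only newer activities. The activity records and field names are constructed; the id tie-break handles items that share a timestamp, which a plain "after this date" filter would otherwise skip or re-ingest.

```python
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Constructed sample of an activities response (not real Fleet data).
# Note that 102 and 103 share the same created_at second.
SAMPLE_ACTIVITIES: List[Dict] = [
    {"id": 101, "created_at": "2024-05-01T10:00:00Z", "type": "user_logged_in"},
    {"id": 102, "created_at": "2024-05-01T10:05:00Z", "type": "user_failed_login"},
    {"id": 103, "created_at": "2024-05-01T10:05:00Z", "type": "user_failed_login"},
    {"id": 104, "created_at": "2024-05-01T10:09:30+00:00", "type": "created_pack"},
]

# Checkpoint persisted between polling runs: (newest created_at seen, id of that item).
Checkpoint = Tuple[datetime, int]


def parse_ts(value: str) -> datetime:
    """Parse an RFC 3339 timestamp into a timezone-aware UTC datetime."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def new_since(activities: List[Dict], checkpoint: Optional[Checkpoint]
              ) -> Tuple[List[Dict], Optional[Checkpoint]]:
    """Return (items newer than checkpoint, updated checkpoint).

    An item is new if its created_at is later than the checkpoint, or equal
    to it with a higher id. Comparing on the date alone would drop a
    same-second item (or re-ingest it if the comparison were inclusive).
    """
    fresh = []
    for item in activities:
        ts = parse_ts(item["created_at"])
        if checkpoint is None:
            fresh.append(item)
            continue
        hw_ts, hw_id = checkpoint
        if ts > hw_ts or (ts == hw_ts and item["id"] > hw_id):
            fresh.append(item)
    # Sort so the ingest order is deterministic and the last item is the new high-water mark.
    fresh.sort(key=lambda a: (parse_ts(a["created_at"]), a["id"]))
    if not fresh:
        return [], checkpoint
    last = fresh[-1]
    return fresh, (parse_ts(last["created_at"]), last["id"])
```
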