POST /public_api/v1/endpoints/abort_scan
Cancel the scan of selected endpoints. A scan can only be aborted if the selected endpoints are in Pending or In Progress status.
When filtering by multiple fields:
- Response is concatenated using AND condition (OR is not supported).
- Offset is the zero-based number of endpoints from the start of the result set.
Required license: Cortex XDR Prevent, Cortex XDR Pro per Endpoint, or Cortex XDR Pro per GB
CURL
curl -X POST \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  "https://api-yourfqdn/public_api/v1/endpoints/abort_scan" \
  -d '{
    "request_data": {
      "incident_id": "incident_id",
      "filters": [
        {
          "field": "endpoint_id_list",
          "value": ["value", "value"],
          "operator": "in"
        },
        {
          "field": "endpoint_id_list",
          "value": ["value", "value"],
          "operator": "in"
        }
      ]
    }
  }'
Request
Body
optional
Example:
{"request_data":{"filters":"all"}}
request_data
required
A dictionary containing the API request fields.
filters
required
Array
An array of filter fields that selects the endpoints whose scans are canceled.
To cancel the scan of all endpoints, use the value "all".
field
required
String
(Enum)
String that identifies a list the filters match. Filters are based on the following keywords:
endpoint_id_list: List of endpoint IDs.
dist_name: Name of the distribution list.
first_seen: When an endpoint was first seen.
last_seen: When an endpoint was last seen.
ip_list: List of IP addresses.
group_name: Name of endpoint group.
platform: Type of operating system.
alias: Endpoint alias name.
isolate: If an endpoint has been isolated.
hostname: Name of host.
username: Name of user.
Allowed values:
endpoint_id_list
dist_name
first_seen
last_seen
ip_list
group_name
platform
alias
isolate
hostname
username
operator
required
String
(Enum)
String that identifies the comparison operator you want to use for this filter. Valid keywords and values are:
in
  endpoint_id_list, dist_name, group_name, alias, hostname, username: List of strings
  ip_list: List of strings, for example 192.168.5.12
  platform: Permitted values are windows, linux, macos, android
  isolate: Permitted values are isolated or unisolated
  scan_status: Permitted values are none, pending, in_progress, canceled, aborted, pending_cancellation, success, or error
gte / lte
  first_seen and last_seen: Integer in timestamp epoch milliseconds.
Allowed values:
in
gte
lte
value
required
Array of strings
Value that this filter must match. Valid keywords:
first_seen, last_seen: Integer in timestamp epoch milliseconds, UTC timezone
endpoint_id_list, dist_name, hostname, alias, group_name: List of strings
ip_list: List of strings, for example 192.168.5.12
isolate: Permitted values are isolated or unisolated.
platform: Permitted values are windows, linux, macos, or android
incident_id
optional
String
Incident ID.
When included in the request, the Cancel Scan Endpoints action will appear in the Cortex XDR Incident View Timeline tab.
Responses