POST /public_api/v1/endpoints/isolate
Isolate one or more endpoints in a single request. Request is limited to 1000 endpoints.
Required license: Cortex XDR Prevent or Cortex XDR Pro per Endpoint
CURL
curl -X POST \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  "https://api-yourfqdn/public_api/v1/endpoints/isolate" \
  -d '{
    "request_data": {
      "incident_id": "incident_id",
      "filters": [ {
        "field": "endpoint_id_list",
        "value": [ "value", "value" ],
        "operator": "in"
      } ]
    }
  }'
Request
Body (optional)
Note: You can send a request with either endpoint_id for isolating one endpoint or filters for isolating more than one endpoint. You cannot use both parameters in the same call.
Example:
{"request_data":{"endpoint_id":""}}
request_data (required)
  A dictionary containing the API request fields.

  filters (optional, Array)
    Array of filtered fields for isolating a number of endpoints at once.
    Note: Only required if isolating more than one endpoint.

    field (required, String, Enum)
      Identifies a list the filters match. Filters are based on the following keywords:
        endpoint_id_list: List of endpoint IDs.
      Allowed values: endpoint_id_list

    operator (required, String, Enum)
      Identifies the comparison operator you want to use for this filter. Valid keywords and values are:
        in
          endpoint_id_list: List of strings
      Allowed values: in

    value (required, Array of strings)
      Value that this filter must match. Valid keywords:
        endpoint_id_list: List of strings

  endpoint_id (required, String)
    Identifies the endpoint to isolate.
    Note: Only required if isolating one endpoint.

  incident_id (optional, String)
    The incident ID.
    When included in the request, the Isolate Endpoints action will appear in the Cortex XDR Incident View Timeline tab.
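The following is an added example, not part of the vendor documentation: a helper that turns a list of endpoint IDs into valid request bodies for this call. It never combines endpoint_id with filters and splits large lists at the 1000-endpoint limit. The function name build_isolate_bodies and the sample IDs are hypothetical. The code only builds the JSON and does not send it, and authentication is outside what this page covers.

```python
import json

MAX_ENDPOINTS_PER_REQUEST = 1000  # limit stated on this page


def build_isolate_bodies(endpoint_ids, incident_id=None):
    """Build request bodies for /public_api/v1/endpoints/isolate.

    A body carries either "endpoint_id" (one endpoint) or "filters"
    (several endpoints), never both, and at most 1000 endpoint IDs.
    """
    # Normalise input: reject blanks, strip whitespace, drop duplicates in order.
    seen, ids = set(), []
    for raw in endpoint_ids:
        if not isinstance(raw, str) or not raw.strip():
            raise ValueError(f"invalid endpoint ID: {raw!r}")
        eid = raw.strip()
        if eid not in seen:
            seen.add(eid)
            ids.append(eid)
    if not ids:
        raise ValueError("at least one endpoint ID is required")

    def wrap(fields):
        # incident_id is optional; when set, the action is tied to that incident.
        if incident_id is not None:
            fields = {"incident_id": str(incident_id), **fields}
        return {"request_data": fields}

    bodies = []
    for start in range(0, len(ids), MAX_ENDPOINTS_PER_REQUEST):
        chunk = ids[start:start + MAX_ENDPOINTS_PER_REQUEST]
        if len(chunk) == 1:
            # A single endpoint uses endpoint_id, as the note above requires.
            bodies.append(wrap({"endpoint_id": chunk[0]}))
        else:
            bodies.append(wrap({"filters": [
                {"field": "endpoint_id_list", "operator": "in", "value": chunk}
            ]}))
    return bodies


if __name__ == "__main__":
    # Constructed sample IDs, not real endpoints.
    for body in build_isolate_bodies(["ep-0001", "ep-0002"], incident_id="42"):
        print(json.dumps(body, indent=2))
```

Each returned body can be serialised with json.dumps and passed as the -d payload of the curl call shown above.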
Responses