Isolate Endpoints

Cortex XDR REST API

POST /public_api/v1/endpoints/isolate

Isolate one or more endpoints in a single request. Request is limited to 1000 endpoints.

Required license: Cortex XDR Prevent or Cortex XDR Pro per Endpoint

CURL
curl -X POST \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  "https://api-yourfqdn/public_api/v1/endpoints/isolate" \
  -d '{
    "request_data" : {
      "incident_id" : "incident_id",
      "endpoint_id" : "endpoint_id",
      "filters" : [
        { "field" : "endpoint_id_list", "value" : [ "value", "value" ], "operator" : "in" },
        { "field" : "endpoint_id_list", "value" : [ "value", "value" ], "operator" : "in" }
      ]
    }
  }'
Request
Body
optional
Note: You can send a request with either endpoint_id for isolating one endpoint or filters for isolating more than one endpoint. You cannot use both parameters in the same call.
Example: {"request_data":{"endpoint_id":""}}
request_data
required
A dictionary containing the API request fields.
filters
optional
Array
Array of filtered fields for isolating a number of endpoints at once. Note: Only required if isolating more than one endpoint.
field
required
String (Enum)

Identifies the list that the filter matches against. Filters are based on the following keywords:

  • endpoint_id_list: List of endpoint IDs.
Allowed values:
endpoint_id_list
operator
required
String (Enum)

Identifies the comparison operator you want to use for this filter. Valid keywords and values are: in

  • endpoint_id_list: List of strings
Allowed values:
in
value
required
Array of strings

Value that this filter must match. Valid keywords:

  • endpoint_id_list: List of strings
endpoint_id
required
String
Identifies the endpoint to isolate. Note: Only required if isolating one endpoint.
incident_id
optional
String
The incident ID. When included in the request, the Isolate Endpoints action will appear in the Cortex XDR Incident View Timeline tab.
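One way to enforce the request rules above before anything is sent, as an added example that is not Palo Alto Networks code: it checks the endpoint_id/filters exclusivity, the allowed field and operator values, and the 1000-endpoint limit, and goes one step further by splitting a longer ID list into several valid request bodies. The function names are hypothetical, and counting the limit across all filters in a request is an assumption.

```python
# Added example: offline checks for POST /public_api/v1/endpoints/isolate bodies,
# using only the rules stated on this page. Function names are hypothetical.
MAX_ENDPOINTS = 1000  # per-request limit stated on this page

def validate_isolate_body(body):
    """Return a list of rule violations; an empty list means the body passes."""
    data = body.get("request_data")
    if not isinstance(data, dict):
        return ["request_data is required and must be a dictionary"]
    errors = []
    has_id, has_filters = "endpoint_id" in data, "filters" in data
    if has_id == has_filters:
        errors.append("send exactly one of endpoint_id or filters")
    if has_id and not (isinstance(data["endpoint_id"], str) and data["endpoint_id"]):
        errors.append("endpoint_id must be a non-empty string")
    filters = data.get("filters", [])
    if not isinstance(filters, list) or (has_filters and not filters):
        errors.append("filters must be a non-empty array")
        filters = []
    total = 0  # assumption: the 1000 limit counts IDs across all filters
    for f in filters:
        if f.get("field") != "endpoint_id_list" or f.get("operator") != "in":
            errors.append("filter must use field endpoint_id_list with operator in")
        values = f.get("value")
        if isinstance(values, list) and all(isinstance(v, str) and v for v in values):
            total += len(values)
        else:
            errors.append("filter value must be a list of non-empty strings")
    if total > MAX_ENDPOINTS:
        errors.append("request exceeds 1000 endpoints")
    return errors

def build_isolate_bodies(endpoint_ids, incident_id=None):
    """Split IDs into request bodies, each covering at most 1000 endpoints."""
    ids = list(dict.fromkeys(endpoint_ids))  # drop duplicates, keep order
    if not ids or not all(isinstance(i, str) and i for i in ids):
        raise ValueError("endpoint IDs must be a non-empty list of non-empty strings")
    bodies = []
    for start in range(0, len(ids), MAX_ENDPOINTS):
        chunk = ids[start:start + MAX_ENDPOINTS]
        if len(chunk) == 1:  # one endpoint: endpoint_id, never filters as well
            data = {"endpoint_id": chunk[0]}
        else:
            data = {"filters": [{"field": "endpoint_id_list", "operator": "in", "value": chunk}]}
        if incident_id is not None:
            data["incident_id"] = str(incident_id)  # documented as a String
        bodies.append({"request_data": data})
    return bodies
```

Run against the body in the CURL sample, which carries both endpoint_id and filters, validate_isolate_body reports the "send exactly one of endpoint_id or filters" violation.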
Responses

OK

Body
reply
optional
JSON object containing the query result.
action_id
optional
String

Action ID to scan selected endpoints. The response only indicates that the request was successfully sent to the endpoint. To track whether the isolation succeeded, either:

  • In the Cortex XDR console, navigate to Response > Action Center > Isolation and search for the action ID. Make sure the Action ID field is selected in the table Layout settings by selecting the vertical ellipsis.
  • Send a Get Action Status request.
endpoints_count
optional
String
Number of endpoints included in the request.

Bad Request. Got an invalid JSON.

Unauthorized access. An issue occurred during authentication. This can indicate an incorrect key, ID, or other invalid authentication parameters.

Unauthorized access. User does not have the required license type to run this API.

Forbidden access. The provided API Key does not have the required RBAC permissions to run this API.

Internal server error. A unified status for API communication type errors.