Quarantine Files

post /public_api/v1/endpoints/quarantine

Quarantine file on selected endpoints. You can select up to 1000 endpoints.

Note: A success response means that the request reached the defined endpoints, however if the file was not found there, no quarantine action will take place. To ensure if the file has been quarantined, check the Cortex XDR Action Center.

When filtering by multiple fields: - Response is concatenated using AND condition (OR is not supported). - Maximum result set size is 1000. - Offset is the zero-based number of incidents from the start of the result set.

CURL

  curl -X POST \

-H "Accept: application/json" \
 -H "Content-Type: application/json" \
"https://api-yourfqdn/public_api/v1/endpoints/quarantine" \
 -d '{
  "request_data" : {
    "file_path" : "file_path",
    "file_hash" : "file_hash",
    "filters" : [ {
      "field" : "endpoint_id_list",
      "value" : [ "value", "value" ],
      "operator" : "in"
    }, {
      "field" : "endpoint_id_list",
      "value" : [ "value", "value" ],
      "operator" : "in"
    } ]
  }
}'
  

Response

                {
    "reply": {
        "action_id": "[ID value]",
        "status": "1",
        "endpoints_count": "673"
    }
}
              

Request

Body

optional

Example:

{"request_data":{"filters":[{"field":"endpoint_id_list","operator":"in","value":[""]}],"file_path":"C:\\\\test_x64.msi","file_hash":""}}

request_data

required

A dictionary containing the API request fields.

filters

required

Array

An array of filter fields.

field

required

String (Enum)

String that identifies a list the filters match. Filters are based on the following keywords:

endpoint_id_list: List of endpoint IDs.

Allowed values:

endpoint_id_list

operator

required

String (Enum)

String that identifies the comparison operator you want to use for this filter. Valid keywords and values are: in

endpoint_id_list: List of strings

Allowed values:

value

required

Array of strings

Value that this filter must match. Valid keywords:

endpoint_id_list: Array of strings

file_path

required

String

The path of the file you want to quarantine. You must enter a proper path and not symbolic links.

file_hash

required

String

Incident ID. When included in the request, the Quarentine File action will appear in the Cortex XDR Incident View Timeline tab.

Responses

Successful response

Body

optional

JSON object containing the query result.

action_id

optional

String

ID of action to quarantine selected endpoints. Response only indicates the request was successfully sent to the endpoint. To track if the file quarantine succeeded either:

In Cortex XDR console, navigate to Response > Action Center and search for the action ID. Make sure the Action ID field is selected in the table Layout settings.
Send a Get Action Status API request.

status

optional

String

Integer representing whether the action:

1: succeeded
0: failed

endpoints_count

optional

String

Number of endpoints included in the request.

Bad Request. Got an invalid JSON.

Body

The query result upon error.

err_code

optional

String

HTTP response code.

err_msg

optional

String

Error message.

Example: {"line": 1, "column": 19, "message": "no viable alternative at input '|alter2'"}

err_extra

optional

String

Additional information describing the error.

Unauthorized access. An issue occurred during authentication. This can indicate an incorrect key, id, or other invalid authentication parameters.

Body

The query result upon error.

err_code

optional

String

HTTP response code.

err_msg

optional

String

Error message.

Example: {"line": 1, "column": 19, "message": "no viable alternative at input '|alter2'"}

err_extra

optional

String

Additional information describing the error.

Unauthorized access. User does not have the required license type to run this API.

Body

The query result upon error.

err_code

optional

String

HTTP response code.

err_msg

optional

String

Error message.

Example: {"line": 1, "column": 19, "message": "no viable alternative at input '|alter2'"}

err_extra

optional

String

Additional information describing the error.

Forbidden access. The provided API Key does not have the required RBAC permissions to run this API.

Body

The query result upon error.

err_code

optional

String

HTTP response code.

err_msg

optional

String

Error message.

Example: {"line": 1, "column": 19, "message": "no viable alternative at input '|alter2'"}

err_extra

optional

String

Additional information describing the error.

Internal server error. A unified status for API communication type errors.

Body

The query result upon error.

err_code

optional

String

HTTP response code.

err_msg

optional

String

Error message.

Example: {"line": 1, "column": 19, "message": "no viable alternative at input '|alter2'"}

err_extra

optional

String

Additional information describing the error.