POST /public_api/v1/endpoints/restore
Restore a quarantined file on the requested endpoints. When filtering by multiple fields:
- The response is concatenated using an AND condition (OR is not supported).
- The maximum result set size is 100.
- The offset is the zero-based number of incidents from the start of the result set.
Required license: Cortex XDR Prevent, Cortex XDR Pro per Endpoint, or Cortex XDR Pro per GB
CURL
curl -X POST \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  "https://api-yourfqdn/public_api/v1/endpoints/restore" \
  -d '{
    "request_data" : {
      "incident_id" : 0,
      "file_hash" : "file_hash",
      "endpoint_id" : "endpoint_id"
    }
  }'
Response
{
  "reply": {
    "action_id": "<action ID>",
    "status": 1,
    "endpoints_count": "673"
  }
}
Request
Body (optional)
Example:
{"request_data":{"file_hash":"","incident_id":302}}

request_data (required): A dictionary containing the API request fields.
  file_hash (required, String): The hash of the quarantined file. The hash must be a valid SHA256.
  endpoint_id (optional, String): Endpoint ID.
    Note: If you do not specify an endpoint ID, the restore runs on all endpoints that hold the quarantined file you defined.
  incident_id (optional, Integer): The incident ID.
    When included in the request, the Restore File action appears in the Cortex XDR Incident View Timeline tab.
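The following is an added example, not code from the Cortex XDR documentation: a small Python client that validates the request fields described above before anything is sent (a well-formed SHA256, a non-blank endpoint_id, an integer incident_id), makes the blast radius of an omitted endpoint_id explicit, and normalises the documented reply. The x-xdr-auth-id and Authorization headers and the sample reply values are assumptions; the page does not show them.

```python
import json
import re
import urllib.request
from typing import Optional

RESTORE_PATH = "/public_api/v1/endpoints/restore"
SHA256_RE = re.compile(r"[0-9a-fA-F]{64}")

# Constructed sample reply shaped like the documented response (values are placeholders).
SAMPLE_REPLY = '{"reply": {"action_id": "<action ID>", "status": 1, "endpoints_count": "673"}}'


def is_valid_sha256(file_hash: str) -> bool:
    """The API only accepts a SHA256, i.e. exactly 64 hex characters."""
    return isinstance(file_hash, str) and SHA256_RE.fullmatch(file_hash) is not None


def build_restore_request(file_hash: str, endpoint_id: Optional[str] = None,
                          incident_id: Optional[int] = None) -> dict:
    """Build the request body, rejecting bad input before it reaches the API."""
    if not is_valid_sha256(file_hash):
        raise ValueError("file_hash must be a 64-hex-character SHA256 digest")
    request_data = {"file_hash": file_hash.lower()}
    if endpoint_id is not None:
        if not endpoint_id.strip():
            raise ValueError("endpoint_id must not be blank")
        request_data["endpoint_id"] = endpoint_id
    if incident_id is not None:
        # bool is an int subclass; reject it so True does not silently become incident 1
        if isinstance(incident_id, bool) or not isinstance(incident_id, int) or incident_id < 0:
            raise ValueError("incident_id must be a non-negative integer")
        request_data["incident_id"] = incident_id
    return {"request_data": request_data}


def restore_scope(body: dict) -> str:
    """Spell out the blast radius: without endpoint_id the restore runs on every endpoint with the file."""
    return "one endpoint" if "endpoint_id" in body["request_data"] else "all endpoints holding the file"


def parse_restore_reply(raw: str) -> dict:
    """Normalise the reply: endpoints_count is documented as a string, so cast it before comparing."""
    reply = json.loads(raw)["reply"]
    return {"action_id": str(reply["action_id"]), "status": int(reply["status"]),
            "endpoints_count": int(reply["endpoints_count"])}


def send_restore(fqdn: str, auth_id: str, api_key: str, body: dict) -> dict:
    """POST the body; the auth headers are assumed from the platform's API-key scheme (network call)."""
    req = urllib.request.Request(
        f"https://{fqdn}{RESTORE_PATH}", data=json.dumps(body).encode(), method="POST",
        headers={"Accept": "application/json", "Content-Type": "application/json",
                 "x-xdr-auth-id": auth_id, "Authorization": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return parse_restore_reply(resp.read().decode())
```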
Responses