Restore File

Cortex XDR REST API

POST /public_api/v1/endpoints/restore

Restore a quarantined file on the requested endpoints. When filtering by multiple fields:
- Response is concatenated using AND condition (OR is not supported).
- Maximum result set size is 100.
- Offset is the zero-based number of incidents from the start of the result set.

Required license: Cortex XDR Prevent, Cortex XDR Pro per Endpoint, or Cortex XDR Pro per GB

CURL
curl -X POST \
  -H "Accept: application/json" \
  -H "Content-Type: application/json" \
  "https://api-yourfqdn/public_api/v1/endpoints/restore" \
  -d '{ "request_data" : { "incident_id" : 0, "file_hash" : "file_hash", "endpoint_id" : "endpoint_id" } }'
Response
{ "reply": { "action_id": "<action ID>", "status": 1, "endpoints_count": "673" } }
Request
Body
optional
Example: {"request_data":{"file_hash":"","incident_id":302}}
request_data
required
A dictionary containing the API request fields.
file_hash
required
String
SHA256 hash that identifies the file. Hash must be a valid SHA256.
endpoint_id
optional
String

Endpoint ID.

Note: If you do not enter a specific endpoint ID, the request runs the restore on all endpoints related to the quarantined file you specified.

incident_id
optional
Integer
The incident ID. When included in the request, the Restore File action will appear in the Cortex XDR Incident View Timeline tab.
Responses

Successful response

Body
reply
optional
action_id
optional
String
endpoints_count
optional
String

Bad Request. Got an invalid JSON.

Body
The query result upon error.
err_code
optional
String
HTTP response code.
err_msg
optional
String
Error message.
Example: {"line": 1, "column": 19, "message": "no viable alternative at input '|alter2'"}
err_extra
optional
String
Additional information describing the error.

Unauthorized access. An issue occurred during authentication. This can indicate an incorrect key, id, or other invalid authentication parameters.

Body
The query result upon error.
err_code
optional
String
HTTP response code.
err_msg
optional
String
Error message.
Example: {"line": 1, "column": 19, "message": "no viable alternative at input '|alter2'"}
err_extra
optional
String
Additional information describing the error.

Unauthorized access. User does not have the required license type to run this API.

Body
The query result upon error.
err_code
optional
String
HTTP response code.
err_msg
optional
String
Error message.
Example: {"line": 1, "column": 19, "message": "no viable alternative at input '|alter2'"}
err_extra
optional
String
Additional information describing the error.

Forbidden access. The provided API Key does not have the required RBAC permissions to run this API.

Body
The query result upon error.
err_code
optional
String
HTTP response code.
err_msg
optional
String
Error message.
Example: {"line": 1, "column": 19, "message": "no viable alternative at input '|alter2'"}
err_extra
optional
String
Additional information describing the error.

Internal server error. A unified status for API communication type errors.

Body
The query result upon error.
err_code
optional
String
HTTP response code.
err_msg
optional
String
Error message.
Example: {"line": 1, "column": 19, "message": "no viable alternative at input '|alter2'"}
err_extra
optional
String
Additional information describing the error.
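
An added example (not part of the Cortex XDR documentation) of a Python client for this endpoint: it validates `file_hash` as SHA256, refuses a restore with no `endpoint_id` unless the caller opts in, and surfaces the `err_code`/`err_msg`/`err_extra` error body. The function names, the `allow_all_endpoints` guard, the caller-supplied `auth_headers` dict and the acceptance of an error body nested under `reply` are assumptions of this example.

```python
import json
import re
import urllib.error
import urllib.request

SHA256_RE = re.compile(r"[0-9a-fA-F]{64}")


def build_restore_body(file_hash, endpoint_id=None, incident_id=None,
                       allow_all_endpoints=False):
    """Build the JSON body for POST /public_api/v1/endpoints/restore."""
    if not SHA256_RE.fullmatch(file_hash or ""):
        raise ValueError("file_hash must be a 64-character hex SHA256")
    if endpoint_id is None and not allow_all_endpoints:
        # Without endpoint_id the restore runs on every endpoint related to
        # the quarantined file, so this example requires an explicit opt-in.
        raise ValueError("endpoint_id omitted: pass allow_all_endpoints=True")
    data = {"file_hash": file_hash}
    if endpoint_id is not None:
        data["endpoint_id"] = endpoint_id
    if incident_id is not None:
        data["incident_id"] = int(incident_id)  # ties the action to an incident
    return {"request_data": data}


def parse_restore_response(raw):
    """Return (action_id, endpoints_count); raise on an error body."""
    doc = json.loads(raw)
    reply = doc.get("reply", doc)  # assumption: errors may be nested or flat
    if "err_code" in reply:
        raise RuntimeError(f"{reply['err_code']}: {reply.get('err_msg')} "
                           f"({reply.get('err_extra')})")
    return reply["action_id"], int(reply["endpoints_count"])


def restore_file(fqdn, auth_headers, **fields):
    """POST the restore request; auth_headers come from the caller."""
    req = urllib.request.Request(
        f"https://api-{fqdn}/public_api/v1/endpoints/restore",
        data=json.dumps(build_restore_body(**fields)).encode(),
        headers={"Accept": "application/json",
                 "Content-Type": "application/json", **auth_headers},
        method="POST")
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return parse_restore_response(resp.read())
    except urllib.error.HTTPError as exc:
        return parse_restore_response(exc.read())  # raises RuntimeError
```

Log the returned `action_id` and `endpoints_count` with the requesting analyst's identity so each restore of a quarantined file can be audited later.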