Isolate Endpoints

Cortex XSIAM Platform APIs

post /public_api/v1/endpoints/isolate

Isolate one or more endpoints in a single request. Request is limited to 1000 endpoints.

Required license: Cortex XSIAM Premium or Cortex XSIAM Enterprise. In Cortex NG SIEM, requires endpoints or the Cortex Cloud Runtime Security add-on.

Request headers
Authorization String required

{api_key}

Example: authorization_example
x-xdr-auth-id String required

{api_key_id}

Example: xXdrAuthId_example
CLIENT REQUEST
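# Isolate a single endpoint. The original sample sent an empty body (-d ''),
# which the endpoint answers with "Bad Request. Got an invalid JSON"; the body
# below is the single-endpoint form from the REQUEST example. Substitute the
# API key and key ID issued by the Cortex console for the two example header
# values, and a real endpoint ID for <endpoint ID>.
curl -X 'POST' \
  -H 'Accept: application/json' \
  -H 'Content-Type: application/json' \
  -H 'Authorization: authorization_example' \
  -H 'x-xdr-auth-id: xXdrAuthId_example' \
  'https://api-yourfqdn/public_api/v1/endpoints/isolate' \
  -d '{"request_data":{"endpoint_id":"<endpoint ID>"}}'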
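import http.client
import json

# Credentials issued by the Cortex console. Both are sent as plain request
# headers; load them from configuration rather than committing real values.
API_KEY = "SOME_STRING_VALUE"
API_KEY_ID = "SOME_STRING_VALUE"

# Placeholder request body; see the Body parameters section for the fields
# (a single endpoint_id, or a filters list for several endpoints).
payload = json.dumps({
    "request_data": {
        "filters": [
            {"field": "endpoint_id_list", "operator": "in", "value": ["string"]}
        ],
        "endpoint_id": "string",
        "incident_id": "string",
    }
})
headers = {
    "Authorization": API_KEY,
    "x-xdr-auth-id": API_KEY_ID,
    "content-type": "application/json",
}

# HTTPSConnection verifies the server certificate with the default context;
# do not pass an unverified context here.
conn = http.client.HTTPSConnection("api-yourfqdn")
try:
    conn.request("POST", "/public_api/v1/endpoints/isolate", payload, headers)
    res = conn.getresponse()
    data = res.read()
finally:
    # Release the socket even when the request or read raises.
    conn.close()
print(data.decode("utf-8"))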
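require 'uri'
require 'net/http'
require 'openssl'

url = URI("https://api-yourfqdn/public_api/v1/endpoints/isolate")

# Placeholder request body; see the Body parameters section for the fields.
body = '{"request_data":{"filters":[{"field":"endpoint_id_list","operator":"in","value":["string"]}],"endpoint_id":"string","incident_id":"string"}}'

request = Net::HTTP::Post.new(url)
request["Authorization"] = 'SOME_STRING_VALUE'
request["x-xdr-auth-id"] = 'SOME_STRING_VALUE'
request["content-type"] = 'application/json'
request.body = body

# Verify the server certificate. The original sample used VERIFY_NONE, which
# accepts any certificate and would hand the API key in the Authorization
# header to whoever terminates the TLS connection.
response = Net::HTTP.start(url.host, url.port,
                           use_ssl: true,
                           verify_mode: OpenSSL::SSL::VERIFY_PEER) do |http|
  http.request(request)
end
puts response.read_body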
// Placeholder request body; see the Body parameters section for the fields.
const body = JSON.stringify({
  request_data: {
    filters: [{ field: "endpoint_id_list", operator: "in", value: ["string"] }],
    endpoint_id: "string",
    incident_id: "string",
  },
});

const req = new XMLHttpRequest();
// Kept from the original sample; the API itself authenticates with the two
// headers set below, not with cookies.
req.withCredentials = true;
req.onreadystatechange = function () {
  if (req.readyState !== XMLHttpRequest.DONE) {
    return;
  }
  // Logs the raw response body, whatever the HTTP status was.
  console.log(req.responseText);
};
req.open("POST", "https://api-yourfqdn/public_api/v1/endpoints/isolate");
req.setRequestHeader("Authorization", "SOME_STRING_VALUE");
req.setRequestHeader("x-xdr-auth-id", "SOME_STRING_VALUE");
req.setRequestHeader("content-type", "application/json");
req.send(body);
// Placeholder request body; see the Body parameters section for the fields.
String body = "{\"request_data\":{\"filters\":[{\"field\":\"endpoint_id_list\",\"operator\":\"in\",\"value\":[\"string\"]}],\"endpoint_id\":\"string\",\"incident_id\":\"string\"}}";
String url = "https://api-yourfqdn/public_api/v1/endpoints/isolate";

// The two auth headers carry the API key and key ID issued by the Cortex console.
HttpResponse<String> response = Unirest.post(url)
        .header("Authorization", "SOME_STRING_VALUE")
        .header("x-xdr-auth-id", "SOME_STRING_VALUE")
        .header("content-type", "application/json")
        .body(body)
        .asString();
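import Foundation

// The two auth headers carry the API key and key ID issued by the Cortex console.
let headers = [
    "Authorization": "SOME_STRING_VALUE",
    "x-xdr-auth-id": "SOME_STRING_VALUE",
    "content-type": "application/json"
]

// Placeholder request body; see the Body parameters section for the fields.
let parameters = ["request_data": [
    "filters": [
        ["field": "endpoint_id_list", "operator": "in", "value": ["string"]]
    ],
    "endpoint_id": "string",
    "incident_id": "string"
]] as [String : Any]

// JSONSerialization.data(withJSONObject:options:) is a throwing call; the
// original sample omitted `try`, which does not compile.
let postData = try JSONSerialization.data(withJSONObject: parameters, options: [])

var request = URLRequest(url: URL(string: "https://api-yourfqdn/public_api/v1/endpoints/isolate")!,
                         cachePolicy: .useProtocolCachePolicy,
                         timeoutInterval: 10.0)
request.httpMethod = "POST"
request.allHTTPHeaderFields = headers
request.httpBody = postData

// URLSession.shared performs default server-certificate validation.
let dataTask = URLSession.shared.dataTask(with: request) { (data, response, error) in
    if let error = error {
        print(error)
    } else {
        // Only the status line is printed; the body (data) is not inspected here.
        let httpResponse = response as? HTTPURLResponse
        print(httpResponse as Any)
    }
}
dataTask.resume()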
<?php
// Placeholder request body; see the Body parameters section for the fields.
$body = '{"request_data":{"filters":[{"field":"endpoint_id_list","operator":"in","value":["string"]}],"endpoint_id":"string","incident_id":"string"}}';

// The two auth headers carry the API key and key ID issued by the Cortex console.
$requestHeaders = [
    "Authorization: SOME_STRING_VALUE",
    "content-type: application/json",
    "x-xdr-auth-id: SOME_STRING_VALUE",
];

$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "https://api-yourfqdn/public_api/v1/endpoints/isolate");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_ENCODING, "");
curl_setopt($ch, CURLOPT_MAXREDIRS, 10);
curl_setopt($ch, CURLOPT_TIMEOUT, 30);
curl_setopt($ch, CURLOPT_HTTP_VERSION, CURL_HTTP_VERSION_1_1);
curl_setopt($ch, CURLOPT_CUSTOMREQUEST, "POST");
curl_setopt($ch, CURLOPT_POSTFIELDS, $body);
curl_setopt($ch, CURLOPT_HTTPHEADER, $requestHeaders);

// Peer certificate verification is left at its libcurl default (enabled).
$response = curl_exec($ch);
$err = curl_error($ch);
curl_close($ch);

if ($err) {
    echo "cURL Error #:" . $err;
} else {
    echo $response;
}
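/* Isolate-endpoints request with libcurl. The original sample never released
 * the easy handle or the header list and did not check curl_easy_init(). */
struct curl_slist *headers = NULL;
CURL *hnd = curl_easy_init();
CURLcode ret = CURLE_FAILED_INIT; /* reported when no handle could be created */

if (hnd != NULL) {
    /* The two auth headers carry the API key and key ID from the Cortex console. */
    headers = curl_slist_append(headers, "Authorization: SOME_STRING_VALUE");
    headers = curl_slist_append(headers, "x-xdr-auth-id: SOME_STRING_VALUE");
    headers = curl_slist_append(headers, "content-type: application/json");

    curl_easy_setopt(hnd, CURLOPT_CUSTOMREQUEST, "POST");
    curl_easy_setopt(hnd, CURLOPT_URL, "https://api-yourfqdn/public_api/v1/endpoints/isolate");
    curl_easy_setopt(hnd, CURLOPT_HTTPHEADER, headers);
    /* Placeholder request body; see the Body parameters section for the fields. */
    curl_easy_setopt(hnd, CURLOPT_POSTFIELDS, "{\"request_data\":{\"filters\":[{\"field\":\"endpoint_id_list\",\"operator\":\"in\",\"value\":[\"string\"]}],\"endpoint_id\":\"string\",\"incident_id\":\"string\"}}");

    /* Peer certificate verification is left at its libcurl default (enabled). */
    ret = curl_easy_perform(hnd);

    /* Free the handle first, then the header list it referenced. */
    curl_easy_cleanup(hnd);
    curl_slist_free_all(headers);
}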
// Placeholder request body; see the Body parameters section for the fields.
const string body = "{\"request_data\":{\"filters\":[{\"field\":\"endpoint_id_list\",\"operator\":\"in\",\"value\":[\"string\"]}],\"endpoint_id\":\"string\",\"incident_id\":\"string\"}}";
const string endpoint = "https://api-yourfqdn/public_api/v1/endpoints/isolate";

// The two auth headers carry the API key and key ID issued by the Cortex console.
var request = new RestRequest(Method.POST);
request.AddHeader("Authorization", "SOME_STRING_VALUE");
request.AddHeader("x-xdr-auth-id", "SOME_STRING_VALUE");
request.AddHeader("content-type", "application/json");
request.AddParameter("application/json", body, ParameterType.RequestBody);

IRestResponse response = new RestClient(endpoint).Execute(request);
Body parameters
application/json
request_data (object)

A dictionary containing the API request fields.

filters (array)

Array of filtered fields for isolating a number of endpoints at once. Note: Only required if isolating more than one endpoint.

[
field (string, Enum) required

Identifies a list the filters match. Filters are based on the following keywords:

  • endpoint_id_list: List of endpoint IDs.
Allowed values:"endpoint_id_list"
operator (string, Enum) required

Identifies the comparison operator you want to use for this filter. Valid keywords and values are: in

  • endpoint_id_list — List of strings
Allowed values:"in"
value (array[string]) required

Value that this filter must match. Valid keywords:

  • endpoint_id_list: List of strings
]
endpoint_id (string) required

Identifies the endpoint to isolate. Note: Only required if isolating one endpoint.

incident_id (string)

The case ID. When included in the request, the Isolate Endpoints action will appear in the Cortex Case View Timeline tab.

REQUEST
{ "request_data": { "endpoint_id": "<endpoint ID>" } }
{ "request_data": { "filters": [ { "field": "endpoint_id_list", "operator": "in", "value": [ "<endpoint ID 1>", "<endpoint ID 2>", "<endpoint ID 3>" ] } ] } }
Responses

OK

Body
application/json
reply (object)

JSON object containing the query result.

action_id (string)

Action ID assigned to the isolation request for the selected endpoints. The response only indicates that the request was successfully sent to the endpoint. To track whether the isolation succeeded, either:

  • In the Cortex console, navigate to Response > Action Center > Isolation and search for the action ID. Make sure the Action ID field is selected in the table Layout settings by selecting the vertical ellipses.
  • Send a Get Action Status request.
endpoints_count (string)

Number of endpoints included in the request.

RESPONSE
{ "reply": { "action_id": "<action ID>", "status": "1", "endpoints_count": "673" } }

Bad Request. Got an invalid JSON.

Unauthorized access. An issue occurred during authentication. This can indicate an incorrect key, ID, or other invalid authentication parameters.

Unauthorized access. User does not have the required license type to run this API.

Forbidden access. The provided API Key does not have the required RBAC permissions to run this API.

Internal server error. A unified status for API communication type errors.