This documentation contains work-in-progress information for future Elastic Stack and Cloud releases. Use the version selector to view supported release docs. It also contains some Elastic Cloud serverless information. Check out our serverless docs for more details.
« List endpoints Release an isolated host »
Elastic Docs Elastic Security Solution [8.16] Elastic Security APIs Endpoint management API

Isolate a host

edit

Isolate a host

edit

Isolates a host running Elastic Defend from the network.

Isolated is a persistent status until the endpoint is given a release command. You must have the Host Isolation privilege and at least a Platinum license to perform this action.

Request URL

edit

POST <kibana host>:<port>/api/endpoint/action/isolate

(Deprecated) POST <kibana host>:<port>/api/endpoint/isolate - This url will return a 308 permanent redirect to POST <kibana host>:<port>/api/endpoint/action/isolate

Request body

edit

A JSON object with these fields:

Name Type Description Required

endpoint_ids

Array (String)

The IDs of endpoints where you want to issue this action.

Yes

agent_type

String

The type of Agent that the host is running with. Accepted values are:

  • endpoint (default)
  • sentinel_one (currently in Technical Preview)

No

alert_ids

Array (String)

If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts.

No

case_ids

Array (String)

The IDs of cases where the action taken will be logged.

No

comment

String

Attach a comment to this action’s log. The comment text will appear in associated cases.

No

Example requests

edit

Isolates a single host with an endpoint_id value of ed518850-681a-4d60-bb98-e22640cae2a8:

POST /api/endpoint/action/isolate
{
  "endpoint_ids": ["ed518850-681a-4d60-bb98-e22640cae2a8"]
}

Isolates several hosts; includes a comment:

POST /api/endpoint/action/isolate
{
  "endpoint_ids": [
  	"9972d10e-4b9e-41aa-a534-a85e2a28ea42",
  	"bc0e4f0c-3bca-4633-9fee-156c0b505d16",
  	"fa89271b-b9d4-43f2-a684-307cffddeb5a"
  ],
  "comment": "Locked down, pending further investigation"
}

Isolates hosts with an associated case; includes a comment:

POST /api/endpoint/action/isolate
{
  "endpoint_ids": [
  	"1aa1f8fd-0fb0-4fe4-8c30-92068272d3f0",
  	"b30a11bf-1395-4707-b508-fbb45ef9793e"
  ],
  "case_ids": ["4976be38-c134-4554-bd5e-0fd89ce63667"]
  "comment": "Isolating as initial response"
}

Response code

edit
200
Indicates a successful call.
403
Indicates insufficient user privilege (Host Isolation required), or unsupported license level (minimum Platinum license required).
500
General error. A response message will provide additional details.

Response payload

edit

A JSON object with an id that refers to the submitted action.

Example response

edit
{
  "action": "233db9ea-6733-4849-9226-5a7039c7161d",
  "data": {
    "id": "233db9ea-6733-4849-9226-5a7039c7161d",
    "agents": ["ed518850-681a-4d60-bb98-e22640cae2a8"],
    "command": "suspend-process",
    "agentType": "endpoint",
    "isExpired": false,
    "isCompleted": true,
    "wasSuccessful": true,
    "errors": [],
    "startedAt": "2022-07-29T19:08:49.126Z",
    "completedAt": "2022-07-29T19:09:44.961Z",
    "outputs": {
      "ed518850-681a-4d60-bb98-e22640cae2a8": {
        "type": "json",
        "content": {
          "key": "value"
        }
      }
    },
    "createdBy": "myuser",
    "comment": "suspend the process",
    "parameters": {
      "entity_id": "abc123"
    }
  }
}
« List endpoints Release an isolated host »