Get response actions

GET /api/endpoint/action

Get a list of all response actions.

Query parameters

  • page integer

    Page number

    Minimum value is 1. Default value is 1.

  • pageSize integer

    Number of items per page

    Minimum value is 1, maximum value is 100. Default value is 10.

  • commands array[string]

    A list of response action command names.

    Minimum length of each is 1. Values are isolate, unisolate, kill-process, suspend-process, running-processes, get-file, execute, upload, or scan.

  • agentIds array[string] | string

    A list of agent IDs. Max of 50.

  • userIds array[string] | string

    A list of user IDs.

  • startDate string

    A start date in ISO 8601 format or Date Math format.

  • endDate string

    An end date in ISO format or Date Math format.

  • agentTypes string

    List of agent types to retrieve. Defaults to endpoint.

    Values are endpoint, sentinel_one, or crowdstrike.

  • withOutputs array[string] | string

    A list of action IDs that should include the complete output of the action.

  • types array[string]

    List of types of response actions

    Values are automated or manual.

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31

    OK

    Additional properties are allowed.

GET /api/endpoint/action
curl \
 --request GET https://localhost:5601/api/endpoint/action \
 --header "Authorization: $API_KEY"
Response examples (200)
{
  "data": [
    {
      "id": "b3d6de74-36b0-4fa8-be46-c375bf1771bf",
      "agents": [
        "afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0"
      ],
      "command": "running-processes",
      "agentType": "endpoint",
      "createdBy": "elastic",
      "isExpired": false,
      "startedAt": "2022-08-08T15:24:57.402Z",
      "completedAt": "2022-08-08T09:50:47.672Z",
      "isCompleted": true,
      "wasSuccessful": true
    },
    {
      "id": "43b4098b-8752-4fbb-a7a7-6df7c74d0ee3",
      "agents": [
        "afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0"
      ],
      "command": "isolate",
      "agentType": "endpoint",
      "createdBy": "elastic",
      "isExpired": false,
      "startedAt": "2022-08-08T15:23:37.359Z",
      "completedAt": "2022-08-08T10:41:57.352Z",
      "isCompleted": true,
      "wasSuccessful": true
    },
    {
      "id": "5bc92c86-b8e6-42dd-837f-12ad29e09caa",
      "agents": [
        "afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0"
      ],
      "command": "kill-process",
      "comment": "bad process - taking up too much cpu",
      "agentType": "endpoint",
      "createdBy": "elastic",
      "isExpired": false,
      "startedAt": "2022-08-08T14:38:44.125Z",
      "completedAt": "2022-08-08T09:44:50.952Z",
      "isCompleted": true,
      "wasSuccessful": true
    },
    {
      "id": "790d54e0-3aa3-4e5b-8255-3ce9d851246a",
      "agents": [
        "afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0"
      ],
      "command": "unisolate",
      "comment": "Not a threat to the network",
      "agentType": "endpoint",
      "createdBy": "elastic",
      "isExpired": false,
      "startedAt": "2022-08-08T14:38:15.391Z",
      "completedAt": "2022-08-08T09:40:47.398Z",
      "isCompleted": true,
      "wasSuccessful": true
    }
  ],
  "page": 1,
  "total": 4,
  "endDate": "now",
  "pageSize": 10,
  "startDate": "now-24h/h",
  "elasticAgentIds": [
    "afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0"
  ]
}
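
The following is an added example, not part of the original reference: a client-side helper that enforces the documented parameter limits before a request is sent, then derives each agent's latest isolation state from a response for audit purposes. The function names are hypothetical, and sending array parameters as repeated keys is an assumption.

```python
import math
from urllib.parse import urlencode

# Limits and enumerations copied from the parameter list above.
COMMANDS = {"isolate", "unisolate", "kill-process", "suspend-process",
            "running-processes", "get-file", "execute", "upload", "scan"}
TYPES = {"automated", "manual"}

def build_query(page=1, page_size=10, commands=(), agent_ids=(), types=(),
                start_date=None, end_date=None):
    """Validate against the documented limits and return a query string."""
    if page < 1:
        raise ValueError("page minimum is 1")
    if not 1 <= page_size <= 100:
        raise ValueError("pageSize must be 1..100")
    if len(agent_ids) > 50:
        raise ValueError("agentIds accepts at most 50 IDs")
    if set(commands) - COMMANDS:
        raise ValueError(f"unknown commands: {sorted(set(commands) - COMMANDS)}")
    if set(types) - TYPES:
        raise ValueError("types must be automated or manual")
    params = {"page": page, "pageSize": page_size, "commands": list(commands),
              "agentIds": list(agent_ids), "types": list(types)}
    if start_date:
        params["startDate"] = start_date
    if end_date:
        params["endDate"] = end_date
    # Assumption: array parameters are sent as repeated keys (a=1&a=2).
    return urlencode({k: v for k, v in params.items() if v != []}, doseq=True)

def pages_needed(body):
    """Number of pages to request, from the total and pageSize in a response."""
    return max(1, math.ceil(body["total"] / body["pageSize"]))

def isolation_state(actions):
    """Latest successful isolate/unisolate per agent, ordered by startedAt."""
    state = {}
    for a in sorted(actions, key=lambda a: a["startedAt"]):
        if a["command"] in ("isolate", "unisolate") and a.get("wasSuccessful"):
            for agent in a["agents"]:
                state[agent] = a["command"]
    return state

# Constructed sample, trimmed from the 200 response example on this page.
SAMPLE = {"page": 1, "pageSize": 10, "total": 4, "data": [
    {"command": "isolate", "agents": ["afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0"],
     "startedAt": "2022-08-08T15:23:37.359Z", "wasSuccessful": True},
    {"command": "unisolate", "agents": ["afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0"],
     "startedAt": "2022-08-08T14:38:15.391Z", "wasSuccessful": True}]}
```

The response lists actions newest first, so the helper sorts by startedAt rather than relying on array order; in the sample the agent ends up isolated because the isolate action started after the unisolate.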