Isolate a host
Isolates a host running Endpoint Security from the network.
Console supports Elasticsearch APIs only. Console doesn’t allow interactions with Kibana APIs. You must use curl or another HTTP tool instead. For more information, refer to Run Elasticsearch API requests.
Isolated is a persistent status until the endpoint is given a release command. You must have the superuser role to perform this action and at least a Platinum license.
Request URL
POST <kibana host>:<port>/api/endpoint/isolate
Request body
A JSON object with these fields:
Name | Type | Description | Required |
---|---|---|---|
endpoint_ids | Array (String) | The IDs of each endpoint you want to isolate. | Yes |
alert_ids | Array (String) | If this action is associated with any alerts, they can be specified here. The isolated event will be logged in any cases associated with the specified alerts. | No |
case_ids | Array (String) | Logs the action taken on specified cases. | No |
comment | String | Attach a comment to this action’s log. The comment text will appear in associated cases. | No |
Example requests
Isolates a single host with an endpoint_id value of ed518850-681a-4d60-bb98-e22640cae2a8:
```
POST /api/endpoint/isolate
{
  "endpoint_ids": ["ed518850-681a-4d60-bb98-e22640cae2a8"]
}
```
Isolates several hosts; includes a comment:
```
POST /api/endpoint/isolate
{
  "endpoint_ids": [
    "9972d10e-4b9e-41aa-a534-a85e2a28ea42",
    "bc0e4f0c-3bca-4633-9fee-156c0b505d16",
    "fa89271b-b9d4-43f2-a684-307cffddeb5a"
  ],
  "comment": "Locked down, pending further investigation"
}
```
Isolates hosts with an associated case; includes a comment:
```
POST /api/endpoint/isolate
{
  "endpoint_ids": [
    "1aa1f8fd-0fb0-4fe4-8c30-92068272d3f0",
    "b30a11bf-1395-4707-b508-fbb45ef9793e"
  ],
  "case_ids": ["4976be38-c134-4554-bd5e-0fd89ce63667"],
  "comment": "Isolating as initial response"
}
```
Response code
- 200: Indicates a successful call.
- 403: Indicates insufficient user role (must be superuser), or unsupported license level (minimum Platinum license required).
- 500: General error. A response message will indicate the failure.
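
For response automation, the request body and response codes above can be wrapped in a small client. This is an added example, not code from the Elastic documentation. It assumes basic authentication and UUID-formatted endpoint IDs (as in the examples above), uses the hypothetical names `build_isolate_request` and `isolate`, and sends the `kbn-xsrf` header that Kibana requires on write requests.

```python
import base64
import json
import urllib.error
import urllib.request
import uuid

ISOLATE_PATH = "/api/endpoint/isolate"
# Meanings of the response codes documented on this page.
STATUS_MEANING = {
    200: "isolated",
    403: "forbidden: superuser role and at least a Platinum license are required",
    500: "server error: see the response message",
}

def build_isolate_request(kibana_url, user, password, endpoint_ids,
                          case_ids=None, alert_ids=None, comment=None):
    """Validate the inputs and return an unsent urllib Request."""
    if not endpoint_ids:
        raise ValueError("endpoint_ids is required and must not be empty")
    # Assumption: IDs are UUIDs, as in the page's examples. Normalise and
    # de-duplicate them; a malformed ID raises ValueError before any call is made.
    ids = list(dict.fromkeys(str(uuid.UUID(e)) for e in endpoint_ids))
    body = {"endpoint_ids": ids}
    for key, value in (("case_ids", case_ids), ("alert_ids", alert_ids), ("comment", comment)):
        if value:  # optional fields are sent only when supplied
            body[key] = value
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return urllib.request.Request(
        kibana_url.rstrip("/") + ISOLATE_PATH,
        data=json.dumps(body).encode(),
        method="POST",
        headers={
            "Content-Type": "application/json",
            "kbn-xsrf": "true",  # Kibana rejects write requests without this header
            "Authorization": f"Basic {token}",  # assumption: basic auth is enabled
        },
    )

def isolate(request, timeout=30):
    """Send the request; return (status, meaning, response text)."""
    try:
        with urllib.request.urlopen(request, timeout=timeout) as resp:
            status, text = resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:  # 403 and 500 arrive as HTTPError
        status, text = err.code, err.read().decode()
    return status, STATUS_MEANING.get(status, "unexpected status"), text
```

Because isolation persists until a release command is issued, record the returned status and response text in the case alongside the comment.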