Isolate a host
Isolates a host running Endpoint and Cloud Security from the network. `Isolated` is a persistent status until the endpoint is given a release command. You must have the `superuser` role to perform this action and at least a Platinum license.
Request URL
`POST <kibana host>:<port>/api/endpoint/isolate`
Request body
A JSON object with these fields:
Name | Type | Description | Required |
---|---|---|---|
`endpoint_ids` | Array (String) | The IDs of each endpoint you want to isolate. | Yes |
`alert_ids` | Array (String) | If this action is associated with any alerts, they can be specified here. The isolated event will be logged in any cases associated with the specified alerts. | No |
`case_ids` | Array (String) | Logs the action taken on specified cases. | No |
`comment` | String | Attach a comment to this action's log. The comment text will appear in associated cases. | No |
Example requests
Isolates a single host with an `endpoint_id` value of `ed518850-681a-4d60-bb98-e22640cae2a8`:

```
POST /api/endpoint/isolate
{
  "endpoint_ids": ["ed518850-681a-4d60-bb98-e22640cae2a8"]
}
```
Isolates several hosts; includes a comment:

```
POST /api/endpoint/isolate
{
  "endpoint_ids": [
    "9972d10e-4b9e-41aa-a534-a85e2a28ea42",
    "bc0e4f0c-3bca-4633-9fee-156c0b505d16",
    "fa89271b-b9d4-43f2-a684-307cffddeb5a"
  ],
  "comment": "Locked down, pending further investigation"
}
```
Isolates hosts with an associated case; includes a comment:

```
POST /api/endpoint/isolate
{
  "endpoint_ids": [
    "1aa1f8fd-0fb0-4fe4-8c30-92068272d3f0",
    "b30a11bf-1395-4707-b508-fbb45ef9793e"
  ],
  "case_ids": ["4976be38-c134-4554-bd5e-0fd89ce63667"],
  "comment": "Isolating as initial response"
}
```
Response code
- `200`: Indicates a successful call.
- `403`: Indicates insufficient user role (must be `superuser`), or unsupported license level (minimum Platinum license required).
- `500`: General error. A response message will indicate the failure.
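
A small client for this endpoint, as an added example that is not part of Elastic's documentation: it validates the request body against the field table above, builds the POST, and maps the three documented response codes. The function names, the `kibana.example` host used in testing, and API-key authentication are assumptions.

```python
import json
import urllib.request

# Meaning of each response code documented on this page.
STATUS_MEANING = {
    200: "isolated: host stays isolated until a release command is sent",
    403: "forbidden: caller is not superuser or license is below Platinum",
    500: "general error: read the response message for the failure",
}

def _id_list(name, values, required=False):
    """Check one array-of-strings field; return it de-duplicated, order kept."""
    if isinstance(values, str):
        raise ValueError(f"{name} must be an array of strings, not a bare string")
    values = list(values or [])
    if required and not values:
        raise ValueError(f"{name} is required and must not be empty")
    if any(not isinstance(v, str) or not v.strip() for v in values):
        raise ValueError(f"{name} must contain only non-empty strings")
    return list(dict.fromkeys(values))

def build_isolate_body(endpoint_ids, alert_ids=None, case_ids=None, comment=None):
    """Build the JSON body from the field table, omitting unused optional fields."""
    body = {"endpoint_ids": _id_list("endpoint_ids", endpoint_ids, required=True)}
    for name, values in (("alert_ids", alert_ids), ("case_ids", case_ids)):
        if ids := _id_list(name, values):
            body[name] = ids
    if comment is not None:
        if not isinstance(comment, str):
            raise ValueError("comment must be a string")
        body["comment"] = comment
    return body

def build_isolate_request(kibana_url, api_key, **fields):
    """Return an unsent request; pass it to urllib.request.urlopen() to isolate."""
    headers = {
        "Content-Type": "application/json",
        "kbn-xsrf": "true",  # Kibana's CSRF protection expects this on POST
        "Authorization": f"ApiKey {api_key}",  # assumption: API-key authentication
    }
    return urllib.request.Request(
        kibana_url.rstrip("/") + "/api/endpoint/isolate",
        data=json.dumps(build_isolate_body(**fields)).encode(),
        headers=headers, method="POST")

def explain_status(code):
    """Translate an HTTP status from the isolate call into the documented meaning."""
    return STATUS_MEANING.get(code, f"undocumented status {code}")
```

`urllib.request.urlopen()` raises `urllib.error.HTTPError` for `403` and `500`; pass its `.code` to `explain_status()` when logging the outcome.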