Isolate a host
editIsolate a host
editIsolates a host running Endpoint and Cloud Security from the network.
Isolated is a persistent status until the endpoint is given a release command. You must have the superuser role to perform this action and at least a Platinum license.
Request URL
editPOST <kibana host>:<port>/api/endpoint/isolate
Request body
editA JSON object with these fields:
| Name | Type | Description | Required |
|---|---|---|---|
|
Array (String) |
The IDs of each endpoint you want to isolate. |
Yes |
|
Array (String) |
If this action is associated with any alerts, they can be specified here. The isolated event will be logged in any cases associated with the specified alerts. |
No |
|
Array (String) |
Logs the action taken on specified cases. |
No |
|
String |
Attach a comment to this action’s log. The comment text will appear in associated cases. |
No |
Example requests
editIsolates a single host with an endpoint_id value of ed518850-681a-4d60-bb98-e22640cae2a8:
POST /api/endpoint/isolate
{
"endpoint_ids": ["ed518850-681a-4d60-bb98-e22640cae2a8"]
}
Isolates several hosts; includes a comment:
POST /api/endpoint/isolate
{
"endpoint_ids": [
"9972d10e-4b9e-41aa-a534-a85e2a28ea42",
"bc0e4f0c-3bca-4633-9fee-156c0b505d16",
"fa89271b-b9d4-43f2-a684-307cffddeb5a"
],
"comment": "Locked down, pending further investigation"
}
Isolates hosts with an associated case; includes a comment:
POST /api/endpoint/isolate
{
"endpoint_ids": [
"1aa1f8fd-0fb0-4fe4-8c30-92068272d3f0",
"b30a11bf-1395-4707-b508-fbb45ef9793e"
],
"case_ids": ["4976be38-c134-4554-bd5e-0fd89ce63667"]
"comment": "Isolating as initial response"
}
Response code
edit-
200 - Indicates a successful call.
-
403 -
Indicates insufficient user role (must be
superuser), or unsupported license level (minimum Platinum license required). -
500 - General error. A response message will indicate the failure.