Get a file from a host

edit

Retrieve a file from a host running Elastic Defend.

You must have the File Operations Kibana privilege in the Security feature as part of your role and at least an Enterprise license to perform this action.

Request URL

edit

POST <kibana host>:<port>/api/endpoint/action/get_file

Request body

edit

A JSON object with these fields:

Name Type Description Required

endpoint_ids

Array (String)

The IDs of endpoints where you want to issue this action.

Yes

alert_ids

Array (String)

If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts.

No

case_ids

Array (String)

The IDs of cases where the action taken will be logged.

No

comment

String

Attach a comment to this action’s log. The comment text will appear in associated cases.

No

parameters.path

String

The file’s full path (including the file name).

Yes

Example requests

edit

Retrieve a file /usr/my-file.txt on a host with an endpoint_id value of ed518850-681a-4d60-bb98-e22640cae2a8 and comments Get my file:

POST /api/endpoint/action/get_file
{
  "endpoint_ids": ["ed518850-681a-4d60-bb98-e22640cae2a8"],
  "parameters": {
    "path": "/usr/my-file.txt",
  },
  "comment": "Get my file"
}

Response code

edit
200
Indicates a successful call.
403
Indicates insufficient privileges, or unsupported license level (minimum Enterprise license required).

Response payload

edit

A JSON object with the details of the response action created.

Example response

edit
{
  "data": {
    "id": "27ba1b42-7cc6-4e53-86ce-675c876092b2",
    "agents": [
      "ed518850-681a-4d60-bb98-e22640cae2a8"
    ],
    "hosts": {
      "ed518850-681a-4d60-bb98-e22640cae2a8": {
        "name": "gke-endpoint-gke-clu-endpoint-node-po-e1a3ab89-4c4r"
      }
    },
    "command": "get-file",
    "startedAt": "2023-07-28T19:00:03.911Z",
    "isCompleted": false,
    "wasSuccessful": false,
    "isExpired": false,
    "status": "pending",
    "outputs": {},
    "agentState": {
      "ed518850-681a-4d60-bb98-e22640cae2a8": {
        "isCompleted": false,
        "wasSuccessful": false
      }
    },
    "createdBy": "myuser",
    "parameters": {
      "path": "/usr/my-file.txt"
    }
  }
}