Run a command

POST /api/endpoint/action/execute

Api key auth

Run a shell command on an endpoint.

application/json

Body Required

agent_type string

List of agent types to retrieve. Defaults to endpoint.

Values are endpoint, sentinel_one, crowdstrike, or microsoft_defender_endpoint.
alert_ids array[string]

If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts.

At least 1 element. Minimum length of each is 1.
case_ids array[string]

The IDs of cases where the action taken will be logged.

At least 1 element. Minimum length of each is 1.
comment string

Optional comment
endpoint_ids array[string] Required

List of endpoint IDs (cannot contain empty strings)

At least 1 element. Minimum length of each is 1.
parameters object Required

Optional parameters object
Hide parameters attributes Show parameters attributes object
- command string Required
  
  The command to be executed (cannot be an empty string)
  
  Minimum length is 1. Values are isolate, unisolate, kill-process, suspend-process, running-processes, get-file, execute, upload, or scan.
- timeout integer
  
  The maximum timeout value in milliseconds (optional)
  
  Minimum value is 1.

Responses

200 application/json

OK

POST /api/endpoint/action/execute

curl \ --request POST 'https://<KIBANA_URL>/api/endpoint/action/execute' \ --header "Authorization: $API_KEY" \ --header "Content-Type: application/json" \ --data '{"comment":"Get list of all files","parameters":{"command":"ls -al","timeout":600},"endpoint_ids":["b3d6de74-36b0-4fa8-be46-c375bf1771bf"]}'