Isolate an endpoint

POST /api/endpoint/action/isolate

Isolate an endpoint from the network. The endpoint remains isolated until it's released.

application/json

Body Required

  • agent_type string

    The agent type of the endpoints being isolated (a single value, not a list; all IDs in one request must belong to that agent type). Defaults to endpoint.

    Values are endpoint, sentinel_one, crowdstrike, or microsoft_defender_endpoint.

  • alert_ids array[string]

    If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts.

    At least 1 element. Minimum length of each is 1.

  • case_ids array[string]

    The IDs of cases where the action taken will be logged.

    At least 1 element. Minimum length of each is 1.

  • comment string

    Optional comment

  • endpoint_ids array[string] Required

    List of endpoint IDs (cannot contain empty strings)

    At least 1 element. Minimum length of each is 1.

  • parameters object

    Optional parameters object

Responses

  • 200 application/json

    OK

POST /api/endpoint/action/isolate
curl \
  --request POST 'https://<KIBANA_URL>/api/endpoint/action/isolate' \
  --header "Authorization: $API_KEY" \
  --header "Content-Type: application/json" \
  --data '{"comment":"Locked down, pending further investigation","endpoint_ids":["9972d10e-4b9e-41aa-a534-a85e2a28ea42","bc0e4f0c-3bca-4633-9fee-156c0b505d16","fa89271b-b9d4-43f2-a684-307cffddeb5a"]}'
Request examples

{
  "comment": "Locked down, pending further investigation",
  "endpoint_ids": [
    "9972d10e-4b9e-41aa-a534-a85e2a28ea42",
    "bc0e4f0c-3bca-4633-9fee-156c0b505d16",
    "fa89271b-b9d4-43f2-a684-307cffddeb5a"
  ]
}

{
  "endpoint_ids": [
    "ed518850-681a-4d60-bb98-e22640cae2a8"
  ]
}

{
  "comment": "Isolating as initial response",
  "case_ids": [
    "4976be38-c134-4554-bd5e-0fd89ce63667"
  ],
  "endpoint_ids": [
    "1aa1f8fd-0fb0-4fe4-8c30-92068272d3f0",
    "b30a11bf-1395-4707-b508-fbb45ef9793e"
  ]
}
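Network isolation cuts a host off from everything except the management channel, so a request with a mistyped or empty endpoint ID is worth rejecting before it leaves the analyst's machine. The following is an added example, not code from the Elastic documentation or the Kibana project: it validates the body against the rules the parameter list above states (endpoint_ids required, arrays non-empty, no empty strings, agent_type from the listed values), de-duplicates IDs, and sends the request. Assumptions beyond the page: endpoint IDs are checked for UUID shape because every ID on this page is a UUID (the API does not state that rule); the Authorization value is built in the "ApiKey base64(id:secret)" form used by Elastic API keys; and a kbn-xsrf header is added because Kibana's XSRF check rejects non-GET API requests that lack it (the page's curl omits it; the header is harmless where not required).

```python
"""Added example: build, validate and send a Kibana endpoint isolate request.

Not part of the Elastic documentation or Kibana code base.
Assumptions are marked in comments.
"""
import base64
import json
import re
import urllib.request
from typing import Optional, Sequence

# Assumption: endpoint IDs are UUIDs (every example on the page is one);
# the API itself only documents "non-empty string".
_UUID_RE = re.compile(
    r"^[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}$"
)

VALID_AGENT_TYPES = ("endpoint", "sentinel_one", "crowdstrike", "microsoft_defender_endpoint")


def _non_empty_ids(name: str, ids: Optional[Sequence[str]]) -> Optional[list]:
    """Enforce 'at least 1 element, minimum length of each is 1' for an array field."""
    if ids is None:
        return None
    ids = list(ids)
    if not ids:
        raise ValueError(f"{name} must contain at least one element when present")
    if any(not isinstance(i, str) or len(i) < 1 for i in ids):
        raise ValueError(f"{name} cannot contain empty strings")
    return ids


def build_isolate_request(
    endpoint_ids: Sequence[str],
    comment: Optional[str] = None,
    case_ids: Optional[Sequence[str]] = None,
    alert_ids: Optional[Sequence[str]] = None,
    agent_type: Optional[str] = None,
    parameters: Optional[dict] = None,
) -> dict:
    """Return the JSON body for POST /api/endpoint/action/isolate, or raise ValueError.

    Duplicate endpoint IDs are collapsed so one host is named once; optional
    arrays follow the same non-empty / no-empty-string rule the API documents.
    """
    ids = _non_empty_ids("endpoint_ids", endpoint_ids)
    if ids is None:
        raise ValueError("endpoint_ids is required")
    bad = [i for i in ids if not _UUID_RE.match(i)]
    if bad:
        raise ValueError(f"endpoint_ids are not UUID-shaped: {bad}")
    body = {"endpoint_ids": list(dict.fromkeys(ids))}  # order-preserving de-dup
    if agent_type is not None:
        if agent_type not in VALID_AGENT_TYPES:
            raise ValueError(f"agent_type must be one of {VALID_AGENT_TYPES}")
        body["agent_type"] = agent_type
    if comment:
        body["comment"] = comment
    cases = _non_empty_ids("case_ids", case_ids)
    if cases is not None:
        body["case_ids"] = cases
    alerts = _non_empty_ids("alert_ids", alert_ids)
    if alerts is not None:
        body["alert_ids"] = alerts
    if parameters is not None:
        body["parameters"] = dict(parameters)
    return body


def api_key_header(key_id: str, key_secret: str) -> str:
    """Assumption: Elastic API key scheme, 'ApiKey ' + base64('id:secret')."""
    token = base64.b64encode(f"{key_id}:{key_secret}".encode()).decode()
    return f"ApiKey {token}"


def isolate_endpoints(kibana_url: str, authorization: str, body: dict, timeout: float = 30.0) -> dict:
    """POST the body and return the decoded JSON response.

    Raises urllib.error.HTTPError on a non-2xx status; log that alongside the
    case_ids in `body` so the failed attempt is still on the case record.
    """
    req = urllib.request.Request(
        kibana_url.rstrip("/") + "/api/endpoint/action/isolate",
        data=json.dumps(body).encode(),
        method="POST",
        headers={
            "Authorization": authorization,
            "Content-Type": "application/json",
            "kbn-xsrf": "true",  # Assumption: required by Kibana for non-GET API calls
        },
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode())


if __name__ == "__main__":
    # Constructed input reusing IDs from the page's examples (no network call).
    req_body = build_isolate_request(
        ["9972d10e-4b9e-41aa-a534-a85e2a28ea42", "9972d10e-4b9e-41aa-a534-a85e2a28ea42"],
        comment="Locked down, pending further investigation",
        case_ids=["4976be38-c134-4554-bd5e-0fd89ce63667"],
    )
    print(json.dumps(req_body, indent=2))
    # Live call with your own values:
    # isolate_endpoints("https://<KIBANA_URL>", api_key_header("<id>", "<secret>"), req_body)
```

Passing case_ids on every isolation is the cheap way to keep an audit trail: the page states the action is logged in the named cases, so a later reviewer can see who isolated which host and why without correlating separate logs.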