Get a file from a hostedit
Retrieve a file from a host running Elastic Defend.
You must have the File Operations
Kibana privilege in the Security feature as part of your role and at least an Enterprise license to perform this action.
Request URLedit
POST <kibana host>:<port>/api/endpoint/action/get_file
Request bodyedit
A JSON object with these fields:
Name | Type | Description | Required |
---|---|---|---|
|
Array (String) |
The IDs of endpoints where you want to issue this action. |
Yes |
|
Array (String) |
If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. |
No |
|
Array (String) |
The IDs of cases where the action taken will be logged. |
No |
|
String |
Attach a comment to this action’s log. The comment text will appear in associated cases. |
No |
|
String |
The file’s full path (including the file name). |
Yes |
Example requestsedit
Retrieve a file /usr/my-file.txt
on a host with an endpoint_id
value of ed518850-681a-4d60-bb98-e22640cae2a8
and comments Get my file
:
POST /api/endpoint/action/get_file { "endpoint_ids": ["ed518850-681a-4d60-bb98-e22640cae2a8"], "parameters": { "path": "/usr/my-file.txt", }, "comment": "Get my file" }
Response codeedit
-
200
- Indicates a successful call.
-
403
- Indicates insufficient privileges, or unsupported license level (minimum Enterprise license required).
Response payloadedit
A JSON object with the details of the response action created.
Example responseedit
{ "data": { "id": "27ba1b42-7cc6-4e53-86ce-675c876092b2", "agents": [ "ed518850-681a-4d60-bb98-e22640cae2a8" ], "hosts": { "ed518850-681a-4d60-bb98-e22640cae2a8": { "name": "gke-endpoint-gke-clu-endpoint-node-po-e1a3ab89-4c4r" } }, "command": "get-file", "startedAt": "2023-07-28T19:00:03.911Z", "isCompleted": false, "wasSuccessful": false, "isExpired": false, "status": "pending", "outputs": {}, "agentState": { "ed518850-681a-4d60-bb98-e22640cae2a8": { "isCompleted": false, "wasSuccessful": false } }, "createdBy": "myuser", "parameters": { "path": "/usr/my-file.txt" } } }