Query parameters

• page integer

  The page number to return.

  Minimum value is 1. Default value is 1.

• pageSize integer

  The number of response actions to return per page.

  Minimum value is 1, maximum value is 100. Default value is 10.

• commands array[string]

  A list of response action command names to filter by.

  Not more than 50 elements. Minimum length of each is 1. Values are isolate, unisolate, kill-process, suspend-process, running-processes, get-file, execute, upload, scan, runscript, cancel, or memory-dump.

• agentIds array[string] | string

  A list of Elastic Agent IDs to filter the response actions by.

• userIds array[string] | string

  A list of user IDs that submitted the response actions.

• startDate string

  A start date in ISO 8601 format or Date Math format (for example, now-24h).

• endDate string

  An end date in ISO 8601 format or Date Math format (for example, now).

• agentTypes string

  The agent type to filter response actions by. Defaults to endpoint.

  Values are endpoint, sentinel_one, crowdstrike, or microsoft_defender_endpoint.

• withOutputs array[string] | string

  A list of response action IDs whose outputs should be included in the response.

• types array[string]

  A list of response action types to filter by (automated, manual).

  Values are automated or manual.

Responses

• 200 application/json

  Indicates a successful call.

  Hide response attributes Show response attributes object

  • agentTypes array[string]

    The list of agent types the query was filtered by.

  • commands array[string]

    The list of commands the query was filtered by.

  • data array[object]

    The list of response actions.

    Hide data attributes Show data attributes object

    • agents array[string(uuid)]

      The agent IDs for the hosts that the response action was sent to

    • agentState object

      The state of the response action for each agent ID that it was sent to

      Hide agentState attribute Show agentState attribute object

      • * object(uuid) Additional properties
        Hide * attributes Show * attributes object(uuid)

        • completedAt string

          The date and time the response action was completed for the agent ID

        • isCompleted boolean

          Whether the response action is completed for the agent ID

        • wasSuccessful boolean

          Whether the response action was successful for the agent ID

    • agentType string

      List of agent types to retrieve. Defaults to endpoint.

      Values are endpoint, sentinel_one, crowdstrike, or microsoft_defender_endpoint.

    • command string Required

      The command for the response action

      Minimum length is 1. Values are isolate, unisolate, kill-process, suspend-process, running-processes, get-file, execute, upload, scan, runscript, cancel, or memory-dump.

    • completedAt string(date-time)

      The response action completion time

    • createdBy string

      The user who created the response action

    • hosts object

      An object containing the host names associated with the agent IDs the response action was sent to

      Hide hosts attribute Show hosts attribute object

      • * object(uuid) Additional properties
        Hide * attribute Show * attribute object(uuid)

        • name string

          The host name

    • id string(uuid)

      The response action ID

    • isComplete boolean

      Whether the response action is complete

    • isExpired boolean

      Whether the response action is expired

    • outputs object

      The outputs of the response action for each agent ID that it was sent to. Content different depending on the response action command and will only be present for agents that have responded to the response action

      Hide outputs attribute Show outputs attribute object

      • * object(uuid) Additional properties

        The agent id

        Hide * attributes Show * attributes object(uuid)

        • content object | string Required

          The response action output content for the agent ID. Exact format depends on the response action command.

          One of:

          object-1 object string-2 string
        • type string Required

          Values are json or text.

    • parameters object

      The parameters of the response action. Content different depending on the response action command

    • startedAt string(date-time)

      The response action start time

    • status string

      The response action status

    • wasSuccessful boolean

      Whether the response action was successful

  • elasticAgentIds array[string]

    The list of elastic agent IDs the query was filtered by.

  • endDate string

    The end date filter applied to the query.

  • page integer

    The current page number.

  • pageSize integer

    The number of items per page.

  • startDate string

    The start date filter applied to the query.

  • statuses array[string]

    The list of statuses the query was filtered by.

  • total integer

    The total number of response actions matching the query.

  • userIds array[string]

    The list of user IDs the query was filtered by.