GET /api/endpoint/action

Spaces method and path for this operation:

GET /s/{space_id}/api/endpoint/action

Refer to Spaces for more information.

Get a list of all response actions.

Query parameters

  • page integer

    Page number

    Minimum value is 1. Default value is 1.

  • pageSize integer

    Number of items per page

    Minimum value is 1, maximum value is 100. Default value is 10.

  • commands array[string]

    A list of response action command names.

    Not more than 50 elements. Minimum length of each is 1. Values are isolate, unisolate, kill-process, suspend-process, running-processes, get-file, execute, upload, scan, runscript, cancel, or memory-dump.

  • agentIds array[string] | string

    A list of agent IDs. Max of 250.

  • userIds array[string] | string

    A list of user IDs. Max of 50.

  • startDate string

    A start date in ISO 8601 format or Date Math format.

  • endDate string

    An end date in ISO format or Date Math format.

  • agentTypes string

    List of agent types to retrieve. Defaults to endpoint.

    Values are endpoint, sentinel_one, crowdstrike, or microsoft_defender_endpoint.

  • withOutputs array[string] | string

    A list of action IDs that should include the complete output of the action. Max of 50.

  • types array[string]

    List of types of response actions

    Values are automated or manual.

Responses

  • 200 application/json

    Indicates a successful call.

    • agentTypes array[string]

      The list of agent types the query was filtered by.

    • commands array[string]

      The list of commands the query was filtered by.

    • data array[object]

      The list of response actions.

      • agents array[string(uuid)]

        The agent IDs for the hosts that the response action was sent to

      • agentState object

        The state of the response action for each agent ID that it was sent to

        • * object(uuid) Additional properties
          • completedAt string

            The date and time the response action was completed for the agent ID

          • isCompleted boolean

            Whether the response action is completed for the agent ID

          • wasSuccessful boolean

            Whether the response action was successful for the agent ID

      • agentType string

        List of agent types to retrieve. Defaults to endpoint.

        Values are endpoint, sentinel_one, crowdstrike, or microsoft_defender_endpoint.

      • command string Required

        The command for the response action

        Minimum length is 1. Values are isolate, unisolate, kill-process, suspend-process, running-processes, get-file, execute, upload, scan, runscript, cancel, or memory-dump.

      • completedAt string(date-time)

        The response action completion time

      • createdBy string

        The user who created the response action

      • hosts object

        An object containing the host names associated with the agent IDs the response action was sent to

        • * object(uuid) Additional properties
          • name string

            The host name

      • id string(uuid)

        The response action ID

      • isComplete boolean

        Whether the response action is complete

      • isExpired boolean

        Whether the response action is expired

      • outputs object

        The outputs of the response action for each agent ID that it was sent to. Content differs depending on the response action command and is only present for agents that have responded to the response action.

        • * object(uuid) Additional properties

          The agent ID

          • content object | string Required

            The response action output content for the agent ID. Exact format depends on the response action command.

          • type string Required

            Values are json or text.

      • parameters object

        The parameters of the response action. Content differs depending on the response action command.

      • startedAt string(date-time)

        The response action start time

      • status string

        The response action status

      • wasSuccessful boolean

        Whether the response action was successful

    • elasticAgentIds array[string]

      The list of elastic agent IDs the query was filtered by.

    • endDate string

      The end date filter applied to the query.

    • page integer

      The current page number.

    • pageSize integer

      The number of items per page.

    • startDate string

      The start date filter applied to the query.

    • statuses array[string]

      The list of statuses the query was filtered by.

    • total integer

      The total number of response actions matching the query.

    • userIds array[string]

      The list of user IDs the query was filtered by.

GET /api/endpoint/action
curl \
 --request GET 'https://<KIBANA_URL>/api/endpoint/action' \
 --header "Authorization: $API_KEY"
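
The following Python sketch is an added example, not code from the API's vendor or this reference page. It checks filters against the limits listed under "Query parameters" before a request is sent, then reads a 200 body to find agents where an action is still pending or failed. The names `build_query`, `unfinished`, `next_page` and `SAMPLE` are hypothetical, the sample body is constructed, and sending array parameters as repeated keys is an assumption.

```python
from urllib.parse import urlencode

# Limits and enumerations copied from the parameter list above.
COMMANDS = {"isolate", "unisolate", "kill-process", "suspend-process",
            "running-processes", "get-file", "execute", "upload", "scan",
            "runscript", "cancel", "memory-dump"}
AGENT_TYPES = {"endpoint", "sentinel_one", "crowdstrike", "microsoft_defender_endpoint"}
MAX_ITEMS = {"commands": 50, "agentIds": 250, "userIds": 50, "withOutputs": 50}

def build_query(page=1, pageSize=10, **filters):
    """Check filters against the documented limits; return the query string."""
    if page < 1 or not 1 <= pageSize <= 100:
        raise ValueError("need page >= 1 and 1 <= pageSize <= 100")
    for name, limit in MAX_ITEMS.items():
        value = filters.get(name, [])
        if len([value] if isinstance(value, str) else value) > limit:
            raise ValueError(f"{name}: at most {limit} values")
    if not set(filters.get("commands", [])) <= COMMANDS:
        raise ValueError("unknown command name")
    if (filters.get("agentTypes", "endpoint") not in AGENT_TYPES
            or not set(filters.get("types", [])) <= {"automated", "manual"}):
        raise ValueError("unknown agentTypes or types value")
    # Assumption: array parameters are serialized as repeated keys.
    return urlencode({"page": page, "pageSize": pageSize, **filters}, doseq=True)

def unfinished(body):
    """Rows (action id, command, createdBy, host, agent id) per agent not yet successful."""
    rows = []
    for action in body.get("data", []):
        for agent_id, state in action.get("agentState", {}).items():
            if not (state.get("isCompleted") and state.get("wasSuccessful")):
                host = action.get("hosts", {}).get(agent_id, {}).get("name")
                rows.append((action["id"], action["command"],
                             action.get("createdBy"), host, agent_id))
    return rows

def next_page(body):
    """Next page number, or None once page * pageSize covers total."""
    return body["page"] + 1 if body["page"] * body["pageSize"] < body["total"] else None

# Constructed sample response (not real data), shaped like the 200 body above.
SAMPLE = {"page": 1, "pageSize": 10, "total": 12, "data": [
    {"id": "action-1", "command": "isolate", "createdBy": "analyst1",
     "hosts": {"agent-a": {"name": "host-a"}, "agent-b": {"name": "host-b"}},
     "agentState": {"agent-a": {"isCompleted": True, "wasSuccessful": True},
                    "agent-b": {"isCompleted": False, "wasSuccessful": False}}},
    {"id": "action-2", "command": "execute", "createdBy": "analyst2",
     "hosts": {"agent-a": {"name": "host-a"}},
     "agentState": {"agent-a": {"isCompleted": True, "wasSuccessful": True}}}]}
```

Append the string returned by `build_query` to the endpoint path after a `?`, and keep requesting `next_page(body)` until it returns `None`.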