Isolate an endpoint
Spaces method and path for this operation:
post /s/{space_id}/api/endpoint/action/isolate
Refer to Spaces for more information.
Isolate an endpoint from the network. The endpoint remains isolated until it's released.
Body
Required
- List of agent types to retrieve. Defaults to endpoint. Values are endpoint, sentinel_one, crowdstrike, or microsoft_defender_endpoint.
- If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts. At least 1 element. Minimum length of each is 1.
- The IDs of cases where the action taken will be logged. At least 1 element. Minimum length of each is 1.
- Optional comment
- List of endpoint IDs (cannot contain empty strings). At least 1 element. Minimum length of each is 1.
- Optional parameters object
POST /api/endpoint/action/isolate
curl \
--request POST 'https://<KIBANA_URL>/api/endpoint/action/isolate' \
--header "Authorization: $API_KEY" \
--header "Content-Type: application/json" \
--data '{"comment":"Locked down, pending further investigation","endpoint_ids":["9972d10e-4b9e-41aa-a534-a85e2a28ea42","bc0e4f0c-3bca-4633-9fee-156c0b505d16","fa89271b-b9d4-43f2-a684-307cffddeb5a"]}'
Request examples
Isolates several hosts; includes a comment
{
  "comment": "Locked down, pending further investigation",
  "endpoint_ids": [
    "9972d10e-4b9e-41aa-a534-a85e2a28ea42",
    "bc0e4f0c-3bca-4633-9fee-156c0b505d16",
    "fa89271b-b9d4-43f2-a684-307cffddeb5a"
  ]
}

{
  "endpoint_ids": [
    "ed518850-681a-4d60-bb98-e22640cae2a8"
  ]
}

{
  "comment": "Isolating as initial response",
  "case_ids": [
    "4976be38-c134-4554-bd5e-0fd89ce63667"
  ],
  "endpoint_ids": [
    "1aa1f8fd-0fb0-4fe4-8c30-92068272d3f0",
    "b30a11bf-1395-4707-b508-fbb45ef9793e"
  ]
}
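A response playbook can enforce the body constraints listed above (non-empty ID lists, no empty strings) before the request leaves the automation host, so a malformed call fails locally instead of leaving a host un-isolated. The following is an added example, not code from this page or from Elastic. The names `build_isolate_request` and `_id_list`, the host `kibana.example`, the space `soc`, the `kbn-xsrf` header and the de-duplication of IDs are assumptions of the example.

```python
import json
import urllib.request

ISOLATE_PATH = "/api/endpoint/action/isolate"


def _id_list(name, values, required=False):
    """Enforce the page's rule: at least 1 element, each of length >= 1."""
    if values is None:
        if required:
            raise ValueError(f"{name} is required")
        return None
    # A bare string would otherwise be iterated character by character.
    if isinstance(values, str) or not values:
        raise ValueError(f"{name} must be a non-empty list of IDs")
    for v in values:
        # Stricter than the schema: whitespace-only IDs are rejected too.
        if not isinstance(v, str) or not v.strip():
            raise ValueError(f"{name} cannot contain empty strings")
    return list(dict.fromkeys(values))  # drop duplicates, keep order


def build_isolate_request(kibana_url, api_key, endpoint_ids,
                          comment=None, case_ids=None, space_id=None):
    """Return an unsent urllib Request for the isolate action."""
    body = {"endpoint_ids": _id_list("endpoint_ids", endpoint_ids, required=True)}
    cases = _id_list("case_ids", case_ids)
    if cases:
        body["case_ids"] = cases
    if comment:
        body["comment"] = comment
    prefix = f"/s/{space_id}" if space_id else ""  # Spaces form of the path
    return urllib.request.Request(
        kibana_url.rstrip("/") + prefix + ISOLATE_PATH,
        data=json.dumps(body).encode(),
        method="POST",
        headers={
            "Authorization": api_key,  # same value the page's curl passes as $API_KEY
            "Content-Type": "application/json",
            "kbn-xsrf": "true",  # assumption: not part of the page's curl sample
        },
    )


if __name__ == "__main__":
    # Constructed values; kibana.example is a placeholder host.
    req = build_isolate_request(
        "https://kibana.example", "ApiKey <REDACTED>",
        ["ed518850-681a-4d60-bb98-e22640cae2a8"],
        comment="Isolating as initial response", space_id="soc")
    print(req.get_method(), req.full_url)
    print(req.data.decode())
```

Pass the returned object to `urllib.request.urlopen` to send it; the builder itself performs no network I/O.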