List response actions

Retrieves a list of response actions.

Request URL

GET <kibana host>:<port>/api/action

URL query parameters

All parameters are optional:

page (number, default 1)
  The page of results to retrieve.

pageSize (number, default 10)
  Size of results per page. 1 to 10000.

commands (string[])
  A list of response action command names. Accepted values are:
  • isolate
  • unisolate
  • kill-process
  • suspend-process
  • running-processes
  • get-file
  • execute
  • upload

agentIds (string[])
  A list of agent IDs. Max of 50.

userIds (string[])
  A list of user IDs.

startDate (string)
  A start date in ISO format or Date Math format.

endDate (string)
  An end date in ISO format or Date Math format.

agentTypes (string or string[])
  List of agent types to retrieve. Accepted values are:
  • endpoint (default)
  • sentinel_one (currently in Technical Preview)

withOutputs (string or string[])
  A list of action IDs that should include the complete output of the action.

types (string or string[])
  A list of action types. Valid values are:
  • automated: Actions that were triggered from rules
  • manual: Actions that were triggered manually via API

Example requests

List actions:

GET /api/endpoint/action

Lists isolate or kill-process command actions in the last 24 hours for two specific agent IDs:

GET /api/endpoint/action?agentIds=a123&agentIds=b456&commands=isolate&commands=kill-process&startDate=now-24h/h

Response code

200
Indicates a successful call.

Example response

{
    "page": 1,
    "pageSize": 10,
    "total": 4,
    "startDate": "now-24h/h",
    "endDate": "now",
    "elasticAgentIds": [
        "afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0"
    ],
    "data": [
        {
            "id": "b3d6de74-36b0-4fa8-be46-c375bf1771bf",
            "agents": [
                "afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0"
            ],
            "command": "running-processes",
            "agentType": "endpoint",
            "startedAt": "2022-08-08T15:24:57.402Z",
            "isCompleted": true,
            "completedAt": "2022-08-08T09:50:47.672Z",
            "wasSuccessful": true,
            "isExpired": false,
            "createdBy": "elastic"
        },
        {
            "id": "43b4098b-8752-4fbb-a7a7-6df7c74d0ee3",
            "agents": [
                "afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0"
            ],
            "command": "isolate",
            "agentType": "endpoint",
            "startedAt": "2022-08-08T15:23:37.359Z",
            "isCompleted": true,
            "completedAt": "2022-08-08T10:41:57.352Z",
            "wasSuccessful": true,
            "isExpired": false,
            "createdBy": "elastic"
        },
        {
            "id": "5bc92c86-b8e6-42dd-837f-12ad29e09caa",
            "agents": [
                "afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0"
            ],
            "command": "kill-process",
            "agentType": "endpoint",
            "startedAt": "2022-08-08T14:38:44.125Z",
            "isCompleted": true,
            "completedAt": "2022-08-08T09:44:50.952Z",
            "wasSuccessful": true,
            "isExpired": false,
            "createdBy": "elastic",
            "comment": "bad process - taking up too much cpu"
        },
        {
            "id": "790d54e0-3aa3-4e5b-8255-3ce9d851246a",
            "agents": [
                "afdc366c-e2e0-4cdb-ae1d-94575bd2d8e0"
            ],
            "command": "unisolate",
            "agentType": "endpoint",
            "startedAt": "2022-08-08T14:38:15.391Z",
            "isCompleted": true,
            "completedAt": "2022-08-08T09:40:47.398Z",
            "wasSuccessful": true,
            "isExpired": false,
            "createdBy": "elastic",
            "comment": "Not a threat to the network"
        }
    ]
}
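An added example, not part of the Kibana documentation: a small client-side helper in Python that builds a query string for the request above (array parameters as repeated keys, the documented limits on pageSize and agentIds, the accepted command and type names) and then buckets the actions in a response by outcome, noting whether further pages remain. SAMPLE_RESPONSE is constructed to match the documented response shape, and the precedence of isExpired, isCompleted and wasSuccessful when bucketing is an assumption of this example.

```python
from urllib.parse import urlencode

# Accepted values taken from the parameter table above.
VALID_COMMANDS = {"isolate", "unisolate", "kill-process", "suspend-process",
                  "running-processes", "get-file", "execute", "upload"}
VALID_TYPES = {"automated", "manual"}

def build_query(page=1, page_size=10, commands=(), agent_ids=(),
                start_date=None, end_date=None, types=()):
    """Query string for GET /api/endpoint/action; rejects values the table
    documents as invalid before anything is sent to Kibana."""
    if page < 1 or not 1 <= page_size <= 10000:
        raise ValueError("page must be >= 1 and pageSize between 1 and 10000")
    if len(agent_ids) > 50:
        raise ValueError("agentIds accepts at most 50 IDs")
    if set(commands) - VALID_COMMANDS or set(types) - VALID_TYPES:
        raise ValueError("unknown command or type name")
    params = [("page", page), ("pageSize", page_size)]
    # Array parameters are sent as repeated keys, as in the example request.
    params += [("agentIds", a) for a in agent_ids]
    params += [("commands", c) for c in commands]
    params += [("types", t) for t in types]
    params += [(k, v) for k, v in (("startDate", start_date),
                                   ("endDate", end_date)) if v]
    return urlencode(params)

def summarize(response):
    """Bucket each action by outcome (assumed precedence: expired, pending,
    failed, succeeded) and flag whether more pages remain."""
    buckets = {"expired": [], "pending": [], "failed": [], "succeeded": []}
    for a in response["data"]:
        if a["isExpired"]:
            buckets["expired"].append(a["id"])
        elif not a["isCompleted"]:
            buckets["pending"].append(a["id"])
        elif not a["wasSuccessful"]:
            buckets["failed"].append(a["id"])
        else:
            buckets["succeeded"].append(a["id"])
    buckets["more_pages"] = response["page"] * response["pageSize"] < response["total"]
    return buckets

# Constructed sample shaped like the documented response (not real data).
SAMPLE_RESPONSE = {"page": 1, "pageSize": 2, "total": 3, "data": [
    {"id": "act-1", "command": "isolate", "isCompleted": True,
     "wasSuccessful": True, "isExpired": False},
    {"id": "act-2", "command": "kill-process", "isCompleted": True,
     "wasSuccessful": False, "isExpired": False}]}
```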

For the Fleet APIs, see the Fleet API Documentation.