Cancel Scan Endpoints

Cancel a scan on endpoints.

Synopsis

URI
    /public_api/v1/endpoints/abort_scan
HTTP Method
    POST
Required License
    Cortex XDR Prevent or Cortex XDR Pro per Endpoint

Description

Cancel the scan of selected endpoints. A scan can only be aborted if the selected endpoints are in Pending or in Progress status.
When filtering by multiple fields:
  • Response is concatenated using AND condition (OR is not supported).
  • Offset is the zero-based number of endpoints from the start of the result set.

Request Fields

The body of this request contains a JSON object with the following fields:
Field
    Description
request_data
    (Required) A dictionary containing the API request fields.
filters
    (Required) Cancel scan all endpoints or according to filters.
    To cancel scan of all endpoints:
      • all
    Provides an array of filtered fields. Each JSON object must contain the following keywords:
      • field
        String that identifies a list the filters match. Filters are based on the following keywords:
        • endpoint_id_list: List of endpoint IDs.
        • dist_name: Name of the distribution list.
        • first_seen: When an endpoint was first seen.
        • last_seen: When an endpoint was last seen.
        • ip_list: List of IP addresses.
        • group_name: Name of endpoint group.
        • platform: Type of operating system.
        • alias: Endpoint alias name.
        • isolate: If an endpoint has been isolated.
        • hostname: Name of host.
        • username: Name of user.
      • operator
        String that identifies the comparison operator you want to use for this filter. Valid keywords and values are:
        in
        • endpoint_id_list, dist_name, group_name, alias, hostname, username: List of strings
        • ip_list: List of strings, for example 192.168.5.12
        • platform: windows, linux, macos, android
        • isolate: isolated or unisolated
        • scan_status: none, pending, in_progress, canceled, aborted, pending_cancellation, success, or error
        gte / lte
        • first_seen and last_seen: Integer in timestamp epoch milliseconds
      • value
        Value that this filter must match. Valid keywords:
        • first_seen, last_seen: Integer in timestamp epoch milliseconds, UTC timezone
        • endpoint_id_list, dist_name, hostname, alias, group_name: List of strings
        • ip_list: List of strings, for example 192.168.5.12
        • isolate: Must be isolated or unisolated.
        • platform: windows, linux, macos, or android
incident_id
    String representing the incident ID.
    When included in the request, the Cancel Scan Endpoints action will appear in the Cortex XDR Incident View Timeline tab.

Request Example
To cancel scan of all endpoints:
curl -X POST https://api-{fqdn}/public_api/v1/endpoints/abort_scan/ \
  -H "x-xdr-auth-id:{API_KEY_ID}" \
  -H "Authorization:{API_KEY}" \
  -H "Content-Type:application/json" \
  -d '{
    "request_data": {
      "filters": "all"
    }
  }'
To cancel scan of filtered endpoints:
curl -X POST https://api-{fqdn}/public_api/v1/endpoints/abort_scan/ \
  -H "x-xdr-auth-id:{API_KEY_ID}" \
  -H "Authorization:{API_KEY}" \
  -H "Content-Type:application/json" \
  -d '{
    "request_data": {
      "filters": [
        { "field": "endpoint_id_list", "operator": "in", "value": [ "<endpoint ID>" ] },
        { "field": "dist_name", "operator": "in", "value": [ "WinInstaller" ] },
        { "field": "group_name", "operator": "in", "value": [ "test" ] },
        { "field": "scan_status", "operator": "in", "value": [ "none", "pending", "in_progress", "pending_cancellation", "aborted", "success" ] },
        { "field": "group_name", "operator": "in", "value": [ "test" ] }
      ]
    }
  }'
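
The field, operator and value rules from the Request Fields table can be checked on the client before a request is sent. The following is an added example, not part of the Cortex XDR documentation: the function names, the allow_all guard and the rejection of an empty filter list are this example's own choices, and platform and isolate values are assumed to be lists, like scan_status in the request example above.

```python
import json

# Field/operator/value rules transcribed from the Request Fields table on this page.
STRING_LIST_FIELDS = {"endpoint_id_list", "dist_name", "group_name", "alias",
                      "hostname", "username", "ip_list"}
ENUM_FIELDS = {
    "platform": {"windows", "linux", "macos", "android"},
    "isolate": {"isolated", "unisolated"},
    "scan_status": {"none", "pending", "in_progress", "canceled", "aborted",
                    "pending_cancellation", "success", "error"},
}
TIME_FIELDS = {"first_seen", "last_seen"}


def check_filter(f):
    """Raise ValueError unless f is a field/operator/value combination from the table."""
    if not isinstance(f, dict) or set(f) != {"field", "operator", "value"}:
        raise ValueError("each filter needs exactly: field, operator, value")
    field, op, value = f["field"], f["operator"], f["value"]
    if field in TIME_FIELDS:
        # bool is a subclass of int in Python, so reject it explicitly.
        if op not in ("gte", "lte") or isinstance(value, bool) or not isinstance(value, int):
            raise ValueError(f"{field}: use gte/lte with an integer epoch-ms value")
        return
    if field not in STRING_LIST_FIELDS and field not in ENUM_FIELDS:
        raise ValueError(f"unknown filter field: {field!r}")
    if op != "in":
        raise ValueError(f"{field}: only the 'in' operator is documented")
    if not isinstance(value, list) or not value or not all(isinstance(v, str) for v in value):
        raise ValueError(f"{field}: value must be a non-empty list of strings")
    # Assumption: platform/isolate take lists, like scan_status in the page's example.
    bad = set(value) - ENUM_FIELDS.get(field, set(value))
    if bad:
        raise ValueError(f"{field}: unsupported value(s) {sorted(bad)}")


def build_abort_scan_body(filters, allow_all=False):
    """Return the JSON body; "all" must be opted into because it targets every endpoint."""
    if filters == "all":
        if not allow_all:
            raise ValueError('refusing "filters": "all" without allow_all=True')
    elif isinstance(filters, list) and filters:
        for f in filters:
            check_filter(f)
    else:
        # Example policy: an empty list is rejected rather than sent.
        raise ValueError('filters must be "all" or a non-empty list of filter objects')
    return json.dumps({"request_data": {"filters": filters}})
```

The returned string is what the curl examples pass with -d; because filters are combined with AND, every entry in the list narrows the set of endpoints whose scan is cancelled.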

Success Response

Upon success, the HTTP response code is 200.
Field
    Description
reply
    JSON object containing the query result.
action_id
    ID of action to scan selected endpoints.
    Response only indicates the request was successfully sent to the endpoint. To track if the scan succeeded either:
      • In Cortex XDR console, navigate to Response > Action Center and search for the action ID. Make sure the Action ID field is selected in the table Layout settings by selecting ( ).
      • Send a Get Action Status request.
status
    Integer representing whether the action:
      • 1: succeeded
      • 0: failed
endpoints_count
    Number of endpoints included in the request.

Success Response Example
{
  "reply": {
    "action_id": "<action ID value>",
    "status": "1",
    "endpoints_count": "673"
  }
}

Error Response

Upon error, the reply includes an HTTP response code, an error message, and additional information describing the error. The HTTP response code is one of the following:
HTTP Response Code
    Description
400
    Bad Request. Got an invalid JSON.
401
    Unauthorized access. An issue occurred during authentication. This can indicate an incorrect key, id, or other invalid authentication parameters.
402
    Unauthorized access. User does not have the required license type to run this API.
403
    Forbidden access. The provided API Key does not have the required RBAC permissions to run this API.
500
    Internal server error. A unified status for API communication type errors.

Error Response Format
{"reply": {"err_code": STATUS_CODE, "err_msg": GENERAL_MESSAGE, "err_extra": EXTRA_DATA}}