Isolate Endpoints

Isolate one or more endpoints.

Synopsis

URI: /public_api/v1/endpoints/isolate/
HTTP Method: POST
Required License: Cortex XDR Prevent or Cortex XDR Pro per Endpoint

Description

Isolate one or more endpoints in a single request. A request is limited to 1000 endpoints.

Request Fields

The body of this request contains a JSON object with the following fields.

A request can contain either endpoint_id, to isolate one endpoint, or filters, to isolate more than one endpoint. Sending both raises an error.

  • request_data
    (Required) A dictionary containing the API request fields.
  • endpoint_id
    (Required) String that identifies the endpoint to isolate.
    Only required if isolating one endpoint.
  • filters
    (Required) Provides an array of filtered fields for isolating a number of endpoints at once.
    Only required if isolating more than one endpoint.
    Each JSON object must contain the following keywords:
    • field
      String that identifies a list the filters match. Filters are based on the following keywords:
      • endpoint_id_list: List of endpoint IDs.
    • operator
      String that identifies the comparison operator you want to use for this filter. Valid keywords and values are:
      • in
        • endpoint_id_list: List of strings
    • value
      Value that this filter must match. Valid keywords:
      • endpoint_id_list: List of strings

Request Example

Isolate one endpoint:

curl -X POST https://api-{fqdn}/public_api/v1/endpoints/isolate/ \
  -H "x-xdr-auth-id:{API_KEY_ID}" \
  -H "Authorization:{API_KEY}" \
  -H "Content-Type:application/json" \
  -d '{
    "request_data":{
      "endpoint_id":"<endpoint ID>"
    }
  }'

Isolate more than one endpoint:

curl -X POST https://api-{fqdn}/public_api/v1/endpoints/isolate/ \
  -H "x-xdr-auth-id:{API_KEY_ID}" \
  -H "Authorization:{API_KEY}" \
  -H "Content-Type:application/json" \
  -d '{
    "request_data":{
      "filters":[
        {
          "field":"endpoint_id_list",
          "operator":"in",
          "value":[
            "<endpoint ID 1>",
            "<endpoint ID 2>",
            "<endpoint ID 3>"
          ]
        }
      ]
    }
  }'

Success Response

Upon success, the HTTP response code is 200.

  • reply
    JSON object containing the query result.
  • action_id
    ID of action to scan selected endpoints.
    The response only indicates that the request was successfully sent to the endpoint. To track whether the isolation succeeded, either:
    • In the Cortex XDR console, navigate to Response > Action Center > Isolation and search for the action ID. Make sure the Action ID field is selected in the table Layout settings by selecting the table settings icon.
    • Send a Get Action Status request.
  • status
    Integer representing whether the action:
    • 1: succeeded
    • 0: failed
  • endpoints_count
    Number of endpoints included in the request.

Success Response Example

{
  "reply": {
    "action_id":"<action ID>",
    "status": "1",
    "endpoints_count": "673"
  }
}

Error Response

Upon error, the reply includes an HTTP response code, an error message, and additional information describing the error. The HTTP response code is one of the following:
  • 400
    Bad Request. Got an invalid JSON.
  • 401
    Unauthorized access. An issue occurred during authentication. This can indicate an incorrect key, id, or other invalid authentication parameters.
  • 402
    Unauthorized access. User does not have the required license type to run this API.
  • 403
    Forbidden access. The provided API Key does not have the required RBAC permissions to run this API.
  • 500
    Internal server error. A unified status for API communication type errors.

Error Response Format

{"reply": {"err_code": STATUS_CODE, "err_msg": GENERAL_MESSAGE, "err_extra": EXTRA_DATA}}
