1. Home
    2. Security Operations
    3. Cortex XDR
    4. Cortex XDR™ API Reference
    5. APIs
    6. Response Action APIs
    7. Restore File

    Restore File

    Restore a file on an endpoint.

    Synopsis

    URI
    /public_api/v1/endpoints/restore/
    HTTP Method
    POST
    Required License
    Cortex XDR Prevent, Cortex XDR Pro per Endpoint, or Cortex XDR Pro per TB

    Description

    Restore a quarantined file on a requested endpoints.
    When filtering by multiple fields:
    • Response is concatenated using AND condition (OR is not supported).
    • Maximum result set size is 100.
    • Offset is the zero-based number of incidents from the start of the result set.

    Request Fields

    The body of this request contains a JSON object with the following fields:
    Field
    Description
    request_data
    (
    Required
    ) A dictionary containing the API request fields.
    file_hash
    (
    Required
    ) String that represents the file in hash. Hash must be a valid SHA256.
    endpoint_id
    String representing the endpoint ID.
    If you do not enter a specific endpoint ID, the request will run restore on all endpoints which relate to the quarantined file you defined.
    incident_id
    String representing the incident ID.
    When included in the request, the Restore File action will appear in the Cortex XDR Incident View Timeline tab.
    Request Example
    
curl -X POST https://api-{fqdn}/public_api/v1/endpoints/restore/ \    
-H "x-xdr-auth-id:{API_KEY_ID}" \    
-H "Authorization:{API_KEY}" \    
-H "Content-Type:application/json" \    
-d '{ 
   "request_data":{ 
      "file_hash":"<hash value>",
      "incident_id": 302
   }
}'

    Success Response

    Upon success, the HTTP response code is 200.
    Field
    Description
    reply
    JSON object containing the query result.
    action_id
    ID of action to restore selected endpoints.
    Response only indicates the request was successfully sent to the endpoint. To track if the file was restored successfully either:
    • In Cortex XDR console, navigate to
      Response
      Action Center
       and search for the action ID. Make sure the
      Action ID
       field is selected in the table
      Layout
       settings.
    • Send a request.
    status
    Integer representing whether the action:
    • 1
      —succeeded
    • 0
      —failed
    endpoints_count
    Number of endpoints included in the request.
    Success Response Example
    {
    "reply": {
    		"action_id":"<action ID>",
    		"endpoints_count": "673"
        }
}

    Error Response

    Upon error, the reply includes an HTTP response code, an error message, and additional information describing the error. The HTTP response code is one of the following:
    Field
    Description
    400
    Bad Request. Got an invalid JSON.
    401
    Unauthorized access. An issue occurred during authentication. This can indicate an incorrect key, id, or other invalid authentication parameters.
    402
    Unauthorized access. User does not have the required license type to run this API.
    403
    Forbidden access. The provided API Key does not have the required RBAC permissions to run this API.
    500
    Internal server error. A unified status for API communication type errors.
    Error Response Format
    {"reply": {"err_code": STATUS_CODE, "err_msg": GENERAL_MESSAGE, "err_extra": EXTRA_DATA}}

    Recommended For You

    Recommended Videos

    Recommended videos not found.

    © 2022 Palo Alto Networks, Inc. All rights reserved.

    Techdocs Logo