Cancel a response action

POST /api/endpoint/action/cancel

Cancel a running or pending response action (applies only to some agent types).

application/json

Body Required

  • agent_type string

    List of agent types to retrieve. Defaults to endpoint.

    Values are endpoint, sentinel_one, crowdstrike, or microsoft_defender_endpoint.

  • alert_ids array[string]

    If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts.

    At least 1 element. Minimum length of each is 1.

  • case_ids array[string]

    The IDs of cases where the action taken will be logged.

    At least 1 element. Minimum length of each is 1.

  • comment string

    Optional comment

  • endpoint_ids array[string] Required

    List of endpoint IDs (cannot contain empty strings)

    At least 1 element. Minimum length of each is 1.

  • parameters object Required

    Optional parameters object

    • id string Required

      ID of the response action to cancel

      Minimum length is 1.

Responses

  • 200 application/json

    Successfully cancelled the response action

    • data object

      The created response action details

      • agents object

        The agent IDs for the hosts that the response action was sent to

      • agentState object

        The state of the response action for each agent ID that it was sent to

        • * object Additional properties
          • completedAt string

            The date and time the response action was completed for the agent ID

          • isCompleted boolean

            Whether the response action is completed for the agent ID

          • wasSuccessful boolean

            Whether the response action was successful for the agent ID

      • agentType string

        The response action agent type

      • command string

        The response action command

      • createdBy string

        The user who created the response action

      • hosts object

        An object containing the host names associated with the agent IDs the response action was sent to

        • * object Additional properties
          • name string

            The host name

      • id string

        The response action ID

      • isComplete boolean

        Whether the response action is complete

      • isExpired boolean

        Whether the response action is expired

      • outputs object

        The outputs of the response action for each agent ID that it was sent to

        • * object Additional properties
          • content object | string Required

            The response action output content for the agent ID. Exact format depends on the response action command.

          • type string Required

            Values are json or text.

      • parameters object

        The parameters of the response action. The content differs depending on the response action command.

      • startedAt string

        The response action start time

      • status string

        The response action status

      • wasSuccessful boolean

        Whether the response action was successful

POST /api/endpoint/action/cancel
# Kibana requires the kbn-xsrf header on non-GET API requests.
curl \
 --request POST 'https://<KIBANA_URL>/api/endpoint/action/cancel' \
 --header "Authorization: $API_KEY" \
 --header "Content-Type: application/json" \
 --header "kbn-xsrf: true" \
 --data '{"comment":"Cancelling action due to change in requirements","agent_type":"microsoft_defender_endpoint","parameters":{"id":"7f8c9b2a-4d3e-4f5a-8b1c-2e3f4a5b6c7d"},"endpoint_ids":["ed518850-681a-4d60-bb98-e22640cae2a8"]}'
Request example
{
  "comment": "Cancelling action due to change in requirements",
  "agent_type": "microsoft_defender_endpoint",
  "parameters": {
    "id": "7f8c9b2a-4d3e-4f5a-8b1c-2e3f4a5b6c7d"
  },
  "endpoint_ids": [
    "ed518850-681a-4d60-bb98-e22640cae2a8"
  ]
}
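
Added example, not part of the Kibana documentation: a Python helper that enforces the documented body constraints before a cancel request is sent, and lists the agents whose agentState in the 200 response is not yet completed and successful. The function names and the sample response values are constructed for illustration.

```python
# Added example; helper names are illustrative, not part of any Kibana client.
AGENT_TYPES = {"endpoint", "sentinel_one", "crowdstrike", "microsoft_defender_endpoint"}


def _ids(name, values):
    """Documented array rule: at least 1 element, each a string of length >= 1."""
    if not isinstance(values, list) or not values:
        raise ValueError(f"{name} must be a list with at least 1 element")
    if any(not isinstance(v, str) or not v for v in values):
        raise ValueError(f"{name} cannot contain empty strings")
    return values


def build_cancel_body(action_id, endpoint_ids, agent_type="endpoint",
                      comment=None, alert_ids=None, case_ids=None):
    """Return a validated JSON body for POST /api/endpoint/action/cancel."""
    if not isinstance(action_id, str) or not action_id:
        raise ValueError("parameters.id must be a non-empty string")
    if agent_type not in AGENT_TYPES:
        raise ValueError(f"unsupported agent_type: {agent_type!r}")
    body = {"agent_type": agent_type,
            "endpoint_ids": _ids("endpoint_ids", endpoint_ids),
            "parameters": {"id": action_id}}
    if comment is not None:
        body["comment"] = comment
    for name, values in (("alert_ids", alert_ids), ("case_ids", case_ids)):
        if values is not None:  # optional, but validated when supplied
            body[name] = _ids(name, values)
    return body


def unfinished_agents(response):
    """Map host name (agent ID if unnamed) to agentState for agents not yet done."""
    data = response.get("data", {})
    hosts = data.get("hosts", {})
    return {hosts.get(agent_id, {}).get("name", agent_id): state
            for agent_id, state in data.get("agentState", {}).items()
            if not (state.get("isCompleted") and state.get("wasSuccessful"))}


# Constructed sample 200 response; IDs, host names and timestamp are made up.
SAMPLE_RESPONSE = {"data": {
    "hosts": {"agent-a": {"name": "host-a"}, "agent-b": {"name": "host-b"}},
    "agentState": {
        "agent-a": {"isCompleted": True, "wasSuccessful": True,
                    "completedAt": "2025-01-01T00:00:00.000Z"},
        "agent-b": {"isCompleted": False, "wasSuccessful": False},
    },
}}
```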