Run a command

POST /api/endpoint/action/execute

Run a shell command on an endpoint.

application/json; Elastic-Api-Version=2023-10-31

Body Required

  • agent_type string

    Values are endpoint, sentinel_one, or crowdstrike.

  • alert_ids array[string]

    A string that is not empty and does not contain only whitespace

    At least 1 element. Minimum length of each is 1. Format of each should match the following pattern: ^(?! *$).+$.

  • case_ids array[string]

    Case IDs to be updated (cannot contain empty strings)

    At least 1 element. Minimum length of each is 1.

  • comment string

    Optional comment

  • endpoint_ids array[string] Required

    List of endpoint IDs (cannot contain empty strings)

    At least 1 element. Minimum length of each is 1.

  • parameters object Required
    • command string Required

      The command to be executed (cannot be an empty string)

      Minimum length is 1. Values are isolate, unisolate, kill-process, suspend-process, running-processes, get-file, execute, upload, or scan.

    • timeout integer

      The maximum timeout value in milliseconds (optional)

      Minimum value is 1.
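The body schema above is easy to get subtly wrong (an empty array, a whitespace-only alert ID, a zero timeout), and because this action runs a shell command on a host it is worth rejecting a malformed request locally rather than discovering the problem from a 400 response. The following Python is an added example, not Elastic's client code: it checks a body against the constraints listed on this page and builds the HTTP request with the standard library. The `kbn-xsrf: true` header and the `Authorization: ApiKey ...` header are not shown on this page but are what Kibana expects for authenticated, state-changing API calls; the endpoint and alert IDs in the sample body are constructed placeholders.

```python
"""Added example (not Elastic's code): validate and build a request for
POST /api/endpoint/action/execute using only the constraints documented above."""
import json
import re
from urllib import request

# Pattern the docs give for alert_ids: at least one character, not only spaces.
NON_BLANK = re.compile(r"^(?! *$).+$")
AGENT_TYPES = {"endpoint", "sentinel_one", "crowdstrike"}


def validate_execute_body(body: dict) -> list[str]:
    """Return a list of problems; an empty list means the body satisfies the schema."""
    problems = []

    agent_type = body.get("agent_type")
    if agent_type is not None and agent_type not in AGENT_TYPES:
        problems.append(f"agent_type must be one of {sorted(AGENT_TYPES)}")

    # endpoint_ids is required; alert_ids and case_ids are optional but, when
    # present, must be non-empty arrays of non-empty strings.
    if "endpoint_ids" not in body:
        problems.append("endpoint_ids is required")
    for field in ("endpoint_ids", "alert_ids", "case_ids"):
        if field not in body:
            continue
        values = body[field]
        if not isinstance(values, list) or len(values) < 1:
            problems.append(f"{field} must be a non-empty array")
            continue
        for v in values:
            if not isinstance(v, str) or len(v) < 1:
                problems.append(f"{field} elements must be non-empty strings")
                break
            if field == "alert_ids" and not NON_BLANK.match(v):
                problems.append("alert_ids elements must not be only whitespace")
                break

    params = body.get("parameters")
    if not isinstance(params, dict):
        problems.append("parameters object is required")
    else:
        command = params.get("command")
        if not isinstance(command, str) or len(command) < 1:
            problems.append("parameters.command must be a non-empty string")
        timeout = params.get("timeout")
        if timeout is not None and (
            isinstance(timeout, bool) or not isinstance(timeout, int) or timeout < 1
        ):
            problems.append("parameters.timeout must be an integer >= 1")

    return problems


def build_request(kibana_url: str, api_key: str, body: dict) -> request.Request:
    """Build (but do not send) the POST; raises ValueError if the body is invalid."""
    problems = validate_execute_body(body)
    if problems:
        raise ValueError("; ".join(problems))
    return request.Request(
        url=kibana_url.rstrip("/") + "/api/endpoint/action/execute",
        data=json.dumps(body).encode("utf-8"),
        method="POST",
        headers={
            "Content-Type": "application/json; Elastic-Api-Version=2023-10-31",
            # Kibana rejects state-changing requests that lack this header.
            "kbn-xsrf": "true",
            # API-key authentication; a session cookie or basic auth also works.
            "Authorization": f"ApiKey {api_key}",
        },
    )


# Constructed sample body; the IDs are placeholders, not real agent or alert IDs.
EXAMPLE_BODY = {
    "agent_type": "endpoint",
    "alert_ids": ["EXAMPLE-ALERT-ID"],
    "comment": "Collecting process list for triage",
    "endpoint_ids": ["EXAMPLE-ENDPOINT-ID"],
    "parameters": {"command": "ps aux", "timeout": 30000},
}

if __name__ == "__main__":
    req = build_request("https://localhost:5601", "EXAMPLE-API-KEY", EXAMPLE_BODY)
    print(req.get_method(), req.full_url)
    # To actually send it: request.urlopen(req) (TLS verification applies).
```

Sending the request is left to `request.urlopen(req)` so the validation and construction can be exercised without a Kibana instance; the `comment` field is a good place to record the case or ticket that justifies the action, since it is stored with the action record.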

Responses

  • 200 application/json; Elastic-Api-Version=2023-10-31

    OK

POST /api/endpoint/action/execute
curl \
 -X POST https://localhost:5601/api/endpoint/action/execute \
 -H "Content-Type: application/json; Elastic-Api-Version=2023-10-31"
Request examples
{
  "agent_type": "endpoint",
  "alert_ids": [
    "string"
  ],
  "case_ids": [
    "string"
  ],
  "comment": "string",
  "endpoint_ids": [
    "string"
  ],
  "parameters": {
    "command": "isolate",
    "timeout": 42
  }
}
Response examples (200)
{}