mirror of
https://github.com/MicrosoftDocs/windows-itpro-docs.git
synced 2025-05-12 05:17:22 +00:00
3.4 KiB
3.4 KiB
title, description, keywords, search.product, ms.prod, ms.mktglfcycl, ms.sitesec, ms.pagetype, ms.author, author, ms.localizationpriority, manager, audience, ms.collection, ms.topic
| title | description | keywords | search.product | ms.prod | ms.mktglfcycl | ms.sitesec | ms.pagetype | ms.author | author | ms.localizationpriority | manager | audience | ms.collection | ms.topic |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Stop and quarantine file API | Use this API to stop and quarantine file. | apis, graph api, supported apis, stop and quarantine file | eADQiWindows 10XVcnh | w10 | deploy | library | security | macapara | mjcaparas | medium | dansimp | ITPro | M365-security-compliance | article |
Stop and quarantine file API
Applies to:
Stop execution of a file on a machine and delete it.
[!includeMachine actions note]
Permissions
One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Use Microsoft Defender ATP APIs
| Permission type | Permission | Permission display name |
|---|---|---|
| Application | Machine.StopAndQuarantine | 'Stop And Quarantine' |
| Delegated (work or school account) | Machine.StopAndQuarantine | 'Stop And Quarantine' |
Note
When obtaining a token using user credentials:
- The user needs to have at least the following role permission: 'Active remediation actions' (See Create and manage roles for more information)
- The user needs to have access to the machine, based on machine group settings (See Create and manage machine groups for more information)
HTTP request
POST https://api.securitycenter.windows.com/api/machines/{id}/StopAndQuarantineFile
Request headers
| Name | Type | Description |
|---|---|---|
| Authorization | String | Bearer {token}. Required. |
| Content-Type | string | application/json. Required. |
Request body
In the request body, supply a JSON object with the following parameters:
| Parameter | Type | Description |
|---|---|---|
| Comment | String | Comment to associate with the action. Required. |
| Sha1 | String | Sha1 of the file to stop and quarantine on the machine. Required. |
Response
If successful, this method returns 201 - Created response code and Machine Action in the response body.
Example
Request
Here is an example of the request.
POST https://api.securitycenter.windows.com/api/machines/1e5bc9d7e413ddd7902c2932e418702b84d0cc07/StopAndQuarantineFile
Content-type: application/json
{
"Comment": "Stop and quarantine file on machine due to alert 441688558380765161_2136280442",
"Sha1": "87662bc3d60e4200ceaf7aae249d1c343f4b83c9"
}
Response
Here is an example of the response.
[!includeImprove request performance]
HTTP/1.1 201 Created
Content-type: application/json
{
"@odata.context": "https://api.securitycenter.windows.com/api/$metadata#MachineActions/$entity",
"id": "141408d1-384c-4c19-8b57-ba39e378011a",
"type": "StopAndQuarantineFile",
"requestor": "Analyst@contoso.com ",
"requestorComment": "Stop and quarantine file on machine due to alert 441688558380765161_2136280442",
"status": "InProgress",
"machineId": "1e5bc9d7e413ddd7902c2932e418702b84d0cc07",
"creationDateTimeUtc": "2018-12-04T12:15:04.3825985Z",
"lastUpdateTimeUtc": "2018-12-04T12:15:04.3825985Z",
"relatedFileInfo": {
"fileIdentifier": "87662bc3d60e4200ceaf7aae249d1c343f4b83c9",
"fileIdentifierType": "Sha1"
}
}