Upload file to host

edit

Upload a file to a host running Elastic Defend.

You must have the File Operations Kibana privilege in the Security feature as part of your role and an Enterprise license to perform this action.

Request URL

edit

POST <kibana host>:<port>/api/endpoint/action/upload

The request must include the Content-Type: multipart/form-data HTTP header.

Request body

edit

A multipart/form-data with the following:

Name Type Description Required

endpoint_ids

Array (String)

The IDs of endpoints where you want to issue this action.

Yes

agent_type

String

The type of Agent that the host is running with. Accepted values are:

  • endpoint (default)
  • sentinel_one (currently in Technical Preview)

No

alert_ids

Array (String)

If this action is associated with any alerts, they can be specified here. The action will be logged in any cases associated with the specified alerts.

No

case_ids

Array (String)

The IDs of cases where the action taken will be logged.

No

comment

String

Attach a comment to this action’s log. The comment text will appear in associated cases.

No

parameters.overwrite

Boolean

Overwrite the file on the host if it already exists.

No

file

Stream

The file content to be uploaded.

Yes

Example requests

edit

Upload a file named fix-malware.sh to a host with an endpoint_id value of ed518850-681a-4d60-bb98-e22640cae2a8. It assumes that the file is located in the same directory where the command is being entered:

curl -X POST "api/endpoint/action/upload" \
-H 'kbn-xsrf: true' \
-H 'Content-Type: multipart/form-data' \
-F 'endpoint_ids: ["ed518850-681a-4d60-bb98-e22640cae2a8"]' \
-F "file=@fix-malware.sh" 

The relative path to the file to upload. Note the path must be preceded with @.

Response code

edit
200
Indicates a successful call.
403
Indicates insufficient user privilege (File Operations required), or unsupported license level (Enterprise license required).

Response payload

edit

A JSON object with the details of the response action created.

Example response

edit
{
  "data": {
    "id": "9ff6aebc-2cb6-481e-8869-9b30036c9731",
    "agents": [
      "ed518850-681a-4d60-bb98-e22640cae2a8"
    ],
    "hosts": {
      "ed518850-681a-4d60-bb98-e22640cae2a8": {
        "name": "Host-5i6cuc8kdv"
      }
    },
    "command": "upload",
    "agentType": "endpoint",
    "startedAt": "2023-07-03T15:07:22.837Z",
    "isCompleted": false,
    "wasSuccessful": false,
    "isExpired": false,
    "status": "pending",
    "outputs": {},
    "agentState": {
      "ed518850-681a-4d60-bb98-e22640cae2a8": {
        "isCompleted": false,
        "wasSuccessful": false
      }
    },
    "createdBy": "elastic",
    "parameters": {
      "file_name": "fix-malware.sh",
      "file_id": "10e4ce3d-4abb-4f93-a0cd-eaf63a489280",
      "file_sha256": "a0bed94220193ba4895c0aa5b4e7e293381d15765cb164ddf7be5cdd010ae42a",
      "file_size": 69
    }
  }
}